2019 was an interesting year for the IT industry, especially where cybersecurity is concerned. Just check the ZDNet report on the scariest attacks and vulnerabilities of the year. Many things have changed, while many issues and trends have continued to escalate.
Among the trends driving the change is, of course, the broad transition to microservices architectures. Containers and microservices have been the talk of the industry since 2015, but it was not until this year that the majority of users gained enough confidence in container technology to run it in production. In fact, 87% of users now run containers in production. Just wow! APIs have always been a key part of enterprise and SaaS security, as I discussed earlier.
B2B scenarios … require security federation for both portal users and API requests, more complex services with higher needs for security and integrity, and a broader range of messaging styles. – Randy Heffner et al., The Forrester Wave(™)
Microservices rely on APIs as the primary fabric of the application, which has brought API management and API security to the forefront and made APIs an attractive target for hackers. More on this below, in the 2020 predictions.
The trend that continued in 2019 and shows no signs of waning is the abundance of phishing and compromised-credential attacks. A recent Verizon data breach report shows that 40% of incidents involved phishing and 35% involved stolen credentials. In many cases these attacks only turned into incidents because of weak authentication practices, such as not using a second factor. The same report also shows that as many as 60% of all hacking attacks use a compromised web application to gain unauthorized access or steal data.
Neither authentication problems nor web vulnerabilities are new, nor are they going away anytime soon.
So, what lies ahead? Let’s turn over our virtual coffee cups and read the coffee grounds.
- API exploits will multiply
APIs will continue to gain in importance. APIs are the main moving force behind mobile and IoT. APIs within Kubernetes and other microservices architectures require special handling. (BTW, check out Wallarm's recent expansion into protecting Envoy and service meshes.)
So far, we haven't seen many exploits in the wild focused explicitly on APIs, but I believe this is about to change. With their new importance, APIs become a more attractive target, and more hackers will attempt to steal data and gain access via this channel. This will be further exacerbated by the use of newer API protocols such as GraphQL and gRPC, which do not yet have as big a tool chest of security controls as the older SOAP and REST technologies.
What to do: Apply security monitoring measures specific to your APIs, such as WAFs with protocol support for the technologies you use. A WAF that only understands HTTP form posts and URL parameters cannot reason about a GraphQL document or a protobuf payload, so it will neither see a deeply nested query nor an introspection probe against your schema.
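As an added example (not code from the original post or from Wallarm), here is a minimal protocol-aware check of the kind a GraphQL-capable gateway performs before a query reaches the resolvers: it measures the nesting depth of the selection sets and flags introspection queries, two things a generic HTTP WAF cannot see. The sample queries, the depth limit of 6 and the function names are my own constructions; a production check would parse the document with the server's GraphQL library rather than scanning braces.

```python
import re


def graphql_max_depth(query: str) -> int:
    """Return the deepest selection-set nesting in a GraphQL document.

    Braces inside string literals (ordinary and triple-quoted block strings)
    and comments (# ...) are ignored so an attacker cannot hide or fake
    nesting. Depth 1 is the operation's top-level selection set.
    """
    depth = max_depth = 0
    i, n = 0, len(query)
    while i < n:
        c = query[i]
        if c == '"':
            if query.startswith('"""', i):            # block string
                end = query.find('"""', i + 3)
                i = n if end == -1 else end + 3
            else:                                      # ordinary string
                i += 1
                while i < n and query[i] != '"':
                    if query[i] == '\\':               # skip escaped char
                        i += 1
                    i += 1
                i += 1                                 # past closing quote
            continue
        if c == '#':                                   # comment to end of line
            while i < n and query[i] not in '\r\n':
                i += 1
            continue
        if c == '{':
            depth += 1
            max_depth = max(max_depth, depth)
        elif c == '}':
            depth -= 1
        i += 1
    return max_depth


# __schema / __type are the introspection roots; __typename is a normal field
# and must not match, which the trailing word boundary guarantees.
INTROSPECTION_RE = re.compile(r"\b__(?:schema|type)\b")


def inspect_query(query: str, max_depth: int = 6,
                  allow_introspection: bool = False) -> list:
    """Return the reasons to reject the query; an empty list means allow."""
    reasons = []
    depth = graphql_max_depth(query)
    if depth > max_depth:
        reasons.append(f"depth {depth} exceeds limit {max_depth}")
    if not allow_introspection and INTROSPECTION_RE.search(query):
        reasons.append("introspection query")
    return reasons


# Constructed sample queries (not taken from real traffic).
BENIGN_QUERY = """
query GetUser($id: ID!) {
  user(id: $id) { id name posts { title } }   # depth 3
}
"""
BRACE_IN_STRING_QUERY = '{ search(text: "{not a brace}") { id } }'
# Six nested "friends" levels under "user": depth 8, a typical resource-exhaustion probe.
NESTED_ABUSE_QUERY = "{ user " + "{ friends " * 6 + "{ name }" + " }" * 7
INTROSPECTION_QUERY = "{ __schema { types { name fields { name } } } }"

if __name__ == "__main__":
    samples = [("benign", BENIGN_QUERY), ("string", BRACE_IN_STRING_QUERY),
               ("nested", NESTED_ABUSE_QUERY), ("introspection", INTROSPECTION_QUERY)]
    for label, q in samples:
        print(f"{label:13} depth={graphql_max_depth(q)} verdict={inspect_query(q) or 'allow'}")
```

Introspection is legitimately needed by tooling in development, so the check takes an `allow_introspection` switch rather than rejecting it unconditionally; in production you would typically leave it off and also cap query complexity (field count times list sizes), which this depth-only check does not do.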
- More tools will get built into the DevOps
This trend is in line with the "shift left" tendency described by Gartner. As DevOps cycles accelerate, it only makes sense to shift security considerations into the design and development phases. Unfortunately, developers have more and more demands placed on them, which makes them less and less inclined to become experts in yet another discipline like security. Hence, forward-looking CISOs and vendors alike will look to shift the burden of "how" to do things onto tools and automation. The latter will become a standard part of the DevOps toolchain in a sizable share of IT shops in 2020.
What to do: Get ahead of the game by identifying the most significant security risks in your DevOps toolchain and making automated security checks a part of your CI/CD pipeline.
- Password-less authentication will take hold
To combat phishing, where users get their credentials stolen, the industry will finally start broad-scale adoption of technologies that do not require passwords. In the battle between security and convenience, the only winners are hackers. Technology that creates hurdles in the user workflow gets bypassed, just like a strong password written on a Post-it note and stuck to the monitor.
What to do: Start evaluating tools that not only provide strong authentication, like two-factor auth, but eliminate passwords altogether. Look for tools that help you manage authentication across the board: employees, partners, IoT devices and so on. Keep in mind that a second factor delivered as an SMS or one-time code can itself be phished in real time; only origin-bound, hardware-backed authenticators such as FIDO2/WebAuthn actually close the phishing gap.
- Industry consolidation will continue
2019 was the year of consolidation in the cybersecurity industry, with some sources pegging the overall M&A pool at $17B or more.
Palo Alto Networks went on a shopping spree, gobbling up Demisto, Twistlock, and PureSec; Carbonite ventured into security software with the acquisition of Webroot; larger players such as Broadcom, Sophos, and VMware signaled their continued interest in enterprise security with acquisitions of their own. Specifically in the AppSec vertical, the recent acquisitions of Zenedge, Prevoty, tCell, and Imperva are being followed by the deals involving Shape Security and ObserveIT. The consolidation trend will continue into 2020 as CTOs and CIOs look to solve for accelerated, lower-risk development rather than add technologies that solve point security problems.
In the words of Hank Thomas, CEO at Strategic Cyber Ventures, “The key M&A driver is a lack of sophistication in today’s security platforms. Many of the point tools companies rely on are very much just features. CISOs are looking to consolidate their data feeds and dashboards, to do security orchestration, automation, and response. The problem is, they don’t have a sufficiently advanced platform.”
What to do: The most important thing in the climate of a fluid industry is to avoid vendor lock-in. Make sure that the vendor you select lets you manage the functionality via an API, in case you need to integrate it with an external management console, and lets you access and export your own data in case you need to migrate away after an M&A event. For smaller vendors that may become prime targets for an acquisition, insisting on a source-code escrow and other transparency measures may be a good idea.
- We’ll see more platform serialization vulnerabilities
Platforms are not going anywhere. Serialization/deserialization issues, originally introduced in Java and known for creating tough problems in WebLogic and the Struts framework, are also the culprit in many issues seen in PHP, Python, Ruby, .NET and others.
The issue is that there is really no good way to communicate structured data, like JSON records or GraphQL responses, without flattening (serializing) it. Thus most sophisticated API protocols will have handlers that deserialize input, and as new protocols get developed we will likely see more 0-day vulnerabilities and associated exploits. The dangerous cases are deserializers that instantiate whatever type the wire data names (Java native serialization, PHP unserialize, Python pickle, .NET BinaryFormatter); a plain JSON parser that only produces maps, lists and scalars is far less exposed, but JSON libraries with polymorphic type handling enabled bring back the same class of problem.
Within the OWASP Top Ten, we can predict that Insecure Deserialization will advance from its current eighth place up a few positions.
What to do: There are two ways to protect against these issues, and you will need both. Version verification and patching of the platform is old advice but nevertheless one of the strongest tools in your arsenal. If your deployment cadence doesn't allow for immediate patching, apply a virtual patch for known platform issues. Your second barrier of defense is runtime protection with detection tools that make sure nothing in that payload causes trouble once it is deserialized. In your own code, never hand untrusted input to a format that can instantiate arbitrary classes; prefer a data-only format validated against a schema, or restrict the deserializer's type resolution to an explicit allowlist.
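As an added example (not code from the original post or from Wallarm), here is the pattern in Python: a payload that abuses pickle's ability to name an arbitrary callable to run on load, the naive handler that executes it, and a restricted unpickler that resolves only an allowlist of plain data types, which is the mitigation the Python documentation recommends when pickle cannot be avoided. The gadget here only records a marker instead of calling os.system, and the class and function names are my own; the same idea (deny type resolution outside an allowlist) is what Java's ObjectInputFilter, .NET's SerializationBinder and PHP unserialize's allowed_classes option give you.

```python
import builtins
import io
import pickle

# Records what the gadget did; a real gadget would call os.system or similar.
EXECUTED = []


def gadget(marker):
    """Stand-in for the attacker's chosen callable (constructed for the demo)."""
    EXECUTED.append(marker)
    return marker


class Evil:
    """Object whose pickled form tells the loader to call gadget('pwned')."""
    def __reduce__(self):
        return (gadget, ("pwned",))


def build_malicious_payload() -> bytes:
    """Constructed attacker payload; the bytes name the module and callable."""
    return pickle.dumps(Evil())


def unsafe_load(data: bytes):
    """What a naive handler does: pickle resolves and calls any global named."""
    return pickle.loads(data)


# Only plain data containers and scalars may be resolved from the stream.
SAFE_BUILTINS = {"dict", "list", "set", "frozenset", "tuple",
                 "str", "bytes", "int", "float", "bool"}


class RestrictedUnpickler(pickle.Unpickler):
    """Deny every global lookup except an explicit allowlist of builtins."""
    def find_class(self, module, name):
        if module == "builtins" and name in SAFE_BUILTINS:
            return getattr(builtins, name)
        raise pickle.UnpicklingError(f"forbidden global {module}.{name}")


def safe_load(data: bytes):
    return RestrictedUnpickler(io.BytesIO(data)).load()


def demo() -> dict:
    """Run both loaders against the payload and a benign record; return what happened."""
    payload = build_malicious_payload()
    benign = pickle.dumps({"user": "alice", "roles": ["admin"], "mfa": True})
    out = {}
    try:
        safe_load(payload)
        out["restricted_blocked"] = False
    except pickle.UnpicklingError as exc:
        out["restricted_blocked"] = True
        out["reason"] = str(exc)
    out["executed_after_restricted"] = list(EXECUTED)   # still empty
    out["benign_roundtrip"] = safe_load(benign)          # data-only payloads pass
    out["unsafe_result"] = unsafe_load(payload)          # the gadget runs here
    out["executed_after_unsafe"] = list(EXECUTED)
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Note that the restricted loader rejects the payload before any object is built, because the global lookup happens while the stream is being read; that is also why a virtual patch or runtime guard has to act on the bytes or on type resolution, not on the object after it exists.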
Have other predictions or disagree with mine? Let’s chat. Write to firstname.lastname@example.org or tweet to @wallarm