top 6 technology trends that will affect software security in 2016
TRANSCRIPT
Since technology is intertwined into every
aspect of most people’s lives around the
world, the overall attack surface increases
tremendously year over year.
With this continually increased risk, we
should place increased importance on
software security.
What will define 2016 in terms of the
seemingly never-ending cat and mouse
game of software security?
1. Everything is mobile
• We are in the era of smart devices.
• We use mobile devices extensively to
communicate, shop, and store sensitive
information.
• The storage of payment information on mobile devices
has long been a driving force for cyber criminals.
• As more and more people conduct financial transactions online,
the attack surface grows.
• We also have to worry about mobile malware.
• Apple and Google app stores have both been hit by mobile
malware.
What can be done?
Because software security for mobile applications is a
growing trend, organizations should have their applications
assessed before releasing them internally and externally to
bolster their security.
Learn more about mobile application security testing.
2. Smarter automobiles
• Machine learning is quickly becoming a core part of
autonomous technology, including cars.
• We have yet to see complete autonomy of cars, but we
can still expect to see attacks on automobiles in the
future.
• In 2015, we’ve already witnessed attacks on cars and planes.
What can be done?
To prevent these attacks from taking place, manufacturers
are diligently integrating software security into their
vehicles.
They are recognizing that any automobile part connected to
a network needs to be protected.
3. Virtualization and cloud environments
• Virtualization is a major part of cloud environments. It
helps a cloud environment provide software, data, or any
computing resources efficiently, and comes in the form of
a software-defined network.
• At a basic level, virtualization partitions a physical layer
(say a server) into different virtual layers (virtual
machines).
• Each layer has to be secured.
• In 2015, with the advancement of virtualization within
cloud environments, we are seeing an increase
in software security defects being reported.
What can be done?
Organizations are heavily dependent
on virtualization for core functions
because it provides easier deployment
and management, improved disaster
recovery, and reduction in hardware
costs.
Delivering proper security mechanisms for virtualization
and cloud-based functions will be a big trend next year.
4. Zero-day vulnerabilities
• A zero-day vulnerability is a software security flaw that is not known or not disclosed to the vendor.
• With a zero-day exploit, an attacker could cause serious damage (ranging from planting malware to gaining unauthorized system access).
• With the development of sophisticated tools to detect attacks, attackers are forced to evolve their skillset and tools to sneak through the advanced detection. • Attackers are continually working to find exploits for different
components.
• Infrastructures are building components that are interconnected. This increases the attack-surface and gives attackers more room to exploit.
What can be done?
Of course we cannot predict what is going to be hit, and
that is why software security needs to be taken seriously
from the very beginning of the SDLC.
5. Wearable, smart tech, and Internet of Things
• Internet of Things (IoT) is emerging
at a rapid rate.
• We have more devices embedded with
network connectivity that are collecting
and exchanging data.
• Wearable devices, including medical devices, are
vulnerable to being hacked.
• We saw quite a few cases related to ransomware in 2015.
• The trend is sure to continue in 2016 as we connect
more wearable and smart gadgets to the Internet.
What can be done?
We need to perform rigorous security tests before making
such devices available to the public.
Download the BSIMM6 to see common security activities
currently undertaken in the healthcare industry.
6. Internal security training
• Organizations are becoming more aware of the overall
security problem.
• There is an increase in the demand for software
developer security training so that they’re able to build
secure software from the beginning.
• This trend will grow exponentially in 2016 as more
organizations identify the need for security training.
What can be done?
Training sessions are helpful to establish a “secure
development” mindset among developers who don’t
currently care about security unless their system is
compromised.
With new technology coming into our homes and
our lives every day, it’s important that we stay
focused on building secure software for these
devices.
We may not know how attackers could leverage
these devices until it’s too late.
But, adopting software security measures will
make the exploitation task for attackers much
harder.
The bottom line
• Security will buy us more time.
• In that extra time, we can move the focus to better
hardening of software.
• Securing software is not a one-time task. It is continually
evolving as the technology around us evolves.
As 2016 gets underway, let’s tighten our
security measures to create a safer, smarter
year than the bad guys.
How proactive is your organization’s
software security initiative?