Erik Costlow of Azul provides his cybersecurity predictions for 2023 and beyond. From security catching up to DevOps to the software supply chain and an emphasis on Java, cybersecurity has a big year ahead.
Security predictions are a tricky business: something almost always happens that is both unexpected and a big deal. But in the coming year, several social and technological factors are lining up that set the stage for a major breach.
With recessionary indicators and layoffs, economic uncertainty also lies ahead, creating an opportunity for an increase in ransomware attacks. By cutting back on security that protects data, companies have fewer resources to keep things safe, increasing the chance of a breach. On the technology side, as we connect more and more devices, we’re also accumulating and storing massive amounts of data, which inherently means that a vulnerability lies undetected somewhere in there.
Even in the face of those looming threats, knowledge and preparation can go a long way to protect organizations. Here are some trends to keep an eye on in 2023.
1. Security Must Catch Up with DevOps
For years, security has typically lagged behind DevOps, either because DevOps teams went full speed ahead and paid only partial attention to security or they paid some attention but were only sometimes certain that the security model was correct.
The disconnect has led to a sort of “bolt-on, do-it-later” security, or security tooling that came late and didn’t quite fit. As sub-industries reached a stable point, security eventually caught up. Network security is pretty good, and operating system security is doing well, but a lot of the risk now is in applications: the custom piece that DevOps produces at a much faster rate.
In this space, every vendor talks about the number of results, the severity, the risk of a breach, and so on. However, application security is becoming as much about the workflow and the ability to fit into how a team moves, if not more so, as about the results themselves. Tools that are “security tools for security people” will be left behind in favor of “security tools that fit into teams.”
We’re at a point where the broader groups of application buyers and users expect applications to be secure, so security is finally being pulled forward. At some point, the role of security will evolve beyond the silo of experts or the “center of excellence” approach. Security capabilities and knowledge will merge with many DevOps tools and processes, ideally to automate the risk away.
2. Investors Will Look for Speed
The security approaches that will draw attention from investors are those that come closer to matching DevOps speed in newer areas. This is often where the seed investments are, because the firm hopes to get a first-mover advantage and have its solution baked into the way the DevOps approach is designed, capturing more of the addressable market. This includes areas like infrastructure-as-code security.
3. Protecting the Software Supply Chain
According to Gartner, attacks on the software supply chain are expected to triple over the next few years. Security teams must increase their awareness of one of the most substantial attack vectors: vulnerabilities in Java libraries and components.
One of the most significant gaps in the software supply chain lies in production code, where open-source or third-party software could open the door to potential attacks. Failure to detect and patch known vulnerabilities in their Java application estates can expose organizations to significant impact and cost, including financial penalties running into the hundreds of millions of dollars, compromising of customer data, lower market capitalization, and turnover in executive staff.
Over the last several years, the security industry has used the term “shift left” to bring some tools closer to where the software is being built. While these are worthwhile endeavors, it has created a disconnect between what companies see “on the left” and what they run in production “on the right.” A prediction I would like to see is for some techniques to keep shifting left, but with more validation and prevention techniques coming in on the right.
4. Java’s Role in Security
The future of Java is secure and reliable development. That will prove critical now that developers have their hands on the wheel of critical business areas, such as security and infrastructure costs. Executives will have little patience for developers who abdicate the responsibility of how their technology decisions impact the broader company.
5. Lightning Round: What to Watch For
These are the trends poised to capture a lot of attention next year in the security space:
- Inventories and SBOMs: With CISA taking a guiding role in the US Federal Government and its influence on vendors, it’s impossible for software providers not to notice and understand what the word “requires” means. Integrating a software bill of materials (SBOM) into your application security toolset will keep DevOps and security teams connected and will save you time when it’s time to remediate.
- Observability: In DevOps and Platform Engineering teams, observability is built for problem resolution, to identify how information flows through a system and track what went wrong. When security ties into observability, you have better insight into what constitutes normal and safe behavior, making it easier to pick out what’s abnormal and dangerous. This will happen at a more granular level than today.
- Team structure: Instead of acting as consultative teams of experts, I’d like to see a trend where security teams follow the Team Topologies approach to become enabling teams or even rotate members onto stream-aligned teams to embed security into the normal workflow.
Unfortunately, many organizations focus more on security only after an attack has occurred. In the end, awareness and knowledge are the underpinnings of any security program, and I hope these trends will help security pros stay ready for what’s ahead.