Application security and threat intelligence trends, Simon Roe, Product Manager
#1 Website attacks
#2 DevSecOps goes mainstream
With DevSecOps gaining mainstream traction, the tools enabling security to easily be built into the CI/CD process will become more readily available in 2020. To further enable DevSecOps, a focus on education will increase as developers are being ‘shifted to the left’ to become both security champions and code warriors. The need for organizations to have a well-developed, and embedded education program covering the key aspects of secure coding practices such as the OWASP and has a layered defence will become more apparent with the increased adoption of DevSecOps. Automation is the ultimate tool to support DevSecOps adoption and will kick start security testing throughout the SDLC from development, deployment to production to ensure ongoing assessment of critical apps.
#3 Automation and continuous risk assessment for critical apps
To combat the continual breach of applications, and the ever increasing demands on time brought on by DevSecOps practices, organizations will look for a more continuous solution to assess critical applications to give them greater visibility throughout the lifecycle, irrespective of where and when it is deployed or updated - continually feeding back into the development backlog for efficient management and handling. Automated testing tools for application security will be key to supporting a DevSecOps approach in 2020 allowing internal teams to collaborate and work more efficiently whilst updates and new releases are continuously tested against security guidelines.
#4 Risk based approach and predictive model coming of age
Organizations will continue to adopt a risk based prioritization for vulnerability management and remediation. As pressure increases on organizations to remediate quickly, this approach helps stretched security teams focus efforts and be more efficient , moving from a ‘patch all’ critical vulnerabilities to patch vulnerabilities that pose a true risk to their business first. Threat intelligence tools provide context around vulnerabilities, enabling prioritization and better-informed decision making.
As vendors build predictive models to further enhance risk-based prioritization of vulnerabilities, these models will attempt to guide organizations by predicting what vulnerabilities are likely to be weaponized and used next. Organizations will through 2020 start to adopt these types of services more and more to build more effective vulnerability management programmes.
Cloud security trends, Sergio Loureiro, Product Manager
#5 Multi-cloud adoption grows and so does the risk
In 2019 we have seen a strong growth of multi-cloud adoption, with more than 73% of organizations using 2 or more cloud providers. Organizations and business units are choosing the best provider for their use cases, and application development are increasing shifting to the cloud in search of lower compute costs and increased flexibility. This continual rise will see cloud becoming a growing target for threat actors in 2020, as hackers take note of the opportunities surrounding multi-cloud and misconfiguration. With cloud spawn and confusion over the shared responsibility model, security professionals will continue to be challenged by misconfiguration and the need for cloud workload protection. AWS dominates this market so expect to see more attacks hitting the news in 2020.
Get Cloud security ready with our securing public clouds guide.
#6 Cloud providers double down on security, but there’s a catch
Cloud providers will continue to push into security, with integrated solutions, such as Azure Security Center, AWS Security Hub or GCP Command Center. These solutions will increase their market share amongst customers with low legacy architectures but will not support multi-cloud scenario and complex hybrid architectures. In order to protect your cloud infrastructure and build security assurance, organizations need the tools to automate discovery of cloud assets and homogenize security controls across providers to achieve a single view of the risk profile.
#7 Containerization of apps and infrastructure as code
Containers and shift left security will continue its path to become common practice. The next phase will see an increased adoption of security by design through Infrastructure as Code, such as AWS Cloud Formation, Azure Resource Manager and GCP Cloud Deployment Manager. Containerized apps bring additional security concerns, in 2020 organizations will need greater visibility and context on vulnerabilities in order to harden container infrastructures through automated and integrated security assessment.
Technology and hacking trends, Martin Jartelius, CSO and Hugo Van den Toorn, Product Manager
#8 Organizations continue to overlook basic security hygiene
We predict that most breaches will be down to old forgotten systems, outdated software and poor access management leading to high consequences of breach of individual users. So, a misguided focus towards what’s “new and cool” rather than a responsible clean-up of the mistakes will continue to plague businesses, when a big majority of the risks could be resolved with proper security hygiene, regular risk review and security assessment.
#9 Supply chain attacks go large
Although supply chain attacks seem limited to more advanced and determined adversaries, the risk is evolving. What to do when you struggle to catch the big fish? Poison it’s bait! Target a supplier that has far less security control in place and from that ‘island’ you can jump straight onto your target. From a defensive perspective this is also a difficult thing to secure from. The larger the organization, the harder it is to enforce security and perform business impact assessments for each and every supplier. 2020 might just be the year that gives us more large-scale examples of this threat.
#10 Business email compromise and phishing
BEC and phishing in general is ever evolving and will most likely continue to grow in both volume and sophistication. The past year we have seen an increase in advanced phishing methods targeting applications secured with two-factor authentication (2FA) and almost all reporting phishing website appear to use a secure HTTPS connection. Although it is a good trend that 2FA and use of HTTPS is being adopted, we see that end-users still fall prey to phishing. Hopefully 2020 will also be the year of increase support and adoption for hardware authentication devices.
#11 From phishing to smishing
In line with phishing, SMS phishing (or Smishing) seems to be on the rise. More and more Smishing campaign appear to be executed by adversaries, most of which are going full-circle to where we were ten-or-so years ago with email: The sender can easily be spoofed, and we will rely on the inherent trust users have in this type of messages. Most Smishing campaigns don’t seem to focus that much on the content of the text message, as long as the content puts some pressure on the victim and the company name that is used as sender matches the victim’s profile they will click. The included hyperlinks are often not even masking the fact that it is an illicit webpage.
#12 Wireless and IoT threats
Misconfiguration and Shadow IT will most certainly be the main problem posed for organisations and managing wireless security. Combined with the growing uptake of IoT devices, it’s easy to see how the new risks presented by reliance on wireless technologies will increase. Organizations need to apply the same security fundamentals to protect their wireless airspace and apply this to prevent hackers getting in. We shouldn’t assume someone else is taking care of the problem as it becomes a critical element of security.
2020 is set to bring a flurry of new challenges for security professionals, however it’s better to be prepared, taking a proactive approach and regain control of your threatscape before it becomes a problem. With increased legislation and compliance regulations coming into force, we at Outpost24 could help eliminate your security blindspots by providing continuous full stack assessment across network, device, application and cloud. Giving you time to focus on strategy, delivering ROI and helping to implement a security lead culture where all employees are accountable in delivering a secure future into the next decade.