We all wish we had a cybersecurity crystal ball that would give us deep insight into what’s coming next. From fresh exploits to new attack vectors, things change fast – and those sudden ebbs and flows can make or break how prepared you are to respond to future threats quickly and efficiently. Keeping an eye on trends that indicate how processes, tools, and workflows might change in response to these shifts is critical for staying ahead of the curve and ensuring that your organization is ready when the next big vulnerability makes itself known.
Data from our most recent AppSec Indicator report points to positive shifts in the near future when it comes to budget and preparedness. Many DevSecOps teams are planning to increase their investments in dynamic application security testing (DAST) with a focus on clear reporting, more tangible ROI, and reducing the noise generated by inaccurate results. In fact, over half of respondents to our report survey told us that their companies consider investing in a DAST solution to be the number one priority for their application security (AppSec) programs in 2023.
And that gives us hope, especially considering that, according to our research in the AppSec Indicator, 99% of organizations struggle to address vulnerabilities for a variety of reasons – including a lack of modern tools. It’s mission-critical that companies invest in the most accurate, automated platforms so no security issue is left unchecked. The next Log4j-level vulnerability or zero-day flaw is always waiting in the wings and bad actors are ready to exploit it to the full, so if organizations aren’t thinking proactively about the right technologies, new attack vectors, and challenges in the decade ahead, they’ll get left in the dust.
Looking beyond 2023, as organizations continue to modernize their approach to AppSec and increase their investment in reliable DAST solutions, what will the next five to ten years of cybersecurity trends look like? To find out, we sat down with Frank Catucci, Chief Technology Officer and Head of Security Research at Invicti.
Automation and accuracy will become standard features for DAST solutions
In the race to the software finish line, development doesn’t slow down for security. Every security tool and workflow needs to plug into existing processes and work effectively – or risk being bypassed. Automation, accuracy, and reliability are already setting the stage, but in DAST solutions, they’ll become a standard. No longer a nice-to-have, these features aid continuous application security by automating scans and delivering results via integrations right into development, security, and operations tools. That means teams can test all of their web applications and APIs with ease while more easily following industry regulations and government standards.
“DAST is quickly becoming a must-have in cybersecurity,” Catucci said. “Not only is it an invaluable tool for vulnerability testing – even more so when it comes to key integrations – but also it allows teams to regularly scan all their environments instead of focusing only on testing in pre-production. In the future, once this approach becomes standard, more DevSecOps teams will use it to anticipate and head off the actions of attackers, gaining end-to-end clarity of risk and direct-impact vulnerabilities that they can fix quickly.”
When DAST is standardized as part of AppSec program foundations and working in tandem with other testing types, it will enable critical insight into risk and allow security to cover all bases in collaboration with software developers. Ultimately, that will mean less friction between security and development and better security posture all around.
We’ll see more SBOMs and stricter regulations for critical vulnerabilities
If you don’t know what goes into every piece of software you build and deploy, how can you be certain that it’s secure? That’s where a software bill of materials, or SBOM, can really make a difference in understanding the risks within your software supply chain. An SBOM helps you cover every corner of an application by listing the tools, processes, libraries, and components that went into building it. That list becomes a must-have during or after a security incident, when remediation and prevention are a priority and need to happen quickly.
It’s an issue of national importance; the United States government is encouraging greater transparency through SBOMs by releasing guidelines for identifying and remediating risks in the software supply chain. These guidelines urge government enterprises to consider producing SBOMs for their purchased software, open source software, and in-house software. According to Catucci, the SBOM mindset will likely spread beyond the government in the future. And that mindset, he says, will be all about preparedness:
“If your product is vulnerability-free today, but a new exploit comes out tomorrow, how much time will you have to find all the places where a vulnerable component is used?” Catucci asked. “SBOMs are the start for fixing this issue, and I think that legislation for critical and high-severity common vulnerabilities and exposures (CVEs) is next. From there, it will rapidly expand into internal policies that will eventually make their way to the consumer ecosystem.”
Part of that change starts with awareness, Catucci noted. Many cybersecurity professionals know and understand that the supply chain requires more attention, but we’re not seeing a ton of improvements today because there isn’t much urgency. As SBOMs and supply chain security become standard in the next five to ten years, there will be an industry shift toward awareness and proactive fixes. As more organizations use open-source components in their code to speed up delivery timelines, proactive approaches will also help DevSecOps teams pivot fast the moment the next big exploit is uncovered.
“When we have lots of open-source components, the impact of even one vulnerability could be catastrophic – think of the ramifications of losing business and customer data, which damages revenue and trustworthiness,” Catucci added. “When I think back to 2016, the impact of the Heartbleed vulnerability was huge; we can no longer overlook these types of risks.”
SBOMs and software composition analysis (SCA) for open source code are a start; as we move into the future of cybersecurity, fully understanding these risks and having a sturdy strategy for approaching them will be paramount for preparedness.
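To make the “where is the vulnerable component used?” question concrete, here is an added example, not code from the article or from Invicti, that walks a constructed CycloneDX-style SBOM and reports every application shipping a component whose version falls inside an advisory's affected range. The SBOM contents, the advisory bounds and the small range syntax are my own constructions for illustration.

```python
import json
import re

# Constructed CycloneDX-style SBOM; nested "components" model what each
# application ships. Names and versions are made up for illustration.
SBOM_JSON = json.dumps({"bomFormat": "CycloneDX", "specVersion": "1.4", "components": [
    {"type": "application", "name": "billing-service", "version": "3.2.0", "components": [
        {"type": "library", "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"},
        {"type": "library", "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.13.4"}]},
    {"type": "application", "name": "web-frontend", "version": "1.9.3", "components": [
        {"type": "library", "purl": "pkg:npm/lodash@4.17.20"},
        {"type": "library", "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.17.1"}]}]})

# Constructed advisory: versionless package URL -> affected range (illustrative
# bounds, in a small comma-separated ">=a,<b" syntax of my own).
ADVISORY = {"pkg:maven/org.apache.logging.log4j/log4j-core": ">=2.0.0,<2.15.0"}

PURL_RE = re.compile(r"^pkg:(?P<type>[^/]+)/(?P<name>[^@?#]+)@(?P<version>[^?#]+)")
OPS = {"<": lambda a, b: a < b, "<=": lambda a, b: a <= b, "==": lambda a, b: a == b,
       ">": lambda a, b: a > b, ">=": lambda a, b: a >= b}

def vtuple(version):
    return tuple(int(x) for x in re.findall(r"\d+", version))  # "2.14.1" -> (2, 14, 1)

def in_range(version, spec):
    """True when every clause of spec holds for the dotted-numeric version."""
    v = vtuple(version)
    for clause in spec.split(","):
        op, bound = re.match(r"(<=|>=|==|<|>)\s*(.+)", clause.strip()).groups()
        if not OPS[op](v, vtuple(bound)):
            return False
    return True

def walk(components, path=()):
    """Yield (names of enclosing components, purl) for every component, recursively."""
    for comp in components:
        if "purl" in comp:
            yield path, comp["purl"]
        yield from walk(comp.get("components", []), path + (comp.get("name", "?"),))

def find_affected(sbom_json, advisory):
    """Return [(where, package, version)] for each component inside an affected range."""
    hits = []
    for path, purl in walk(json.loads(sbom_json).get("components", [])):
        m = PURL_RE.match(purl)
        if not m:
            continue  # purl layouts this toy parser does not handle are skipped
        base = f"pkg:{m['type']}/{m['name']}"
        if base in advisory and in_range(m["version"], advisory[base]):
            hits.append((" > ".join(path) or "(top level)", base, m["version"]))
    return hits
```

Run against a real SBOM export, the same walk answers the question in seconds instead of a manual hunt through build files; the version comparison here handles dotted-numeric versions only, so pre-release tags need a proper version library.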
APIs and cloud-friendly security products will drive security needs
Just as DAST solutions are driving budget decisions over the next few years, the trends point to APIs and cloud-friendly security also leading the pack in the future. According to Gartner, cloud security is forecast to have the strongest category growth in 2023. They predict that organizations will spend over $6 billion on cloud security efforts – a sizable growth of 26.8% year over year. Operating in the cloud reduces time to market and makes it easier to manage and scale application deployments. But as organizations also implement APIs in their cloud environments, they face unique challenges as threat actors get new avenues for API-based data access and attacks.
“Undocumented and otherwise unseen APIs remain hidden from the security radar because teams either lack the right security processes and tools to cover this attack surface or simply don’t know these APIs exist and can be accessed. That’ll become a bigger problem in the future without the right security checks in place, especially considering that APIs are easy to add but hard to test and even harder to detect if undocumented.”
Frank Catucci, Chief Technology Officer and Head of Security Research, Invicti Security
“Do you know every API you have? Is there a list that your DevSecOps professionals can easily reference? Most organizations say no, and then realize this means they don’t have the full picture of their security posture,” said Catucci. “In the next ten years, we’ll see a merging of SBOMs, greater API security, and more cloud-friendly products that reduce manual maintenance, improve systems and operations, and give a fuller picture of risk.”
Organizations will need to stay on top of their APIs and API usage if they want to properly scale, test, and secure these interfaces and the highly distributed applications that use them. Within the next decade, as more enterprises shift to the cloud and appreciate the importance of security for their APIs, we’ll see budgets shift to reflect these requirements and more cloud-native security solutions come to fruition.
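One practical way to start answering “do you know every API you have?” is to compare the routes a spec documents with the routes actually being served. The example below is added here and is not Invicti's code or from the article; it matches constructed access-log lines against constructed OpenAPI path templates and lists the routes that no spec entry covers, busiest first.

```python
import re
from collections import Counter

# Constructed OpenAPI 'paths' keys standing in for a real spec; {param}
# segments are path parameters.
OPENAPI_PATHS = ["/api/v1/users/{id}", "/api/v1/orders", "/api/v1/orders/{orderId}/items"]

# Constructed access-log lines (common log format); traffic to two routes the
# spec never mentions is mixed in with documented traffic.
ACCESS_LOG = """\
10.0.0.5 - - [01/Dec/2022:10:00:01 +0000] "GET /api/v1/users/42 HTTP/1.1" 200 512
10.0.0.5 - - [01/Dec/2022:10:00:02 +0000] "POST /api/v1/orders HTTP/1.1" 201 88
10.0.0.9 - - [01/Dec/2022:10:00:03 +0000] "GET /api/v1/orders/7/items HTTP/1.1" 200 640
10.0.0.9 - - [01/Dec/2022:10:00:04 +0000] "GET /api/v2/export?all=1 HTTP/1.1" 200 90210
10.0.0.9 - - [01/Dec/2022:10:00:05 +0000] "GET /internal/metrics HTTP/1.1" 200 3072
10.0.0.9 - - [01/Dec/2022:10:00:06 +0000] "GET /api/v2/export HTTP/1.1" 200 90210
"""

LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>[^ ?"]+)[^"]*" (?P<status>\d{3})')

def template_to_regex(template):
    """'/api/v1/users/{id}' -> regex that matches exactly one segment per {param}."""
    return re.compile("^" + re.sub(r"\{[^}]+\}", "[^/]+", template) + "$")

def normalize(path):
    """Replace numeric or UUID-like segments with {id} so one shadow route groups as one."""
    return re.sub(r"/(\d+|[0-9a-f-]{32,})(?=/|$)", "/{id}", path)

def find_undocumented(spec_paths, log_text):
    """Return [((method, route), hits)] for served routes no spec entry covers, busiest first."""
    documented = [template_to_regex(p) for p in spec_paths]
    seen = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if m and not any(rx.match(m["path"]) for rx in documented):
            seen[(m["method"], normalize(m["path"]))] += 1
    return sorted(seen.items(), key=lambda kv: (-kv[1], kv[0]))
```

Feeding the same comparison with gateway or load-balancer logs gives a first inventory of undocumented routes to bring under the scanner; the spec side needs only the path keys, so any OpenAPI document can be loaded in place of the constructed list.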
The next decade of cybersecurity – and beyond
Nobody can predict exactly what the next five to ten years will bring for cybersecurity, but the trends are clear: DAST, SCA, SBOMs, APIs, and cloud-native technologies will lead the pack, with a push toward increased AppSec budgets overall. “We’ll likely see new, previously unknown attack vectors coming to light over the next decade, especially as the world shifts to streamlined digital identities and more smart products in the home and in vehicles,” Catucci concluded. “But how we respond to today’s security challenges will set us up for responding quickly and efficiently to the challenges of tomorrow, which means we need to be diligent about modern cybersecurity while also keeping an eye on the winding road ahead.”
Join us on December 7th for a webinar to gain deeper insight from Frank Catucci on what we will likely see over the next decade in cybersecurity and what your organization can do to stay prepared. Register now for the Invicti webinar