From data to decision-making: Data security in 2019
In this article, Ralf Huuck goes over his predictions for how the field of data security will shake out in the new year. What’s in store for 2019? Hopefully, more standardization within the field and fewer data breaches overall.
There are a lot of high-quality security solutions available on the market. Each one comes with its own purpose, strengths, and data generated, whether we’re talking about penetration testing, log monitoring and intrusion detection, or automated application security testing solutions. While capabilities and technologies advance, they also create disproportionately more information and data points. It is easy to drown in this sea of information and lose sight of the essentials. As such, the key will be to fuse that data for making risk- and business-based decisions. The challenge is to find the needle in the haystack and to combine data from different methods and domains to obtain a holistic view.
In 2019, we don’t need more data. We need better decision making support.
Security has been a hot topic for years. At the same time, data breaches have become more common; by this point in time, most people have already signed up with one organization or another that has been breached. The initial shock and concern have slowly moved to acceptance and shoulder-shrugging. However, if we do not care enough about our security and privacy, it is unlikely that corporations will continue their effort and investment in protecting our data. As a result, easier and more common targets will appear, with more severe implications. Currently, autonomous technology and IoT infrastructure appear to be at high risk.
We won’t see fewer breaches in 2019, but we might care less until more physically evident disasters strike.
Security by design and standards
Software is still largely written without formal standards and processes behind it. Unlike building bridges, software development is not a standardized, repeatable job. Open source has been on the rise for a long time and is now commonplace. One can imagine that more trust will be placed in common building blocks based around open source software. Moreover, vertical software development standards will grow stronger. Safety-critical systems for cars and aircraft are the obvious examples. When lives depend on correct software execution, more effort will be placed on standards, auditability, and accountability. These standards may evolve bottom-up or will be government regulated. Potential new verticals on the rise for this are financial services, solutions around blockchain, and security around mobility solutions.
We might see a rise of consortia within verticals to establish more domain-specific security standards, improving trust and interchangeability. Much of this might be built on open source components.
As Gary McGraw, Vice President of Security Technology at Synopsys, said, “DevOps is great, except for when it comes to secure design. We’ve been automating security analysis at the code level and pen testing at the application level for over a decade, and that automation is perfectly suited for DevOps. The same cannot be said for design analysis, also called threat modeling. The lack of automation for architectural risk analysis will mean that in many cases it is conveniently left out (oops, we’ll just sweep that under the rug). This is becoming a more tangible problem as DevOps adoption progresses.”
Software design flaws are the new target
All of this means that software design flaws will be on the rise as targets of attack. Witness the recent Facebook and Google+ attacks that led to massive data loss. Design flaws are much harder to find and fix than simple bugs. As a result, even very strong software security groups sometimes miss them during review. In my experience, flaws and bugs as software defects split around 50/50. Once the really dumb bugs are gone, that leaves the flaws hanging out there ripe for attack.
In general, software will continue to grow as an attack vector, second only to humans. Software, software, software. As the pile of software grows and becomes ever more distributed, the attack surface grows as well. We are not making less software these days, we’re making more. Now that software has worked its way into the lifeblood of society, we have a bigger problem than when it was only the domain of geeks.
For example, your IoT stuff has lots of software in it. We then have to ask, “How secure is your IoT stuff?” When it comes to security, devices, gadgets, and consumer electronics are not secure by default. If your gizmo maker does not mention security, do not assume the thing you bought is secure.
IoT remains a security disaster waiting to happen. One of the main problems is that there is no way to update the broken software and hardware running inside of IoT devices when new security problems are discovered. IoT needs to be secure by design and secure by implementation. Firewalls on the network will not fix this problem.
In fact, IoT represents only part of the problem. The “inventory” problem (that is, what is running where, who made it, what its constituent parts are) is exacerbated by the move to the cloud and massively distributed architectures. Gary McGraw explains why this is such a problem in his article, “The New Killer App for Security: Software Inventory”. Unfortunately, things are going in the wrong direction.
Should we despair?
No! Software security is growing. The BSIMM shows that software security is growing as a field. Many companies are catching on and making progress. Even retail is in the game now. We know what to do. Now, we just have to do it.