This article was originally written by Joe Ferrara for VMBlog.com.
2023 was a tough year for the cyber security industry, with just the first nine months of the year showing a 20% increase in data breaches compared to all of 2022. As we enter a new year, this threat landscape is expected to become even more menacing with cyber criminals turning to new techniques including AI. Overall cyber threats are set to cost businesses $10.5 trillion globally by the end of 2025. Organizations must prioritize cyber resilience in their 2024 planning. With 28,092 new CVEs published in 2023, an increase of over 15% compared to the previous year, this planning should include a focus on software security, both in terms of internally developed code and third-party software vendors.
To build resilience, organizations must increase awareness and take a continuous approach to education. All enterprises should be aware of the importance of secure code and, more importantly, how to adopt better security principles, and it is up to the security industry to communicate the implications of insecure software on overall security posture. Without this, organizations are missing out on basic cyber hygiene, which drastically increases their risk exposure.
Organizations need to be better at core security principles
As long as companies prioritize security below speed to market, we will likely continue to see cyber criminals reusing old tactics to exploit persistent vulnerabilities. The oversight of basic security measures in most businesses gives threat actors the perfect opportunity to strike over and over again using the same attack methods. Although we may see some more sophisticated attacks emerge from more advanced criminal groups, many will continue attacking businesses at their weakest points with rather simple methods. This highlights the importance of developing a better understanding of security essentials such as threat modelling, secure design, secure coding, and patch management, to protect against a wider range of threats.
A human touch will remain essential
While AI has clear benefits in the software development lifecycle, it also presents risks. Forrester has predicted that 2024 will see multiple public breaches attributed to insecure AI-generated code. This brings to light the critical importance of maintaining a human aspect in software development. The problem with AI-generated code is that it can be based on open-source, unknown, or insecure code, and although AI will continue to grow more sophisticated with time, it will always be reliant on the information it is trained on. Recently, a presidential executive order laid out plans to focus on building more secure AI systems through red-team testing. To ensure high-quality AI output, however, such measures must be combined with an emphasis on oversight by well-trained human developers and thorough code reviews, treating the generated code as a starting point.
The ongoing fallout of the MOVEit breach will echo through 2024, leading to a focus on secure code, particularly from code-generating services. Responsibility will be placed in the hands of AI developers to train the systems with tested, high-quality code, and on business leaders to invest in secure coding training programs that empower the whole SDLC with the skills to detect code vulnerabilities and follow best practices. By bringing in targeted, role-based training for their software development teams, organizations will be building a solid foundation on their path towards cyber resilience.
The road to secure code regulations
2023 saw a continued push towards an ethos of 'secure by design' in regulation, framework, and guidance, but without specificity on how to achieve it. Overarching secure coding mandates are hard to implement due to different industries having a wide variation in application priorities, sensitivities, value to cyber criminals, and times to market. This means that more general guidance often fails to meet the needs of any particular situation and often companies take the easiest or fastest route to avoid losing development time. New CVEs are discovered all the time, but the reputational and financial impacts of this alone don't seem to be enough to convince software vendors to change their approach. In 2024, if the industry wants to see real change, this will have to come from more proactive leadership and not just "checking the box".
This year, the Payment Card Industry Data Security Standard (PCI DSS) 4.0 demands more stringent secure coding practices from its vendors. Its inclusion in requirement 6.2 of the standard is a striking example of the PCI Council pushing for real change: building security into products from the start. In 2024, competitive pressures and customer contractual obligations will have the most impact in bringing more secure software to the market, while the regulatory changes will take time to see real adoption.
Security vendors must remain vigilant
2024 will likely see an increase in attacks on security vendors, similar to what we have already seen with SolarWinds and Okta. Given the very nature of what they do, they are particularly lucrative targets for threat actors, as they usually store large amounts of sensitive data themselves and have privileged access to their clients' systems, so criminals will be looking to exploit them as a way to reach larger corporations and gain higher rewards.
Often the way in is through software vulnerabilities, so it is essential that all security software vendors take proactive and robust measures to better secure their own code and avoid becoming a threat vector themselves. Development teams should undertake continuous secure coding education to ensure that the applications and APIs they build and use meet a high security standard, reducing the risk of exploitation. As we go into 2024, the vendors maintaining a competitive edge will be those that hold themselves to a higher security standard than the rest.