2020 vision: Synopsys predictions
Steve Cohen, Security Services Manager...
Happy New Year! To kick off 2020, the leadership team at Synopsys share their predictions for the year to come.
Steve Cohen, Security Services Manager at Synopsys:
Focus: Cloud Security
“In 2020, I believe we’ll see the accelerated adoption of finer granular objects to drive efficiencies. As developers adopt these finer granular objects within their cloud applications, such as containers, microservices, micro-segmentation, and the like, security testing tools will need to be object aware in order to identify unique risks and vulnerabilities introduced by utilizing these objects.
I anticipate that new approaches to collecting security related data may become necessary in the cloud. In addition to application logs, cloud API access will be seen as necessary. There will also be a growing focus on centralized logging in the upcoming year.
In addition to application security, the cloud management plane will become an additional security layer that needs addressing in 2020. Developers, for example, will require access to the management plane to deploy applications. Incorrect settings here could expose the application to security risks as sensitive information flows through it.
Reduced transparency around what’s going on within a given application will likely be a growing trend. A cloud provider doesn’t necessarily tell you what security controls exist for the PaaS services they expose to you. Businesses will therefore need to make some assumptions about their security considerations and stance.
In terms of data security and integrity in the cloud, there will be more of a need to have proper policies in place so prevent improper disclosure, alteration or destruction of user data. Policies must factor in the confidentiality, integrity and availability across multiple system interfaces of user data.
In 2020, the adoption of PaaS and serverless architecture will provide even more of an opportunity to dramatically reduce the attack surface within the cloud.”
Tim Mackey, Principal Security Strategist at the Synopsys CyRC (Cybersecurity Research Centre):
Focus: General Cybersecurity
“Cyber-attacks on 2020 candidates will become more brazen. While attacks on campaign websites have already occurred in past election cycles, targeted attacks on a candidate’s digital identity and personal devices will mount.
With digital assistants operating in an “always listening” mode, an embarrassing “live mic” recording of a public figure will emerge. This recording may not be associated directly with a device owned by the public figure, but rather with them being a third party to the device. For example, the conversation being captured as “background noise”.
With the high value of healthcare data to cybercriminals and a need for accurate healthcare data for patient care, a blockchain-based health management system will emerge in the US. Such a system could offer the dual value of protecting patient data from tampering while reducing the potential for fraudulent claims being submitted to insurance providers.”
Emile Monette, Director of Value Chain Security at Synopsys:
Focus: General Cybersecurity
“In the year to come, I anticipate that we’ll see continued developments in software transparency (e.g., NTIA Software Component Transparency efforts). Additionally, a continued need for software testing throughout the software development life cycle (SDLC) will also persist as a focus in 2020—most assuredly a positive step in terms of firms understanding the criticality of proactive security maturity. I also have reason to believe we’ll see increased efforts to secure the hardware supply chain, and specifically efforts to develop secure microelectronic design and fabrication will come into focus in the upcoming yearb”
Asma Zubair, Sr. Manager, IAST Product Management at Synopsys:
Focus: Endpoint Security
“In 2020, we know that attackers will continue to exploit all applications, end-points, and networks they possibly can. This includes, but isn’t limited to, web and mobile apps (internal or external), IoT devices in smart homes, and even the 5G network as it is being rolled out. Attackers will also continue to use the latest and greatest technologies (be it in machine learning, AI, or open source components that are freely available) to carry out ever-more sophisticated attacks at even greater scale. At the same time, organizations will continue to struggle as they try to balance competing priorities: the need to improve security, reduce time to market, and complete projects within budget and time constraints.
As we look to what will change in the year to come, California's SB-327 IoT bill will take effect on Jan 1, 2020 requiring manufacturers to build reasonable security into their connected devices. This is a step in the right direction as it will establish minimum standards and improve security of IoT devices available in the market. I anticipate there will be more legislative activity in 2020, especially in the US. The California Consumer Privacy Act will also take effect on January 1, 2020. I expect more states to follow suit. If done properly, regulations will bring about the accountability needed to improve the overall state of cybersecurity.
We saw several high-profile GDPR-related lawsuits, fines, and settlements in 2019. I wouldn’t be at all surprised to see more of these to hit the headlines in the coming year.
Organizations tend to focus a good deal of attention to their end-point protection and network security, and this is indeed very important. But applications, another very critical piece in the overall security puzzle, often don’t get as much attention and therefore tend to become a weak link in terms of security. Organizations need to test their applications throughout the development process for security vulnerabilities using methods such as interactive application security testing (IAST), static application security testing (SAST), or dynamic application security testing (DAST). They must also actively work to address the vulnerabilities detected by these testing methods.”
Kimm Yeo, Senior Manager at Synopsys:
“The introduction of wireless broadband communication technologies such as 4G and LTE haven’t only affected consumer lifestyles. Such technology has also fueled the growth of ride-sharing business models. Although the adoption of LTE has been broad based, with over 600 carriers in 200 countries deployed, and over 3.2 billion subscribers worldwide (as of 2018), the enhanced user experience and convenience hasn’t come without a price. Several dozen new security flaws related to LTE have been identified through fuzz testing.
As both cellular and wireless technologies continue to advance to 5G, 6G and beyond, this will not only greatly reduce latency and improve the user experience, it will also open the door to new attack surfaces and attack strategies. It’s extremely difficult to anticipate and prevent such malicious advances in the increasingly connected ecosystems and lifestyles in which we all live. However, this is something we should strive to improve upon in the not-so-distant future.”
Dennis Kengo Oka, Senior Solution Architect at Synopsys:
“There are two major trends emerging. The first is the concept of CASE (connected, autonomous, shared, electric). As technologies such as 5G lead to increased connectivity alongside advances in proprietary and open source software (e.g., Automotive Grade Linux), we’ll see targets move beyond the vehicle. Malicious actors will leverage new, evolving attack vectors in backend systems, mobile apps, infrastructure and services relating to automotive technologies.
The second major trend we’ll see in 2020 is that of standardization and regulations such as ISO/SAE 21434 and UNECE WP.29 driving cybersecurity activities in the automotive industry. This will lead to changes in organizational teams and processes, including the addition of security gates such as static code analysis, open source risk management, fuzz testing, and penetration testing to implement security throughout the entire vehicle life cycle. An increased focus on automated test processes and toolchains will continue to emerge as well in the year to come.”
IT Employees Predict 90% Increase in Cloud Security Spending
As companies get back on their feet post-pandemic, they’re going all-in on cloud applications. In a recent report by Devo Technology titled “Beyond Cloud Adoption: How to Embrace the Cloud for Security and Business Benefits”, 81% of the 500 IT and security team members surveyed said that COVID accelerated their cloud timelines. More than half of the top-performing businesses reported gains in visibility. In fact, the cloud now outnumbers on-premise solutions at a 3:1 ratio.
But the benefits are accompanied by significant cybersecurity risks, as cloud infrastructure is more complex than legacy systems. Let’s dive in.
Why Are Cloud Platforms Taking Over?
According to Forrester, the public cloud infrastructure market could grow 28% over the next year, up to US$113.1bn. Companies shifting to remote work and decentralised workplaces find it easy to store and access information, especially as networks start to share more and more supply chain and enterprise information—think risk mitigation platforms and ESG ratings.
Here’s the catch: when you shift to the cloud, you choose a more complex system, which often requires cloud-native platforms for network security. In other words, you can’t stop halfway. ‘Only cloud-native platforms can keep up with [the cloud’s] speed and complexity” and ultimately increase visibility and control’, said Douglas Murray, CEO at cloud security provider Valtix.
Here’s a quick list of the top cloud security companies, as ranked by Software Testing Help:
What are the Security Issues?
Here’s the bad news. According to Accenture, less than 40% of companies have achieved the full value they expected on their cloud investments. All-in greater complexity has forced companies to spend more to hire skilled tech workers, analyse security data, and manage new cybersecurity threats.
The two main issues are (1) a lack of familiarity with cloud systems and (2) challenges with shifting legacy security systems to new platforms. Out of the 500 IT employees from Devo Technology’s cloud report, for example, 80% said they’d sorted 40% more security data, suffered from a lack of cloud security training, and experienced a 60% increase in cybersecurity threats.
How Will Companies React?
They certainly won’t stop investing in cloud platforms. Out of the 500 enterprise-level companies that Devo Technology talked to throughout North America and Western Europe, 90% anticipated a jump in cloud security spending in 2021. They’ll throw money at automating security processes and investing in security upskilling programmes.
After all, company executives will find it incredibly difficult to stick with legacy systems when some cloud-centred companies have found success. Since moving from Security Information and Event Management (SIEM) offerings to the cloud, Accenture has saved up to 70% on its processes; recently, the company announced that it would invest US$3bn to help its clients ‘realise the cloud’s business value, speed, cost, talent, and innovation benefits’.
The company stated: ‘Security is often seen as the biggest inhibitor to a cloud-first journey—but in reality, it can be its greatest accelerator’.