Last Updated on March 8, 2022
What emerging trends will reshape the cybersecurity industry in 2022? John Verry, CISO and Managing Partner at Pivot Point Security, shares his 2022 forecast in a consultative format on a recent episode of The Virtual CISO Podcast.
John’s #7 prediction directly reflects pressure from regulators, the US government and other stakeholders in the wake of the SolarWinds breach: software security practices will garner greater attention in 2022 as they increasingly become mandated or required to do business.
“Software Bill of Materials”
There are multiple drivers for increasing software security in 2022. One is pervasive concern about more nation-state level attacks on the software supply chain. “It’s really the only logical response to the SolarWinds breach,” John reflects. “If you can inject software into somebody else’s software that’s being used and trusted by lots of organizations, that gives you an insane level of access.”
Another driver is the presidential executive order from May 2022, which directs the FTC to come up with labeling approaches for software and IoT devices. In this context, the term “software bill of materials” will soon have a lot more buzz. It relates to approaches to address rampant API-related risk.
“That way we have a better understanding, when somebody provides us with software, about whether it has been developed securely, and also whether the third-party libraries that it’s leveraging, perhaps open-source libraries, are properly validated to be secure,” explains John.
Greater API risk
John also believes that API risk is going to manifest in a big way in 2022.
“I think we’re going to see what I call evolving API risk, and cybercrime that begins to exploit API risk,” John cautions. “Increasingly, software is truly eating the world. And increasingly with IoT devices and cloud services these services talk to each other. Your cloud services are talking to lots of other cloud services. If those APIs are not designed optimally, if I can get inside your org, maybe I stop moving laterally and try to use ransomware, or maybe I start to see what I can do in terms of manipulating those APIs if they’re not properly protected. There’s been some interesting proof of concept attacks of this nature. I think we’re going to see a little bit more of that.”
Greater reliance on SaaS
Another major driver for focusing on software security is the ongoing shift to a DevSecOps, continuous development world.
“As SaaS becomes critical to us, we’re increasingly at a point where what used to be hardware is now software,” says John. “You’ve heard the term ‘infrastructure as code.’ You can deploy a data center—not just a server, not only an application, but a data center with network infrastructure, firewalls, servers… all using virtualization and container technologies, and all done as code.”
“And if that code is not properly secured, then none of that infrastructure is secure,” John underscores.
Interested in best-practice approaches to bring security into the flow of your software development process? This podcast episode is just what you’re looking for: EP#74 – Harshil Parikh – Bridging the Gap Between Security & Development Teams