
The biggest security challenges of 2023

BY JENNA SARGENT BARRON

Security will continue to cause headaches in 2023. Companies will still have to deal with the familiar issues, such as supply chain security and preventing ransomware, but a number of them also see other issues on the horizon for 2023.

Supply chain attacks are ones in which the attackers are targeting something within the business that the business depends on. In the context of software security, this usually means parts of the development toolchain are being targeted.

For example, a major instance of a supply chain vulnerability you might be familiar with is the one in the Apache Log4j library, which is a Java library for logging in applications that is widely used.

According to Matthew Appleton, ecommerce manager of candy company Appleton Sweets, supply chains can be really complex and challenging to comprehend, which makes them hard to manage.

“Any entity’s security (and resilience) depends on the security (and resilience) of all of the hardware, software, people, procedures, etc. that it depends on because of the many interdependencies between them. Despite the fact that third-party audits, data security agreements, and standards all might be helpful, the issue is extremely complex and is likely to continue,” said Appleton.

Jeff Williams, co-founder and CTO of Contrast Security, agrees that supply chain security will continue to be an issue.

He noted that there are only a “handful of security researchers” who work on analyzing open source libraries. He predicts that at least two or three significant zero day disclosures will happen next year.

“Attackers will leverage these vulnerabilities not only to steal data, but also to install malware, run ransomware, and mine cryptocurrency,” he said.

Impacts of the economy and government regulations

Tech companies haven’t been immune from the economic downturn that the US has been experiencing for the past several months. A number of companies, big and small, have laid off large portions of their workforce.

For example, Meta recently laid off 11,000 employees, Amazon is reportedly planning to lay off up to 10,000 corporate employees, Stripe laid off 1,100 employees, and so on.

These layoffs have Justin Foxwood, solution engineer at IT services company TBI, predicting that the biggest challenge in 2023 will be keeping up with security measures amidst budget cuts.

“Businesses of all sizes are continuing to experience breaches and cyberattacks, so it’s never been more important to have the proper measures in place. However, when tougher economic times are on the horizon, it can be easy to cut some security measures that companies may not think are necessary. In 2023, we’ll see an increase in all types of cyberattacks from DDoS to Malware, so businesses need to remain vigilant. Cutting security employees will prove to be a costly mistake as companies will need to continue updating software and making any necessary patches as breaches become more complex,” he said.

Fortunately there will be some pressure on companies to be more secure in order to meet the recent measures set by the White House to improve security.

For example, last year President Biden signed an executive order, “Improving the Nation’s Cybersecurity,” which sets strict guidelines on software developed for the federal government. It requires software bills of materials (SBOMs), establishes a zero trust strategy, improves remediation capabilities after data breaches, and more.

“By the end of 2023, we know that any company building software will have to publicly attest to their software security practices and create SBOMs under the Cybersecurity Executive Order and OMB regulations,” said Williams. “In 2023, organizations will adopt new technologies to track appsec test results, appsec processes, development of SBOMs, and runtime protection. We’ll see folks get much smarter around the management of the information.”

Other priorities for 2023

attacks, a number of companies have other priorities for the coming year.

Human Error

Another area companies will need to continue focusing on is training their employees to follow best practices.

Security tools can only do so much, and good security training can help reduce the risk of someone accidentally clicking on a phishing email or falling victim to some other sort of social engineering attack.

Gilad Zilberman, CEO of ticketing company SeatPick, plans to invest more heavily in security training for its personnel, with a particular emphasis on its IT and security employees. In addition, to test the effectiveness of the training, they’ll run breach tests to see how employees respond after the training.

“Minimizing human error is one of the best ways to secure your company in 2023, and we will be working full speed to tackle this challenge,” said Zilberman.

Shift Smart

Contrast Security’s Williams believes companies need to do away with the notion of shifting left. Rather, they will need to instead “shift smart.”

“In 2023, more organizations will realize that they need to stop naively shifting everything left without considering where security can be done most accurately and cost-efficiently. Shifting smart takes advantage of additional context available as software goes through a development pipeline,” said Williams.

According to Williams, not every issue can even be addressed early in the life cycle. Many issues require additional context to deal with, so they should be handled later in the life cycle, when that context is available.

Remote Work

Though remote work is not new at this point, Evgen Verzun, founder of crypto company Kaizen.Finance, believes it will be a concern in the coming year from a security perspective.

Hackers will become more innovative in their approaches to targeting remote workers. Businesses are also struggling with ensuring privacy as their teams become more scattered.

“Remote employment frequently results in an increase in ransomware, phishing, and social engineering attacks. To address attacks related to remote workplaces, businesses must adopt a zero-trust policy, assuming that every device and user is a possible attacker,” he said.

Zero Trust

According to Verzun, in zero trust environments, data and resources are unreachable by default. Using least-privilege access, users can only gain access to data under certain conditions.

Zero trust is a relatively new practice, but it is gaining traction, and is one of the key points of the executive order on reducing cyberattacks.
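The default-deny, least-privilege model described above, as an added example that is not part of the original article: a small policy evaluator in which nothing is reachable unless an explicit rule grants that exact action, and every grant is conditional on the request's context (role held, MFA present, device posture). The rule and request fields are assumptions for illustration, and the sample policy is constructed.

```python
"""Zero-trust style access check: deny by default, grant only on explicit,
conditional, least-privilege rules. Added example; field names are assumed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Request:
    user: str
    roles: frozenset            # roles asserted by the identity provider
    action: str                 # e.g. "read" or "write"
    resource: str
    device_compliant: bool      # endpoint passed a posture check
    mfa: bool                   # session carries a second factor


@dataclass(frozen=True)
class Rule:
    resource: str
    action: str
    role: str
    require_mfa: bool = True
    require_compliant_device: bool = True


# Constructed sample policy: one action on one resource per role, nothing more.
POLICY = (
    Rule("payroll-db", "read", "finance"),
    Rule("payroll-db", "write", "payroll-admin"),
    Rule("wiki", "read", "employee", require_mfa=False),
)


def evaluate(req, policy=POLICY):
    """Return (allowed, reason). Any request not matched by a rule whose
    conditions all hold is denied; the reason is kept for audit logging."""
    reasons = []
    for rule in policy:
        if (rule.resource, rule.action) != (req.resource, req.action):
            continue
        if rule.role not in req.roles:
            reasons.append(f"role {rule.role} not held")
            continue
        if rule.require_mfa and not req.mfa:
            reasons.append("MFA required")
            continue
        if rule.require_compliant_device and not req.device_compliant:
            reasons.append("device failed posture check")
            continue
        return True, f"granted: {rule.role} may {rule.action} {rule.resource}"
    return False, "denied: " + ("; ".join(reasons) or "no matching rule (default deny)")
```

Every outcome, including the deny reason, is something a practitioner would ship to the audit log so that repeated posture or MFA failures for one user stand out in detection.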

“Zero-trust technologies will continue to be deployed across the U.S. government. We should see a rise in the testing of zero trust defenses and reports to Congress, including through hearings, about the U.S. government’s increasing cybersecurity effectiveness. Congress should push to hold the U.S. federal government accountable for real progress over the coming year,” predicted Jonathan Reiber, vice president of cybersecurity strategy and policy at risk company AttackIQ, and former chief strategy officer for cyber policy in the Office of the U.S. Secretary of Defense in the Obama administration.

Gartner predicts that by 2025, 60% of “organizations will embrace zero trust as a starting point for security.”

Travis Lindemeon, managing director of Nexus IT Group, an IT staffing company, said: “The Zero Trust cloud security architecture is one of the most significant innovations in cloud security in recent years. This design assumes that an attack has already occurred in the network. Everyone has complete access to all systems and information. Many problems that people and businesses experience in the present are mitigated by zero-trust architecture.”

March 13, 2020. Friday the 13th. That’s when a large number of companies shut their offices to prevent the spread of a deadly virus, COVID-19. Many thought this would be a short, temporary thing.

They were wrong.

The remainder of 2020 and 2021 were spent trying to figure out how to get an entire workforce to work remotely, while still being able to collaborate and innovate. Sales of cloud solutions soared. Much of the new software companies invested in required training just to get up to speed.

But training in the form of in-person conferences ceased to exist, and organizers sought to digitalize the live experience to closely resemble those conferences.

Fast forward to 2023. The software and infrastructure organizations have put in place enabled them to continue to work, albeit not necessarily at peak performance. Most companies today have figured out the ‘what’ of remote work, and some have advanced to the ‘how.’

But this move to digital transformation has provided organizations with tools that can help them work even more efficiently than they could when tethered to an on-premises data center, and they are only now starting to reap the benefits.

Thus, the editors of SD Times have determined that 2023 will be “The Year of Continuous Improvement.” It will, though, extend beyond 2023.

Bob Walker, technical director at continuous delivery company Octopus Deploy, said, “The way I kind of look at that is that you have a revolution, where everyone’s bought all these new tools and they’re starting to implement everything. Then you have this evolution of, we just adopted this brand new CI tool, or this brand new CD tool, whatever the case may be. And then you have this evolution where you have to learn through it, and everything takes time.”

Development managers, or a team of software engineers, or QA, have to worry about making sure they’re delivering on goals and OKRs, to ensure the software they deliver has value. So, Walker noted, “it’s a balance between ‘what can we do right now’ versus ‘what can we do in a few months’ time’? What do we have right now that is ‘good enough’ to get us through the next couple of weeks or the next couple months, and then start looking at how we can make small changes to these other improvements? It can be a massive time investment.”

Show me the metrics

Continuous improvement begins with an understanding of what’s happening in your product and processes. There are DevOps and workflow metrics that teams can leverage to find weaknesses or hurdles that slow production or are wasteful time sucks, such as waiting on a pull request. Mik Kersten, who wrote the book “Project to Product” on optimizing flow, holds the view that continuous improvement needs to be driven by data. “You need to be able to measure, you need to understand how you’re driving business outcomes, or failing to drive business outcomes,” he said. or the Agile team, but the level of the organization.”

Yet, like Agile development and DevOps adoption, there’s no prescription for success. Some organizations do daily Scrum stand-ups but still deliver software in a “waterfall” fashion. Some will adopt automated testing and note that it’s an improvement. So, this begs the question: Isn’t incremental improvement good? Does it have to be an overarching goal?

Chris Gardner, research analyst at Forrester, said data bears out the need for organization-wide improvement efforts, so that as they adopt things like automated testing, or value stream management, they can begin to move down the road in a more unified way, as opposed to simply being better at testing, or better at security.

“When we ask folks if they’re leveraging DevOps or SRE, or platform methodologies, the numbers are usually pretty high in terms of people saying they’re doing it,” Gardner said. “But then we ask them, the second question is, are you doing it across your organization? Is every application being supported this way? And the answer is inevitably no, it’s not scaled out. So I believe that continuous improvement also means scaling out success, and not just having it in pockets.”

BY DAVID RUBINSTEIN

2023: YEAR OF CONTINUOUS IMPROVEMENT

For Gardner, continuous improvement is not just implementing new methodologies, but scaling the ones you have within your organization that are successful, and perhaps scaling down the ones that are not. “Not every approach is going to be a winner,” he said.

Eat more lean

Agile programming, DevOps and now value stream management are seen as the best-practice approaches to continuous improvement. These are based on lean manufacturing principles that advanced organizations use to eliminate process bottlenecks and repetitive tasks.

Value stream management, particularly, has become a new driver for continuous improvement.

According to Lance Knight, president and COO of VSM platform provider ConnectALL, value stream management is a human endeavor performed with a mindset of being more efficient. “When you think about the Lean principles that are around value stream management, it’s about looking at how to remove non-value-added activities, maybe automate some of your value-added activities and remove costs and overhead inside your value stream.”

Value stream management, he noted, is a driver of continuous improvement. “You’re continually looking at how you’re doing things, you’re continually looking at what can be removed to be more efficient,” he said.

Knight went on to make the point that you can’t simply deploy value stream management and be done. “It’s a human endeavor, people keep looking at it, managing it, facilitating it to remove waste,” he said. So, to have a successful implementation, he advised: “Learn lean, implement, map your value stream, understand systems thinking, consistently look for places to improve, either by changing human processes or by using software to automate, to drive that efficiency and create predictability in your software value stream.”

At software tools provider Atlassian, they’re working to move software teams to mastery by offering coaching. “Coach teams help [IT teams] get feedback about their previous processes and then allow for continuous improvement,” said Suzie Prince, head of product, DevOps, at Atlassian. In Compass, Atlassian’s developer portal that provides a real-time representation of the engineering output, they’ve created CheckOps, which Prince described as akin to a retrospective. “You’re going to look at your components that are in production, and look at the health of them every day. And this will give you insights into what that health looks like and allow you again to continuously improve on keeping them to the certain bar that you expect.”

Another driver of continuous improvement, she said, is the current economic uncertainty. With conditions being as they are, she said, “We know that people will be thinking about waste and efficiency. And so we also will be able to provide insights into things like this continuous flow of work and reducing the waste of where people are waiting for things and the handoffs that are a long time. We want to use automation to reduce that as well. All which I think fits in the same set of continuously improving.”

Key to it all is automation

Automation and continuous improvement are inextricably tied together, as SD Times has heard in many conversations with practitioners over the course of the year. Automation is essential to freeing high-level engineers from repetitive, mundane tasks, and it adds reliability to work processes.

So whether it’s automation for creating and executing test scripts, or for triggering events when a change to a code base is made, or implementing tighter restrictions on data access, automation can make organizations more efficient and their processes more reliable.

When starting to use automation, according to John Laffey, product strategy lead at configuration management company Puppet (now a Perforce company), you should first find the things that interrupt your day. “IT and DevOps staffs tend to be really, really interrupt-driven, when I get out and talk to them,” he said. “I hear anything from 30% to 50% of some people’s time is spent doing things they had no intention of doing when they logged on in the morning. That is the stuff you should automate.”

By automating repetitive little things that are easy fixes, that’s going to start freeing up time to be more productive and innovative, Laffey said. On the other hand, he said there’s no point in automating things that you’re going to do once a month. “I once had a boss that spent days and days writing a script to automate something we did like once a quarter that took 15 minutes. There’s no return on investment on that. Automate the things that you can do and that others can use.”

