2024 DevSecOps Predictions - Part 2
January 23, 2024

DEVOPSdigest asked industry experts how they think DevSecOps will evolve and impact development and application security in 2024. Part 2 covers risks and vulnerabilities.

Start with: 2024 DevSecOps Predictions - Part 1

AI-Generated Code Vulnerabilities

AI will play a significant role in generating code, allowing for faster development with fewer human resources. But as code inevitably becomes more like open-source software, AI-generated vulnerabilities will become a bigger concern. The speed at which AI-assisted developers work will underscore the importance of enhanced application visibility and security, as developers may lack the full understanding of their AI-generated output.
Shahar Man
Co-Founder & CEO, Backslash Security

Overconfidence in Generative AI code will lead to generated AI vulnerabilities: As more and more developers use generative AI to successfully help build their products, 2024 will see the first big software vulnerabilities attributed to AI-generated code. The success of using AI tools to build software will lead to overconfidence in the results and ultimately a breach that will be blamed on the AI itself. This will lead to a redoubling across the industry of previous development practices to ensure that all code, written by both developers and AI, is analyzed, tested, and compliant with quality and security standards.
Phil Nash
Developer Advocate, Sonar

EMA'S 2024 CYBERSECURITY PREDICTIONS

Chris Steffen, VP of Research covering Information Security, Risk, and Compliance Management at Enterprise Management Associates (EMA), and Ken Buckler, Research Analyst covering Information Security at EMA, make 2024 cybersecurity predictions on the Cybersecurity Awesomeness Podcast.


AI VULNERABILITIES

In 2024, the software landscape will witness a swift surge in AI integration, posing challenges for organizations that must understand how these tools are adopted. DevOps professionals become frontline defenders, addressing risks from data privacy to new attack vectors. This will make a strategic Software Bill of Materials (SBOM) crucial to enhance transparency and proactively manage AI-related components, empowering organizations to navigate this transformative era confidently.
Tyler Warden
SVP of Product, Sonatype

COMPROMISED AI DEVELOPMENT

Organizations' inability to identify the lineage of AI is going to lead to an increase in software supply chain attacks in 2024. Over the course of the last year, organizations have been heavily focused on how to prevent cyberattacks on AI. There's only one problem: everyone is focusing on the wrong aspect. Many security teams have zeroed in on threats against AI once it's deployed. Organizations are concerned about a threat actor using AI to prompt engineering, IT, or security to take action that could lead to a compromise. The truth is that the best time to compromise AI is when it is being built. Much like the majority of today's software, AI is primarily built from open-source software. The ability to determine who created the initial AI models, with what bias, which developer with what intent, is by and large far more critical to preventing gaps in an organization's security posture. I suspect that few organizations have considered this approach, and as a result, we'll see all kinds of interesting challenges and issues emerge in the coming months.
Javed Hasan
CEO and Co-Founder, Lineaje

GenAI ATTACKS

As the use of GenAI becomes more pervasive, the likelihood of someone inputting sensitive information increases. I wouldn't be surprised to learn that, in 2024, a GenAI platform is hacked and some juicy data is discovered. People need to think about where the sensitive information they share goes before it ends up in the wrong hands — but they probably won't before it's too late.
Anna Belak
Director, Office of Cybersecurity Strategy, Sysdig

GenAI leaks will put software supply chains at risk. Careless use of AI will lead to massive secrets leaks, resulting in all kinds of creative supply chain attacks. The known prevalence of poorly managed passwords, keys, and other sensitive information means that any code, configuration, or file someone sends to a GenAI API is a disaster waiting to happen.
Anna Belak
Director, Office of Cybersecurity Strategy, Sysdig

SDLC ATTACKS

Amidst the rising attention of open source security, a newer threat will continue to grow in 2024. We won't see just vulnerabilities but a surge in malicious components strategically designed to attack the Software Development Life Cycle (SDLC) itself. Developers' machines and environments will become the new battleground as bad actors seek entry into organizational estates. This underlines the urgent need for a robust defense system against attacks and equipping developers with the necessary tools to do so.
Tyler Warden
SVP of Product, Sonatype

HACKERS TARGETING DEVELOPERS

Hackers will prioritize targeting developers. As the development environment and the developers themselves continue to be highly valuable assets, they have become the primary focus for malicious actors. With their privileged access to corporate computer systems, developers are now the top target for hackers. These cybercriminals are well aware that development and CI/CD environments are often less secure compared to internet-facing production environments. Consequently, phishing campaigns will increasingly be aimed at developers, aiming to pilfer their authentication tokens and other critical secrets utilized in the development cycle.
Eric Fourrier
CEO and Co-Founder, GitGuardian

DEVOPS CYBERCRIMINALS

Cyber Adversaries Will Unleash DevOps Expertise: We will see skilled cybercriminals with advanced expertise in DevOps, IT, and Security, unlike anything we've seen before. These adversaries will leverage their target’s existing IT stack to meet their malicious needs. They’ll do this by manipulating security controls to establish and maintain persistence and evade detection — without the need for malware.
Sam Rubin
VP of Unit 42 Consulting, Palo Alto Networks

ZOMBIE API

There is a problem with API sprawl that will become worse in 2024: the rise of Zombie APIs within enterprise organizations, and the security threat these troublesome APIs pose. Zombie APIs are endpoints that are no longer maintained yet are still active. They may be unused endpoints, old features never officially deprecated, or forgotten development or testing environments. And as infrastructures scale larger and add complexity, API sprawl worsens. Zombie APIs are a type of technical debt that could pose a legitimate threat if left to rot.
Joshua Scott
Head of Security and IT, Observability, Postman

API ATTACKS

As more enterprises rely heavily on their software application architecture, APIs are essential for business-critical solutions. Even though the number of APIs introduced in the market is increasing day by day, API security is not scaling at the same rate. In 2024, DevSecOps teams need to prepare for an increase in API Security breaches from authenticated attackers that have signed up as legitimate-looking customers or partners. Firewalls and gateways alone aren’t going to cut it. Instead, DevSecOps need to build an effective API Security strategy that measures and manages the API attack surface from the inside – by employing continuous API threat detection and incident response monitoring.
Robert Dickinson
VP of Engineering, Graylog

Secure API development will become more prevalent in 2024 as organizations struggle to manage the automated attacks targeting their API ecosystem. For an unlucky number of organizations, data breaches will be the result of a compromised API. While SDLC practices are well intended, they aren't equipped to address complex attacks targeting flaws in the design and implementation of an API or application's business logic. Most organizations don't have visibility into their APIs because they lack complete and up-to-date API schema definitions. API pen tests rely on the API schema for test generation, which means that undocumented APIs are missed during testing. Conventional pen testing is ineffective at identifying broken object level authorization and other abuses related to API business logic. In its place, organizations will implement API testing, enabling them to review an API in the development lifecycle for the risks listed in the OWASP Top 10 for API Security.
Lebin Cheng
VP, API Security, Imperva

CLOUD API ATTACKS

APIs in the cloud are an increasingly popular threat vector for cybercriminals as, if breached, they expose sensitive data. Part of the appeal is that they are often the easiest way for hackers to access a company's network. The increasing popularity of API attacks will accelerate the number of organizations deploying security test automation solutions to combat the problem. The number of cloud-based API attacks will surge in 2024 and GPU farming, where a set of servers allocate resources to perform calculations in the minimum amount of time, will become another popular target of cloud-based attacks.
Mike Wilson
CTO, Enzoic

OPEN-SOURCE LIBRARY VULNERABILITIES

A growing list of supply chain attacks makes them a hot topic for development organizations today. There's an underlying design issue exploited by these attacks and it is that all modern software is built on top of other third-party software components, often without clear visibility on the code quality of all the downloaded packages. A single code vulnerability introduced by a library can be used for large-scale attacks against multiple pieces of software using this library. Because the main code of popular open source software becomes well-reviewed and tested, attackers will focus more on finding previously unknown code vulnerabilities hidden in widely used but lesser-known open-source libraries. It's a very effective and subtle attack vector to compromise many organizations at once. In tandem with the risk and threats, the importance of a deeper code analysis will grow that also covers the code of libraries.
Johannes Dahse
Head of R&D, Sonar

DevOps and DevSecOps staff will need to place greater emphasis on monitoring third-party libraries and tools used in software development for security vulnerabilities. Since third-party software is often used in trusted applications, many of which have administrator or elevated privileges, organizations should also implement microsegmentation to contain the spread and blast radius of attacks.
Sameer Malhotra
CEO, TrueFort

SAAS APPLICATION ATTACKS

As many businesses shift to remote or hybrid work post-pandemic, a significant number of SaaS applications have been downloaded for work use. In 2024, SaaS applications will present the next biggest attack surface that organizations have not yet addressed. Businesses are increasingly relying on cloud-based solutions for critical operations, which is expanding the attack surface and broadening the canvas for cybercriminals to exploit vulnerabilities. Moreover, the rise in popularity of Generative AI will make social engineering attacks easier for SaaS identity account takeovers. Security teams will need to assess all the applications that have been installed by employees, determine which are necessary for business operations, and understand the attack surface each presents. In the new year, organizations will need to "clean up" their SaaS security posture and remove all unnecessary applications with extensive permissions. Security teams will need to develop a comprehensive SaaS security program to monitor application installations and manage security controls so they can avoid a major SaaS data breach in the new year to come.
Adam Gavish
CEO and Co-Founder, DoControl

Go to: 2024 DevSecOps Predictions - Part 3
