Year in Review: Security

As we bid farewell to another year, it is crucial to reflect on the threats of cyberattacks and ransomware and think of how to mitigate them moving forward. However, this year feels a bit different – marked by the unknown of what challenges AI will bring to the security landscape in the new year. 

This comes on top of persistent supply-chain security vulnerabilities, insider threats, and more that have only grown this year. 

The Cybersecurity and Infrastructure Security Agency (CISA) recently unveiled a roadmap with five key efforts aimed at the responsible and secure deployment of AI. 

Firstly, the agency commits to responsibly employing AI to fortify cyber defense, adhering to applicable laws and policies. Second, CISA aims to assess and ensure the default security of AI systems, fostering safe adoption across various government agencies and private sector entities. The third effort involves collaborating with companies to safeguard critical infrastructure from potential malicious uses of AI, addressing threats, vulnerabilities, and mitigation strategies.

In its fourth effort, CISA emphasizes collaboration and communication with other agencies, international partners, and the public to develop policy approaches concerning security and AI. Lastly, the agency plans to bolster its workforce by expanding the number of qualified AI professionals through education and recruitment efforts. 

The dominant player in the AI space, OpenAI, also recognizes the need for training and secure AI use. 

OpenAI this year introduced the Cybersecurity Grant Program, a $1 million initiative designed to advance and quantify AI-driven cybersecurity capabilities while promoting high-level discourse in the field. 

Seeking collaboration with security professionals globally, the company aims to rebalance power dynamics in cybersecurity through the strategic use of AI technology and fostering coordination among like-minded individuals. The overarching goal is to prioritize access to advanced AI capabilities for security teams, with a commitment to developing methods that accurately measure and enhance the efficacy of AI models in the realm of cybersecurity, thereby ensuring collective safety.

This year also showed that many applications still contain vulnerabilities and that a growing number of projects aren’t actively maintained, particularly in the open-source space. 

In January, application security testing solution provider Veracode released a report showing that nearly 32% of applications are found to have flaws at the first scan, jumping to almost 70% once they have been in production for five years. The report also stated that after the initial scan, most apps enter a safety period of about a year and a half, where 80% do not take on any new flaws.

In 2023, there was an 18% decline in the number of open-source projects that are considered to be “actively maintained,” according to Sonatype’s annual State of the Software Supply Chain report.

The report highlights a concerning statistic, finding that merely 11% of open-source projects are actively maintained. Despite this, Sonatype emphasizes that 96% of vulnerabilities in open-source software are preventable. 

The report revealed 2.1 billion downloads of open-source software, among them downloads of versions with known vulnerabilities even though newer versions addressing those issues were already available. This underscores the need for increased attention to maintaining and updating open-source projects to mitigate the security risks associated with outdated software versions.

Organizations are taking the initiative to fix the vulnerabilities

Recognizing the widespread security challenges, major corporations are proactively launching initiatives to address and counteract the proliferation of security issues in today’s digital landscape.

In March, the White House released a new plan for ensuring security in digital ecosystems. It hopes to “reimagine cyberspace as a tool to achieve our goals in a way that reflects our values: economic security and prosperity; respect for human rights and fundamental freedoms; trust in our democracy and democratic institutions; and an equitable and diverse society.”

Achieving this will require shifts from how we currently view cybersecurity. The Biden-Harris administration plans to rebalance the responsibility for security away from individuals and small businesses and onto the organizations that are best positioned to reduce risk for all. It also plans to rebalance the need to defend against today’s security risks with positioning organizations to plan for future threats. 

In October, Google enabled passkeys as the default authentication method in Google accounts. Passkeys offer a convenient and faster way to log in using fingerprints, face scans, or PINs. They are 40% quicker than traditional passwords and boast enhanced security due to advanced cryptography, according to Google in a blog post. They also alleviate the burden of remembering complex passwords and are more resistant to phishing attacks.

Soon after, Microsoft announced its Secure Future Initiative, which consists of three main pillars: defenses that use AI, advances in software engineering, and international norms to protect civilians from cyber threats. Microsoft aims to establish an “AI-based cyber shield” to safeguard both customers and nations, expanding its internal protective capabilities for broader customer use. In response to the global shortage of cybersecurity skills, estimated at around 3 million people, Microsoft plans to leverage AI, particularly through tools like Microsoft Security Copilot, to detect and respond to threats. Additionally, Microsoft Defender for Endpoint will utilize AI detection methods to enhance device protection against cybersecurity threats.

Luckily, as technology advances, developers and organizations can turn to established frameworks and best practices released this year. 

In June, the Open Worldwide Application Security Project (OWASP) announced the launch of OWASP CycloneDX version 1.5, a new standard in the Bill of Materials (BOM) domain that specifically targets issues of transparency and compliance within the software industry. The recent release expands BOM support beyond its existing coverage of hardware, software, and services. The primary goal is to enhance organizations’ capabilities in identifying and addressing supply chain risks, offering a more comprehensive tool for managing and mitigating potential vulnerabilities.
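The Sonatype finding above (downloads of versions with known vulnerabilities when a fixed version already existed) and the CycloneDX release point at the same practical check: a BOM tells you exactly which component versions you ship, so it can be compared against the versions in which known issues were fixed. The following is an added example, not code from the SD Times article or from the CycloneDX project. It reads a minimal CycloneDX 1.5 JSON document and flags components pinned below a fixed version. The BOM, the component names (`example-http` and so on) and the `FIXED_VERSIONS` table are all constructed for the illustration; in practice the fixed versions would come from an advisory feed.

```python
"""Added example: flag components in a CycloneDX 1.5 BOM that are pinned
below the version in which a known issue was fixed.  Everything here
(BOM, component names, fixed-version table) is constructed sample data."""
import json

# Constructed CycloneDX 1.5 document.  Only the fields this example reads
# are present; a BOM produced by a real build tool carries many more.
SAMPLE_BOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "version": 1,
    "components": [
        {"type": "library", "name": "example-http", "version": "2.3.1",
         "purl": "pkg:pypi/example-http@2.3.1"},
        {"type": "library", "name": "example-xml", "version": "1.0.0",
         "purl": "pkg:pypi/example-xml@1.0.0"},
        {"type": "library", "name": "example-json", "version": "4.2.0",
         "purl": "pkg:pypi/example-json@4.2.0"},
    ],
})

# Constructed table: first version in which a known issue was fixed.
# In practice this comes from an advisory feed, not a literal in code.
FIXED_VERSIONS = {
    "example-http": "2.4.0",
    "example-json": "4.1.5",
}


def parse_version(text):
    """Turn a dotted numeric version into a tuple that compares correctly
    ('2.10.0' sorts after '2.9.0').  Non-numeric pieces count as 0."""
    parts = []
    for piece in text.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def load_components(bom_text):
    """Validate the BOM header and return its component list."""
    bom = json.loads(bom_text)
    if bom.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    if not str(bom.get("specVersion", "")).startswith("1."):
        raise ValueError("unsupported specVersion %r" % bom.get("specVersion"))
    return bom.get("components", [])


def outdated_components(bom_text, fixed_versions):
    """Return [(name, current, fixed)] for every component whose pinned
    version is older than the version that fixed a known issue."""
    findings = []
    for comp in load_components(bom_text):
        name, current = comp.get("name"), comp.get("version")
        if name not in fixed_versions or current is None:
            continue  # nothing known about this component, or unpinned
        fixed = fixed_versions[name]
        if parse_version(current) < parse_version(fixed):
            findings.append((name, current, fixed))
    return findings


if __name__ == "__main__":
    for name, current, fixed in outdated_components(SAMPLE_BOM, FIXED_VERSIONS):
        print(f"{name}: {current} is below fixed version {fixed}")
```

Running the block reports `example-http` only: `example-json` is already ahead of its fixed version, and no advisory is known for `example-xml`. The version comparison is deliberately simple (numeric dotted versions); real ecosystems have their own ordering rules, which is why a production check should use the ecosystem's own version library.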

In September, the National Institute of Standards and Technology (NIST) released a draft document detailing strategies for incorporating software supply chain security measures into CI/CD pipelines. In the context of cloud-native applications employing a microservices architecture with a centralized infrastructure like a service mesh, the document outlines the alignment of these applications with DevSecOps practices.

The post Year in Review: Security appeared first on SD Times.



from SD Times https://ift.tt/6ethTNZ
