2024 DevSecOps Predictions – Part 2

AI 5个月前 admin
16 0 0

DEVOPSdigest asked industry experts how they think DevSecOps will evolve and impact development and application security in 2024. Part 2 covers risks and vulnerabilities.

Start with: 2024 DevSecOps Predictions – Part 1
2024 DevSecOps预测-第1部分


2024 DevSecOps Predictions - Part 2

AI will play a significant role in generating code, allowing for faster development with fewer human resources. But as code inevitably becomes more like open-source software, AI-generated vulnerabilities will become a bigger concern. The speed at which AI-assisted developers work will underscore the importance of enhanced application visibility and security, as developers may lack the full understanding of their AI-generated output.

Shahar Man 沙哈尔人
Co-Founder & CEO, Backslash Security(link is external)
Backslash Security联合创始人兼首席执行官

Overconfidence in Generative AI code will lead to generated AI vulnerabilities: As more and more developers use generative AI to successfully help build their products, 2024 will see the first big software vulnerabilities attributed to AI generated code. The success of using AI tools to build software will lead to overconfidence in the results and ultimately a breach that will be blamed on the AI itself. This will lead to a redoubling across the industry of previous development practices to ensure that all code, written by both developers and AI, is analyzed, tested, and compliant with quality and security standards.

Phil Nash 菲尔·纳什
Developer Advocate, Sonar(link is external)


Chris Steffen, VP of Research covering Information Security, Risk, and Compliance Management at Enterprise Management Associates (EMA), and Ken Buckler, Research Analyst covering Information Security at EMA, make 2024 cybersecurity predictions on the Cybersecurity Awesomeness Podcast.
Enterprise Management Associates(EMA)负责信息安全、风险和合规管理的研究副总裁Chris Steffen和EMA负责信息安全的研究分析师Ken Buckler在Cybersecurity Awesomeness Podcast上对2024年的网络安全进行了预测。

Click here for a direct MP3 download of Episode 41
(link is external)


In 2024, the software landscape will witness a swift surge in AI integration, posing challenges for organizations that must understand how these tools are adopted. DevOps professionals become frontline defenders, addressing risks from data privacy to new attack vectors. This will make a strategic Software Bill of Materials (SBOM) crucial to enhance transparency and proactively manage AI-related components, empowering organizations to navigate this transformative era confidently.

Tyler Warden 泰勒·沃登
SVP of Product, Sonatype(link is external) Sonatype产品高级副总裁


Organizations inability to identify the lineage of AI is going to lead to an increase in software supply chain attacks in 2024. Over the course of the last year, organizations have been heavily focused on how to prevent cyberattacks on AI. There’s only one problem: everyone is focusing on the wrong aspect. Many security teams have zeroed in on threats against AI once it’s deployed. Organizations are concerned about a threat actor using AI to prompt engineering, IT, or security to take action that could lead to a compromise. The truth is that the best time to compromise AI is when it is being built. Much like the majority of today’s software, AI is primarily built from open-source software. The ability to determine who created the initial AI models, with what bias, which developer with what intent, is by and large far more critical to preventing gaps in an organization’s security posture. I suspect that few organizations have considered this approach, and as a result, we’ll see all kinds of interesting challenges and issues emerge in the coming months.
组织无法识别AI的血统将导致2024年软件供应链攻击的增加。在过去的一年中,组织一直非常关注如何防止对人工智能的网络攻击。只有一个问题:每个人都关注错误的方面。许多安全团队已经将AI部署后的威胁集中在了AI上。组织担心威胁行为者使用AI来促使工程,IT或安全采取可能导致妥协的行动。事实是,妥协人工智能的最佳时机是在它被构建的时候。就像今天的大多数软件一样,人工智能主要是由开源软件构建的。确定谁创建了最初的AI模型,有什么偏见,哪个开发人员有什么意图的能力,对于防止组织的安全状况出现漏洞来说,总的来说更为关键。 我怀疑很少有组织考虑过这种方法,因此,我们将在未来几个月内看到各种有趣的挑战和问题。

Javed Hasan 贾韦德·哈桑
CEO and Co-Founder, Lineaje(link is external)


As the use of GenAI becomes more pervasive, the likelihood of someone inputting sensitive information increases. I wouldn’t be surprised to learn that, in 2024, a GenAI platform is hacked and some juicy data is discovered. People need to think about where the sensitive information they share goes before it ends up in the wrong hands — but they probably won’t before it’s too late.

Anna Belak 安娜·贝拉克
Director, Office of Cybersecurity Strategy, Sysdig(link is external)

GenAI leaks will put software supply chains at risk. Careless use of AI will lead to massive secrets leaks, resulting in all kinds of creative supply chain attacks. The known prevalence of poorly managed passwords, keys, and other sensitive information means that any code, configuration, or file someone sends to a GenAI API is a disaster waiting to happen.
GenAI泄漏将使软件供应链面临风险。不小心使用人工智能将导致大规模的秘密泄露,导致各种创造性的供应链攻击。众所周知,密码、密钥和其他敏感信息普遍管理不善,这意味着有人发送到GenAI API的任何代码、配置或文件都是等待发生的灾难。

Anna Belak 安娜·贝拉克
Director, Office of Cybersecurity Strategy, Sysdig(link is external)


Amidst the rising attention of open source security, a newer threat will continue to grow in 2024. We won’t see just vulnerabilities but a surge in malicious components strategically designed to attack the Software Development Life Cycle (SDLC) itself. Developers’ machines and environments will become the new battleground as bad actors seek entry into organizational estates. This underlines the urgent need for a robust defense system against attacks and equipping developers with the necessary tools to do so.

Tyler Warden 泰勒·沃登
SVP of Product, Sonatype(link is external) Sonatype产品高级副总裁


Hackers will prioritize targeting developers. As the development environment and the developers themselves continue to be highly valuable assets, they have become the primary focus for malicious actors. With their privileged access to corporate computer systems, developers are now the top target for hackers. These cybercriminals are well aware that development and CI/CD environments are often less secure compared to internet-facing production environments. Consequently, phishing campaigns will increasingly be aimed at developers, aiming to pilfer their authentication tokens and other critical secrets utilized in the development cycle.

Eric Fourrier 埃里克·福里耶
CEO and Co-Founder, GitGuardian(link is external)


Cyber Adversaries Will Unleash DevOps Expertise: We will see skilled cybercriminals with advanced expertise in DevOps, IT, and Security, unlike anything we’ve seen before. These adversaries will leverage their target’s existing IT stack to meet their malicious needs. They’ll do this by manipulating security controls to establish and maintain persistence and evade detection — without the need for malware.

Sam Rubin 山姆·鲁宾
VP of Unit 42 Consulting, Palo Alto Networks(link is external)
帕洛阿尔托网络公司Unit 42 Consulting副总裁


There is a problem with API sprawl that will become worse in 2024: the rise of Zombie APIs within enterprise organizations, and the security threat these troublesome APIs pose. Zombie APIs are endpoints that are no longer maintained yet are still active. They may be unused endpoints, old features never officially deprecated, or forgotten development or testing environments. And as infrastructures scale larger and add complexity, API sprawl worsens. Zombie APIs are a type of technical debt that could pose a legitimate threat if left to rot.

Joshua Scott 约书亚·斯科特
Head of Security and IT, Observability, Postman(link is external)


As more enterprises rely heavily on their software application architecture, APIs are essential for business-critical solutions. Even though the number of APIs introduced in the market is increasing day by day, API security is not scaling at the same rate. In 2024, DevSecOps teams need to prepare for an increase in API Security breaches from authenticated attackers that have signed up as legitimate-looking customers or partners. Firewalls and gateways alone aren’t going to cut it. Instead DevSecOps need to build an effective API Security strategy that measures and manages the API attack surface from the inside – by employing continuous API threat detection and incident response monitoring.”

Robert Dickinson 罗伯特·狄金森
VP of Engineering, Graylog(link is external)

Secure API development will become more prevalent in 2024 as organizations struggle to manage the automated attacks targeting their API ecosystem. For an unlucky number of organizations, data breaches will be the result of a compromised API. While SDLC practices are well intended, they aren’t equipped to address complex attacks targeting flaws in the design and implementation of an API or application’s business logic. Most organizations don’t have visibility into their APIs because they lack complete and up-to-date API schema definitions. API pen tests rely on the API schema for test generation, which means that undocumented APIs are missed during testing. Conventional pen testing is ineffective at identifying broken object level authorization and other abuses related to API business logic. In its place, organizations will implement API testing, enabling them to review an API in the development lifecycle for the risks listed in the OWASP Top 10 for API Security.
安全的API开发将在2024年变得更加普遍,因为组织将努力管理针对其API生态系统的自动化攻击。对于一些不幸的组织来说,数据泄露将是受损的API的结果。虽然SDLC实践的意图是好的,但它们不具备解决针对API或应用程序业务逻辑的设计和实现中的缺陷的复杂攻击的能力。大多数组织无法看到他们的API,因为他们缺乏完整和最新的API模式定义。API笔测试依赖于API模式来生成测试,这意味着在测试期间会遗漏未记录的API。传统的笔式测试在识别损坏的对象级授权和与API业务逻辑相关的其他滥用方面是无效的。取而代之的是,组织将实施API测试,使他们能够在开发生命周期中审查API,以了解OWASP Top 10 for API Security中列出的风险。

Lebin Cheng 程乐斌
VP, API Security, Imperva(link is external)
Imperva API安全副总裁


APIs in the cloud are an increasingly popular threat vector for cybercriminals as, if breached, they expose sensitive data. Part of the appeal is that they are often the easiest way for hackers to access a company’s network. The increasing popularity of API attacks will accelerate the number of organizations deploying security test automation solutions to combat the problem. The number of cloud-based API attacks will surge in 2024 and GPU farming, where a set of servers allocate resources to perform calculations in the minimum amount of time, will become another popular target of cloud-based attacks.

Mike Wilson
CTO, Enzoic(link is external) 首席技术官,Enzoic


A growing list of supply chain attacks make them a hot topic for development organizations today. There’s an underlying design issue exploited by these attacks and it is that all modern software is built on top of other third-party software components, often without clear visibility on the code quality of all the downloaded packages. A single code vulnerability introduced by a library can be used for large-scale attacks against multiple softwares using this library. Because the main code of popular open source software becomes well-reviewed and tested, attackers will focus more on finding previously unknown code vulnerabilities hidden in widely-used but lesser known open-source libraries. It’s a very effective and subtle attack vector to compromise many organizations at once. In tandem with the risk and threats, the importance of a deeper code analysis will grow that also covers the code of libraries.

Johannes Dahse 约翰内斯·达瑟
Head of R&D, Sonar(link is external) 研发主管,Sonar

DevOps and DevSecOps staff will need to place greater emphasis on monitoring third-party libraries and tools used in software development for security vulnerabilities. Since third-party software is often used in trusted applications, many of which have administrator or elevated privileges, organizations should also implement microsegmentation to contain the spread and blast radius of attacks.

Sameer Malhotra 萨米尔·马尔霍特拉
CEO, TrueFort(link is external) TrueFort首席执行官


As many businesses shift to remote or hybrid work post-pandemic, a significant amount of SaaS applications have been downloaded for work use. In 2024, SaaS applications will present the next biggest attack surface that organizations have not yet addressed. Businesses are increasingly relying on cloud-based solutions for critical operations, which is expanding the attack surface and broadening the canvas for cybercriminals to exploit vulnerabilities. Moreover, the rise in popularity of Generative AI will make social engineering attacks become easier for SaaS identity account takeovers. Security teams will need to assess all the applications that have been installed by employees, determine which are necessary for business operations, and understand the attack surface each presents. In the new year, organizations will need to “clean up” their SaaS security posture and remove all unnecessary applications with extensive permissions. Security teams will need to develop a comprehensive SaaS security program to monitor application installations and manage security controls so they can avoid a major SaaS data breach in the new year to come.
随着疫情过后许多企业转向远程或混合工作,大量SaaS应用程序已被下载用于工作。到2024年,SaaS应用程序将成为组织尚未解决的下一个最大的攻击面。企业越来越依赖基于云的解决方案来进行关键操作,这扩大了攻击面,并扩大了网络犯罪分子利用漏洞的范围。此外,生成式人工智能的普及将使社交工程攻击变得更容易被SaaS身份账户接管。安全团队需要评估员工安装的所有应用程序,确定哪些应用程序是业务运营所必需的,并了解每个应用程序所呈现的攻击面。在新的一年里,企业将需要“清理”其SaaS安全状况,并删除所有不必要的具有广泛权限的应用程序。 安全团队将需要开发一个全面的SaaS安全计划来监控应用程序安装和管理安全控制,这样他们就可以避免在新的一年里发生重大的SaaS数据泄露。

原文始发于devopsdigest:2024 DevSecOps Predictions – Part 2

版权声明:admin 发表于 2024年2月8日 上午8:45。
转载请注明:2024 DevSecOps Predictions – Part 2 | CTF导航