Convincing businesses to transition to cloud computing was a struggle in 2018 and 2019. Many companies just weren’t ready to make such a huge change, uncomfortable with relying on cloud services over localized hardware and software.
But things changed. Cloud migration was the major focus of 2020 and 2021, mainly because of the pandemic’s sudden appearance. Companies selected one of the giant cloud providers, namely Amazon Web Services (AWS), Microsoft Azure, and/or Google Cloud as these 3 companies control most of the market share for cloud services.
Right now, cloud computing is an incredible success, so much so that global spending on cloud services will reach over $84 billion in 2022. However, information technology experts are warning that another upset is on the horizon. Widespread use of APIs, a shortage of IT professionals, and software with ‘trust but verify’ architecture pose security issues for the near future.
This exponentially increased cloud computing usage means that the software development community must react swiftly to improve security. New cyber threats emerge every day but developers are using the same security technologies from 3-10 years ago. In 2022, companies should act to incorporate these critical security trends into the development life cycle and all of their software.
Top Critical Security Trends
Evaluate the IT Department
IT security professionals are in short supply and severely outnumbered by malicious actors. Most business decision-makers don’t understand the complex problems that IT experts work to solve. Management should seek to inform themselves on these critical security challenges and collaborate more closely with IT experts.
Also, you should know that there is a major overlap between software development and cybersecurity. Hiring third-party contractors is too commonplace, because of this misunderstanding. In reality, building high-quality software requires a cybersecurity perspective. Outsourcing software development itself, instead of the cybersecurity department, would be a more effective use of the development budget.
Additionally, it’s worth noting that higher education institutions are pivoting to address the needs of the interconnected world by creating more programs for cybersecurity and IT professionals. Despite this, the gap between supply and demand in trained cybersecurity workers will likely continue. There are many entry-level workers currently but a severe lack of IT professionals with 10-15 years of experience.
APIs
The enmeshment of APIs (Application Programming Interface) may not be obvious to those outside the software and web development space. But in this field, APIs connect everything. However, they also are especially difficult to secure because they are hard to source.
Developers reuse APIs all the time, which sometimes means your engineers might end up using APIs developed by someone else. By using external APIs, software companies open themselves up to disastrous security risks. Cambridge Analytica is a perfect example of this. While this public relations disaster wasn’t technically a data breach, Facebook’s APIs were at the center of this scandal.
Facebook failed to set important permissive scopes, terms-of-service enforcement, and to notify users how their data was being collected and used. Without going too deep, Cambridge Analytica was able to leverage Facebook’s Graph AI to collect and sell data on over 87 million users.
Other API security risks include security misconfiguration, needless data exposure, poor monitoring, inadequate logging, permission issues, and authorization concerns. While data transfers between different software mediums, it’s a high risk for malicious manipulation or collection. At a minimum, all APIs transferring user data required data encryption and OAuth integration.
Software Bill of Materials
Development rarely produces 100% original and disconnected software. Code reuse is an extremely common practice as it allows teams to develop sophisticated software on reasonable timelines. Reusing code improves efficiency and productivity but, if the original code was low-quality, unreliable, or unsafe, those issues will spread throughout your platform.
Within a single software product, companies have the ability to incorporate multiple smaller pieces of software, firmware, plus APIs. A security breach during financial transactions or involving sensitive user data could be catastrophic.
It’s important to point out that the US government may soon be requiring SBOMs for all software products in use by government agencies. An SBOM is a software bill of materials that requires a company to include a comprehensive list of all components that make up that software. These components would include the pieces listed above, such as APIs, software, and firmware.
Government agencies would then be able to vet the software based on its SBOM and determine if the software is safe and secure enough for government use. That approach feels like a good measure, so it’s possible we might end up seeing it pop up in the private sector as well.
Zero Trust and Access Control
IT security professionals use the concept of zero trust to protect IT resources. Zero trust architecture treats everyone that interacts with the software or data as a suspect. No one has sweeping access to areas that aren’t explicitly stated in their permissions.
After implementing zero trust, all user access and changes will require verification of the user’s identity. This architecture addresses the blind spots inherent in perimeter-based security. Attacks from outside the firewall aren’t the only access path into secure networks. Companies should understand attacks commonly come from within, entering through user access.
Identification of specific permission levels for each user group is a start towards zero trust policies. Software development will need different access than administration or project management. A company’s unique hierarchy will define these rules, but users should only have the minimum privilege needed to complete their jobs. All companies need a process for removing provisions for employees that have parted ways with the company.
“Trust but verify” is already a common practice, but businesses must invest in better security monitoring and anticipate tasks from all sides. Zero trust provides the most robust prevention against threats by requiring multi-factor authentication with each new session.
Focus On One Area of Improvement at a Time
Every company has different cybersecurity needs. Conscientious development practices are a must when developing software involved in financial transactions and storing user data. Developers and product managers should consult with IT professionals when working on every new feature. In that context, effective communication tools are important for fostering a close relationship with the IT department, especially if the department is a third party.
To negate issues, companies must have security professionals check APIs for any concerns and address them immediately. If the software provides value and integrates with a user’s life, it’s almost guaranteed to use APIs. If necessary, overhaul these systems to prevent ending up like Facebook.
Companies that serve industries where federal and state contracts are commonplace should consider including SBOMs in all forthcoming products. All companies should transition from ‘trust but verify’ to zero-trust security architecture. Developers, endpoint users, and everyone in between should have clearly outlined minimum need provisions. Zero trust is already standard in many industries and its adoption will continue to grow rapidly.