In part 1 of web security trends 2020, we discussed the rise of Crowdsourced Security and the ever-changing attack surface. This time we turned to two security leaders to get their perspective on trends to come in 2020.
What security issues/trends are you anticipating for 2020?
We are all targets. I believe that the world of digitalization continues to grow in complexity. As a result of that, it becomes even more difficult to protect the technical environment appropriately in our homes and workplaces.
With more and more systems and software, plugins and apps, we will continue to be challenged with keeping everything updated. Attackers will probably outpace incomplete and hurried patches. With more devices brought to our homes, most of them with network access with or without our knowledge, the exposure will let cybercriminals home in on IoT devices for espionage and extortion. The digitalization leads to critical infrastructures being more exposed and they will most certainly be plagued by more attacks and production downtimes (I’ve just finished reading Sandworm by Andy Greenberg).
The increasing use of cloud services continues to change the security map. When more and more companies are handing over their information to someone else’s IT environment, aka cloud service providers, vulnerabilities in their environment, such as container components, will be top security concerns for DevOps teams.
Some novelties will introduce new attack surfaces for misconfiguration and vulnerable code. Not monitoring enough will result in greater damage than necessary. User misconfigurations and insecure third-party involvement will also compound risks in cloud platforms.
Threat intelligence will need to be augmented with security analytics expertise for protection across security layers. This means companies must put more resources into security. But will they? Are the executive leaders of the companies willing to act upon the increasing risks? To what extent?
Are there any trends to do with security automation or ethical hackers?
I am not aware of any specific trends that have to do with security automation or ethical hackers, but the value in skilled ethical hacking is critical for identifying vulnerabilities in cybersecurity solutions before a real bad actor comes along. NSA recently handed over a serious vulnerability in Windows 10 to Microsoft, which to me shows a change in behaviour. Maybe they understand the problem with keeping them secret for future use when the collateral damage threatens to be global.
What are your current challenges and how do you plan to tackle these this year?
My current challenges are to keep the staff (at the Swedish Internet Foundation) happy by offering new and modern solutions, and keep them informed about the risks and of what’s going on at the same time.
What event do you look forward to in 2020?
Internetdagarna! As always.
What security issues/trends are you anticipating for 2020?
I anticipate more breaches and news stories of ‘cyber tragedy’, but also more companies investing in their employees via training and enablement in the workplace to create processes for faster and more effective security.
I also think we will see a lot more cultures moving towards DevOps and automation of security testing, defences and detection. I believe the Information Security field will try to move towards using more Artificial Intelligence/Machine Learning to provide better security experiences, for better or worse. I also foresee many companies abusing new technologies to violate users’ privacy, which is a trend I find both unethical and worrisome.
Read: Tanya’s blog series on DevOps and security: Pushing Left, Like a Boss.
Are there any trends to do with security automation or ethical hackers?
More and more development shops are realizing that if they don’t move to the DevOps model/culture they will no longer have a competitive advantage. I am currently seeing many security teams that are getting on board with this, adding automation, security sprints and adding security tooling to CI/CD pipelines, and other forms of “DevSecOps” (application security activities that are adapted to DevOps environments). I’m also seeing quite a few mature AppSec companies creating stripped-down versions of their tools to be used in pipelines, with varying results, and newer companies that have CI/CD in mind when creating brand new products.
I’m very, very excited to see innovation in this area in 2020. Application Security is a young field, and I suspect there will be very new types of tools coming out to solve this problem in new ways, and I can’t wait to see it.
What are your current challenges and how do you plan to tackle these this year?
This year I have three career goals:
I will also continue to coach companies launching and improving their AppSec, DevSecOps and Azure security programs. Wish me luck!
What ways will you/your team measure success this year?
I keep personal and professional KPIs that I won’t share here, but I can say that I believe setting goals and measuring yourself (regularly) against them is a fantastic way to ensure you reach your version of success.
I also believe in setting and enforcing personal and professional boundaries (for example, I do not take meetings before 9:00 am because sleep is very important to me). Setting a list of yearly/quarterly/monthly goals, as well as a set of boundaries, is an activity that I feel would serve any person well in their career.
What event do you look forward to in 2020?
I always look forward to every WoSEC (Women of Security) meetup, especially the “WoSEC Crashes RSAC” meetup during RSAC this year! I’m also looking forward to several different locations of B-Sides, and I especially love the AppSec conferences from OWASP.