DEVOPSdigest asked industry experts how they think DevSecOps will evolve and impact development and application security in 2024. Part 3 looks at more issues and solutions.
Start with: 2024 DevSecOps Predictions – Part 1
Start with: 2024 DevSecOps Predictions – Part 2
LARGE LANGUAGE MODELS IMPACT SECURITY
In 2024, as Large Language Models (LLMs) become increasingly ubiquitous, we can anticipate a growing concern in the realm of developer security.
There are two key aspects that warrant attention:
■ Emergence of Malicious Open-Source Packages: In the past, crafting a malicious open source package required a level of domain expertise. However, the widespread availability of LLMs has lowered the entry barrier, making it feasible for anyone with a computer and an internet connection to create malicious packages. Consequently, we should expect a surge in cyberattacks, characterized by increased sophistication and a broader linguistic spectrum due to the ease of language adaptation.
■ Security Measures for LLM Adoption: With the integration of LLMs into various processes, companies will need to fortify their security defenses. For those consuming LLMs through APIs, traditional threats such as injection vulnerabilities will persist, but new risks will emerge, like verifying the input and output of LLMs to ensure they don’t compromise the organization’s network or contain malicious instructions. Companies opting to run LLMs in-house will encounter the challenge of managing a new technology stack, involving permissions, restrictions, and more.
In summary, the wider adoption of LLMs will have ripple effects, not only on hackers seeking to exploit vulnerabilities but also on security services working to safeguard digital assets and networks.
Ori Abramovsky
Head of Data Science, Check Point Software Technologies
EMA’S 2024 CYBERSECURITY PREDICTIONS
Chris Steffen, VP of Research covering Information Security, Risk, and Compliance Management at Enterprise Management Associates (EMA), and Ken Buckler, Research Analyst covering Information Security at EMA, make 2024 cybersecurity predictions on the Cybersecurity Awesomeness Podcast.
Click here for a direct MP3 download of Episode 41
AI IMPROVES API SECURITY
API security evolves as AI enhances offense-defense strategies: In 2023, AI began transforming cybersecurity, playing pivotal roles both on the offensive and defensive security fronts. Traditionally, identifying and exploiting complex, one-off API vulnerabilities required human intervention. AI is now changing this landscape, automating the process, enabling cost-effective, large-scale attacks. In 2024, I predict a notable increase in the sophistication and scalability of attacks. We will witness a pivotal shift as AI becomes a powerful tool for both malicious actors and defenders, redefining the dynamics of digital security.
Shay Levi
CTO and Co-Founder, Noname Security
OPEN SOURCE PRODUCT SECURITY TEAMS
In 2024, we see the rise of dedicated open source product security teams within organizations. As open source continues to expand its footprint within commercial products, product security groups will begin building out dedicated teams focused exclusively on the security of the open source components that make up much of the source code in their products.
Donald Fischer
CEO and Co-Founder, Tidelift
CONTAINER PROTECTION
In 2024, I think we’re going to see DevOps teams work more closely with their CISOs or IT security leads to protect containerized environments. Regulations such as GDPR, PCI, and HIPAA are making it increasingly important for organizations to protect and back up data that is vulnerable to increasingly sophisticated cyber threats like Ransomware, and more often than not, that data is in containers. Nearly 9 out of 10 companies today are using containers in development to drive rapid innovation. Although Kubernetes is known to have strict security protocols that help block access to components outside of a cluster, it’s definitely not impenetrable. Misconfigurations, missing container replacements, and gaps with backing up create vulnerabilities that attackers are actively exploiting. Warm cloud backups to speed up recovery times during any future downtime incidents, regular scanning, and running containers with the least privileges possible should all be priorities in the year ahead.
Faiz Khan
CEO, Wanclouds
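The prediction above lists least-privilege containers as a priority for the year. The script below is an added example, not code from the article or from Wanclouds: it audits a Kubernetes Pod manifest (parsed into a Python dict) for the settings that separate a privileged container from a least-privilege one, and shows a weak manifest beside a hardened one. Both manifests, the image names and the digest are constructed for the example; the field names are the standard Pod `securityContext` fields.

```python
"""Least-privilege audit of a Kubernetes Pod manifest.

Added example for the "container protection" prediction. The two Pod
manifests are hand-written samples (not from any real cluster); the
checks map to the Pod/container securityContext fields and the host
namespace flags that Kubernetes exposes.
"""

# Constructed sample: a typical manifest with no securityContext at all.
WEAK_POD = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "api-weak"},
    "spec": {
        "containers": [
            {"name": "api", "image": "registry.example.com/api:latest"},
        ],
    },
}

# Constructed sample: the same workload with least-privilege settings applied.
HARDENED_POD = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "api-hardened"},
    "spec": {
        "automountServiceAccountToken": False,
        "securityContext": {
            "runAsNonRoot": True,
            "seccompProfile": {"type": "RuntimeDefault"},
        },
        "containers": [
            {
                "name": "api",
                "image": "registry.example.com/api:1.4.2",
                "securityContext": {
                    "privileged": False,
                    "allowPrivilegeEscalation": False,
                    "readOnlyRootFilesystem": True,
                    "runAsNonRoot": True,
                    "capabilities": {"drop": ["ALL"]},
                },
            },
        ],
    },
}


def audit_container(container, pod_ctx):
    """Return a list of findings for one container spec.

    pod_ctx is the Pod-level securityContext; a container-level value
    overrides it, which is the precedence Kubernetes applies.
    """
    findings = []
    name = container.get("name", "<unnamed>")
    ctx = container.get("securityContext", {})
    if ctx.get("privileged", False):
        findings.append(f"{name}: privileged=true gives the container host-level access")
    # The API default for allowPrivilegeEscalation is true, so "unset" is a finding.
    if ctx.get("allowPrivilegeEscalation", True):
        findings.append(f"{name}: allowPrivilegeEscalation is not set to false")
    if not ctx.get("runAsNonRoot", pod_ctx.get("runAsNonRoot", False)):
        findings.append(f"{name}: runAsNonRoot is not enforced at pod or container level")
    if not ctx.get("readOnlyRootFilesystem", False):
        findings.append(f"{name}: root filesystem is writable")
    caps = ctx.get("capabilities", {})
    if "ALL" not in caps.get("drop", []):
        findings.append(f"{name}: default Linux capabilities are not dropped")
    for cap in caps.get("add", []):
        findings.append(f"{name}: adds capability {cap}")
    image = container.get("image", "")
    if image.endswith(":latest") or (":" not in image and "@" not in image):
        findings.append(f"{name}: image {image!r} is not pinned to a tag or digest")
    return findings


def audit_pod(pod):
    """Return all least-privilege findings for a Pod manifest (empty list = clean)."""
    spec = pod.get("spec", {})
    pod_ctx = spec.get("securityContext", {})
    findings = []
    if any(spec.get(flag) for flag in ("hostNetwork", "hostPID", "hostIPC")):
        findings.append("pod: shares a host namespace (hostNetwork/hostPID/hostIPC)")
    # Service account tokens are mounted by default; most workloads never need one.
    if spec.get("automountServiceAccountToken", True):
        findings.append("pod: automountServiceAccountToken is not disabled")
    for container in spec.get("containers", []) + spec.get("initContainers", []):
        findings.extend(audit_container(container, pod_ctx))
    return findings


if __name__ == "__main__":
    for pod in (WEAK_POD, HARDENED_POD):
        print(pod["metadata"]["name"])
        for line in audit_pod(pod) or ["  no findings"]:
            print(" ", line)
```

The audit is a static check only: it tells you what the manifest asks for, not what an admission controller or the runtime actually enforced, so it belongs in the CI step that validates manifests before they reach the cluster, alongside the image scanning the prediction mentions.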
DEVOPS ADOPTS CLOUD-BASED CODE SIGNING
In 2023, the CA/Browser Forum passed a new baseline requirement for how code signing certificates and keys are to be securely stored. This was a direct result of several high profile cyberattacks related to compromised code signing keys and processes. While code signing has become essential to proving the authenticity, integrity and security of software, it is still an afterthought for many development organizations. DevOps teams will use the new CA/B Forum requirements to reinvent their code signing processes. The popularity of SaaS code signing with a cloud-based HSM will enable simplified and centralized code signing processes, support distributed developers and meet the CA/B Forum requirements – promoting speed, agility and security through the software development lifecycle.
Murali Palanisamy
CTO, AppViewX
CLUSTERED ARCHITECTURES
As businesses increasingly adopt containerized and microservices architectures for their application delivery, I believe that a notable shift towards enhanced segmentation within clusters is on the horizon. This evolution is particularly evident in the growing prominence of Kubernetes as a primary delivery method in the cloud. Organizations are poised to invest significant efforts in fortifying the security and segmentation of clustered architectures at the container level. This proactive approach recognizes the pivotal role of secure containerization and microservices in modern software development. The future landscape is one where the nuances of clustered environments are carefully addressed to not only optimize performance but, more crucially, to bolster the resilience and security of applications as they navigate the dynamic and interconnected realms of containerized and microservices-based infrastructures in a multi-cloud vendor environment.
Erez Tadmor
Cybersecurity Evangelist, Tufin
APPLICATION SHIELDING
Application shielding will continue to grow in adoption as organizations realize its value in the DevSecOps framework. Application shielding helps DevSecOps teams work more efficiently by embedding protections to secure source code and IP from reverse-engineering and tampering attempts; IT and security teams will need a mobile app protection platform that meshes with a DevSecOps framework or risk being further siloed from development team efforts.
RJT Keating
SVP of Corporate Development, Zimperium
HARDWARE ACCELERATORS
As DevSecOps matures in 2024, we foresee a deeper fusion with hardware accelerators, optimizing security task efficiency. This synergy will accelerate development workflows and strengthen security postures, narrowing potential attack vectors. For containerized applications, this progress is crucial — enhancing governance, ensuring the deployment of secure containers, and swiftly neutralizing threats. Such advancements are key to advancing the security and performance duality, especially in high-stakes, performance-sensitive environments.
Keith Cunningham
VP of Strategy, Sylabs
MORE OPTIONS FOR DEVELOPERS
Developers will begin to have more options to protect and restore scripts, configurations, and code for applications they are developing across the application development lifecycle. This, in turn, will help make the critical services and configurations essential to run modern data applications available and recoverable in the event of simple human error or malicious actors.
Andy Fernandez
Director, Product Management, HYCU
2024: THE YEAR OF SBOM
2024 will be the year of the Software Bill of Materials (SBOM). In 2024, the software landscape is poised for significant changes, with a growing emphasis on SBOMs. As concerns about supply chain attacks continue to escalate, compliance measures will tighten, due to the increasing frequency and visibility of such incidents. The proactive adoption of SBOMs is not only a response to heightened awareness, but a crucial step in securing the software supply chain. This upcoming year, increased emphasis will be placed on preventing and disclosing supply chain threats, as well as an increase in compliance requirements, like US Executive Order 14028, across the globe.
Nick Mistry
SVP, CISO, Lineaje
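The prediction above argues that SBOMs become useful when they are consumed, not just produced. The script below is an added example, not code from the article or from Lineaje: it reads a minimal SBOM laid out in the CycloneDX JSON format, reports which components lack the identifying fields a consumer needs (name, version, supplier, package URL), and matches the identified components against an advisory list. The SBOM document, the package names and the advisory identifiers are all constructed placeholders; the version comparison is a simple numeric dotted-version compare written for the example.

```python
"""Consuming an SBOM: completeness check and advisory matching.

Added example for the "year of SBOM" prediction. The SBOM text and the
advisory list are hand-written samples in CycloneDX JSON layout; the
package names and advisory IDs are placeholders, not real ones.
"""
import json
import re

# Constructed SBOM: one component lacks a supplier, one lacks a purl.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "metadata": {
    "timestamp": "2024-01-15T10:00:00Z",
    "component": {"type": "application", "name": "example-service", "version": "2.3.0"}
  },
  "components": [
    {"type": "library", "name": "libfoo", "version": "1.4.2",
     "supplier": {"name": "Foo Project"}, "purl": "pkg:pypi/libfoo@1.4.2"},
    {"type": "library", "name": "libbar", "version": "0.9.0",
     "purl": "pkg:pypi/libbar@0.9.0?source=example"},
    {"type": "library", "name": "libbaz", "version": "3.1.0",
     "supplier": {"name": "Baz Inc"}}
  ]
}
"""

# Constructed advisories: versions below fixed_in are affected. IDs are placeholders.
ADVISORIES = [
    {"id": "ADV-EXAMPLE-0001", "purl_base": "pkg:pypi/libfoo", "fixed_in": "1.5.0"},
    {"id": "ADV-EXAMPLE-0002", "purl_base": "pkg:pypi/libbar", "fixed_in": "0.8.1"},
]

# Fields an SBOM consumer needs to identify a component unambiguously.
REQUIRED_FIELDS = ("name", "version", "supplier", "purl")


def load_sbom(text):
    """Parse the SBOM and reject anything that is not a CycloneDX document."""
    doc = json.loads(text)
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError(f"unsupported bomFormat: {doc.get('bomFormat')!r}")
    return doc


def missing_fields(component):
    """Return the identifying fields this component does not carry."""
    return [f for f in REQUIRED_FIELDS if not component.get(f)]


def split_purl(purl):
    """Split 'pkg:type/name@version?qualifiers#subpath' into (base, version)."""
    base, _, rest = purl.partition("@")
    version = rest.split("?", 1)[0].split("#", 1)[0]
    return base, version


def parse_version(version):
    """Numeric dotted version -> tuple; non-numeric parts are treated as 0."""
    parts = []
    for part in version.split("."):
        match = re.match(r"\d+", part)
        parts.append(int(match.group()) if match else 0)
    return tuple(parts)


def affected_components(doc, advisories):
    """Match every purl-identified component against the advisory list."""
    hits = []
    for component in doc.get("components", []):
        purl = component.get("purl")
        if not purl:
            continue  # cannot match reliably without a package URL
        base, version = split_purl(purl)
        for adv in advisories:
            if adv["purl_base"] == base and parse_version(version) < parse_version(adv["fixed_in"]):
                hits.append({"name": component["name"], "version": version, "advisory": adv["id"]})
    return hits


def unmatched_components(doc):
    """Components that could not be matched because they carry no purl."""
    return [c["name"] for c in doc.get("components", []) if not c.get("purl")]


if __name__ == "__main__":
    sbom = load_sbom(SBOM_JSON)
    for c in sbom["components"]:
        if missing_fields(c):
            print(f"incomplete: {c['name']} missing {missing_fields(c)}")
    for hit in affected_components(sbom, ADVISORIES):
        print(f"affected: {hit['name']} {hit['version']} -> {hit['advisory']}")
    print("not matchable:", unmatched_components(sbom))
```

The completeness check matters as much as the advisory match: a component without a package URL (libbaz above) silently drops out of matching, which is exactly the gap a compliance review of an SBOM should surface.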
Originally published by devopsdigest: 2024 DevSecOps Predictions – Part 3