DEVOPSdigest asked industry experts how they think DevSecOps will evolve and impact development and application security in 2024. Part 2 covers risks and vulnerabilities.
DEVOPSdigest询问了行业专家,他们认为DevSecOps将如何在2024年发展并影响开发和应用程序安全。第2部分介绍风险和漏洞。
Start with: 2024 DevSecOps Predictions – Part 1
2024 DevSecOps预测-第1部分
AI-GENERATED CODE VULNERABILITIES
AI生成的代码漏洞
AI will play a significant role in generating code, allowing for faster development with fewer human resources. But as code inevitably becomes more like open-source software, AI-generated vulnerabilities will become a bigger concern. The speed at which AI-assisted developers work will underscore the importance of enhanced application visibility and security, as developers may lack the full understanding of their AI-generated output.
人工智能将在生成代码方面发挥重要作用,从而以更少的人力资源实现更快的开发。但随着代码不可避免地变得更像开源软件,人工智能产生的漏洞将成为一个更大的问题。人工智能辅助开发人员的工作速度将强调增强应用程序可见性和安全性的重要性,因为开发人员可能对其人工智能生成的输出缺乏充分的了解。
Shahar Man 沙哈尔人
Co-Founder & CEO, Backslash Security(link is external)
Backslash Security联合创始人兼首席执行官
Overconfidence in Generative AI code will lead to generated AI vulnerabilities: As more and more developers use generative AI to successfully help build their products, 2024 will see the first big software vulnerabilities attributed to AI generated code. The success of using AI tools to build software will lead to overconfidence in the results and ultimately a breach that will be blamed on the AI itself. This will lead to a redoubling across the industry of previous development practices to ensure that all code, written by both developers and AI, is analyzed, tested, and compliant with quality and security standards.
对生成式AI代码的过度自信将导致生成的AI漏洞:随着越来越多的开发人员使用生成式AI成功地帮助构建他们的产品,2024年将出现第一个归因于AI生成代码的重大软件漏洞。使用人工智能工具构建软件的成功将导致对结果的过度自信,并最终导致将责任归咎于人工智能本身的违规行为。这将导致整个行业以前的开发实践加倍,以确保开发人员和人工智能编写的所有代码都经过分析,测试并符合质量和安全标准。
Phil Nash 菲尔·纳什
Developer Advocate, Sonar(link is external)
Sonar开发者顾问
EMA’S 2024 CYBERSECURITY PREDICTIONS
EMA对2024年网络安全的预测
Chris Steffen, VP of Research covering Information Security, Risk, and Compliance Management at Enterprise Management Associates (EMA), and Ken Buckler, Research Analyst covering Information Security at EMA, make 2024 cybersecurity predictions on the Cybersecurity Awesomeness Podcast.
Enterprise Management Associates(EMA)负责信息安全、风险和合规管理的研究副总裁Chris Steffen和EMA负责信息安全的研究分析师Ken Buckler在Cybersecurity Awesomeness Podcast上对2024年的网络安全进行了预测。
Click here for a direct MP3 download of Episode 41
点击这里直接MP3下载第41集(link is external)
AI VULNERABILITIES AI漏洞
In 2024, the software landscape will witness a swift surge in AI integration, posing challenges for organizations that must understand how these tools are adopted. DevOps professionals become frontline defenders, addressing risks from data privacy to new attack vectors. This will make a strategic Software Bill of Materials (SBOM) crucial to enhance transparency and proactively manage AI-related components, empowering organizations to navigate this transformative era confidently.
到2024年,软件领域将见证人工智能集成的快速增长,这对必须了解如何采用这些工具的组织构成了挑战。DevOps专业人员成为前线捍卫者,解决从数据隐私到新攻击载体的风险。这将使战略软件物料清单(SBOM)对于提高透明度和主动管理人工智能相关组件至关重要,使组织能够自信地驾驭这个变革时代。
Tyler Warden 泰勒·沃登
SVP of Product, Sonatype(link is external) Sonatype产品高级副总裁
COMPRISED AI DEVELOPMENT
完整的AI开发
Organizations inability to identify the lineage of AI is going to lead to an increase in software supply chain attacks in 2024. Over the course of the last year, organizations have been heavily focused on how to prevent cyberattacks on AI. There’s only one problem: everyone is focusing on the wrong aspect. Many security teams have zeroed in on threats against AI once it’s deployed. Organizations are concerned about a threat actor using AI to prompt engineering, IT, or security to take action that could lead to a compromise. The truth is that the best time to compromise AI is when it is being built. Much like the majority of today’s software, AI is primarily built from open-source software. The ability to determine who created the initial AI models, with what bias, which developer with what intent, is by and large far more critical to preventing gaps in an organization’s security posture. I suspect that few organizations have considered this approach, and as a result, we’ll see all kinds of interesting challenges and issues emerge in the coming months.
组织无法识别AI的血统将导致2024年软件供应链攻击的增加。在过去的一年中,组织一直非常关注如何防止对人工智能的网络攻击。只有一个问题:每个人都关注错误的方面。许多安全团队已经将AI部署后的威胁集中在了AI上。组织担心威胁行为者使用AI来促使工程,IT或安全采取可能导致妥协的行动。事实是,妥协人工智能的最佳时机是在它被构建的时候。就像今天的大多数软件一样,人工智能主要是由开源软件构建的。确定谁创建了最初的AI模型,有什么偏见,哪个开发人员有什么意图的能力,对于防止组织的安全状况出现漏洞来说,总的来说更为关键。 我怀疑很少有组织考虑过这种方法,因此,我们将在未来几个月内看到各种有趣的挑战和问题。
Javed Hasan 贾韦德·哈桑
CEO and Co-Founder, Lineaje(link is external)
Lineaje首席执行官兼联合创始人
GENAI ATTACKS GENAI攻击
As the use of GenAI becomes more pervasive, the likelihood of someone inputting sensitive information increases. I wouldn’t be surprised to learn that, in 2024, a GenAI platform is hacked and some juicy data is discovered. People need to think about where the sensitive information they share goes before it ends up in the wrong hands — but they probably won’t before it’s too late.
随着GenAI的使用越来越普遍,有人输入敏感信息的可能性也在增加。我不会感到惊讶,在2024年,GenAI平台被黑客攻击,发现了一些有趣的数据。人们需要考虑他们分享的敏感信息在落入坏人之手之前会去哪里-但他们可能不会在为时已晚之前。
Anna Belak 安娜·贝拉克
Director, Office of Cybersecurity Strategy, Sysdig(link is external)
Sysdig网络安全战略办公室主任
GenAI leaks will put software supply chains at risk. Careless use of AI will lead to massive secrets leaks, resulting in all kinds of creative supply chain attacks. The known prevalence of poorly managed passwords, keys, and other sensitive information means that any code, configuration, or file someone sends to a GenAI API is a disaster waiting to happen.
GenAI泄漏将使软件供应链面临风险。不小心使用人工智能将导致大规模的秘密泄露,导致各种创造性的供应链攻击。众所周知,密码、密钥和其他敏感信息普遍管理不善,这意味着有人发送到GenAI API的任何代码、配置或文件都是等待发生的灾难。
Anna Belak 安娜·贝拉克
Director, Office of Cybersecurity Strategy, Sysdig(link is external)
Sysdig网络安全战略办公室主任
SDLC ATTACKS SDLC攻击
Amidst the rising attention of open source security, a newer threat will continue to grow in 2024. We won’t see just vulnerabilities but a surge in malicious components strategically designed to attack the Software Development Life Cycle (SDLC) itself. Developers’ machines and environments will become the new battleground as bad actors seek entry into organizational estates. This underlines the urgent need for a robust defense system against attacks and equipping developers with the necessary tools to do so.
随着对开源安全的日益关注,一种新的威胁将在2024年继续增长。我们不仅会看到漏洞,还会看到恶意组件的激增,这些恶意组件旨在攻击软件开发生命周期(SDLC)本身。开发人员的机器和环境将成为新的战场,因为不良行为者试图进入组织财产。这强调了迫切需要一个强大的防御系统来抵御攻击,并为开发人员提供必要的工具。
Tyler Warden 泰勒·沃登
SVP of Product, Sonatype(link is external) Sonatype产品高级副总裁
HACKERS TARGETING DEVELOPERS
黑客攻击黑客
Hackers will prioritize targeting developers. As the development environment and the developers themselves continue to be highly valuable assets, they have become the primary focus for malicious actors. With their privileged access to corporate computer systems, developers are now the top target for hackers. These cybercriminals are well aware that development and CI/CD environments are often less secure compared to internet-facing production environments. Consequently, phishing campaigns will increasingly be aimed at developers, aiming to pilfer their authentication tokens and other critical secrets utilized in the development cycle.
黑客将优先瞄准开发人员。由于开发环境和开发人员本身仍然是非常有价值的资产,他们已经成为恶意行为者的主要焦点。由于拥有访问公司计算机系统的特权,开发人员现在是黑客的首要目标。这些网络犯罪分子非常清楚,与面向互联网的生产环境相比,开发和CI/CD环境通常不太安全。因此,网络钓鱼活动将越来越多地针对开发人员,旨在窃取他们的身份验证令牌和开发周期中使用的其他关键机密。
Eric Fourrier 埃里克·福里耶
CEO and Co-Founder, GitGuardian(link is external)
GitGuardian首席执行官兼联合创始人
DEVOPS CYBERCRIMINALS 网络犯罪专家
Cyber Adversaries Will Unleash DevOps Expertise: We will see skilled cybercriminals with advanced expertise in DevOps, IT, and Security, unlike anything we’ve seen before. These adversaries will leverage their target’s existing IT stack to meet their malicious needs. They’ll do this by manipulating security controls to establish and maintain persistence and evade detection — without the need for malware.
网络对手将释放DevOps专业知识:我们将看到熟练的网络犯罪分子在DevOps,IT和安全方面拥有先进的专业知识,这与我们以前见过的任何事情都不同。这些攻击者将利用其目标的现有IT堆栈来满足其恶意需求。他们将通过操纵安全控制来建立和维护持久性并逃避检测-而不需要恶意软件。
Sam Rubin 山姆·鲁宾
VP of Unit 42 Consulting, Palo Alto Networks(link is external)
帕洛阿尔托网络公司Unit 42 Consulting副总裁
ZOMBIE API
There is a problem with API sprawl that will become worse in 2024: the rise of Zombie APIs within enterprise organizations, and the security threat these troublesome APIs pose. Zombie APIs are endpoints that are no longer maintained yet are still active. They may be unused endpoints, old features never officially deprecated, or forgotten development or testing environments. And as infrastructures scale larger and add complexity, API sprawl worsens. Zombie APIs are a type of technical debt that could pose a legitimate threat if left to rot.
API蔓延的一个问题将在2024年变得更糟:企业组织内僵尸API的兴起,以及这些麻烦的API带来的安全威胁。僵尸API是不再维护但仍处于活动状态的端点。它们可能是未使用的端点,从未正式弃用的旧功能,或者被遗忘的开发或测试环境。随着基础设施规模的扩大和复杂性的增加,API也会蔓延。僵尸API是一种技术债务,如果任其腐烂,可能会构成合法的威胁。
Joshua Scott 约书亚·斯科特
Head of Security and IT, Observability, Postman(link is external)
Postman安全和IT主管,可观察性
API ATTACKS API攻击
As more enterprises rely heavily on their software application architecture, APIs are essential for business-critical solutions. Even though the number of APIs introduced in the market is increasing day by day, API security is not scaling at the same rate. In 2024, DevSecOps teams need to prepare for an increase in API Security breaches from authenticated attackers that have signed up as legitimate-looking customers or partners. Firewalls and gateways alone aren’t going to cut it. Instead DevSecOps need to build an effective API Security strategy that measures and manages the API attack surface from the inside – by employing continuous API threat detection and incident response monitoring.”
随着越来越多的企业严重依赖其软件应用程序架构,API对于业务关键型解决方案至关重要。尽管市场上引入的API数量每天都在增加,但API安全性并没有以同样的速度扩展。在2024年,DevSecOps团队需要为API安全漏洞的增加做好准备,这些漏洞来自已注册为合法客户或合作伙伴的已验证攻击者。仅凭防火墙和网关无法解决问题,DevSecOps需要构建有效的API安全策略,通过持续的API威胁检测和事件响应监控,从内部测量和管理API攻击面。”
Robert Dickinson 罗伯特·狄金森
VP of Engineering, Graylog(link is external)
Graylog工程副总裁
Secure API development will become more prevalent in 2024 as organizations struggle to manage the automated attacks targeting their API ecosystem. For an unlucky number of organizations, data breaches will be the result of a compromised API. While SDLC practices are well intended, they aren’t equipped to address complex attacks targeting flaws in the design and implementation of an API or application’s business logic. Most organizations don’t have visibility into their APIs because they lack complete and up-to-date API schema definitions. API pen tests rely on the API schema for test generation, which means that undocumented APIs are missed during testing. Conventional pen testing is ineffective at identifying broken object level authorization and other abuses related to API business logic. In its place, organizations will implement API testing, enabling them to review an API in the development lifecycle for the risks listed in the OWASP Top 10 for API Security.
安全的API开发将在2024年变得更加普遍,因为组织将努力管理针对其API生态系统的自动化攻击。对于一些不幸的组织来说,数据泄露将是受损的API的结果。虽然SDLC实践的意图是好的,但它们不具备解决针对API或应用程序业务逻辑的设计和实现中的缺陷的复杂攻击的能力。大多数组织无法看到他们的API,因为他们缺乏完整和最新的API模式定义。API笔测试依赖于API模式来生成测试,这意味着在测试期间会遗漏未记录的API。传统的笔式测试在识别损坏的对象级授权和与API业务逻辑相关的其他滥用方面是无效的。取而代之的是,组织将实施API测试,使他们能够在开发生命周期中审查API,以了解OWASP Top 10 for API Security中列出的风险。
Lebin Cheng 程乐斌
VP, API Security, Imperva(link is external)
Imperva API安全副总裁
CLOUD API ATTACKS 云API攻击
APIs in the cloud are an increasingly popular threat vector for cybercriminals as, if breached, they expose sensitive data. Part of the appeal is that they are often the easiest way for hackers to access a company’s network. The increasing popularity of API attacks will accelerate the number of organizations deploying security test automation solutions to combat the problem. The number of cloud-based API attacks will surge in 2024 and GPU farming, where a set of servers allocate resources to perform calculations in the minimum amount of time, will become another popular target of cloud-based attacks.
云中的API是网络犯罪分子越来越受欢迎的威胁载体,因为如果被攻破,它们会暴露敏感数据。部分吸引力在于它们通常是黑客访问公司网络的最简单方法。API攻击的日益流行将加速部署安全测试自动化解决方案以解决该问题的组织数量。基于云的API攻击数量将在2024年激增,GPU农场(一组服务器分配资源以在最短时间内执行计算)将成为基于云的攻击的另一个热门目标。
Mike Wilson
CTO, Enzoic(link is external) 首席技术官,Enzoic
OPEN-SOURCE LIBRARY VULNERABILITIES
开放源代码库漏洞
A growing list of supply chain attacks make them a hot topic for development organizations today. There’s an underlying design issue exploited by these attacks and it is that all modern software is built on top of other third-party software components, often without clear visibility on the code quality of all the downloaded packages. A single code vulnerability introduced by a library can be used for large-scale attacks against multiple softwares using this library. Because the main code of popular open source software becomes well-reviewed and tested, attackers will focus more on finding previously unknown code vulnerabilities hidden in widely-used but lesser known open-source libraries. It’s a very effective and subtle attack vector to compromise many organizations at once. In tandem with the risk and threats, the importance of a deeper code analysis will grow that also covers the code of libraries.
越来越多的供应链攻击使其成为当今开发组织的热门话题。这些攻击利用了一个潜在的设计问题,即所有现代软件都构建在其他第三方软件组件之上,通常无法清楚地看到所有下载包的代码质量。由库引入的单个代码漏洞可用于针对使用此库的多个软件的大规模攻击。由于流行的开源软件的主要代码经过了严格的审查和测试,攻击者将更多地关注于发现隐藏在广泛使用但鲜为人知的开源库中的以前未知的代码漏洞。这是一种非常有效和微妙的攻击媒介,可以同时危害许多组织。随着风险和威胁的增加,更深入的代码分析的重要性也将增加,这也包括库的代码。
Johannes Dahse 约翰内斯·达瑟
Head of R&D, Sonar(link is external) 研发主管,Sonar
DevOps and DevSecOps staff will need to place greater emphasis on monitoring third-party libraries and tools used in software development for security vulnerabilities. Since third-party software is often used in trusted applications, many of which have administrator or elevated privileges, organizations should also implement microsegmentation to contain the spread and blast radius of attacks.
DevOps和DevSecOps工作人员需要更加重视监控软件开发中使用的第三方库和工具的安全漏洞。由于第三方软件通常用于受信任的应用程序中,其中许多应用程序具有管理员或高级权限,因此组织还应实施微分段以遏制攻击的传播和爆炸半径。
Sameer Malhotra 萨米尔·马尔霍特拉
CEO, TrueFort(link is external) TrueFort首席执行官
SAAS APPLICATION ATTACKS
SAAS应用程序攻击
As many businesses shift to remote or hybrid work post-pandemic, a significant amount of SaaS applications have been downloaded for work use. In 2024, SaaS applications will present the next biggest attack surface that organizations have not yet addressed. Businesses are increasingly relying on cloud-based solutions for critical operations, which is expanding the attack surface and broadening the canvas for cybercriminals to exploit vulnerabilities. Moreover, the rise in popularity of Generative AI will make social engineering attacks become easier for SaaS identity account takeovers. Security teams will need to assess all the applications that have been installed by employees, determine which are necessary for business operations, and understand the attack surface each presents. In the new year, organizations will need to “clean up” their SaaS security posture and remove all unnecessary applications with extensive permissions. Security teams will need to develop a comprehensive SaaS security program to monitor application installations and manage security controls so they can avoid a major SaaS data breach in the new year to come.
随着疫情过后许多企业转向远程或混合工作,大量SaaS应用程序已被下载用于工作。到2024年,SaaS应用程序将成为组织尚未解决的下一个最大的攻击面。企业越来越依赖基于云的解决方案来进行关键操作,这扩大了攻击面,并扩大了网络犯罪分子利用漏洞的范围。此外,生成式人工智能的普及将使社交工程攻击变得更容易被SaaS身份账户接管。安全团队需要评估员工安装的所有应用程序,确定哪些应用程序是业务运营所必需的,并了解每个应用程序所呈现的攻击面。在新的一年里,企业将需要“清理”其SaaS安全状况,并删除所有不必要的具有广泛权限的应用程序。 安全团队将需要开发一个全面的SaaS安全计划来监控应用程序安装和管理安全控制,这样他们就可以避免在新的一年里发生重大的SaaS数据泄露。
原文始发于devopsdigest:2024 DevSecOps Predictions – Part 2