The year 2020 saw a tremendous shift towards doing business online due to COVID-19, and cybercriminals have taken this opportunity to up their attacks, both in frequency and scope.
The FBI reported that the number of complaints about cyberattacks to their Cyber Division is up to as many as 4,000 a day. That represents a 400% increase from what they were seeing pre-coronavirus.
In June, Microsoft also reported that COVID-19 themed attacks, where cybercriminals get access to a system through the use of phishing or social engineering attacks, have jumped to 20,000 to 30,000 a day in the U.S. alone.
Particularly alarming were next-generation cyber attacks aimed at actively infiltrating open-source software supply chains, which saw a 430% increase since last year, according to the 2020 State of the Software Supply Chain report published in August.
“Attackers are always looking for the path of least resistance. So I think they found a weakness and an amplifying effect in going after open-source projects and open-source developers,” said Brian Fox, the chief technology officer at Sonatype. “If you can somehow find your way into compromising or tricking people into using a hacked version of a very popular project, you’ve just amplified your base right off the bat. It’s not yet well understood, especially in the security domain, that this is the new challenge.”
However, proper tooling, such as the use of software composition analysis (SCA) solutions, can ameliorate some of these issues. SCA is the process of automating the visibility into open-source software for the purpose of risk management, security and license compliance.
To improve open-source security, the Linux Foundation launched a new initiative called OpenSSF in August. OpenSSF is committed to collaboration and working both upstream and with existing communities to advance open source security for all as open-source software has become more pervasive in data centers, consumer devices, and services.
The concept of DevSecOps in which security tools are used earlier in the development workflow, in developers’ IDEs, but also in their code management systems and their build tools, has grown in importance.
To further DevSecOps, GitHub launched a new code scanning capability in October that scans code as it is created and provides reviews within pull requests and other GitHub experiences. Soon after, IBM released its Code Risk Analyzer that can be configured to run at the beginning of a developer’s code pipeline and it reviews and analyzes Git repositories for known issues with any open-source code that needs to be managed.
Despite new tools emerging, a report published in October by WhiteSource found that 73% of developers sacrifice security for speed.
“There are a lot of advantages to the proliferation of automated tools throughout the DevSecOps pipeline. However, managing and orchestrating all of them has also become a process in itself, that can take up a lot of time, and also create further friction between teams using a variety of different tools,” said David Habusha, vice president of product at WhiteSource.
Also, 2020 saw the enactment of the California Consumer Privacy Act on January 1st. As of September, when we covered the topic, there were no major fines issued. However, the GDPR regulation that has been in effect since May 2018, has picked up steam.
As of February 2019, nine months after GDPR took effect, only 91 fines had been issued, and most of them were small fines, while as of August 2020, there have been 347 fines issued, totalling close to $209 million.
“For GDPR it took almost one year before the bigger fines started taking effect. Because of the fact that CCPA went into a stretch period with COVID, it was a kind of silent launch. In the next six months we will see more and more of the people, the activists trying to enact their rights and we will see more of the effects of this regulation,” said Jean-Michel Franco, the director of product marketing for Talend.