As we bid farewell to another year, it is crucial to reflect on the threats of cyberattacks and ransomware and think of how to mitigate them moving forward. However, this year feels a bit different – marked by the unknown of what challenges AI will bring to the security landscape in the new year.
This comes on top of persistent supply-chain security vulnerabilities, insider threats, and more that have only grown this year.
The Cybersecurity and Infrastructure Security Agency (CISA) recently unveiled a roadmap with five key efforts aimed at the responsible and secure deployment of AI.
Firstly, the agency commits to responsibly employing AI to fortify cyber defense, adhering to applicable laws and policies. Second, CISA aims to assess and ensure the default security of AI systems, fostering safe adoption across various government agencies and private sector entities. The third effort involves collaborating with companies to safeguard critical infrastructure from potential malicious uses of AI, addressing threats, vulnerabilities, and mitigation strategies.
In its fourth effort, CISA emphasizes collaboration and communication with other agencies, international partners, and the public to develop policy approaches concerning security and AI. Lastly, the agency plans to bolster its workforce by expanding the number of qualified AI professionals through education and recruitment efforts.
The dominant player in the AI space, OpenAI, also recognizes the need for training and secure AI use.
OpenAI this year introduced the Cybersecurity Grant Program, a $1 million initiative designed to advance and quantify AI-driven cybersecurity capabilities while promoting high-level discourse in the field.
Seeking collaboration with security professionals globally, the company aims to rebalance power dynamics in cybersecurity through the strategic use of AI technology and fostering coordination among like-minded individuals. The overarching goal is to prioritize access to advanced AI capabilities for security teams, with a commitment to developing methods that accurately measure and enhance the efficacy of AI models in the realm of cybersecurity, thereby ensuring collective safety.
Also, this year showed that many applications still have many vulnerabilities and many more projects aren’t actively maintained, particularly in the open-source space.
In January, application security testing solution provider Veracode released a report showing that nearly 32% of applications are found to have flaws at the first scan, jumping to almost 70% once they have been in production for five years. The report also stated that after the initial scan, most apps enter a safety period of about a year and a half, where 80% do not take on any new flaws.
In 2023, there was a 18% decline in the number of open-source projects that are considered to be “actively maintained.” This is according to Sonatype’s annual State of the Software Supply Chain report.
The report highlights a concerning statistic, finding that merely 11% of open-source projects are actively maintained. Despite this, Sonatype emphasizes that 96% of vulnerabilities in open-source software are preventable.
The report revealed that 2.1 billion downloads of open-source software occurred, and among them were instances where known vulnerabilities existed, and newer versions addressing these issues were available. This underscores the need for increased attention to maintaining and updating open-source projects to mitigate potential security risks associated with outdated software versions.
Organizations are taking the initiative to fix the vulnerabilities
Recognizing the widespread security challenges, major corporations are proactively launching initiatives to address and counteract the proliferation of security issues in today’s digital landscape.
In March, the White House released a new plan for ensuring security in digital ecosystems. It hopes to “reimagine cyberspace as a tool to achieve our goals in a way that reflects our values: economic security and prosperity; respect for human rights and fundamental freedoms; trust in our democracy and democratic institutions; and an equitable and diverse society.”
Achieving this will require shifts from how we currently view cybersecurity. The Biden-Harris administration plans to rebalance the responsibility of security from individuals and small businesses and onto organizations that are best positioned to reduce risk for all. They also plan to rebalance the need to defend security risks today by positioning organizations to plan for future threats.
In October, Google enabled passkeys as the default authentication method in Google accounts. Passkeys offer a convenient and faster way to log in using fingerprints, face scans, or pins. They are 40% quicker than traditional passwords and boast enhanced security due to advanced cryptography, according to Google in a blog post. They also alleviate the burden of remembering complex passwords and are more resistant to phishing attacks.
Soon after, Microsoft announced its Secure Future Initiative, which consists of three main pillars: defenses that use AI, advances in software engineering, and international norms to protect civilians from cyber threats. Microsoft aims to establish an “AI-based cyber shield” to safeguard both customers and nations, expanding its internal protective capabilities for broader customer use. In response to the global shortage of cybersecurity skills, estimated at around 3 million people, Microsoft plans to leverage AI, particularly through tools like Microsoft Security Copilot, to detect and respond to threats. Additionally, Microsoft Defender for Endpoint will utilize AI detection methods to enhance device protection against cybersecurity threats.
Luckily, as technology advances, developers and organizations can turn to established frameworks and best practices released this year.
In June, the Open Worldwide Application Security Project (OWASP) announced the launch of OWASP CycloneDX version 1.5, a new standard in the Bill of Materials (BOM) domain that specifically targets issues of transparency and compliance within the software industry. The recent release expands BOM support beyond its existing coverage of hardware, software, and services. The primary goal is to enhance organizations’ capabilities in identifying and addressing supply chain risks, offering a more comprehensive tool for managing and mitigating potential vulnerabilities.
In September, the National Institute of Standards and Technology (NIST) released a draft document detailing strategies for incorporating software supply chain security measures into CI/CD pipelines. In the context of cloud-native applications employing a microservices architecture with a centralized infrastructure like a service mesh, the document outlines the alignment of these applications with DevSecOps practices.