Year in Review: Security

Published: December 27th, 2023

As we bid farewell to another year, it is crucial to reflect on the threats of cyberattacks and ransomware and think of how to mitigate them moving forward. However, this year feels a bit different – marked by the unknown of what challenges AI will bring to the security landscape in the new year.

This comes on top of persistent supply-chain security vulnerabilities, insider threats, and more that have only grown this year.

The Cybersecurity and Infrastructure Security Agency (CISA) recently unveiled a roadmap with five key efforts aimed at the responsible and secure deployment of AI.

Firstly, the agency commits to responsibly employing AI to fortify cyber defense, adhering to applicable laws and policies. Second, CISA aims to assess and ensure the default security of AI systems, fostering safe adoption across various government agencies and private sector entities. The third effort involves collaborating with companies to safeguard critical infrastructure from potential malicious uses of AI, addressing threats, vulnerabilities, and mitigation strategies.

In its fourth effort, CISA emphasizes collaboration and communication with other agencies, international partners, and the public to develop policy approaches concerning security and AI. Lastly, the agency plans to bolster its workforce by expanding the number of qualified AI professionals through education and recruitment efforts.

The dominant player in the AI space, OpenAI, also recognizes the need for training and secure AI use.

OpenAI this year introduced the Cybersecurity Grant Program, a $1 million initiative designed to advance and quantify AI-driven cybersecurity capabilities while promoting high-level discourse in the field.

Seeking collaboration with security professionals globally, the company aims to rebalance power dynamics in cybersecurity through the strategic use of AI technology and fostering coordination among like-minded individuals. The overarching goal is to prioritize access to advanced AI capabilities for security teams, with a commitment to developing methods that accurately measure and enhance the efficacy of AI models in the realm of cybersecurity, thereby ensuring collective safety.

Also, this year showed that many applications still have many vulnerabilities and many more projects aren’t actively maintained, particularly in the open-source space.

In January, application security testing solution provider Veracode released a report showing that nearly 32% of applications are found to have flaws at the first scan, jumping to almost 70% once they have been in production for five years. The report also stated that after the initial scan, most apps enter a safety period of about a year and a half, where 80% do not take on any new flaws.

In 2023, there was a 18% decline in the number of open-source projects that are considered to be “actively maintained.” This is according to Sonatype’s annual State of the Software Supply Chain report.

The report highlights a concerning statistic, finding that merely 11% of open-source projects are actively maintained. Despite this, Sonatype emphasizes that 96% of vulnerabilities in open-source software are preventable.

The report revealed that 2.1 billion downloads of open-source software occurred, and among them were instances where known vulnerabilities existed, and newer versions addressing these issues were available. This underscores the need for increased attention to maintaining and updating open-source projects to mitigate potential security risks associated with outdated software versions.

Organizations are taking the initiative to fix the vulnerabilities

Recognizing the widespread security challenges, major corporations are proactively launching initiatives to address and counteract the proliferation of security issues in today’s digital landscape.

In March, the White House released a new plan for ensuring security in digital ecosystems. It hopes to “reimagine cyberspace as a tool to achieve our goals in a way that reflects our values: economic security and prosperity; respect for human rights and fundamental freedoms; trust in our democracy and democratic institutions; and an equitable and diverse society.”

Achieving this will require shifts from how we currently view cybersecurity. The Biden-Harris administration plans to rebalance the responsibility of security from individuals and small businesses and onto organizations that are best positioned to reduce risk for all. They also plan to rebalance the need to defend security risks today by positioning organizations to plan for future threats.

In October, Google enabled passkeys as the default authentication method in Google accounts. Passkeys offer a convenient and faster way to log in using fingerprints, face scans, or pins. They are 40% quicker than traditional passwords and boast enhanced security due to advanced cryptography, according to Google in a blog post. They also alleviate the burden of remembering complex passwords and are more resistant to phishing attacks.

Soon after, Microsoft announced its Secure Future Initiative, which consists of three main pillars: defenses that use AI, advances in software engineering, and international norms to protect civilians from cyber threats. Microsoft aims to establish an “AI-based cyber shield” to safeguard both customers and nations, expanding its internal protective capabilities for broader customer use. In response to the global shortage of cybersecurity skills, estimated at around 3 million people, Microsoft plans to leverage AI, particularly through tools like Microsoft Security Copilot, to detect and respond to threats. Additionally, Microsoft Defender for Endpoint will utilize AI detection methods to enhance device protection against cybersecurity threats.

Luckily, as technology advances, developers and organizations can turn to established frameworks and best practices released this year.

In June, the Open Worldwide Application Security Project (OWASP) announced the launch of OWASP CycloneDX version 1.5, a new standard in the Bill of Materials (BOM) domain that specifically targets issues of transparency and compliance within the software industry. The recent release expands BOM support beyond its existing coverage of hardware, software, and services. The primary goal is to enhance organizations’ capabilities in identifying and addressing supply chain risks, offering a more comprehensive tool for managing and mitigating potential vulnerabilities.

In September, the National Institute of Standards and Technology (NIST) released a draft document detailing strategies for incorporating software supply chain security measures into CI/CD pipelines. In the context of cloud-native applications employing a microservices architecture with a centralized infrastructure like a service mesh, the document outlines the alignment of these applications with DevSecOps practices.

Article Tags

AI, CISA, Google, Microsoft, OpenAI, OWASP, security

About Jakub Lewkowicz

Jakub Lewkowicz is a multimedia journalist who loves all things tech. Polish-born and Long Island-bred, he is an Online and Social Media Editor for SD Times. He is also a Carnegie Hall pianist and music producer.

View all posts by Jakub Lewkowicz

Cookie	Duration	Description
cf_use_ob	past	Cloudflare sets this cookie to improve page load times and to disallow any security restrictions based on the visitor's IP address.
cookielawinfo-checkbox-advertisement	1 year	Set by the GDPR Cookie Consent plugin, this cookie is used to record the user consent for the cookies in the "Advertisement" category .
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
CookieLawInfoConsent	1 year	Records the default button state of the corresponding category & the status of CCPA. It works only in coordination with the primary cookie.
JSESSIONID	session	The JSESSIONID cookie is used by New Relic to store a session identifier so that New Relic can monitor session counts for an application.
PHPSESSID	session	This cookie is native to PHP applications. The cookie is used to store and identify a users' unique session ID for the purpose of managing user session on the website. The cookie is a session cookies and is deleted when all the browser windows are closed.
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

Cookie	Duration	Description
__atuvc	1 year 1 month	AddThis sets this cookie to ensure that the updated count is seen when one shares a page and returns to it, before the share count cache is updated.
__atuvs	30 minutes	AddThis sets this cookie to ensure that the updated count is seen when one shares a page and returns to it, before the share count cache is updated.
__cf_bm	30 minutes	This cookie, set by Cloudflare, is used to support Cloudflare Bot Management.

Cookie	Duration	Description
__gads	1 year 24 days	The __gads cookie, set by Google, is stored under DoubleClick domain and tracks the number of times users see an advert, measures the success of the campaign and calculates its revenue. This cookie can only be read from the domain they are set on and will not track any data while browsing through other sites.
_ga	2 years	The _ga cookie, installed by Google Analytics, calculates visitor, session and campaign data and also keeps track of site usage for the site's analytics report. The cookie stores information anonymously and assigns a randomly generated number to recognize unique visitors.
_ga_S6PB8V57DG	2 years	This cookie is installed by Google Analytics.
_gat_gtag_UA_846073_1	1 minute	Set by Google to distinguish users.
_gid	1 day	Installed by Google Analytics, _gid cookie stores information on how visitors use a website, while also creating an analytics report of the website's performance. Some of the data that are collected include the number of visitors, their source, and the pages they visit anonymously.
_jsuid	1 year	This cookie contains random number which is generated when a visitor visits the website for the first time. This cookie is used to identify the new visitors to the website.
at-rand	never	AddThis sets this cookie to track page visits, sources of traffic and share counts.
CONSENT	2 years	YouTube sets this cookie via embedded youtube-videos and registers anonymous statistical data.
iutk	5 months 27 days	This cookie is used by Issuu analytic system to gather information regarding visitor activity on Issuu products.
uvc	1 year 1 month	Set by addthis.com to determine the usage of addthis.com service.
vuid	2 years	Vimeo installs this cookie to collect tracking information by setting a unique ID to embed videos to the website.
WMF-Last-Access	1 month 14 hours 26 minutes	This cookie is used to calculate unique devices accessing the website.

Cookie	Duration	Description
__Host-GAPS	2 years	This cookie allows the website to identify a user and provide enhanced functionality and personalisation.
_pxhd	session	Used by Zoominfo to enhance customer data.
IDE	1 year 24 days	Google DoubleClick IDE cookies are used to store information about how the user uses the website to present them with relevant ads and according to the user profile.
loc	1 year 1 month	AddThis sets this geolocation cookie to help understand the location of users who share the information.
mc	1 year 1 month	Quantserve sets the mc cookie to anonymously track user behaviour on the website.
test_cookie	15 minutes	The test_cookie is set by doubleclick.net and is used to determine if the user's browser supports cookies.
VISITOR_INFO1_LIVE	5 months 27 days	A cookie set by YouTube to measure bandwidth that determines whether the user gets the new or old player interface.
YSC	session	YSC cookie is set by Youtube and is used to track the views of embedded videos on Youtube pages.
yt-remote-connected-devices	never	YouTube sets this cookie to store the video preferences of the user using embedded YouTube video.
yt-remote-device-id	never	YouTube sets this cookie to store the video preferences of the user using embedded YouTube video.
yt.innertube::nextId	never	This cookie, set by YouTube, registers a unique ID to store data on what videos from YouTube the user has seen.
yt.innertube::requests	never	This cookie, set by YouTube, registers a unique ID to store data on what videos from YouTube the user has seen.

Cookie	Duration	Description
__gpi	1 year 24 days	No description
__Secure-YEC	1 year 1 month	No description
_heatmaps_g2g_100754890	10 minutes	No description
_techvalidate_session	session	No description
cf_7166_id	20 years	No description
cf_7166_person_last_update	session	No description
f5avraaaaaaaaaaaaaaaa_session_	session	No description available.
GoogleAdServingTest	session	No description
Gyazo_cfwoker	7 years 2 months 17 days 7 hours	No description
incap_ses_451_2783402	session	No description
incap_ses_769_2783402	session	No description
loglevel	never	No description available.
m	2 years	No description available.
nlbi_2783402	session	No description
prism_252377639	1 month	No description
TS011605d9	session	No description
ustream-guest	session	No description available.
visid_incap_2783402	1 year	No description
xtc	1 year 1 month	No description

AI

AI and Software Development

Observability

Guide to Observability

CI/CD

A guide to CI/CD

Cloud Native

Cloud Native Content

Data

A Guide to Data

Test

Automation

Mobile

Mobile Testing

API

Sponsored by Parasoft

Performance

Load & Performance Testing

DevSecOps

A Guide to DevSecOps

Enterprise Security

A Guide to Security

Supply Chain Security

Supply Chain Security

Dev Manager

Dev Managers Content

Agile

A Guide To Agile

Value Stream

A Guide To Value Stream

Productivity

A Guide To Productivity

DevOps

DevOps Content

Microservices

A Guide to MicroServices

AI

AI and Software Development

Value Stream Management

A Guide To Value Stream

Year in Review: Security

Article Tags

Subscribe to SDTimes

About Jakub Lewkowicz

Related Articles

The key to successful secrets management is to make the best way the easiest way

Snowflake releases Arctic, a cost-effective LLM for enterprise intelligence

New Relic introduces new monitoring solution for AI applications

Amazon Bedrock adds ability to import custom models