by Chris Wysopal

Five predictions for application security in 2011

Dec 22, 2010
Tags: IT Strategy, Mobile, Security Software

Chris Wysopal is CTO at Veracode, the application security specialist. He’s put together a list of five application security predictions he thinks CIOs will face next year.

1. Sandboxing goes mainstream with adoption by Firefox and Internet Explorer

Sandboxing can prevent the exploitation of coding errors by preventing code running inside the sandbox from interacting with the operating system. Software companies with apps that are designed to render data and interpret script code downloaded from the Internet start to adopt sandboxing.

2. Microsoft follows Google and Mozilla and starts paying a bug bounty

Following Google and Mozilla, more companies will offer to pay researchers for reporting bugs to them. Microsoft, which stated years ago that it would never pay for bugs, caves to industry pressure as it is hit with more uncoordinated disclosures than its peers.

3. A mobile app causes a major enterprise security breach

Rapid growth of mobile apps continues on enterprise-connected mobile devices. Inevitably, attackers leverage this juicy new attack vector to penetrate corporate perimeters and gain access to sensitive data. It also turns out that the malicious application that enabled the attack was downloaded through a well-known and trusted app store.

4. Government and corporations stock up on anti-leak security products to defend against insider attacks, but high profile leaks continue

The insider threat problem is so huge that a single security product category such as DLP, coupled with new policies on removable media, fails to make a dent in leaks. The comprehensive security programs focused on internal applications and internal networks take years to implement. New organisations copy the Wikileaks model to give more outlets for leaked information.

5. A critical infrastructure facility in the US suffers a damaging incident resulting from a Stuxnet-like stealthy targeted worm

Stuxnet demonstrated a sophisticated, aggressive attack capability that can be replicated. Removable media is once again used to bridge an air gap, and a zero-day vulnerability in a SCADA system is used to cause physical damage.