F5 Labs’ Cybersecurity Predictions for 2021
- by nlqip
Why does vulnerability management fail? There are a couple of reasons:
- Enterprise IT teams can’t keep up with all the vulnerabilities because secure coding hasn’t been, and still isn’t, a priority across all organizations that write software. In a recent F5 security event where 300 participants responded to live polling, 21% of respondents said they have implemented a DevSecOps program, 43% said “somewhat,” and 37% had not begun to implement DevSecOps.
- The complexities of vulnerability mitigation, spanning from a “simple” hotfix to a full upgrade that requires scheduled downtime, prevent defenders from remediating vulnerabilities before attackers target them.
Unmitigated vulnerabilities cause breaches, spread malware such as ransomware, and feed the growth of the bots that are now debilitating the Internet with attack traffic. The Internet’s arteries are clogged with malicious traffic: depending on the sensitivity of the target, 50% to 90% of all application traffic consists of attacks. If we value a stable Internet, we need to do something drastic about vulnerable software.
In the face of this chaos and these challenges, we predict that broad consensus will build across the SecOps and DevOps communities (who also struggle with talent turnover and with managing code they didn’t create and don’t understand) that the right path forward is to rewrite software of a certain age. The only exceptions will be old code that is still maintained by the people who wrote it, and wrote it securely. However, despite this consensus, focusing on revenue over everything else means that investing in rewriting won’t happen at scale. Brands that do could reap trust and integrity rewards similar to those of Microsoft’s Trustworthy Computing initiative in 2002. What will happen is that SecOps and DevOps come closer together around common goals because, after all, security is the biggest threat to availability. Sara Boddy
Prediction 5: Companies will face more challenges with certificate management
With pressure from big players like Apple (whose Safari has refused publicly trusted TLS certificates valid for more than 398 days since September 2020) and others to reduce the lifetime of certificates, organizations will be challenged to build infrastructure to manage them. With the average number of certificates per enterprise increasing, tools like the EFF’s certbot (the reference Let’s Encrypt client), Netflix’s Lemur, and Venafi will roll out in greater numbers.
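Shorter lifetimes turn expiry tracking from an annual calendar reminder into a continuous job. The following is an added example, not code from F5 Labs or from any of the tools named above: it parses a PEM certificate, computes the remaining validity, and applies a renewal policy. The policy (renew when less than a third of the lifetime, or fewer than seven days, remains) is an assumption modeled on certbot’s default of renewing a 90-day certificate 30 days before expiry; the self-signed certificate is minted in-process purely so the example runs offline, and the hostname `app.example.internal` is made up.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math"
	"math/big"
	"time"
)

// RenewalPolicy decides when a certificate should be reissued. Fraction is the
// share of total lifetime that must still remain; MinDays is an absolute floor.
// Defaults are an assumed policy modeled on certbot's "renew at 30 of 90 days".
type RenewalPolicy struct {
	Fraction float64
	MinDays  int
}

func DefaultPolicy() RenewalPolicy { return RenewalPolicy{Fraction: 1.0 / 3.0, MinDays: 7} }

// CertStatus is one row of a certificate inventory report.
type CertStatus struct {
	Subject   string
	NotAfter  time.Time
	DaysLeft  int // negative once the certificate has expired
	Expired   bool
	NeedRenew bool
}

// ParseCertPEM returns the first CERTIFICATE block in a PEM bundle,
// skipping any keys or other blocks that precede it.
func ParseCertPEM(data []byte) (*x509.Certificate, error) {
	for {
		block, rest := pem.Decode(data)
		if block == nil {
			return nil, errors.New("no CERTIFICATE block found")
		}
		if block.Type == "CERTIFICATE" {
			return x509.ParseCertificate(block.Bytes)
		}
		data = rest
	}
}

// Assess applies the policy to one certificate at the given clock time.
func Assess(cert *x509.Certificate, now time.Time, p RenewalPolicy) CertStatus {
	total := cert.NotAfter.Sub(cert.NotBefore)
	remaining := cert.NotAfter.Sub(now)
	st := CertStatus{
		Subject:  cert.Subject.CommonName,
		NotAfter: cert.NotAfter,
		DaysLeft: int(math.Floor(remaining.Hours() / 24)),
		Expired:  remaining <= 0,
	}
	threshold := time.Duration(float64(total) * p.Fraction)
	st.NeedRenew = st.Expired || remaining < threshold || st.DaysLeft < p.MinDays
	return st
}

// SelfSigned mints a throwaway ECDSA certificate (constructed test input) so the
// example runs offline; in production the input is the PEM from your inventory.
func SelfSigned(cn string, notBefore time.Time, days int) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 62))
	if err != nil {
		return nil, err
	}
	start := notBefore.UTC().Truncate(time.Second) // X.509 times carry second precision
	tmpl := &x509.Certificate{
		SerialNumber: serial,
		Subject:      pkix.Name{CommonName: cn},
		DNSNames:     []string{cn},
		NotBefore:    start,
		NotAfter:     start.Add(time.Duration(days) * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

func main() {
	issued := time.Now().Add(-61 * 24 * time.Hour) // constructed: issued 61 days ago
	pemBytes, err := SelfSigned("app.example.internal", issued, 90)
	if err != nil {
		panic(err)
	}
	cert, err := ParseCertPEM(pemBytes)
	if err != nil {
		panic(err)
	}
	st := Assess(cert, time.Now(), DefaultPolicy())
	fmt.Printf("%s expires %s (%d days left) renew=%v\n",
		st.Subject, st.NotAfter.Format(time.RFC3339), st.DaysLeft, st.NeedRenew)
}
```

Run it over every certificate file your scanner finds and alert on `NeedRenew`; the fractional threshold matters because a fixed "30 days before expiry" rule that was fine for two-year certificates leaves almost no margin once lifetimes drop to 90 days or less.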
We also predict that key protection, the other side of certificate management, will continue to be a blind spot for many organizations. Locking down access to keys is usually done with access control lists (ACLs), but with increased east-west attacks these ACLs are less effective: an attacker who has moved laterally onto the host and runs as the service account reads the key file with exactly the permissions the ACL grants that account. Securing keys with OpenSSL passphrases, or with hardware security modules in larger organizations, will be a trend as well (with the caveat that a passphrase-protected key still has to be decrypted into the server’s memory at startup, so it protects the key only at rest, whereas a key that never leaves an HSM cannot be copied off the box at all). Cloud tools like Microsoft’s Azure Key Vault or Amazon Web Services’ creatively named Key Management Service will continue to see adoption. Microsoft even added support for Key Vault in Visual Studio Code, a strong indication of how much usage has increased. On-premises hosting will endure in larger organizations, but cloud solutions are opening an avenue for smaller organizations to adopt a more secure footprint. Peter Scheffler
Prediction 6: Attackers will start hijacking smart homes
We predict that taking smart homes hostage will emerge as a threat. Imagine coming home and being unable to get into your house because an attacker has hijacked your smart automation system. Sure, you could use a physical key, if you still carried one. But that’s somewhere in a kitchen drawer because you live in the modern age and keys are a quaint remnant of days gone by. Individual systems—such as digital car locks—are already being exploited. It’s folly to think that home automation vulnerabilities won’t eventually hit the headlines. We know that ransomware pays, and this is just another opportunity to make quick cash by taking control of something important to end users. Lori MacVittie
Prediction 7: Unauthorized data manipulation will become more common
Data has become increasingly important for every facet of modern business. It separates facts from opinions and powers decision making. Unfortunately, this also means that attackers can manipulate data to trigger our biases and cloud judgement, whether the data is about elections, trending topics, or ratings on an ecommerce platform. Manipulation like this can lead to detrimental decisions, both in business and in daily life.
As with most forms of cyberattack, scale, and therefore automation, is key to data manipulation. We have seen bots being used to scrape, snipe goods, conduct DDoS, exfiltrate data and even to skew metrics in digital assets. These techniques will compound issues arising from data manipulation in 2021. Similar to other bot-based attacks like sneakerbots, automated data manipulation will continue to blur the definition of what constitutes an attack. Shahnawaz Backer
Prediction 8: New cybersecurity regulations will be implemented
We’re definitely going to see some new regulations in the cybersecurity/privacy space. Considering all the shenanigans of 2020 and the continued mutterings around tech breakups, it seems that changes are coming. We could see an expansion of the California Consumer Privacy Act of 2018, either within California or laterally to other states or the federal level. Could we see a law like the EU’s General Data Protection Regulation in America? Maybe.
We could also finally see a federal breach notification act or expansion of breach notification that moves beyond leaking individual information to include corporate secrets (after all, the SUNBURST attack didn’t involve personal data and therefore isn’t subject to breach notification). Most political discourse moves through social media platforms, yet much of it is bot traffic pushing fake news. We can expect lawmakers to look at adjustments to Section 230 of the Communications Decency Act, which makes the person who writes the fake news responsible and not the social media platform that amplifies it. We could see stricter rules around ensuring that creators of user-generated content are clearly identifiable as human, and that harmful content (whatever it’s deemed to be) is curtailed. We could also see this crossing over into privacy regulation, since political messages have also been sent via microtargeted ads based on psychological profiles, which are hidden to everyone not directly involved. It’s going to be an interesting year. Raymond Pompon