Without knowing the threat, you can’t fight it. What does the future of hacking, security, and security testing hide behind the curtain? Let’s take a look and figure out how to fight the danger.
Companies neglected security testing – and the consequences are coming
The everlasting struggle between security and privacy will intensify in 2019. As consumers give away more sensitive information by using connected devices, the growing balloon of data is at risk of bursting. We’ve already seen plenty of this happening, first with the Equifax breach, then with the issues around Facebook’s data-collecting algorithms.
As the number of compromised data records for 2016-2018 shows, most companies underestimate the challenge. Yahoo alone had 3,000,000,000 profiles compromised. These leaks are not a coincidence but a regular pattern.
[Figure: biggest breaches in 2014-2017, in billions of records. Bridges burn, we never learn.]
Consequence #1 – GDPR entered the software security game
As the tension between security and privacy grows, the General Data Protection Regulation (GDPR) arrived, bringing a significant headache for risk managers and compliance officers. As the statistics show, security has been thoroughly ignored for years. With GDPR, business owners can’t afford to ignore it any longer.
For software developers and testers, this presents a big challenge. Adding cookies, verifying the safety of data processing and storage, database testing: these are just a few of the items on developers’ agendas these days.
GDPR made things tougher for developers and business owners (not to mention marketing departments). On the other hand, regulation could be the big push that will force businesses to finally consider security as their main priority.
Consequence #2 – Ransomware As A Service
Ransomware is extortion malware that targets a computer or a computer network in order to get money from its owners.
In 2017, we saw how powerful ransomware can be with the WannaCry, Petya, and NotPetya attacks. The WannaCry strike led to the collapse of 80 medical centers all over England and caused 20,000 canceled appointments. With the growth of blockchain and cryptocurrency technologies, ransomware gained a reliable channel for anonymous and secure financial transactions, which boosted the spread of the attacks.
Consequence #3 – AI-powered Hacking
While security and QA professionals get Artificial Intelligence to fight on their side, hackers use AI to their advantage as well. The first significant AI-powered threat was created in 2016 when DARPA, a Pentagon research agency, beat hackers at their own game by launching the Cyber Grand Challenge. The participants created smart hacking algorithms that used comprehensive customer insights to spot and fix crucial system vulnerabilities. This is a great achievement: on the one hand, it shows the enormous possibilities for security projects; on the other, it proves just how dangerous AI-powered hacking algorithms can be.
In 2019-2020, smart services will be able to find the smallest system vulnerabilities and analyze complex user behavior scenarios, performing difficult calculations that would take a professional human hacker months to conduct.
Consequence #4 – Open Source is Not Safe
If you’ve been following software development trends for a while, you have definitely noticed how open source tends to become a miracle cure-all for many software development issues. Microsoft’s recent acquisition of GitHub is just one more proof of how much big corporations are willing to invest in open repositories. However, the overall obsession with Open Source could decay as hackers prepare their attacks on development communities. In 2017, OpenAI Gym, an open-source machine-learning toolkit created by Elon Musk, faced a possible malware attack.
We can’t act surprised about it. When anyone can enter and change the code, there is no guarantee that all community members will play by the rules. Obviously, the further Open Source grows, the more tempting a target it becomes for hackers, especially since open access makes breaking in a piece of cake.
What are the results? For one thing, it threatens the dynamics of Open Source software development. Business owners will understand that it’s not necessarily the most cost-efficient method of software development because of the amount of required security investment. On the other hand, it will take Open Source to a new level of protection because developers and QA engineers will be forced to fight possible threats. If they win the battle, Open Source could become more attractive to bigger companies that previously had reservations about its safety.
Consequence #5 – Bounty Programs Lead Security Testing
As hackers grow smarter and adapt to new technologies, it has become apparent to security departments that cooperation might be the key to safety. That’s why businesses and governmental organizations actively collaborate with ‘friendly’ hackers who identify critical system flaws and enable security teams to prevent attacks before they happen.
So far, we’ve seen a range of such platforms, like HackerOne, used by and developed with the support of the U.S. Department of Defense, Shopify, GitHub, and WordPress. The Department of Defense went even further and launched programs such as Hack the Army, Hack the Air Force, and Hack the Pentagon, in which hackers were invited to identify critical issues and received financial compensation for doing so. Last year the DoD paid $10,000 in a single fee to two hackers, something no government had done before.
The cooperation between hackers and security departments is a key to understanding possible security issues and preventing dangerous data breaches.
How can we use these security changes?
Security changes every day, as does software development. If we combine software development technologies with thorough research into possible hacking threats, we are able to write algorithms that prevent attacks before they occur.
That’s why our security testing team always cooperates closely with developers, analyzing the product and identifying possible vulnerabilities. This way, we don’t fight attacks after the fact but make sure a threat is detected before it actually becomes dangerous. If you have a project in mind that you’d like to test, drop us a line.