Security, what opportunities and challenges for 2019?


Use the start of the year to contemplate how the previous year went, and prepare for the upcoming year is an important exercise to put things into perspective and reevaluate some of our choices.

2018 was a busy year for our industry, the number of changes that we have witnessed for the past year alone seems more than the past 10 years combined.

Cloud

Cloud has for instance moved from this geeky oddity, to an exciting opportunity and now to an established product and a solution that is reshaping many of our practices.

Cloud is both a great opportunity and an interesting challenge. It helps for instance solve some difficult problems in security, like inventory, patch management, etc.

It is also a challenge as it requires coping with a fast changing environment and an increasingly complex technological landscape.

Take Kubernetes for instance, it is at the moment the most established container orchestration solution, but also the one with steepest learning curve. It has a dedicated package management (Helm), it offers a plethora of services, from replica sets to ingress rules to role based access control and it can be augmented with even more complex solutions like Istio and Knative.

This means that there is both a lack of tooling and skills when it comes to understanding and securing these types of infrastructure.

Mobile

Mobile continues to become the new way users consume services, we continue to see reinforcements in previously seen trends.

Javascript has become a viable choice to build a mobile applications, Typescript and Kotlin increased their presence in the mobile world, React already had a strong story, thanks to React Native. Vue.js and Angular are now also making a presence thanks to newly emerging multi-platform frameworks, like Native Scripts for instance.

New performance hungry features are becoming more popular, like machine learning and augmented reality.

Web

2018 was an exciting year for the Web development HTTP/3 is getting standardized, Referer policies are more commonly used. WebAssembly is now supported in all major browsers. DNS now has a TLS version and PHP is having a comeback thanks to Laravel. Not sure if it is a good thing though, but Laravel is great.

XSSes are finally dead ... just wishful thinking, still here and still the top most seen vulnerabilities. CSP, XSS auditors, safe templating frameworks helped, but not there yet, curious to see what the new trusted types and Sec-Metdata will have as an impact.

Concepts

Security has always been -and still is- a cost center, a compliance tick box, that annoying guy who always says NO!.

Trying to rethink some outdated practices is becoming crucial as we are getting outrun by the pace at which things are changing. For instance, concepts like password renewal policies are outdated once we use 2 factor authentication, secure defaults are good, but not good enough, secure by default and hard to misuse is better, perimeter security no longer make sense if you don't have a perimeter

Many security practitioners have stopped attending security conferences for instances, because there is nothing new, we keep complaining about the same errors others are making without really providing an answer to solve them. Go to a programming conference or to an open-source project conference and you will be submerged by a vague of innovation and change.

It is our duty to self-reflect on what our industry is doing wrong and we should rethink our position is a fast-paced environment.