
Top 6 technology trends that affect software security
1. Everything is mobile

- With the advent of mobile payment technologies and e-wallets for transferring money, the focus is shifting away from traditional money management.
- The storage of payment information on mobile devices has long been a driving force for cyber criminals and, as more and more people conduct financial transactions online, the attack surface grows.
- We also have to worry about mobile malware. The Apple and Google app stores have both been hit by mobile malware.
- For example, the XcodeGhost malware is able to obtain sensitive data such as user credentials. We can expect to see more attacks like this in the future.

What can be done?

- Because software security for mobile applications is a growing technology trend, organizations should have their applications assessed before releasing them internally and externally to bolster their security.

2. Smarter automobiles

- Machine learning is quickly becoming a core part of autonomous technology, including cars.
- We have yet to see complete autonomy of cars, but we can still expect to see attacks on automobiles.
- In fact, we’ve already witnessed attacks on cars and planes in recent years.

What can be done?

- It’s scary to imagine your car’s computer system being hacked while driving to work.
- To prevent these attacks from taking place, manufacturers are diligently integrating software security into their vehicles.
- They are recognizing that any automobile part that is connected to the network needs to be protected.
3. Virtualization and cloud environments

- At a basic level, virtualization partitions a physical layer (say, a server) into different virtual layers (virtual machines).
- It helps a cloud environment provide software, data, or any computing resource efficiently, and often takes the form of a software-defined network.
- Virtualization leads to a complex structure of layers in which each layer has to be secured.
- With the advancement of virtualization within cloud environments, we are seeing an increase in reported software security defects, and this technology trend is sure to continue.

What can be done?

- Organizations are heavily dependent on virtualization for core functions because it provides easier deployment and management, improved disaster recovery, and reduced hardware costs.
- Delivering proper security mechanisms for these environments is a big technology trend.

4. Zero-day vulnerabilities

- A zero-day (also known as 0-day) vulnerability is a software security flaw that is not known to, or not disclosed to, the vendor.
- With a zero-day exploit, an attacker could cause serious damage, ranging from planting malware to gaining unauthorized system access.
- Infrastructures are increasingly built from interconnected components.
- This increases the attack surface and gives attackers more room to exploit.

What can be done?

- Of course, we cannot predict what is going to be hit, and that is why software security needs to be taken seriously from the very beginning of the SDLC.

5. Wearable, smart tech, and Internet of Things

- The Internet of Things (IoT) is emerging at a rapid rate. We have more devices embedded with network connectivity that are collecting and exchanging data.
- Wearable devices, including medical devices, are vulnerable to being hacked.
- They might collect sensitive information such as GPS coordinates. We’ve seen quite a few cases related to ransomware.
- The technology trend is sure to continue as we connect more wearable and smart gadgets to the internet.
- It is scary to imagine an attacker holding a patient to ransom by controlling their pacemaker.

What can be done?

- We need to perform rigorous security tests before making such devices available to the public.
6. Internal security training

- Organizations are becoming more aware of the security problem.
- There is increasing demand for security training for software developers so that they are able to build secure software from the beginning.
- This technology trend will grow exponentially as more organizations identify the need for security training.

What can be done?

- Such training sessions are helpful to establish a “secure development” mindset among developers who don’t currently care about security unless the system gets compromised.

Different Methodologies

BSIMM (Building Security In Maturity Model)

- The Building Security In Maturity Model is a study of existing software security initiatives.
- By quantifying the practices of many different organizations, we can describe the common ground shared by many as well as the variations that make each unique.
- BSIMM is not a how-to guide, nor is it a one-size-fits-all prescription. Instead, it is a reflection of software security practice as observed in the field.
- By providing actual measurement data from the field, the BSIMM makes it possible to build a long-term plan for a software security initiative and track progress against that plan.
Microsoft Security Development Lifecycle

- The Microsoft SDL introduces security and privacy considerations throughout all phases of the development process, helping developers build highly secure software, address security compliance requirements, and reduce development costs.
- The guidance, best practices, tools, and processes in the Microsoft SDL are practices we use internally to build more secure products and services.
- Since first shared in 2008, we’ve updated the practices as a result of our growing experience with new scenarios, like the cloud, Internet of Things (IoT), and artificial intelligence (AI).

OpenSAMM (Software Assurance Maturity Model)

- The Software Assurance Maturity Model (SAMM) is an open framework to help organizations formulate and implement a strategy for software security that is tailored to the specific risks facing the organization.
- The resources provided by SAMM will aid in:
  - Evaluating an organization’s existing software security practices
  - Building a balanced software security program in well-defined iterations
  - Demonstrating concrete improvements to a security assurance program
  - Defining and measuring security-related activities within an organization
