Software security

The rapid ascendance of ChatGPT sparked a scramble in the cybersecurity space as multiple vendors rushed to embed the generative artificial intelligence tool into products designed to protect organizations from cyberattacks.

Microsoft combined its security network and global threat intelligence capabilities with GPT-4 to launch Security Copilot in March, and Cohesity last week announced plans to integrate its data security products with Microsoft services and OpenAI to better detect and classify threats. 

Microsoft is a strong supporter of ChatGPT maker OpenAI and has invested more than $11 billion in the company thus far.

OpenAI is not exclusive to Microsoft. Recorded Future released a tool last week that uses OpenAI’s large language models to help its threat intelligence customers detect threats automatically in real time by identifying breach indicators, vulnerabilities and misconfigurations.

It’s early days for the technology, but as technology vendors race to plug in generative AI, cybersecurity vendors will respond in kind. ChatGPT and generative AI won’t apply or warrant consideration in every layer of cybersecurity, but it is widely expected to impact critical areas, including product development and synthesizing disjointed streams of data to produce insights that will stir organizations into action.

“I think we're starting to see the early, early uses of it in the security world,” said Jon France CISO at (ISC)2.

Security vendors have weaved AI and machine learning into products and threat detection processes for decades, France said, and it’s proven quite successful at improving the signal-to-noise ratio, identifying anomalies or patterns that humans can’t do at scale.

ChatGPT and generative AI are expected to strengthen defensive capabilities by assisting with coding and alerting organizations to the most critical vulnerabilities or misconfigurations.

The flip side, of course, is that threat actors are also using the technology to craft seemingly authentic phishing lures and test its ability to write malware code.

The potential breakthroughs ChatGPT could achieve in cybersecurity are still largely under development. Justin Fier, SVP of red team operations at Darktrace, expects ChatGPT and generative AI to deliver more positive outcomes than negative, but it’s still too early to say exactly what that might be and how.

“Am I seeing the whole market being taken over by it? No. Do I think six months from now, 12 months from now, that’ll probably be a different case? Absolutely," Fier said. "I think we’re all still letting the dust settle.”

Potential use cases for good

ChatGPT may not completely reshape the underpinnings of cybersecurity defense, but many expect generative AI to make its mark in security. 

Keeper Security CEO and Co-Founder Darren Guccione expects products like ChatGPT to accelerate the development of new security products and processes.

“Everything is going to remain the same from an A-to-Z perspective, functionally the same, but things are going to catalyze and move much quicker with the advent of this technology as it embeds itself into product development lifecycles,” Guccione said. 

Previous AI advancements pulled into cybersecurity tools and practices, such as autonomous threat and vulnerability detection, could be a precursor of what’s to come.

Some cybersecurity professionals are asking ChatGPT questions or prompting the tool to write code, suggesting generative AI could be another indicator of health that professionals will have to contextualize for broader use, France said.

Conceptualizing and understanding data will be one of the biggest wins for ChatGPT, but professionals still have to ask the right questions, Fier said. Reaping the value of tools like ChatGPT requires technologists to understand what the technology can and cannot do.

“It’s not a sentient being. It’s not just going to run your [security operations center] for you and make decisions on your behalf,” Fier said.

Where AI shines in cybersecurity, according to many experts, is by taking on tasks that humans can’t.

“Us mere mortals, we can't really operate at the levels we would need to to work and operate efficiently,” Fier said.

This is where generative AI tools like ChatGPT can step up, by making the more rote or overwhelming parts of cyber defense easier.

“Things are changing so quickly within the environment, that us humans are just not up for that task," Fier said. "It's not our fault, we just can't, we don't have the compute power.”

A robust debate is emerging about the lofty goals and potential costs of actually implementing the Cybersecurity and Infrastructure Security Agency's long-awaited guidelines for secure by design. 

CISA, along with the FBI and National Security Agency, unveiled an extensive set of guidelines in concert with key international cyber authorities.

Officials are urging the global software industry to make substantial changes in how it develops applications in order to minimize flaws in code, make multifactor authentication a standard security feature and take other steps to reduce the risk of malicious attacks. 

“Companies, of course, are working towards building secure products, but [are they] really thinking about how they take true ownership of the security outcomes of their customers,” Bob Lord, senior technical advisor at CISA, told Cybersecurity Dive in an interview. “It’s a mindset change that will need to trickle down throughout the entire organization.”

Almost everyone involved says the software industry would like to build more trusted applications, but that requires a significant investment of time, money and expertise to make those necessary improvements. The fear is the loss of innovation, customer loyalty and ultimately profitability. 

The Software Alliance, also known as BSA, praised CISA for putting together a global effort to implement secure-by-design practices. 

“Enterprise software companies take seriously their responsibilities to customers and the public, and continuously work to evolve the security of their products to meet new threats,” Henry Young, director of policy at BSA, said via email. 

Young referenced BSA advocating secure-by-design principles over a period of years, which are also included in the BSA Framework for Secure Software. Beyond supporting the principles, BSA is also backing CISA’s call for senior business leaders to take a leadership role in managing cyber risk. 

CISA officials told Cybersecurity Dive that corporate leaders need to take a top-down approach to ensure companies are supporting cyber risk management. 

Google, which publicly pledged support for the effort back in February, said it was glad to see governments across the globe prioritizing secure-by-design principles. 

“It’s our belief that good security starts with the companies building the technology that gets put into people’s hands,” Royal Hansen, VP of privacy, safety and security engineering at Google, said in an emailed statement.

Hansen said building products that are secure by default is “at the center of Google’s security approach,” and is engrained in how the company serves everyone “from businesses, to consumers and public officials.”  

Microsoft on the other hand, declined to comment on the rollout of secure by design, and instead shared a March 9 blog from Tom Burt, when he expressed support for the Biden administration’s national cybersecurity strategy.

While there is public support for the secure by design framework as a concept, Tom McNamara, CEO of Hopr, has doubts CISA’s ambitious goals can be turned into achievable action. 

“The problem with software code — whether it is in a software or hardware product — is that it rarely operates in a closed system,” McNamara said via email. “It’s part of an interconnected system (think wireless devices) that expose it to all kinds of unplanned interactions.”

For example, with IoT devices operating in cloud and modern production environments using interconnected systems, this is more true than ever before, according to McNamara. In these types of environments zero-day vulnerabilities are a fact of life. 

Secure by default will be even more difficult to reach, McNamara said, mainly due to economic concerns. 

CISA officials position secure by default as allowing customers to avoid making extensive configuration changes to products in order to reach an optimum level of security.  For example, MFA would be enabled by default. Software users would also not be required to pay additional fees for extra security, but rather those additional layers would be included in products before they ship.

Security, at what cost?

CISA's Lord acknowledges that companies have spent the last two decades making new investments in security technologies, including advances in sandboxing, automated security updates and other features designed to build resilience. 

But some industry leaders fear the time and investment required to reach such a high standard will have real costs in terms of the investment and time required to develop new products. 

“The amount of testing and quality assurance necessary to achieve the CISA standard for this would slow the introduction of technology products to market,” McNamara said. “Time to market matters.”

Chris Wysopal, founder and CTO at Veracode, a specialist in application security testing, said in order for secure by design to work as intended, security needs to be continuous and built-in throughout the entire lifecycle of a product. 

“Too often, deadline-driven development organizations skimp on security best practices that prevent vulnerable and exploitable software flaws,” Wysopal said via email. 

Wysopal warned that open source is becoming a systemic risk for the country. Continuously evolving open source libraries shift from appearing secure one day to vulnerable the next. 

Automated security testing needs to be built into tools used by developers and the secure by design process must be measurable to determine effectiveness. Transparency also needs to be built into the process to make sure regulators and customers are properly informed. 

Brian Fox, co-founder and CTO of Sonatype, said the rising level of attacks in recent years demonstrates that the software industry has been slow to keep pace with the security needs of customers and that significant changes will need to take place. 

“Based on the new level of attacks happening everywhere against software supply chains, it should be impossible to think that you can build software like we did 20 years ago, with hard-coded passwords and anonymous access to systems by default,” Fox said via email. “This guidance makes it clear that this is unacceptable for those organizations that haven’t been keeping up.”

An aspirational movement to shift the responsibility for security in technology products and services to manufacturers and vendors got a major boost. Cyber authorities in the U.S. and six other nations issued recommendations and tactics to ensure products are secure by design and default from the get-go. 

The principles, as outlined by the Cybersecurity and Infrastructure Security Agency and its peers in the U.K., Germany, Canada, Australia, New Zealand and the Netherlands, put more connective tissue and action behind the Biden administration’s recently revealed national cybersecurity strategy.

The joint guide encapsulates many recommendations previously shared by CISA and other authorities, including technical recommendations for software and infrastructure design and best practices for default security measures.

Laws and regulations that impose greater responsibility on the technology sector aren’t likely to come quick or easy. For now, there are not enforcement mechanisms tied to the principles. 

The agencies behind the effort are strongly encouraging every technology manufacturer to build products in a way that prevents the need for customers to constantly perform monitoring, routine updates and damage control on their systems to mitigate cyber intrusions.

The status quo, described as vulnerable by design, bears constant weaknesses, the agencies said. Meaningful change requires technology manufacturers and vendors to revamp design and development programs, and place a much greater priority on security.

“Only by incorporating secure-by-design practices will we break the vicious cycle of creating and applying fixes,” the agencies said in the joint guide.

Secure-by-design

Secure-by-design development requires a significant investment of resources at each layer of the design and development process, the authorities acknowledged.

Manufacturers are urged to migrate to programming languages that eliminate widespread vulnerabilities and prioritize features that protect customers over those that might seem appealing but expand the attack surface.

“There is no single solution to end the persistent threat of malicious cyber actors exploiting technology vulnerabilities, and products that are secure-by-design will continue to suffer vulnerabilities,” the agencies said in the guide. “However, a large set of vulnerabilities are due to a relatively small subset of root causes.”

Secure-by-design principles may increase development costs, but they could also lower maintenance and patching costs long term, the agencies said.

The outlined secure-by-design tactics include:

• Memory safe programming languages, such as Rust, Ruby, Java, Go, C# and Swift.
• A secure hardware foundation that enables fine-grained memory protection.
• Secure software components, including libraries, modules, middleware and frameworks by commercial, open source and third-party developers.
• Web template frameworks that automatically escape user input to avoid cross-site scripting attacks.
• Parameterized queries to avoid SQL injection attacks.
• Static and dynamic applications security testing to detect error-prone practices.
• Peer code review
• Software bill of materials
• Vulnerability disclosure programs that allow security researchers to report vulnerabilities without fear of legal jeopardy.
• Complete CVE details, including root cause or common weakness enumeration.
• Infrastructure that is designed to adhere to defense-in-depth principles so the compromise of a single control doesn’t result in full system compromise.
• Measures and practices that meet CISA’s cybersecurity performance goals.

Secure-by-default

Technology vendors should make secure configurations the default baseline, and when customers deviate from those defaults it should be abundantly clear they are increasing the likelihood of compromise, according to the guide.

Products that meet this mark will automatically enable the most important security controls and provide customers the ability to use and further configure security controls at no additional cost.

“The complexity of security configuration should not be a customer problem,” the agencies said in the guide.

Additional security configurations should be included in the base product, much like seatbelts are included in all new cars, and not sold as a luxury option, according to the guide.

Secure-by-default tactics include:

• The elimination of default, universally shared passwords.
• A multifactor authentication mandate for privileged users.
• Single sign-on for IT applications.
• The provision of high-quality audit logs to customers at no extra charge.
• Recommendations on authorized profile roles and their designated use case.
• The prioritization of security over backwards compatibility.
• A consistent reduction in the size of hardening guides.
• An assessment of user experience burdens introduced by security settings.

Cyber authorities encourage organizations to hold technology manufacturers and vendors accountable for the security outcomes of their products.

“IT departments should be empowered to develop purchasing criteria that emphasize the importance of secure-by-design and secure-by-default practices,” the agencies said in the guide.

“Organizations should expect transparency from their technology suppliers about their internal control posture as well as their roadmap toward adopting secure-by-design and secure-by-default practices.”

The rising threat of flawed software will get even worse, as common vulnerabilities and exposures (CVEs) will average more than 1,900 per month, according to a report released by insurance provider Coalition.

The monthly total will include 270 high-severity and 155 critical vulnerabilities, which often give attackers the ability to remotely take control of computer systems.

The San Francisco-based company said 94% of organizations scanned in 2022 had at least one unencrypted service that was exposed to the internet.

The report opens a window into the role vulnerabilities play in exposing organizations to sophisticated threats. 

Log4j, which was disclosed in December 2021, demonstrated how unpatched vulnerabilities can expose the most advanced computer systems to attacks from criminal and nation-state adversaries looking for opportunities to exploit flawed applications. 

The increase is likely because researchers are investing more to uncover vulnerabilities and organizations are also conducting more audits to find flaws in software. 

“This overwhelming number of CVEs can be challenging for IT and security professionals to analyze meaningfully,” Tiago Henriques, VP of research at Coalition, said via email. “The incredible volume makes tracking increasingly tricky and the database is growing at an alarming rate.”

Most CVEs are exploited within 30 days of public disclosure.

Remote desktop protocol remains the most commonly scanned protocol, according to the report. In addition Elasticsearch and MongoDB database have high rates of compromise, with each showing up in a large percentage of ransomware attacks. 

Coalition based the report on a combination of information gathered through underwriting and claims data, scans of 5.2 billion IP addresses and a global network of honeypots, which are sensors that provide critical information on attacks. 

Threat actors have a new tool in their belts — ChatGPT.

ChatGPT is not foolproof,  but experts think its ability to customize and scale cyberattacks could threaten enterprises. Yet, the hype around ChatGPT is obscuring security concerns.

More than half of IT professionals predict that ChatGPT will be used in a successful cyberattack within the year, according to a BlackBerry survey of 1,500 IT decision makers across North America, the U.K. and Australia. 

More than 7 in 10 IT professionals think ChatGPT is a potential threat to cybersecurity and are concerned, according to the survey. 

While IT departments begin to decipher potential use cases, teams must also be aware of how generative AI might be used to target their company.

“As with any new or emerging technology or application, there are pros and cons,” Steve Grobman, SVP and CTO at McAfee, said in an email. “ChatGPT will be leveraged by both good and bad actors, and the cybersecurity community must remain vigilant in the ways these can be exploited.”

Anyone with access to a web browser can use ChatGPT, lessening the knowledge gaps and lowering the barrier to entry, Grobman said. 

With ChatGPT’s help, threat actors can generate well-written messages in bulk that are targeted to individual victims. This typically improves the odds of a successful attack, according to Grobman.

Following the rollout of ChatGPT, people have struggled to distinguish between AI-generated and human-written text. More than two-thirds of adults could not tell the difference between a love letter written by an AI tool versus a human, McAfee data published this month found.

OpenAI released a text classifier to help organizations identify AI-generated text, though the tool is unreliable. Plagiarism detection company Turnitin and several other vendors have started testing detection capabilities for AI-assisted writing as well. 

Phishing and prevention

The main goal for businesses regarding phishing attacks is to prevent employees from clicking random links or sending company information.

More than half of IT decision makers believe ChatGPT’s ability to help hackers craft more believable phishing emails is a top global concern, according to a BlackBerry survey.

Educating employees on how ChatGPT and other similar tools are used by threat actors can increase caution and empower employees to avoid these types of attacks, according to Paul Trulove, CEO at security software company SecureAuth. 

In addition to education, businesses can adopt a zero-trust model, which requires potential attackers to verify their identity and only provides successful intruders with access to limited resources, Trulove said in an email.

While this strategy may be met with internal resistance, managing access through zero-trust makes it harder for attackers to compromise enterprise systems, Trulove said.

Lowering the barrier to entry and shadow IT

Phishing attacks aren’t the only potential nightmare scenario. Cybercriminals could use AI-powered tools to offer malware Code-as-a-Service, according to Chad Skipper, global security technologist at VMware.

“The nature of technologies like ChatGPT allows threat actors to gain access and move through an organization’s network quicker and more aggressively than ever before,” Skipper said in an email.

Nearly half of IT decision makers believe ChatGPT’s ability to enable less experienced hackers to improve their technical knowledge is a top global concern, according to a BlackBerry survey.

In the past, it used to take hours for cybercriminals to gain access to a network, but now code can be generated within seconds, Skipper said.

Threats can also come from within an organization through the form of shadow IT. 

Businesses should remind employees about intellectual property protection, according to Caroline Wong, chief strategy officer leading the security, community and people teams at pentesting company Cobalt. 

“OpenAI does warn users not to share confidential information, so it’s important to reiterate that anything they use it for should be considered public,” Wong said in an email.

More than two-thirds of workers said they were using AI tools without first informing their bosses, according to a Fishbowl survey of almost 11,800 Fishbowl users.

“To mitigate risk and tackle the shadow IT issues, organizations must turn on the lights and gain visibility into every process and packet, limit the blast radius with segmentation, inspect in-band traffic for advanced threats and anomalies, integrate endpoint and network detection and response and conduct continuous threat hunting,” Skipper said.

 

A total of 98% of organizations worldwide have integrations with at least one third-party vendor that has been breached in the last two years, according to a report from SecurityScorecard and the Cyentia Institute. 

Third-party vendors are five times more likely to exhibit poor security, the report found. Half of organizations have indirect links to at least 200 fourth-party vendors that have suffered prior breaches. 

The information services sector maintained on average 25 vendor relationships, which is the largest number of any sector and more than double the overall average of third-party vendors, which was 10. Healthcare averaged 15.5 vendors and the financial services industry averaged the lowest number, with 6.5.

The research comes as organizations hit indirectly by attacks on a software supply chain are growing in frequency. Vulnerabilities that expose unsuspecting customers or ransomware attacks that create can chaos spell trouble not only for the targeted party, but for downstream customers.

“Visibility is a barrier to first parties in identifying potential vulnerabilities, as is the sheer volume of vendor relationships for organizations across sectors that indirectly exposes them to cyber risk,” Mike Woodward, VP of data quality and trust at SecurityScorecard, said via email.

The SecurityScorecard research is based on the analysis of more than 235,000 primary organizations globally and about 73,000 vendors and products that are used by them directly or used by their vendors. 

A separate report from Black Kite shows attacks on 63 vendor organizations during 2022 impacted almost 300 companies. On average, there were 4.7 impacted companies per vendor in 2022, compared with 2.5 per vendor in 2021. 

The most common vector of these attacks was unauthorized network access, accounting for 40% of the incidents, according to Black Kite. 

While the exact method of access is not usually disclosed or immediately known, unauthorized network access often is due to phishing, stolen credentials or vulnerabilities in access control, according to Bob Maley, CSO at Black Kite.

“The rise in remote work has opened up more opportunities for bad actors to strike,” Maley said via email. “Remote employees are usually operating on public, accessible networks where hackers are able to gain easy entry.”

Consider cyberthreats variations on a theme — the new and novel are rare. 

Instead, at their core, many of the top cyberthreats organizations encounter stem from human error and mistakes. That's why experts are quick to call out the perils of phishing and spear phishing attacks. 

Those initial mistakes can serve as a bridge to a larger incident. 

Cybersecurity Dive asked researchers and analysts what cyberthreats they expect to emerge this year and if they have any predictions on what attacks we'll see. Is there a trend or prediction you think we should highlight? Email us at [email protected]

(Responses have been edited for length and clarity)

Rick Holland, CISO and VP of strategy at Digital Shadows:

Don't expect massive change regarding next year's cyber threats. The threat landscape doesn't dramatically change year over year — it doesn't have to. Why reinvent the wheel when targeting the same unpatched applications and misconfigured remote services work so well? 

Extortion will continue, actors will target vulnerable supply chain partners, malicious crypto apps will steal millions, and hacktivists will continue to support their causes. All of this has happened before. All of this will happen again.

Geopolitics has driven the threat landscape since the dawn of time and will continue to do so in 2023. The implications from the Russia/Ukraine war and the China/Taiwan tensions aren't outliers, new flashpoints will emerge, and there will be implications for cyberspace.

Nicole Darden Ford, CISO for Rockwell Automation:

With rising geopolitical tensions, we expect cyberattacks to continue as a weapon of choice and critical infrastructure as a growing target. 

This is all the reason, public and private entities should follow cybersecurity guidance by government entities, such as CISA, to mitigate risks.

Mauricio Sanchez, research director at Dell’Oro Group:

Ransomware/data exfiltration will remain prevalent threat vectors via end-user compromise (classic phishing attacks) and IT misconfigurations.

Nation-state supported attacks will increase. The perennial attacks from North Korea and Iran will be joined by an increased number from Russia and China.

Attacks against OT/IoT will increase leading to another Colonial Pipeline class event.

Michael Diamond, technology analyst at Futurum Research:

From a cyberthreat perspective, of course, not all attacks and motivations are created equal. I think for mainstream attacks, I would still put phishing or spear phishing attacks at the top of my list since they are easy to deploy, effective and the path of least resistance. 

Fundamentally, we are still answering myriad emails and texts a day and attackers have become more sophisticated. 

Also, as more organizations are trying to permeate more analytics across the organization in reporting and platforms, the risks are higher since the sheer amount of data that is out there at their fingertips is greater than ever before. 

Chester Wisniewski, principal research scientist at Sophos:

Looking forward into 2023 has me very concerned with what developments we see with the malicious use of machine learning technologies. The criminals have largely been too lazy to embrace and abuse many of the existing solutions offered by modern artificial intelligence, but I think we may be turning a corner. 

In fact, the publicly available models like Dall-E and ChatGPT3 require no effort to abuse, which I suspect means that they will be quickly adopted by criminals if they can help advance their aims. 

I’m not sure they can all be armed — Dall-E isn’t particularly useful outside of creating memes and clipart for PowerPoint decks — but ChatGPT3 could easily be weaponized to help criminals write more convincing phishing and business email compromise scams. 

The majority of user training has focused on users looking for clues that the perpetrators are not likely native English speakers, but ChatGPT3 gives criminals a freely available tool to help eliminate that suspicion for many users.

Other than that, ransomware, blah blah blah, crypto scam, yada yada yada.

Jon Geater, chief product and technology officer at RKVST:

Software vendors can no longer hide their shortcomings, and software users can no longer hide from their responsibilities if they choose to deploy something inappropriate. 

Although there’s still a way to go, we are definitely now on a road on which the digital supply chain is recognized as being as critical as the physical one: Suppliers must supply quality, and consumers must take control of their own risk.

Regarding supply chain attacks, most of the problems come from mistakes or oversights originating in the supply chain which then open the target to traditional cyberattacks. 

It’s a subtle difference, but an important one. I believe that the bulk of discoveries arising from improvements in supply chain visibility next year will highlight that most threats arise from mistake, not malice.

Security is the most influential factor in the software purchasing process for half of US businesses, according to a report by Capterra. The report is based on a survey of 289 respondents who are responsible for software purchasing decisions. 

Businesses are willing to pay a premium for secure software that is well designed and intuitive, however 45% of businesses have stopped using software applications when security concerns arise. 

More than three-quarters of respondents considered data backups a must-have feature when choosing software. Other key features include security notifications, followed by the ability to encrypt data in transit and at rest.

The report comes at a critical time for the U.S. software industry, just weeks after the Biden administration released its national cybersecurity strategy, which has admonished the industry to accept secure-by-design as the new default posture for product development. 

The administration said it plans to shift the burden of liability to make sure security flaws are tested and remediated before the product is sent to customers. 

Some technology companies, such as Google and IBM, have publicly embraced the call to hold industry responsible for creating secure software. 

The Capterra study showed companies are increasingly willing to change their purchasing decisions when software fails to meet their security needs.

“Customers experiencing a security issue with a vendor are likely to consider looking elsewhere in today’s hyper competitive software environment,” Zach Capers, senior security analyst at Capterra, said via email. 

The report also found businesses are increasingly demanding a software bill of materials as a must-have feature in making purchasing decisions.