As we look forward into a new year 2023, we wanted to recap some of the most important developments we saw, and conversations we had during 2022. This episode features a look back at the key events and moments from the past twelve months before we share some of the expectations and predictions we have for the year ahead. Simon and Guypo sit down to discuss market corrections, the war in Ukraine, and also the tumultuous time that the crypto space has endured, before getting into some thoughts on the biggest lessons that can be garnered from these events. The ever-present message of better preparation is obviously a strong theme, and some time is spent reflecting on a few of the great guests and their insights on the show. Guypo underlines his excitement about the possibilities he sees in the authorisation space, and we also consider the managing of potential zero days in 2023. So to hear all this, and a whole lot more, press play now!
Episode 125
EPISODE 125
Guy Podjarny: “I think the decentralisation of security will continue. I mean, fundamentally, even in this financial kind of climate, what you see is digital transformation and modernisation and adoption of DevOps. Those continue to be that thing, that’s the number one, like we did, and we even more, invest more in that.
So, as you get different teams be more empowered to run fast or to run more continuously, the fact remains that you can’t secure software from the outside. You can’t secure the work that independent teams are doing from outside that contradicts itself. I would say, in 2023, we'll continue to see sort of the increase of DecSecOps, and what we're sort of seeing is you're seeing DecSecOps, make it into organisations that are maybe a little bit newer to DevOps, and they require more of a cultural adaptation to sort of decentralised security, and how security teams are happening.”
[INTRODUCTION]
[00:01:00] ANNOUNCER: Hi. You’re listening to The Secure Developer. It’s part of the DevSecCon community, a platform for developers, operators and security people to share their views and practices on DevSecOps, dev and sec collaboration, cloud security and more. Check out devseccon.com to join the community and find other great resources.
This podcast is sponsored by Snyk. Snyk’s a developer security platform helps developers build secure applications without slowing down, fixing vulnerabilities in code, open source containers, and infrastructure as code. To learn more visit snyk.io/tsd.
[EPISODE]
[00:01:48] Simon Maple: Hello, and welcome to another episode of the secure developer. My name is Simon Maple. I'm co-hosting this episode with Guy Podjarny. Guy, welcome.
[00:01:57] Guy Podjarny: Thanks, Simon. It's always nice to be sort of welcomed. Happy New Year.
[00:02:32] Simon Maple: This episode is going to be a 2022 recap, and we're going to talk a little bit about the kick-off of 2023, looking into what we can hopefully expect and maybe some predictions towards the end of that.
[00:03:03] Simon Maple: Okay, so what do we look back at 2022 then. What would you say are some of the key events that really, when we look back, shaped the 2022?
[00:03:14] Guy Podjarny: It was a bit of a mess. I mean, we all sort of finished 2021, thinking in 2022 will be the year of stability. Didn't quite sort of shape up that way. There's probably like a million things to talk about, kind of put aside maybe, like the shortlist premiership in history in the UK or sort of tanking. There's a bunch of those. But I think, probably the two dominant shapers of the year are the kind of market collapse that happened and the Ukraine war.
So, I think if we sort of maybe unravel them that – so the market corrected, collapsed, I guess depends on your observation. I think that's been very, very evident. All tech company’s valuations plummeted. Growth kind of demand got replaced with profitability, demand in it. And I think everybody is kind of tightening their belts and sort of spending less, and I think everybody's seeing it. But from a security lens, it showed some resilience. I mean, I think, maybe more even than in previous crises that we've had. I think we have sort of seen security to be relatively resilient to the spend, that people don't really think of security as extra spend, that optional spend, but rather, they keep spending on. It’s not unaffected. People still spend less money, still mindful, more of saving dollars. But I think it shows to be quite resilient and sort of understood to be one of the industries in which people will reduce their spend less.
[00:04:44] Simon Maple: Why do you think that is? Because obviously, as security is a cult centre, right? It's one of the places where sometimes it's easier to do that because you can argue somewhat that the more you spend on security, the harder it is to actually identify whether that return is worth it. Because ultimately, then the year do you get, have you been breached? Have you not been breached? And was that extra spend on security contributing to that or not? It's a tricky one too.
[00:05:12] Guy Podjarny: It's a very good question. And I think because to an extent, it's sort of easy to roll the dice than in security. Because unless you kind of get beaten, maybe you can get away with it. I think smaller companies are doing that. I think you see a lot of like, security is about protecting what you have. If you don't yet have enough, then maybe investing and ensuring you don't lose that is less important than investing in growing what you have in the first place.
But I think in larger organisations, I think it's just maybe like an appreciation, maybe sometimes lessons, hard learned. More and more people would have experienced. The breach would have seen their kind of competitors in the industry, maybe experiencing a breach and maybe just sort of more visceral. I guess, some amount of more explicit demand from customers. I mean, I think if you contrast today with, say, five years ago, especially when you're B2B, you're sort of selling to companies, the amount of scrutiny that companies run their vendors through today is I think, a lot higher than before. I think we've touched on it in some spot. Start-ups need to be SOC2 certified far sooner, far earlier. And FedRAMP is kind of building up. So, there's a lot of that. In some cases, like actual legislation and laws.
I think, it's being established as table stakes. If you want to use my software, I need to demonstrate how its there. I don't know that there has been – on the consumer side, I don't know that the same has happened. I don't know, if consumers are more mindful of security breaches. I think, maybe you can even make the case the other way around, that people get a little bit desensitised, just with the sheer number of sort of breaches, to whether it's sort of a company that would use a secure or not. Maybe they just gave up on thinking they wouldn't be.
[00:06:59] Simon Maple: You mentioned the Ukraine Russia war. How does the kind of like cybersecurity, cyber resilience play a part in that?
[00:07:06] Guy Podjarny: Yeah, I mean, I think that was definitely well, probably in a more appropriate to even call that the first trend. Unfortunately, we're sort of dragging this war with us into 2023, with fingers crossed, it's not a 2024 thing. Well, I think the Ukraine war was really interesting. We kind of touched on it a lot in the episode with Nicole Perlroth. If you missed that, she wrote, This Is How They Tell Me the World Ends, which is a great book. And it talks a lot about sort of cyber espionage and sort of between different basically cyber interplay between countries.
To me, the message from a cyber perspective, in the Ukraine-Russia, war is a positive one. I think, when it started, everybody was expecting the Russians to just kind of crush Ukrainian systems, as they've done back in, I think, 2016, and to take down their power grid, and then to really kind of dominate on the tech side. We basically haven't seen as much of it. If you talk to everybody sort of a bit more in the know, it's not for lack of trying. It's not, the Russians have kind of decided to play nice and just throw missiles versus try to kind of hack in. Instead, what do you sort of see is a lot of support. A lot of it from tech companies from Google, from Microsoft from Starlink for connectivity. A lot of it is basically applying security defences to key Ukrainian systems and individuals. Actually, being able to withstand a fair bit of the attack.
I see it as positive. I see it as a, sometimes in security to despair, and say, “We're never going to win. It's never going to work.” I think there’s some positive element to it.
[00:08:39] Simon Maple: Yeah. And actually, one session that I did with Liran on The Secure Developer, which I believe will be pushed out soon. It was in and around protestware trends. So, the idea that a maintainer can obviously make changes based on their beliefs, and in this case, obviously, they were against the Russia war. So, the peace not war node-ipc issue that came around was essentially this person protesting by making changes to that library, that of course, was used by many, many folks.
It's really interesting to see, we don't see too many of those where it's an actual incident that occurred through so an individual protesting. But it very much reminds me of the kind of, way back when, when left-pad came out, and it's an individual maintainer that almost held the JavaScript world hostage by removing their library. I wonder, maybe we leave this later for the predictions. But I wonder going forward, whether we will see more of these, maybe because of the climate crisis, or maybe because of, I don't know, maybe someone disagrees with the way the US election happened, or whatever it is. So, people then try and make an impact or try and raise awareness about issues through that is interesting.
[00:09:41] Guy Podjarny: Yeah, I agree. I think that when you look at the world when you sort of step outside of security, or even sort of tech industry, and you think the notion of individual protests or sort of trying to make noise or sort of empower citizen armies and the likes, trying to make a change is one that's growing. There's definitely a lot of shortage of things to complain about. Open source is sort of a democratised version of influence on the world, not that dissimilar to social media. And if someone has sort of a big whatever Twitter following, some subset of those will, even if they didn't start that way, get political and address or make a message, and that might have an impact. I think open source components are kind of the software equivalents of that, a bit more of a house of cards built on it. Yeah, but it's interesting.
I don't think anything really substantial has changed in the world in terms of our kind of mountains of dependencies. I think the registries have gotten better. So, maybe it's a little bit harder for someone to just like, pull a library from under your feet. But publishing a new version that has something like what we've seen with node-ipc, that kind of states and opinion, within themselves, potentially in a somewhat distracted fashion. I don't think there's anything that's been really put in place to prevent that from happening. There are maybe slightly faster response mechanisms, once it happens.
[00:11:03] Simon Maple: Do you think the consumer response has changed in terms of companies maybe having their own registries holding libraries local and things like that? Have you seen much change in that? Or do you see it even post left-pad or this incident, people acting in a different way towards consuming, latest and greatest, et cetera?
[00:11:19] Guy Podjarny: I think left-pad, which is at this point, I think maybe five years ago, four years ago, that left-pad happened. The situation isn't too different, especially sort of established organisation that would have some sort of local kind of artefact repository, and they would hold them. They would have copies of it, then the registries will be different. So, I think, literally kind of pulling a left-pad again, instead of just pulling a library out, I think will be harder to do.
I do think that publishing a problematic version, I don't think companies are really much more ready for that, because it comes back to like the inability to curate and scrutinise, all these indirect dependencies. What was really interesting about the protestware, I think, with peace not war, is that for many people in the tech industry, they agreed with the principle. It's somewhat similar to what we're seeing from extinction rebellion, with sort of more disruptive climate protests on it.
So, a lot of people might sort of not be happy with the means, and might not think it's sort of the right way to do it. But they might actually sort of align with the cause. And so, doing some form of like anti-war, anti-Russian aggression protest was related. But doing so through this type of software use, programmatic. I don't think that we're terribly protected against it. But I also feel like a little bit before that we've had, I think, in 2020, we've had kind of the chef incidents as well, with sort of pulled library from that world, because chef was sort of selling to the US government and there was sort of a lot of work. There were some sort of problematic behaviours around banning immigrants, children or pushing them out of the country with ICE. I think that was maybe the first big example of it. We've seen this probably second. And yeah, I would sort of anticipate some more.
I think the Ukraine-Russia war was a big deal. I guess the other thing that was really interesting in this year alongside the market is crypto, right? We just sort of had this sort of massive FTX debacle fraud, definitely one for the ages. But crypto was really, really, I guess, harmed and was a bit of a mess this year. A lot of the disillusionment, a lot of money lost both on the market aspect of it, but also, specifically with exchanges.
Really what we don't talk about almost at all, and it's really interesting how little we talked about given the sort of the sheer volume of money that gets lost in it, is the vulnerabilities. If you look around in crypto with all the different protocols, and especially, the ones that might be ridden the wave and maybe not been sort of as thorough, but also just a lot of smart contracts and all that, the number of breaches and breaches that leads to sort of 10s, sometimes hundreds of millions of dollars, definitely, regularly millions of dollars being stolen, is incredible.
There's actually been a lot of growth in that world that we're not really talking about too much. And we talked about – we're going to do an episode on that topic, just because it's super interesting. Even it’s not day to day applicable to a lot of people. But I think that crypto was another very interesting kind of shaper of 2022. But I'd say, market correction with security sort of thing quite resilient. The Ukraine war, maybe is a bit of a positive indication. And then the kind of the collapse of crypto with a lot of security concerns there would be the major ones.
Another interesting chain, it’s not a single event that has happened, but I think a lot of conversation is just the debate around centralisation versus decentralisation of data. So crypto, you could kind of argue that crypto is a piece of that as well. A lot of the security problems that occurred in crypto was actually in central exchanges. So, if you look at FTX, as an example, they've sort of mishandled a lot of purchasing of tokens and trading of tokens and just sort of the sheer management of money and the loans and stability. How do they secure it with crypto assets, or just risks upon risks? But all of those were actually not crypto behaviours. They were just a company that maybe negligent, maybe crooked. But that abuse the trust, and crypto decentralisation element itself was actually not in play. That would have actually addressed a lot of these things, because it would have decentralised.
But if you do that, then you have to hold the keys, and you have to secure those and that's problematic. So, it's interesting even crypto is that, but we're also seeing a ton of definitely, even towards the end of the year is a lot of conversations around for instance, like end to end privacy versus moderation, right? If you want the sort of the WhatsApp signal, sort of telegram style, end to end encryption, which a lot of applications provide today. There's like Skiff does that kind of emails. There's a few others. All of these end-to-end privacies, they’re great for privacy, and end to end encrypted. But it means a system cannot moderate the content. And there's been a lot of challenges around child pornography, and all sorts of like horrible things that generally the platforms today try to sort of filter for and back to the law enforcement, and they're missing that.
And I think, maybe a bit more publicly is the notion of central control of moderation. Most evident right now with Twitter, and the whole, definitely more of a spectacle than maybe it needs to be. But a lot of conversation about where is it that you should and when is it that you shouldn't intervene as a central entity.
Now, I'd sort of say that that’s on the edge of security, because security plays a role there in protecting the data and in saying, what type of power over the data does sort of a central entity have in the first place. And then if you did do that, then you have to protect data, you have to avoid it. In all of these things that I've mentioned right now. They're also just sort of run of the mill breaches. FTX had a breach, which presumably billions of dollars were transferred and stolen from. We'll see what happened there. Twitter had a big security breach. So, all of these things have, the more sort of straightforward security breach has happened alongside them as well.
[00:17:07] Simon Maple: Now, how about in terms of we've seen over the years, ransomware attacks that have been created. Any key ransomware attacks that we've seen in 2022?
[00:17:15] Guy Podjarny: There's a lot and it's an example of like desensitisation. There’s a lot of them. Healthcare was a big target. A lot of hospitals sort of taken, that, which was horrible when you sort of think about sort of the heartless element to it. But it’s basically organised crime most of the time. There was a massive attack on Costa Rica, I believe, which pretty much like, held the country ransom. And that's a good example, on basically the challenge of data and managing your data. If you're going to be in control of your own data, then you need to know how to secure it.
So, there's been a lot of that, and it ends up sort of being interweaved. I think ransomware today is kind of right up there with phishing. It's one of those things that will just continue to happen. It's creasing the system’s eyes. They don't really care what the target is. It's probably never going to be fully killed off. But we need to build better mechanisms with it.
[00:18:01] Simon Maple: I think, when we look back at the market crashes that we talked about, to help companies react to a market crash, obviously, a number of companies, it's actually a reasonable – well, valuations drop, and things like that. So, for some start-ups and things like that, it's actually time whereby they look at how long they can go for now with their run rate, et cetera. It can actually be a good time for acquisition, right? In the security space, it's always interesting when you look at who's being acquired and when. What was your takeaways for maybe some of the bigger acquisitions that you saw?
[00:18:30] Guy Podjarny: 2022 was interesting. And actually, it's like small number of acquisitions. I guess, the general perspective, that evaluations haven't really fully corrected in the private markets yet. It takes a while for it to sort of stagger down from the public markets. That would sort of place that more in sort of 2023 predictions, which is, I think there's going to be a lot of vendor consolidation in security, and a bunch of security start-ups that go bust. It's not as easy to get people to pay.
Probably the biggest and most interesting acquisition that happened this year was Google buying Mandiant, which was a pretty, pretty monster move. Google, I think they acquired like three or so, three or four different security companies. But Mandiant, clearly the biggest on it. We had Tim Crothers on the show, I think, at the end of 2021. He's great. He talks about how they sort of build security internally. But I think that would be really, really interesting.
What I would say probably signals a lot is just the importance of security to the cloud vendors. You've already had Microsoft. They've already had a big security play. You see Google making this moves. Amazon, kind of more advancing to it through build and a variety of services. If you kind of harken back to what happened in the load balancers and sort of network equipment vendors, something quite similar happened. You sort of saw Cisco, for instance, start with sort of network routers and all that, but security is a massive business for them. It was to refresh the load balancer. So, I think if you control the network and the interface and the infrastructure, then I think providing security layers on top of that makes sense. Akamai did the same thing.
So, we’re sort of seeing a lot of s infrastructure players offering security solutions. And I think Google's move for Mandiant was an interesting kind of big, big move on that.Yeah, that was probably the interesting. We'll see a lot more in 2023.
[00:20:12] Simon Maple: Let's move into AppSec now, because of course, from a supply chain point of view, we saw a number of incidents, and actually towards the – let's move very, very briefly into 2021. At the end of 2021, we left the year with Log4j. But of course, or Log4shell, but of course, that really did push into 2022, with a lot of people who are still identifying and trying to fix where they have vulnerable versions of the Log4j library in their applications. That was a really interesting one, because in the Java space, Log4j was such a prominent library, it was used, not just directly, but transitively, indirectly, by so many other libraries. It was interwoven into dependency graphs, and very often in many, many places.
So, I think, if you're in the Java space, you're very, very likely affected by this issue. And that was probably one of the biggest vulnerabilities we've seen in certainly in the near time, in terms of who it affects. Even looking at this year, I think it was December 27, when a member of the CircleCI team identified that there was a potential security incident in CircleCI, which is very, very interesting. This actually happened through a canary token, which one of the security engineers added into the repository. So, the idea of adding a token there, whereby if that token was taken, it was placed there so that the security engineer would identify when that token was used outside. And as a result, they would know there as a security breach.
So yeah, the start of this year, I'm sure many, many people were affected by this one as well. Everyone was really being encouraged and told to recycle their tokens, their keys, any environment variables, and those kinds of things, as well. Supply chain security has had a number of very high-profile vulnerabilities, as well as others like Spring4Shell, which, of course happened earlier last year.
Spring4Shell, that was a much, much less exploitable issue. I think, one of the reasons why it was kind of hyped so much is because it was coming off the tail of Log4Shell.
[00:22:07] Guy Podjarny: In that world, right?
[00:22:10] Simon Maple: Exactly, yeah. I think, it required a number of greater steps for that actually, to be exploitable. But also, it wasn't used by so many libraries out there, and certainly not in the transitive capacity that Log4j and Log4Shell was as well. Yeah, for you?
[00:22:26] Guy Podjarny: I think there's no doubt that like supply chain has kind of been, I think the trend – for AppSec, 2022 was really shaped mostly by supply chain. Log4j was a big – Log4Shell was sort of a big start. It's interesting, by the way, how Log4j and Log4Shell are now almost like interchangeable. Whereas like the Log4j vulnerability, “Oh, you have Log4j.”
It's also interesting, like in OpenSSL before it and like in a variety of others, it's interesting to see that I don't think it really made a dent in the use of Log4j, my sense is that new applications are using Log4j just as much as they did before. I haven't seen any like really notable alternative that has somehow thrived. Because Log4j is now deemed to be less secure.
[00:23:08] Simon Maple: It's interesting, there's always been a few logging frameworks. So, that’s SLS4j, SLF4j, and things like that, as well and logging. One of the things I always look back at Log4Shell or Log4j, rather, is how quickly the Log4j maintainers has actually reacted. And one of the things that you want when you're consuming piece of third-party software is the ability for the maintainers to act fast, to produce releases so that you can continue them as fast as possible. And they did that very, very well, within a day, I believe.
[00:23:38] Guy Podjarny: Very, very quickly. Yeah, and responsibly and sort of publicly. So, I think there's a lot to sort of applaud and sort of say it was handled well, in terms of the handling of the vulnerability. The vulnerability itself was just like massively, massively severe. I would actually say that for Log4j, given its severity, and everybody's pretty aligned on it, they were surprised to not see in 2022. I was fully expecting a dozen major breaches that are directly kind of pointing to Log4Shell as a reason.
I'm actually I'm still a little bit baffled by why that didn't show. All the leading indicators to it did happen. We've sort of seen automated botnets exploited. Everybody kind of has a lot. A lot of small breaches, but somehow, at least it didn't bubbled to the top, something that sort of says, this was the problem. Maybe it's just because hacks are really not that simple. They're like, this is now a tool in everybody's arsenal, all the attacker’s arsenal to attack it.
[00:24:37] Simon Maple: And I guess one of the things that has come out of the supply chain security space, certainly a growth of the countermeasure, and a lot of this is really being pushed by the open source communities such as the OpenSSF, which I know you're deeply involved with as well. How has that been evolving over 2022?
[00:24:55] Guy Podjarny: The combination of these breaches that happen mostly in 2021, sort of CodeCov. Before that, Solar Winds, and then after that, Log4Shell. Those were probably the highest profile. They all really mobilised for action. Bunch of different parties, including, of course, eventually the executive order coming from the White House, to really kind of drive companies to require them to have a software bill of materials and to provide positive sort of assurances and know what they're using.
So, I think a lot of that happened in 2021. And in 2022, definitely have sort of seen that kind of form a structure, we're still in fairly murky waters in terms of really, truly understanding what is it that you need to do around supply chain security. But the urgency to act around supply chain security has been very kind of evident in 2022. We've sort of seen on one hand, the OpenSSF and various others, but I'd say OpenSSF is kind of the central hub. Really evolve the tools, the standards, the practices, that guidance, getting kind of government funding, and all of that, really substantially if you sort of contrast, January 21, versus where we are now in January 22. The clarity, the ability to act on supply chain security, and what you need to do is far better, even though it is nowhere near where it needs to be and it's still a very confusing space, but it has evolved.
And what we've also seen, is we've seen a lot of CISOs actually take action. The first action is not a new action. So, the ones people kind of got over the shell shock, no pun intended there, they realise that the first thing they need to do is to sort of know which open source components they're using, and where is it they're doing bad. We've definitely seen sort of a surge of importance there. A lot of confusion around sort of SBOM and formats and basically confusing form for substance, focusing too much on the way you will hold your SBOM versus like, well start by just knowing what's inside. But a lot of these things are being flushed out.
So, I'd say, 2022 readiness level as an industry, and as companies around supply chain security has dramatically improved. But it's like it'd be a massive stretch to call it mature now. It's kind of gone from really nascent to forming, I would say.
[00:27:20] Simon Maple: Which is an interesting problem for CISOs right now, right? Because you talk to most CISOs, and if you ask them what their top three concerns are, or top three issues that they're trying to solve right now, very often, one of them is supply chain security. It’s interesting, when you mentioned about the first piece isn't a new piece, it's just about understanding what you've got. That's a lot trickier than it sounds, right? If you look at a lot of organisations, and a lot of engineering organisations, they're not there yet, for a lot of them. And while many of them do have SCA tools, for example, and of course, supply chain security isn't new for SCA tools. Snyk, for example, Bill of Materials is something that we've done from day one, right?
[00:27:56] Guy Podjarny: A lot of it is fundamentally and it happens without doing that.
[00:27:59] Simon Maple: Absolutely. I think, it's now, when you look at Log4j and things like that, it's about being more prepared. And perhaps we'll talk about this maybe in the predictions as well. But about being more prepared for the next thing like that that happens. And creating that SBOM really provides you with that preparation that you need for that next issue that comes along to understand where you're affected. It was surprising to see how few people had that listing of what they're using. How close do you think the majority are to that kind of, if you want to call a nirvana, because we don't want to make it seem like it's an impossible stage. But how far are people on that journey?
[00:28:36] Guy Podjarny: I think the number of people who know they need to do this is far higher. So, it's been kind of happening over the last sort of few years. But I'd say, today, if you're a sort of a security professional, definitely if you're sort of in app or product security, but probably in other spaces, you know you need to kind of get a handle on which open source components you're using, and whether they're vulnerable, above and beyond, all the other aspects of supply chain security, at least that you know.
Then, it also kind of go as far as saying that I think there's been a real improvement in people doing something around this in 2022. How many people are doing it well? I think that takes longer to happen. It's important to remember that supply chain security, like the progress we've seen was, despite the macro trends we talked about before, which really kind of hold back adoption of new things.
Adding a new budget item in 2022 was pretty hard to do. So, the fact that people did it somewhat, is already kind of quite impressive. And maybe if this was in sort of the bull market area, we would have seen even more rapid adoption. I'd say awareness is much, much higher, some action is a fair bit higher, and doing it right is still not dramatically improved, partly because of all these challenges, partly because it's just hard and partly because there aren't that many people that can give you a confident answer to sort of say, “What does it mean to handle supply chain security well?” And those things just take years to mature.
I mean, we try to educate with some of the guests here. We've had Adrian Ludwig talk about how Atlassian handles that comeback specifically to talk about supply chain. We had John Meadows earlier on talking about, it was probably one of the top thinkers kind of in supply chain world and Iran to the working group, that is about sort of the end users of a lot of the OpenSSF tools. For the OpenSSF, who had been Lena Smart from MongoDB, and Emily Fox works on sort of the CNCF security practices. Both talk about handling it in the company, but also sort of industry practices. It's far more than just OpenSSF.
We try to sort of educate and share, and I think the thought leaders have sort of a picture sharpening in it, from there to like disseminating it through the industry. These things take time, will accelerate it as much as we can, but takes a while.
[00:30:57] Simon Maple: While we're talking about people that you've chatted with on the podcast, other good core practices, best practices that you heard from folks in 2022, what would you stand out to be?
[00:31:06] Guy Podjarny: Yeah, we had some amazing year. We ended up sort of talking about the year as a whole. But there were some amazing kind of guests and advice here. I think earlier on we had Bryan Payne talk about Netflix and building that security. Netflix is such a fascinating culture. They've done something pretty incredible. We talked about sort of DevSecOps, and empowering security and all of that. There's really few environments that are more empowering than the one of Netflix and so Bryan talked about sort of building a security practice in such an empowering environment was fascinating and is also just a very sharp guy.
Rupa actually talked about that a lot. She's specifically right now at Amplitude, but she's multiple times came in and built for DevSecOps program and ran that. So, they both touched on it for a bit. I really enjoyed the conversation with Peter Oehlert, probably butchering his last name now. He came on the show when he was running product security at Smartsheet, a few years back. And then now he's the Chief Security Officer at Highspot. And we had a really interesting conversation about that move that sort of like how is the difference to go from product security to the chief security. I need to worry about all these other things as well, which I thought was great.
We had a bunch that were sort of more specialised. One that really jumps out is Sean Poris who talked about how the Yahoo Paranoids, and you know how that security team has really kind of mastered the whole world of bug bounties. And he gave good advice about how to build up that program, but also about sort of the level of proficiency they have later on, the relationships that have with the some of the hackers, and kind of relating that. It's the first time that I've sort of heard the connection between security champions program and bug bounties. It's almost like the bug bounty community is one aspect of community that you're sort of managing that helps you be secure, and security champions and other. They're both almost like crowdsourcing or sort of crowds tapping to improve security.
So, there was some great, great advice and those were very concrete episodes. The episodes this year were not by chance dominated by supply chain security, just because that is kind of what we need to get a handle on the most. And then I was kind of happy to talk about a bit, security implications of more than sort of the geopolitical events that are happening. But we wouldn't be remiss not to sort of celebrate some of the sort of great advice that we got from individuals about the core fundamentals of doing security well in a modern surrounding.
[00:33:26] Simon Maple: One of the other amazing things that happened, which kind of swept the tech community by storm was ChatGPT. Many people asking it to write poems and stories and blogs and everything else. But I think there was a day or two where there’s very little got done, I think around the tech space where everyone was trying it out. You can see the lag in the server almost where. It's really under heavy load. And it really gave pretty accurate at times, and amazing results. But if we take a very specific look at this, this isn't unusual for this space. But when we think about automated code generation, automatic code generation, there's a couple of spaces here with Copilot and ChatGPT now, whereby people were looking at ChatGPT to actually create code, and create functions and pieces of snippets of code that they could use. Really, really interesting space. And of course, GitHub’s Copilot had done this in the past, as well, right?
How do you see this kind of — first of all in 2022, the impact it has how ready or dangerous it is, right now for developers to have access to? And maybe we talk about 2023 a little bit later, but what was your impression of it?
[00:34:33] Guy Podjarny: Yeah, well, first of all, it was fun. So, to me there were sort of these two waves. It started with the Copilot conversation, which kind of tracks back to 2021. Maybe it was even announced before that. But I think really in 2022, through the year, you've sort of heard a lot of sort of code generations. You've heard, the ones that fall in love with it. I think the ease of it is amazing and it sort of delivers on what we want. And then you've heard the critique, like, okay, how does it deal with IP issues, if you're sort of inspired by code that is written under a certain license? What does it mean, when you're sort of generating code based on it? How often is it like literally some sort of state secrets? How does it sort of amplify some code learning that it pushes it sort of out there? And then fundamentally, accuracy. I mean, it generates really good-looking code. Does it actually do what you think it does?
It was really interesting, like in the second half of the year, or maybe the last sort of quarter, ChatGPT kind of took the world by storm, and we're just sort of reading from a script that ChatGPT wrote here. That's how we're running this episode. Now, we couldn't really do that, because it's not time sensitive. It can’t do on 2022. Otherwise, we totally would have done that. It would have sounded really, really good, but it's the same type of critiques. Okay, if you're sort of generating – actually, before ChatGPT was DALL-E with the popularised, the sort of the image generation. A lot of those sort of same conversations.
Okay, if you're sort of inspired by a Van Gogh painting, and you're painting something as Van Gogh, does that not infringe up some sort of rights? Is that not forgery? For a lot of younger artists, that's a problem. And fundamentally accuracy, like, you can ask it to sort of give you a really, really interesting article. And in fact, initially, I think it was OpenAI that initially wanted to publish like a scientific style — but if it was OpenAI, or Google who went and sort of published like a generative AI, scientific paper. The problem was that they sounded really compelling. They were kind of full of crap. They just sort of made up something that sounded really interesting, but wasn't necessarily correct. It's all language models. It doesn't really understand what it is saying.
I thought that was really, really interesting. It's like, it's back to sort of form versus substance. Maybe like the SBOM. It creates amazing form. And sometimes if you're still writing, sort of SEO blog post about open source licenses, whatever it is you’re writing about, whatever topic you want, that may be exact, full accuracy. It’s not that big a deal and you can just sort of use the AI generate it. But if you're writing code, I think that's going to be a problem.
[00:37:12] Simon Maple: This reminds me of a session, I think it was entitled, Developers as a Malware Vehicle or something like that, whereby developers essentially – the old example, the Stack Overflow keyboard, where you have copy and paste, three buttons, control, copy, and paste. So, many developers will look to Stack Overflow when there are issues, when they need to find best practices. Or in the Java space, for example, working out how to copy a file or contents of a file to something else. It's something that we don't just keep in our brains. We just need to copy paste it from somewhere.
Now, where there are issues in that which are put on Stack Overflow, and people just grab that, it's very, very easy to just copy vulnerable code or select vulnerable code. And a great example of that was, remember Zip Slip which the Snyk security team discovered in and around hundreds and thousands of vulnerable examples online. There were certain conditions, obviously, whereby certain SDK or environments wouldn't provide an unpacking of an archive. And as a result, people had to do it manually. But the fact that they actually did it manually in a vulnerable way, which other people copied, and it just exploded, really.
If I was to probably go to ChatGPT, and ask for that same thing. I wonder – that's a good test, actually. I wonder if it will give me a vulnerable way of doing that or not. And I think when we talk about the accuracy, the ability to provide a secure way, I wonder how accurate that would be as well.
[00:38:31] Guy Podjarny: Yeah. And there's a bunch of kind of critique on it, because indeed, it just copies code off the internet. As much as we criticise, or sort of worry about people using an open source library, a package of some sort, and finding out who has a vulnerability, because everybody's using it. At least there is something to point to. So, it's like, here's a vulnerability. Here, now, it's been fixed. And now you just need to get the sort of the new version. You can talk to people about it. Which is far better than just having everybody copy paste it. So, it is still an improvement. To an extent, code generation is moving us in the wrong direction, in that sense.
I guess my expectation, and again, maybe with a bit more of a prediction of view here is, I think, the convenience of it, the appeal of how much it sort of helps, is way too big to discount. So, in that sense, we will continue seeing generative AI in everything, and specifically in code and we'll continue using it. There are no free lunches, and we need to understand what are the implications of them.
I think this year has kind of brought generative AI in a variety of fronts to the forefront and to people's mind. I think in 2023, we'll sort of see a lot of maybe kind of critique of it, probably and through ‘23 and ‘24, starting to see some solutions towards those. It's worth noting that while DALL-E and Copilot and ChatGPT are mainstream, this happens everywhere in many, many smaller events. Specifically, I'm involved with this company called Synthesia, which do like video generation, like text to video, which generates a video of you saying something in a different language for training purposes and a variety of others. So, that's really interesting. In 2021, and 2020, Deepfake was this kind of whole concern around generating videos. That's still continuing and that tech is evolving. So, it really is touching every aspect of it, or lives in almost certain industries.
[00:40:27] Simon Maple: Let's take a different slant on 2022 now and talk about some of the other exciting innovations and progress that other companies and cybersecurity have been making in 2022. What were you excited to read about in 2022?
[00:40:40] Guy Podjarny: There's been a ton of innovations and a lot of it, we thought the supply chain kind of drowned a bunch of it. But there's a lot more that happens there. Probably the space that I'm kind of most sort of seen progressing and I'm excited about is the whole world of authorisation. This dates a bit back to ‘21. But in 2022, we've seen a lot of adoption as well. I think there was a realisation, that authorisation is something that sort of needs a better system. That the idea of saying, “Hey, I'll just give you like a million settings and you can choose who can do what is not actually kind of usable.”
Sp. what you've seen is you've sort of seen like a world of different authorisation solutions happening in different places, specifically, as it relates to 2022 and some of the podcasts. We had Patrick, Patrick Doherty, who actually now works at a company called Oso, which do authorisation as code, built into the code. And before, he talked about how we used that at Intercom, and that's kind of actually what lured him into coming in and working for the company. But that was interesting, the idea of codifying, relating the code logic of am I allowed to do this? And then writing in code, what is the sort of logic to do it? Instead of dispersing it and having it can be copy/pasted through the system is interesting.
There are a bunch of other companies, some that I mentioned and some of these I’m helping those start-ups are ConductorOne is interesting. They're more tackling the authorisation for the admin side. You think about it, you have tools like Okta, and the likes that help you say, “Hey, I'm using like a thousand SaaS services. I don't want to like configure who can log into what, in every one of these services.” So, I use something centralised that says, “Well, these users have access to these apps.” But then you kind of take it to the next steps as well, what are these users allowed to do these different apps? You're back in like, you have to configure that on a per app basis. So, they're trying to tackle that. That's an interesting world of authorisation. Maybe I'll mention one more called Otterize. They're super early. There's an open source kind of version of it. They're trying to do something called intent based access control, in which if microservice A wants to access microservice B, instead of microservice B, issuing some key, some token that says, “Here's what this token allows you to do.” Microservice A says, “I want to call these three functions in service B.” And then the system uses these intents, like on a mobile phone or something like that, and just generates the sort of the constraints of what is and isn't allowed.
So, I think authorisation is a space that will see a lot of innovation in 2023. We've seen a lot of progress in 2022. A lot of these things, because they're secure infrastructure, they take a while to roll out. But I think authorisation is probably the area that I've been most enlightened by, from a security lens in 2022.
[00:43:26] Simon Maple: I know because we talk about this quite a lot in and around holistic, app scanning, holistic app measuring of risk, and really pulling context. That is very interesting to your ways. Have you seen much movement around that in 2022 both, I guess, in the demand, as well as things that are being innovated around?
[00:43:44] Guy Podjarny: I think the notion of holistic application security has maybe starting kind of creep into the mainstream, in it. We've been talking about it at Snyk for a couple of years now. It's a progress. If you say I want to secure your app as a whole, there are a lot of pieces to that whole. So, it's not one fell swoop and you connect them all. You either choose the pieces, and you connect them together so that your code relates to your libraries, relates to your containers, relates to your sort of cloud configuration, and you can kind of give me a security insight around the whole thing. You kind of go depth first or you go kind of breadth first and you sort of capture all of those. But you're pretty shallow in your analysis, I guess kind of like the sort of the ChatGPT type.
I think we've seen a lot grow here. Maybe one thing that you can kind of jot down as a 2022 achievement is maybe the acceptance of the ASPM acronym. We've sort of been saying application security posture management or ASPM for a couple of years now. And with maybe like one or two start-ups in the space, and I think now you're starting to see Gartner and others have used that term. I don't think it's sort of like officially endorsed the term, but it's emerged. They're sort of these two terms that came along. There’s cloud native application protection platforms or CNAPP, which takes more of this sort of, hey, let's take cloud security and sort of lump in a lot of artefacts scanning and things like that in it, but we want it holistic. And then you have the more maybe AppSec lens of it. Of saying, “Hey, let's look at application security and securing applications. But as a whole, let’s include infrastructure. Let’s include sort of the cloud, and those settings, which evolves more as ASPM.”
So, the two terms overlap a decent amount. Clearly, you know, we sort of look at things a bit more from the left, the developer view, and sort of think of ASPM. We've seen real progress in the space, but because it's really hard to get right, it's hard to really give you like a full view, and actually be sort of accurate about it. I think progress is still like a little bit slower than it couldn't be. I'd also say that the supply chain security attention has slightly replaced it, because there's some overlap between the two. When you talk about supply chain security, you are also talking about knowing which pieces are going where. Like that open source library using. How did it traverse through the build system? Where did it land? And so those fall a bit more under the supply chain security title. And I think we've seen more traction there. And in 2023, more of that will happen. But I think we're sort of coming back a little bit to some of the analysis of what's inside the app and how it's moving.
We've seen some sort of – there were smaller, but loosened some acquisitions here. We've seen at Palo Alto acquire Cider. We've seen Checkpoint acquire sort of a small start-up in the space as well. So, there was some progress, but they're still in the fringes, not at the core.
[00:46:23] Simon Maple: An area that we're going to likely see growing in 2023.
[00:46:26] Guy Podjarny: I mean, you had a great conversation about Nuclei doing, but I think that's another sort of interesting security, like novel security approach there.
[00:46:32] Simon Maple: It's a really novel approach to the way of looking at dynamic testing. And yeah, it was Rishi Sharma. We talked to on The Secure Developer episode early this year. We really talked about a lot of the work that he was doing in 2022. And before, one of the really interesting ways, we're talking about things as code previously. One of the really interesting ways it looks at whether it's pen testing, whether it's more of a DAST style testing, or even a bug bounty style testing. It looks at security as code. There looks almost like a pen testing with DAST as code.
One of the aspects I've really, really liked about that is the community angle of that, and the way that the community really pushed and helped build a lot of the templates and a lot of the code that's in there. So, one of the core pieces of what they do in Nuclei and Project Discovery, it's very similar to a TerraForm style of templating that is used for vulnerabilities versus infrastructure. Anyone can create these templates that try and find known vulnerabilities essentially, in your environment. And these templates can be shared and built upon. This can then be run well within your pipeline. So, it's very synchronous way of driving that. It's a much more interesting way of looking at dynamic testing. The fact that it has such a community angle, and a community driver behind it was super interesting for me.
[00:47:46] Guy Podjarny: I'm really excited about sort of the whole Nuclei world. Look forward to hearing the episode with Rishi on it.
[00:47:52] Simon Maple: So, forward then to 2023. When we think about some of the biggest challenges, or even trends that we're expecting to see in 2023. What would you put your money on, Guy?
[00:48:00] Guy Podjarny: I think trends wise, the biggest one, maybe there's a little bit of a lens or sort of bias of the conversations I'm having. I think the decentralisation of security will continue. I mean, fundamentally, even in this financial kind of climate, what you see is digital transformation, and modernisation and adoption of DevOps. Those continue to be, that I think that's the number one –we even invest more in that.
So, as you get different teams to be more empowered to run faster, to run more continuously, the fact remains that, you can’t secure software from the outside. You can't secure the work that independence teams are doing from outside that contradicts itself. So, I would say, in 2023, we'll continue to see sort of the increase of DevSecOps. And what we're sort of seeing is you're seeing DevSecOps make it into organisations that are maybe a little bit newer to DevOps, and they require more of a cultural adaptation to sort of decentralised security, and how security teams are happening.
So, we've started seeing a lot of that in 2022. I think the market sort of downturn has slowed it down somewhat. But I think in 2023, we'll see it more. Specifically, I'd say that cloud security will start shifting left as well. It's amazing. As humans, we forget quickly. I was saying shift left in the world of AppSec back in 2002. For a lot of people, it's still a relatively new term. I think in application security, it was forming as a practice because it was a mess, because there were a lot of problems. There were a lot of vulnerabilities. And then it took a while for people to realise, okay, hold on. We're responding to problems after they have occurred. How can we avoid those problems? And the application security industry has kind of evolved to try and build the right solutions and eventually, while the developers are not using it. And eventually, actually, kind of, hopefully Snyk played a role here as well is getting developers to actually embrace the security practices.
I think cloud security is going through sort of a, hopefully slightly faster sort of journey here, which, right now, it's just a mess. The focus is on just reigning in these kind of unwieldy cloud environments that have all these different security mistakes on it and keep on changing kind of under our feet. I think for a lot of people, CSPM right now is the sort of the key element. But the ones that are further along the journey, and then over time, more and more, we're starting to say, “Well, I can't keep responding to problems after they've occurred. I have to start preventing them. And as more of my cloud becomes software, I need to sort of start shifting left.
I need to start kind of running these security inspections or security checks around cloud security earlier in the process, and have that be the cornerstone of my kind of cloud security practice.” So, we're starting to see it in 2022. I think in 2023, we'll see a big push there for cost savings, and also just for sort of sheer majority of DevSecOps and cloud security.
[00:51:06] Simon Maple: Yeah. And you mentioned that, cost savings and budgets tightening there, what impact do you feel that will have in terms of what organisations are capable of doing in 2023?
[00:51:18] Guy Podjarny: Unfortunately, I don't think like the market correction is behind us. We sort of opened 2021 with another kind of big layoff announcements from Salesforce from Amazon, from more to come I'm sure . So, I think budgets are still being tightened. And while security is better off than others, it continues to be affected by that as well. If they're spending less money, they're spending less money on security as well.
I'd say that, from a buyer perspective, it does a couple of things that maybe work together. One is desire for consolidation of vendors, which, frankly, has been a constant trend, like nobody wants a hundred different security tools in their system. They want to merge them. But I think when you talk about tighter budgets, then it's easier to just sort of strike a more sort of volume deal, that covers more of what a certain platform provides. We're definitely seeing it at Snyk. We're sort of seeing people even more inclined to sort of say, “Hey, can I just get a hold of these things from you?” We lead with the best of breed product and that's really what we pitch. But we're seeing much more of that demand or sort of saying, “Well, if I got everything from you, but can we sort of arrange a certain price?”
So, I think there'll be a lot of that sort of, single vendor, let's double down on them in an attempt to save money. I guess the other aspect of the same motion is almost like a ying and yang to that decentralisation company I mentioned before, which is more like work is decentralised, and every team can pick the best tools for their job, then they can do their job best. But it's more expensive, because you need to have all these different attuned solutions. The more centralised approach where it says, like, this is the tools you have to use, like it or not, actually oftentimes allows for more indeed, budget management and negotiations and the likes.
So, I'd say that, while I'll stand behind the sort of that decentralisation continues, there's probably going to be a little bit of a counter force to it in 2023, as people slightly centralised for a cost savings in a short term.
[00:53:20] Simon Maple: Of course, you've got the other piece as well, whereby one of the concepts of actually limiting the number of tools or actually having a developer use the same set of tools, or at least a platform of tools, can actually help their efficiency as well. Because they're not having to think, “Okay, this is a container. I need to run this specific piece of tool or software on it. Oh, yeah, remember that has restrictions. I need to run that in this particular way.” There's fewer moving parts in terms of what developers need to do.
It's unlikely to have absolute best of breed across every single tool. That would be a pretty special company if they're able to do that. But getting the right tool where it's a very developer focused tool, a developer will be more effective if they have fewer moving parts and more predictable way of delivering code, right?
[00:54:04] Guy Podjarny: I mean, for sure. I think we need to separate between the sort of the financial constraint and the general advantage of platform. So, generally speaking, at any given time, if you had to accrue tools, instead of having two separate ones, if you have two on the same platform, all things being equal. You'd rather use the ones that are sort of on the same platform, because they're more aligned, they're more in tune, they're sort of less effort. So, platforms have a real value.
We talked about holistic kind of security. They can bring together a lot of knowledge. So, that's the reason, for instance, at Snyk, as if we're building it as a platform. I think, specifically, from a budget perspective, it has the other advantage where for some companies, the tools are actually not that sort of well-integrated. They just sort of offer a whole bunch of the tools. And people might just be tempted by that just for the commercial negotiation opportunity. So, the best-case scenario is you have a great single vendor that also has it as a platform and you're sort of happy with the tools. And then on top of that, it's sort of a single vendor, but I think we'll see some push to towards centralisation above and beyond that.
I think when we go past the sort of the platform of the DevSecOps, which I think are sort of more the core, I think we'll see a lot of continued investment in supply chain security. We're nowhere near done there. It's still sort of in that reality in which urgency continues to be high, but clarity continues to be low. But I expect progress ended in 2023. My guess is that by the end of 2023, we will still say, it's not entirely clear what you need to do. But I think it'll be better. But I think supply chain security not going anywhere. My expectation is that it would still be the dominant topic. That and cloud security will still be the dominant topics of 2023.
[00:55:41] Simon Maple: What about new areas of innovation in and around tech? Are there things that you feel will be easier to solve by the end of 2023?
[00:55:48] Guy Podjarny: Yeah, I mean, I think every new technology kind of introduces its own security problems and its own security vendors, as we just complained about. But I think in the immediate term, and sort of some of this is like continuation of what sort of been happening, but API security has been going strong. It will continue to be strong. I think the thing about API security is, it's just security. API is just instead of the interface of it. I think a lot of API security solutions, they lead with API. I think the ones that would sort of win are the ones that they provide a good sort of endpoint security, or whether firewall security and all that, and they just lead with API's. So, I think we'll see a lot of that.
Within API, GraphQL is an interesting space. And you're sort of seeing some start-ups in the space trying to sort of say, “Hey, GraphQL security as the lead.” But again, over time, I think those are just entry points to, I need to secure the interfaces on my application. So, I think API security goes there. Secrets, we kind of manage to sort of not mentioned that. The presumed breach that they have there. But we've had a million of these secret leaked tokens. What I look forward here is a change of the workflow. You can’t go kind of scattering money all over the place, and then complain that people don’t steal it. You need to not have these tokens kind of thrown around and just sort of available wherever they can be, and then just sort of try to really, slap the hands of anybody trying to pick them up. That's not a workable solution.
So really, we need better workflows. We started seeing them in 2022 and I think we'll see more and ’23. Workflows that basically hide the token from its users in the first place. 1Password made an acquisition in the space. Hashi is endorsing something. I think it's called Doppler. There's another tool called Doppler. So, the space, where basically, it's like secret access as code, and everything is as code. But it just removes the needs to have those tokens.
So, those two, I think, are more immediate pains, API, and secrets. And then yeah, we have some interesting kind of long term. I think in 2023 is like, if you're in the cutting edge, then you can look at data pipeline security. DBT and kind of the whole data pipeline world is turning data transformation to code. There are security risks in there as well. Super nascent space. Crypto, as we talked about, at the moment, not everybody's writing a smart contract. At some point, everybody would be. Would every ecommerce purchase that you make, involve a smart contract? Maybe. So, when that happens, we'll need security.
Right now, it's more security infrastructure. There's just protocol security is like the fundamentals are still in need of attention. But over time, I think we'll see them. But those are longer term. Those are probably beyond 2023.
[00:58:27] Simon Maple: Let's continue with the kind of, I guess, the predictions in terms of what we're expecting in 2023. I guess from a supply chain security point of view, we already saw the executive order from Biden's administration, which really pushed the idea of supply chain security around SBOMs and the ability for any organisation really that’s supplying software to be at a share, the bill of materials that it's using to construct that software.
Now, there's good chance, of course, that that could actually go way broader than the US. There's a number of governmental organisations that are looking into this already. I think the EU and many others as well. Possibility for that perhaps to come more law in other countries outside the US?
[00:59:05] Guy Podjarny: Yeah, for sure. First of all, to become law in the US, because right now, it's an executive order. And I think we have one bill that has already passed and had sort of a slightly unfortunate language around how to define sort of our responsibilities in open source security. But there's an already work happening in the US. The US is leading the charge, but definitely kind of elsewhere, we're seeing more of those regulations. And basically, what's interesting about them is supply chain is leading it because supply chain has, oddly, although we just talked about the lack of clarity, has some clarity of it. People can relate it to physical supply chains. But really what you're sort of seeing is you're seeing security requirements become law. I think that'll be interesting.
I think, we’ll definitely see some legislation in 2023, notably in the US. But yeah, I would back your prediction there, which is we'll see at least some elsewhere. Maybe it's more debate elsewhere. And legislation comes in ’24. But we'll probably see in 2024 is we'll see court cases in the US. I bet that will happen. But yeah, first you need legislation for someone to sue. So, I think that's a good prediction on it.
Related to that, I think a little bit as we talked about the sort of the bill of materials of open source components, the other trend that I'm sort of seeing that I think will really strengthen in 2023 is more the service registries and just sort of knowing which services do you have. The CMDB used to be the cornerstone of any sort of infrastructure management. You need to have this sort of change management database of knowing which systems you have, and what changes occurred to them in the cloud, and the world of SaaS and all that. It's become really, really hard. I mean, it's still the core, I think. ServiceNow is business. And I don't think it's still very, very useful. But it's not quite the right approach when it comes to product security.
So, what you're seeing is you're seeing the rise of service registries, things like Backstage and Atlassian has Compass, and there's a few others. I think those will grow in attention. We're sort of – I've definitely seen an uptick in adoption towards the end of the year and I think we'll see a lot more. They're kind of the microservice, product security minded sort of CMDB equivalent to just know which services do you have, what changes have done on them, that that relates. One of the things you'll keep on them as indeed the software bill of materials.
It’s sort of related, you see, slightly kind of crosses over to like cyber asset management, things like Axonius or JupiterOne, which is a bit more sort of DevOps minded, are examples of kind of companies that traverse those two areas. So, I'd sort of say DevOps-minded service, like CMDBs, or cyber asset management, overlapping with service registries would kind of have their day in the sun in 2023.
[01:01:40] Simon Maple: Okay, for an easy one, there's going to be another major open source vulnerability disclosed in 2023, maybe a zero day. But I feel like the prediction here is not so much if, it's more of a case of what we do when, I think with Log4j, again, it exposed us as an industry, how unprepared we were, for the identification of how an issue affects us. And again, the speed at which we can actually act on that. I feel like, when it came to Spring4Shell, I think the Java space, it's a little bit like backups, right? You can make backups every single day. But unless you're actually going through the practice of, can I actually use that backup and can I do it? You won't ever actually learn how to do it properly and how to go through the motion.
And I think Log4Shell was almost a dress rehearsal for Spring4Shell that in the sense where Log4Shell was a much bigger deal. People in the Java community had already done something like that. And so, they were kind of following a very similar incident.
I feel like people were better prepared. But I feel like if the exact same thing happened again, we would still be in that scramble mode. And I think there's still a lot that we need to do and learn as an industry, in terms of that incident management of zero day. But also, just again, that fundamental understanding of what we have, so that it's treated like any other vulnerability. We need to understand how it affects us, the implications it has, the impact, and then go from that. Most importantly, to actually remediation to a fix. And that's the path that's obviously the most important area to focus on. But I feel like where we are in reality today is it's still quite far from that. The scramble will always be there.
[01:03:14] Guy Podjarny: So, your 2023 prediction, which I think I’m aligned with is, there's probably going to be another, maybe it's not Log4Shell sort of calibre, or maybe it is, but it's going to be a major one. And we'll realise we still don't have our act together, for the most part.
[01:03:29] Simon Maple: I think you almost, like, see little peeks of support and interest in around security around orgs, when they realise the impact that something that this could have and the importance of it. But then after a little while, we go back into that
[01:03:42] Guy Podjarny: You get out of shape. Sadly, that's true. And I think there's probably going to be a similar one on the cloud security side and configs, like small ones happen all the time. I think the advantage of cloud is that it's a central system. Versus open source, which kind of gets distributed. So, if there's a vulnerability in a cloud vendor, then the cloud vendor fixes it. And if it's misconfiguration, then it tends to be a specific organisation. So, you don't see cloud vulnerabilities. There are more death by a thousand cuts, versus big explosive kind of here's another vulnerability, and everybody can point to it that you kind of get an open source land.
We've actually seen confluence at one, maybe two events, sort of big vulnerabilities in 2022. They’re vulnerabilities, but there were software vulnerabilities and actually Atlassian fixed them kind of right away. But if you were hosting that software, then it had that sort of same, A, there are so many affected servers, versus if you're sort of hosting in the cloud, which is just sort of like a non-event. It's like there was a vulnerability in the service, the service fix the vulnerability. It's all good now, right? And they're going to look to see if anything happens.
Maybe, I’ll get back a little bit to one that we talked about before, which is I'd say my last prediction here would be the generative AI will indeed kind of play a role in it. I think one aspect of it would be just starting to – as we sort of see generated AI code generation, creating problems. For instance, we'll probably find examples. I'd predict that we'll find examples, concrete example of generating vulnerabilities. But we'll also see generated fixes of actual code. So, I think we'll see a lot of that happening in – well, the initial, kind of the start of that happening in 2023.
[01:05:23] Simon Maple: Excellent. Well, we'll see. We'll look back in about a year's time and see how accurate we were. But for now, Guy, this has been a great episode, and really interesting to kind of look back fondly on 2022, the goods, the highs and the lows. But yeah, we'll leave it there. Let’s live 2023 to see how accurate those were.
[01:05:40] Guy Podjarny: Indeed, yeah. Thanks for hosting it. I’ll throw one more, maybe unfair prediction, because I know it's going to happen, which is, to all the listeners, what you'll do is you'll see a lot more of Simon as well coming in, kind of joining us as co host, which I think we sort of announced before. But looking forward to that, Simon, hosting more episodes with you, and having these types of chats.
Maybe like a shoutout to the listeners, which is, sort of a big thank you for all the sort of the big listens. There’s been a big kind of boost of downloads and listens, and such in 2022, which we're sort of grateful for. As always, just let us know, whether it's on the Twittersphere. We're still there as well, or just on thesecuredev@ snyk.io. Just let us know, if there's anything you want to see more of this year, less of, have new ideas of things you want us to try. We keep trying them out, but really, we need your feedback to know what we're going to get right and not. Awesome. With that, let's kick off the new year.
[01:06:36] Simon Maple: Excellent. We'll speak to you soon on the next episode.
[01:06:38] Guy Podjarny: Indeed. I hope you join us for the next ones.
[OUTRO]
[01:06:45] ANNOUNCER: Thanks for listening to The Secure Developer. That's all we have time for today. To find additional episodes and full transcriptions, visit thesecuredeveloper.com. If you'd like to be a guest on the show, or get involved in the community, find us on Twitter at @DevSecCon. Don't forget to leave us a review on iTunes if you enjoyed today's episode.
Bye for now.
[END]
Up next
Episode 126
What Is Software Supply Chain Security And Why It's Important
Episode 127
Software Supply Chain Security - Key Terms, Players, And Projects You Need To Know About
Episode 128
Tackling Software Supply Chain Security As An Organization
Episode 129
The Future Of Software Supply Chain Security
Episode 130
Defining Cloud Security With Rick Doten