Virtualization Technology News and Information
Article
Search:
RSS
Follow VMblog.com:
Improve end user experience in VDI, DaaS and physical endpoint environments
Kusari 2024 Predictions: 2024 Software Supply Chain Security Predictions

vmblog-predictions-2024 

Industry executives and experts share their predictions for 2024.  Read them in this 16th annual VMblog.com series exclusive.

2024 Software Supply Chain Security Predictions

By Mike Lieberman, Co-Founder and CTO, Kusari

Software supply chains are complex and attacks are increasing at around 742% every year. Every step of the supply chain is like a Russian doll with components and libraries overlapping and creating dependencies inside layer upon layer of building blocks, inside the building blocks of software. As a result, it's rare to find a security team that's 100 percent confident that they are free of vulnerabilities. Most are playing whack-a-mole to keep their products from being targeted.

This is a huge problem that costs businesses significant resources to mitigate and, in the worst case, respond to when a vulnerability is exploited. It damages revenue, reputation, and the ability to work in certain sectors entirely.

As we enter into 2024, the rise of AI/ML open source projects will only add to the complexity of software supply chain security.

Software build disclosures and attributions will be paramount

In 2024, the burden of identifying vulnerabilities throughout the software supply chain will be exacerbated by the pushback on services to disclose how they are built. Additionally, AI making decisions during the supply chain will make provenance very difficult to discern. Particularly with in-line patching on source code, attribution will be something folks really need to ascertain.

Security and development teams will deepen collaboration

In 2024, we will see more security professionals engaging with developer teams earlier on in the development process. It is less costly for everyone involved if a potential software supply chain issue is caught on day one of a build instead of the day before a go live. The expectations on both developers and cybersecurity professionals keeps increasing. It is impossible for all developers to become experts in everything from software to cybersecurity. The same goes for cybersecurity professionals; it is impossible for them to have a deep understanding of all software in order to catch everything. Next year, a much needed balance will start to develop between these two groups, especially as AI introduces new vulnerabilities that they will need to catch as early as possible.

Open source AI projects will increase vulnerabilities

2024 will bring a serious cyberattack or data breach related to AI. The rush to capitalize on the productivity benefits of AI has led to teams cutting corners on security. We're seeing an inverse correlation between an open source AI/ML project's popularity and its security posture. ChatGPT and other tools have already made it easier to create malware and provide steps for conducting various types of attacks. Further, many organizations are also turning to open-source LLMs to build their tools. These types of repositories (or packages that help with data analysis) are likely targets for cybercriminals as AI popularity grows. In the year ahead, we will see AI allowing cybercriminals (even script kiddies) to wreak havoc in the software ecosystems by carrying out typosquatting and dependency confusion attacks more easily, placing an even greater burden on cybersecurity professionals.

AI will also help address more complex cybersecurity scenarios

On the other end, AI will help organizations readily address cybersecurity by being able to detect and highlight common bad security patterns in code and configuration. Over the next few years, we will see AI improving to help provide guidance in more complex scenarios. However, AI/ML must be a signal - not a decision maker.

Already, we are seeing controversy around whether open source AI models make society safer or put the world at greater risk. Earlier this year, the White House released an AI executive order that tasked the National Telecommunications and Information Administration (NTIA) with studying the open source question and recommending actions. As the open source community awaits regulatory decisions, it is clear that enterprises must take action now to protect against growing vulnerabilities. How these organizations respond to and use AI in 2024 will be a deciding factor in their security posture.

##

ABOUT THE AUTHOR

Michael Lieberman 

Michael Lieberman is co-founder and CTO of Kusari where he helps build transparency and security in the software supply chain. He has extensive engineering and architecture expertise with an emphasis on cloud-native technologies and security and privacy use cases. Prior to Kusari, he held engineering leadership positions with Citi, Mitsubishi UFJ Financial Group (MUFG), and Bridgewater Associates. Michael is an active member of the open-source community, co-creating the GUAC and FRSCA projects and co-leading the CNCF’s Secure Software Factory Reference Architecture whitepaper. He is also co-chair of the Cloud Native Computing Foundation Financial Services User Group and an OpenSSF TAC and SLSA steering committee member.

Published Tuesday, January 23, 2024 7:35 AM by David Marshall
Get This Featured White Paper: Unmasking the Top 5 End-User Computing (EUC) Challenges
You may also be interested in this white paper: Index Engines' CyberSense Validated 99.99% Effective in Detecting Ransomware Corruption
Comments
There are no comments for this post.
To post a comment, you must be a registered user. Registration is free and easy! Sign up now!
GenAI
DTW-NA
innovatrix
capacity-europe
CGDC
vExpert
Calendar
<January 2024>
SuMoTuWeThFrSa
31123456
78910111213
14151617181920
21222324252627
28293031123
45678910