With another year starting, it is proper for me to jot down my security predictions for 2023. I understand there are plenty of them out there, so I’ll keep it short and focused on cloud and software development. As my buddy
(Partner at Boldstart.vc) mentioned in his and quoted on this TechCrunch article, companies will be forced to do more with less given the current economy. Most companies will slow down, if not pause, all hiring until the signs pointing towards a recession decrease. With that, my predictions start here:

Caveat: I believe that when it comes to security, we all live in a glass house. So this is by no means me casting any stones.
Security spending will be challenged
By this, I don’t mean that companies in general will slash their security budgets. What I am referring to is that instead of the usual ‘buy 100 security solutions to make us secure’, security teams will be challenged to procure and manage only what is critical. Oh, and by the way, this will happen with a decreasing or static security team size. I believe this is a good thing: the general thinking that ‘more is better’ when it comes to security has put security teams and their IT/engineering counterparts where they are today, dealing with a lot of noise but no true, meaningful risk management.
A pause here will be good for everyone. This will lead to thinking more effectively and only prioritizing what’s top of threat models.
Cloud adoption will accelerate
However, cloud adoption will not be deterred by the current economic landscape; in fact, I believe companies will accelerate the move to the cloud. That is because cloud adoption will enable that ‘do more with less’ approach. Companies will now, more than ever, seek to move to the cloud to adopt better/more automation, cost management (FinOps), replace on-prem applications with SaaS versions of them, and increase velocity/agility to drive increased revenues.
That means security teams will be forced to give up the ‘4 walls’ mindset and actually get serious about cloud security. So I expect to see more resources being left open to the world and breaches happening from that, as well as misconfigured identities allowing attackers to gain entry. This, however, means that the cloud and data security (CSPM and DSPM) business will see an increase this year. No surprise here, as companies like Datadog, Wiz, Orca, Palo Alto Networks (Prisma Cloud), Lacework, etc., are all seeing the results of the need to secure all these new cloud environments.
My advice here for security teams is to embrace the cloud environments and learn how to protect them. Partner closely with your engineering counterparts who are building these environments and together integrate tooling, preferably using what’s already there; for example, if Datadog is already being used for visibility, it makes a lot of sense to use it to secure the environment it already has plenty of data about. Avoid products/vendors that fall into my Why do security products fail? article.
SaaS misconfigurations will rise
As noted, more and more companies will be forced to switch their on-prem applications to their SaaS counterparts to decrease spending on infrastructure and maintenance (administration) of these systems. That means more systems will be interconnected in ways that companies are used to. These integrations can push or pull quite a bit of data, creating a pathway for abuse or data breaches. That’s why I believe SaaS security companies such as Astrix and DoControl will see an increase in business. My advice to IT and security teams is to embrace the SaaS model and enable your employees with the agility and flexibility to work from anywhere without compromising security. Threat model your SaaS implementation and integrations and build controls around them.
Code, code, and code!
By doing more with less, code will be king. That is, companies will be forced to accelerate their product strategies to keep customers engaged (customer retention) and acquire new logos. Given the economy, this will be critical in order to stay afloat. But that does not necessarily mean that companies will hire 30%+ more people to achieve this. My prediction, as mentioned earlier, is that more and more companies will make a shift towards Platform Engineering. Everything will be managed via code, and that will create interesting security challenges.
Software supply chain will become even more critical. I expect to see more critical open source packages disclose vulnerabilities or be compromised through the insertion of ‘bad’ code. Security teams will be challenged by this because, in order to truly protect your software supply chain, you can’t act alone: you must partner with the Engineering teams and bring forward solutions that integrate seamlessly with what is there and do not introduce new workflows that developers are not used to.
We will see more applications, less infrastructure. With the adoption of cloud, more and more applications will be moved closer to users by using technologies like Serverless and new frameworks like Wasm. I predict that we will begin seeing successful attacks against these Serverless platforms and frameworks like Wasm. Application security, as a practice, will become even more critical, and security teams will be challenged to find proper controls, like RASP/WAF technologies, that developers can love.
Access should not sacrifice user experience or security. With the move to code, the paradigm of access to environments and/or applications will change. I predict that we will see an increase in teams replacing traditional VPNs with more modern solutions like Tailscale, Teleport, etc., and access controls managed by products like Opal, Entitle, etc. These products are disrupting the current approach to access and identity management. Companies will be looking for the better automation and ease of use around these problems that current traditional products do not offer.
You use third-parties for what?
Given recent breaches caused by third-parties of critical companies being compromised, I expect that attackers will continue to focus on juicy targets like those, while users will start to ask ‘is it worth it?’. I predict security and engineering teams will re-think their threat models for some of their existing solutions and quickly capture which of those have third-parties performing critical actions (or holding critical access). For those that do, I predict we will see some movement to newer solutions that do not have the legacy need to require third-parties.
New security products, new security philosophy?
My last prediction is that we will continue to see the rise of a new era of security products. Those are security products that do not necessarily just sell to security; these are security products that developers will love and procure with or without the buy-in of security. This is where the rubber will actually meet the road for security teams. Security teams will be forced to either get on board or be cast aside. I already hear from engineering leaders that they want to build security DNA into their teams so they do not have to deal with their security teams; that is very telling and puts a different perspective on ‘engineers do not care about security’. But that will be for a later post.
I can't find any areas that I disagree with! Clearly when they say great minds think alike, they were hoping it wasn't referring to me :)
Great post, and it aligns with a lot of what I see in 2023 - CSPM and DSPM will be big in 2023 - take a look at BigID on the latter...