Mend’s Trends for 2023
At this point, it’s not too much to say that open source software runs the world. The GitHub Octoverse 2022 report shows that 90 percent of companies use open source, which appears in the vast majority of applications today. That popularity has driven increased attention from threat actors, who operate by the principle, “If it’s important to you, it’s important to us.” The surge in malicious activity in the open source space, along with an ongoing rise in open source vulnerabilities, represents significant risk to organizations today.
But what about tomorrow? The threat landscape constantly shifts as cybercriminals innovate and evolve their craft. With that in mind, we asked several Mend experts for a little insight into what they expect to see in the coming year -– and some ideas on how to prepare.
Jeff Martin, VP of Outbound Product, Mend
Prediction:
In 2023 and beyond, we’ll start to really see a cybercrime AI arms race take shape. The application of AI for data pattern recognition — used for antimalware, antivirus, and traffic monitoring — is a boon for accurately identifying undesired behavior. On the flip side, bad actors are utilizing it for similar purposes, such as identifying weaknesses or even to create more effective phishing emails. Because it is unfortunately easier (and less expensive) to attack than to defend, we’ll see the bad actors benefiting more from AI on balance.
How to respond:
To prevent hackers from getting the upper hand, it will be crucial for defenders to ensure they’re handling the basics — known vulnerabilities, user education, zero trust frameworks and the like — to ensure that these more effective bad actors have a tough time finding anything to leverage into a breach.
Chris Lindsey, Sr. Solutions Architect, Mend
Prediction:
Over the course of the next year, we will unfortunately see more vulnerabilities like Log4j and Spring4Shell being exploited. A big trend that we’re noticing today is that malicious actors are buying up and changing the names of popular open source URLs, so a simple typo can go from directing you to the right thing to a malicious site — an attack vector known as typosquatting.
How to respond:
Having a good static application software testing (SAST) tool that quickly alerts you when it comes across malicious activity can help defend against these threats.
Prediction:
From an application security standpoint, we’re going to see open source getting more compromised. Cyberattacks will continue growing in frequency and scope.
How to respond:
If organizations adhere to good programming standards and app design, they can significantly reduce their chances of becoming the next victim.
Maria Korlotian, Development Team Leader, Mend
Prediction:
In 2023, we’ll see malicious actors continuing to improve on the creativity and sophistication of their attacks. For example, we recently spotted malicious code within a popular JavaScript package manager, in which the attacker uploaded a myriad of packages with malicious code targeted at supply chain scanners. When these packages were installed, it gave the intruder access to use the compromised computers for crypto mining at the expense of organizations’ resources, which could have been critical in some cases.
How to respond:
As these sorts of sophisticated attacks ramp up, it is imperative that organizations adequately invest into bolstering their application security. Those that fail to do so may think they’re saving on costs today, but there will likely be much more significant ones to deal with tomorrow.”
Discover more modern application security recommendations in our new white paper, “Top Tactics for AppSec Innovation.”
