By Dan Cornell
Top 5 Software Security Predictions for 2008
1. More Software Security Vendor Acquisitions
As the industry matures there will be more consolidation. As larger mainstream vendors buy up software security companies that will give software security tools further distribution, but it will not necessarily result in deeper adoption as adoption up until now has been significantly driven by independent vendor evangelism.
2. Cross Site Scripting is the New Buffer Overflow
Buffer overflows used to allow attackers to run arbitrary code on servers, where valuable data lived. Now that most new server side applications are being written in safer languages such as .NET and Java buffer overflows are on the decline (See the changes between the OWASP Top 10 2004 and Top 10 2007). With Web 2.0 and other trends moving more data onto the client side, hosted in browsers, the ability to run malicious code in client browsers (XSS) will become paramount for attackers. Also cross site scripting as a class of problem encompasses many subtle variations that will persist even when obvious XSS flaws have been addressed - just like we saw with buffer overflows at attackers moved from stack overflows to heap overflows to format string attacks.
3. More Combined Attacks on the Horizon
4. Academia Will Start to Get In On the Act
Up to this point there has been comparatively limited work done in academia that was specifically focused on software security. In 2008 I suspect several prominent institutions will announce software security-specific efforts. This is great because it will hopefully start the long road toward security being taught throughout the computer science curriculum rather than as specialized add-on coursework.
5. Social Networking is Going to Have a Rough Year
With so many people becoming involved in multiple Social Networking sites, so much valuable personal data being stored in those sites and with increased programmability being made available, vulnerabilities will skyrocket as threats and countermeasures in this environment are not well understood.
2007 was a tremendously exciting year for application security and I think 2008 is going to blow it away. Tremendous strides have been made in education, testing and countermeasures but equal if not more progress has been made by attackers as they evolve their methods and - even more importantly - their goals.
PS - Picture is another I took in Costa Rica. It has been LOLGuana-ed up solely to aggravate Sheridan Chambers, who hates LOLCats more than anyone I know. Even I'm getting annoyed so I guess I ought to lay off for a while.