Progress and Challenges in Securing The Web Ecosystem in 2023 - A Year in Review
The year 2023 marked a turning point in web security, with the industry witnessing both groundbreaking advancements and formidable challenges. This report offers a panoramic view of the web ecosystem, highlighting the collective efforts and pivotal breakthroughs across the sector. Dive into a detailed exploration of the year's most impactful developments in securing the web ecosystem.
Quick Stats - The tl;dr
- The cost of a data breach has reached another record with the average cost per incident now a staggering $4.45M (million dollars per incident) - IBM Report: Half of Breached Organizations Unwilling to Increase Security Spend Despite Soaring Breach Costs
- The DevSecOps advantage sits at around $1.7M (million dollars). In other words, those organizations with an effective DevSecOps team or solution decrease their incident costs by $1.7M on average. - IBM Report: Half of Breached Organizations Unwilling to Increase Security Spend Despite Soaring Breach Costs
- “By 2028 the global cost of cybercrimes is estimated to increase by 69% to a whopping US $13.82 trillion” - Top Cybersecurity Trends In 2023
- The Zero Trust framework or “do not trust, verify” is gaining momentum. As a result, more reliance on effective identity management, access control, and secure authentication has Gartner estimating growth of the market to $10B (billion dollars) by 2026. Along with Passkeys, SSO improves the general user experience and further drives adoption and investment.
The Dark Side
- "Cybercriminals launched approximately 7.9 million Distributed Denial of Service (DDoS) attacks in the first half of 2023, representing a 31% year-over-year increase.” - NETSCOUT Identified Nearly 7.9 Million DDoS Attacks in 1H2023 According to Its Latest DDoS Threat Intelligence Report
- Security incidents due to vulnerable open source dependencies are sadly still a significant problem. According to Sonatype, “Sonatype logged 245,032 malicious packages this year alone, indicating that one in eight open source downloads now pose known and avoidable risks.” Avoidable? This highlights a clear problem in how open source is used. The reason Sonatype states that these are largely avoidable is that 96% of the time, there was already a fix for the vulnerability, but the vulnerable dependencies were never updated. Another example of this was recently reported by The Register concerning the Log4j vulnerability.
- There are a lot of concerns around artificial intelligence, too many for a single bullet point. For us at BoxyHQ, concerns around AI's handling of personal data and enterprise data is especially poignant. The power and utility of AI systems lie in their ability to collect and process vast amounts of data and finding in it anomolies and patterns in a metter of weeks or days. Tasks that would take us years. On the slip side of this same coin lies the risk that this vast amount of information could be mishandled, leading to unintentional breaches or leaks. This could result in sensitive information falling into the wrong hands, leading to identity theft, financial fraud, and other forms of abuse. One way to combat this is through open sourcing the AI systems and algorithms, allowing for greater transparency and accountability. This is we are keenly following the work of the folks at the Open Source Initiative (OSI) in defining the definition for Open Source AI.
The Happy Path
- With eight out of ten security professionals stating that security is critical and as a result investment in securing infrastructure on the up, it is not all doom and gloom. When surveyed 59% of organisations reported that they did not suffer a security breach in the past year and 64% said they do not expect a breach in the coming year. In fact, because of this increased investment, 88% of respondents stated that their data security is either very strong or somewhat strong. - New Survey Uncovers How Companies Are Confronting Data Security Challenges Head-On
- AI and Cybersecurity automation are changing the game. According to IBM’s AI and cybersecurity report those corporations who invested in these technologies have saved $1.67 million this year alone. - Top Cybersecurity Trends In 2023
- With the news that IBM demonstrated useful Quantum computing with the 133-qubit Heron Quantum Processing Unit (QPU), it is encouraging to read that in 2023 1.7% of TLS 1.3 traffic served by Cloudflare used post-Quantum encryption.
Authentication in the Enterprise
Before looking at security news in the wider web security ecosystem, we want to focus on two topics that are of particular importance and relevance to us here at BoxyHQ.
Let’s start with authentication. For around 84% of companies, the security of their authentication systems is a top 5 priority. The vast majority of these companies, around 45%, rely on single sign-on, followed by multi-factor, two-factor, and continuous authentication at around 36%.
Even though there is a general trend to consolidate cybersecurity tools, around 76% of companies need to support and integrate with multiple identity providers. The reasons for this range from specific use cases such as IT requirements, hardware, and operating systems, to failover, cyber insurance requirements, and multi-vendor support.
This is one area where BoxyHQ can help. Read more about our SSO solution.
How people authenticate is also rapidly evolving. More and more services are turning away from password-based authentication and towards multi-factor authentication, FIDO (Fast Identity Online), and more narrowly, Passkeys.
What is the difference between 2FA and MFA? 2FA is a subset of MFA which requires exactly two distinct forms of identification. Multi-Factor Authentication on the other hand can require three or more such as a password, biometric data, and an OTP. The practice commonly revolved around something you know (password), you are (biometrics), and you have (a cellular phone).
Passkeys especially have seen increased adoption during 2023 thanks to the FIDO2 standard, increased support for WebAuthn (a collaboration between the FIDO Alliance and the W3C) in modern browsers, hardware support, efforts by providers such as Apple, Microsoft, Google, and 1Password, and sites such as GitHub, Microsoft, Google, Tailscale, Shopify, and Amazon among others adding support for passkey based authentication.
Passkeys use what is known as public-key cryptography, and have been around since the seventies. In fact, it is the same technology that powers SSL/TLS. Unlike TLS which authenticates systems, Passkeys identifies and authenticates people. With this method, there are two keys, a private and a public key. The private key is stored on your device and is never sent over the network, unlike a password. When you want to log into a website, the site will send a challenge to your device. On the device, you will be asked to perform a simple action such as unlocking your device or providing a fingerprint.
Once successful, the device will sign the challenge using the private key and send the signed challenge back to the server for verification. The benefit of services such as 1Password is that you do not have to create a separate private key on each device, but can sync the same private key across devices using a 1Password secure vault. With this said, organisations can choose not to support passkey syncing. This allows an organisation to tie authentication to a physical device, for example, a company-issued smartphone.
It is still early days, but Passkeys holds a lot of promise for a passwordless future.
Minimum Viable Secure Product (MVSP)
The MVSP framework defines a list of fundamental application security controls that should be integrated into enterprise-ready products and services. Launched in October 2021 by launch partners Google, Okta, Salesforce, and Slack the working group has since grown to also include Netflix, Unisys, and BoxyHQ among others.
As is done every year, this year saw a review of the security controls that form part of the framework. Most notably, expanded guidance around external vulnerability reporting to protect bug hunters, and discouraging additional costs for access to basic security features. The latter aligns with the secure-by-design whitepaper which also saw its second iteration published in October 2023.
If you are a small business or startup and are considering selling your products to enterprise, some of the benefits of adopting MVSP include:
- Up to 68% reduction in the time required for third parties to complete a procurement assessment process. Google has reported that it has seen this in its procurement process.
- Increase in data-driven decision-making in earlier phases.
A decrease in procurement time can make a critical difference in the success of startups.
Talking about reduced time to market, have you seen the BoxyHQ open-source SaaS starter kit on GitHub?
Other Security News from around the Web
- On March 16, 2023, Socket.dev introduced “safe npm”. From their announcement post: “Socket’s “safe npm” CLI tool transparently wraps the npm command and protects developers from malware, typosquats, install scripts, protestware, telemetry, and more—11 issues in all.” - Introducing "safe npm"
- June 27, 2023, further strengthening the case for the adoption of Passkeys, The FIDO Alliance published guidance for the deployment of Passkeys in the Enterprise. - Deploying Passkeys ion the Enterprise
- On June 27, 2023, Darcy Clarke wrote about as they termed it, “The massive bug at the heart of the npm ecosystem” also referred to as manifest confusion concerning the NPM JavaScript package registry.
- On July 24, 2023, Daniel Appelquist posted on the W3C blog announcing the secure the web forward workshop. Based on the results of a survey on MDN Web Docs concerning web security, “60% of developers find the addressed security aspects 'Somewhat challenging' or 'Very challenging'.” This makes it clear that collaboration and education concerning these topics are sorely needed to ensure that we secure the web forward. - Securing the web forward workshop
- On September 12, 2023, the Cybersecurity & Infrastructure Security Agency (CISA) published its Open Source Security Roadmap. To quote from the announcement: “The roadmap lays out four key priorities to help secure the open source software ecosystem: (1) establishing CISA’s role in supporting the security of open source software, (2) driving visibility into open source software usage and risks, (3) reducing risks to the federal government, and (4) hardening the open source ecosystem.” - CISA Open Source Software Security Roadmap
- On September 18, 2023, Gitlab released a critical security release of both its community and enterprise versions. As highlighted in their release page: “An issue has been discovered in GitLab EE affecting all versions starting from 13.12 before 16.2.7 and all versions starting from 16.3 before 16.3.4. It was possible for an attacker to run pipelines as an arbitrary user via scheduled security scan policies.”
- On October 23, 2023, a cross-site request forgery security vulnerability in the popular Axios NPM module was disclosed and has since been patched in version 1.6.0
- On November 27, 2023, BoxyHQ launched their Single Sign-On, Directory Sync, and Audit logs SaaS service on Product Hunt.
- Originally proposed in September 2022, the European Union has made updates to a possible final Cybersecurity Resilience Act to be finalized and enacted in early December 2023. One of the notable changes is the exception of open-source projects from the act. - Infosec in Brief | EU Cybersecurity Act
- On December 9 2023 the European Union reached a provisional agreement with the Council for the adoption of the first EU Artificial Intelligence Act.
- Two new code hosting platforms have seen the light of day, further improving the problem of a single point of failure for open-source software. These are Codeberg, a German not-for-profit, and Vlt (/vōlt/) which is under active development.
Industry Reports
- The State of Authentication Report
- The 2023 State of API Report
- The State of API Security
- The State of the Software Supply Chain
- The State of Open Source Software aka GitHub Octoverse
- The State of Web Development
- The Cost of Data Breaches Report - IBM
- 2023 Cyber Threat Report
- AI and Automation for Cybersecurity [PDF Download] - IBM
In Conclusion
- Keeping up with the ever-evolving web security landscape is crucial for developers.
- The focus on Minimum Viable Security will continue to increase as security becomes increasingly important to companies.
- Adoption of new means of authentication such as Passkeys and more generally, passwordless authentication will continue to grow.
- Artificial intelligence's role in security and addressing threats from cybercrime will continue to rapidly evolve and be utilised by more and more security teams.
- Quantum computing is entering the space and like AI is something to keep an eye on.
- As with MVS, more and more companies will adopt a Zero Trust mindset and framework when it comes to securing their, and their customer’s data.
We hope you found this post insightful and that you now have ample reading material for the long festive weekend. As most of us head out to a well deserved break, we at BoxyHQ wish you a peaceful, relaxing and safe festive season.
One last thing for John Wick fans. 🎄