Welcome to our webinar recap: “2024 Software Security and Compliance Predictions,” featuring insights from Russ Eling of OSS Consultants and Alex Rybak from Revenera. In this webinar, we delved into the trends we saw in 2023 and what we expect from 2024, emphasizing the significance of automation in security, the influence of AI on code generation, and the growing prominence of specialized teams for managing security issues. Join us as we navigate the future landscape of software security and compliance.
Prediction #1 – We finally get legislation
In 2024, the software development landscape is on the cusp of transformation, with the anticipated enactment of significant legislation. After years of discussion, documentation, and regulatory conversations, the industry is preparing for laws that are expected to be enacted during the year. These changes are set to establish an initial industry agreement on what it means to sign off on software, particularly concerning those selling to the US government, the EU, or any public sector. The focus will be on defining responsibility and, more crucially, accountability.
However, there are looming questions: What happens if something is omitted? What if a flaw is discovered downstream? What is the organization’s responsibility then? The attestation form, currently being circulated by CISA and under review and feedback from the industry, is on the verge of being finalized for the first round. Once implemented, there will likely be feedback, iterations, and improvements to follow.
Alongside the legislative changes comes the need for a deeper understanding of the Software Bill of Materials (SBOM). Questions arise, such as how deep the SBOM needs to be. Should it include first-level dependencies, or do we need transitive dependencies? What if there are snippets of code or other intellectual property items like documents and images? A consensus is necessary, varying by industry, regarding what’s expected for regulated versus non-regulated industries.
Considerations will also be made about the standard of care, determining the depth of analysis required for certain industries such as automotive, medical devices, or critical infrastructure, versus a direct-to-consumer widget. These changes will redefine the industry’s understanding of software accountability and responsibility, marking a significant step forward in the evolution of software development.
Prediction #2 – Exponential growth in AI generated code
In 2024, we’re witnessing exponential growth in AI-generated code, a phenomenon that has been compared to a pandemic sweeping the development community. According to a recent GitHub report, the number of generative AI projects more than doubled by June 2023 compared to all of 2022. This upward trajectory is expected to continue throughout 2024. But how can we prepare for this additional growth?
Managing License Compliance
The rapid growth of AI-generated code presents new challenges, particularly in terms of license compliance. Organizations adopting AI technology must carefully evaluate the code being integrated, especially considering the potential for safety critical and regulated contexts.
Embracing AI Technology:
The focus needs to be on educating development teams and ensuring they are set up for success. It’s not about preventing the use of AI tools but rather establishing guardrails on how to use them properly. Organizations need to have a conversation between engineering, legal, and engineering security to understand their concerns, risks, and how to mitigate them. This combined approach allows developers to use the technology to continue innovating and getting to market quickly. If companies fail to adapt and embrace AI, they risk falling behind their competitors. It’s essential to evolve with the changing landscape, or face being left behind.
Prediction #3 – Shift left and automation becomes a required solution capability
The term “shift left” might seem less frequent, even faded in developer discussions due to the current increased focus on automation. Developers today are overburdened with tasks, making it nearly impossible to manage all the responsibilities the industry demands. Therefore, automating left is becoming increasingly prominent in 2024, aiming to move from early indication of security concerns to their prevention. However, some organizations have merely shifted old security testing methods or license compliance scanners, which were previously late in the process, earlier into the development cycle.
In 2024, there will be a more profound interest in shifting left as an initial deployment. It’s about understanding the risks, how much to automate, and how much to manage manually to ensure comprehensive coverage.
OSPO-as-a-Service
.
Prediction #4 – Continued shift of ownership and accountability
The burden on developers to manage security tools, SCA tools, understand how to remediate security issues, and conduct training continues to increase. This leaves less and less daily work time dedicated to innovation.
Nearly 30% of Fortune 100 companies have formed Open Source Program Offices. Now, open source is being done strategically, not just ad hoc and reactive. Companies are beginning to assess OSPO/SBOM maturity. This trend indicates that organizations are beginning to realize the need for someone to own the process. It can’t just be left up to every single product team operating independently and hoping to achieve a common outcome.
For organizations not sure how to proceed, or those who want to start right away, OSS consultants offer a managed OSPO service that can jump in immediately with experts and other resources, such as tooling. This allows companies time to staff and train an internal team while still addressing critical functions.
OpenChain is another option for those wanting to start their own. OpenChain is a global community of organizations collaborating to create trust in the open-source supply chain.
Prediction #5 – Security-by-design / by-default becomes the de-facto approach
Historically, organizations addressed vulnerabilities after customers began using products, requiring users to apply updates themselves. Implementing secure-by-design methods can help stop this loop. Products secure by design ensure customer security as a core business goal. Manufacturers implementing security throughout a product’s lifecycle will become the norm in 2024.
This is easier with new products. You start with threat modeling, architect properly, and put controls in place. But what about existing products? Work with the security team to understand how your product works, where it’s deployed, and what data it captures.
Ultimately, this approach minimizes future disruption by getting it right the first time (or the second time after releasing the product).