Synopsys: Seven major trends in the software security industry in 2022

Publisher: EE小广播 | Latest update time: 2021-12-28 | Source: EEWORLD | Keywords: Synopsys

In the past two years, global cybersecurity threats have become increasingly complex, with a variety of attack methods and inestimable economic losses. Cybersecurity has become one of the thorny issues faced by global companies and governments.




Instability has become the new normal, and cybersecurity challenges persist. On the one hand, new technologies continue to emerge and application scenarios become more diversified; on the other hand, security threats emerge alongside them, and some of these security issues even break out in unexpected areas. Many companies are strengthening their review of software security and technology supply chains. As the new year approaches, Synopsys shares the emerging trends it has observed, hoping to help companies make more informed decisions when advancing software security programs.


1. Security of AI-driven systems becomes an important practice for development and security teams


"AI has rapidly evolved from a promising technology to mainstream adoption in nearly every area of ​​IT and consumer," said Jason Schmitt, general manager of Software Integrity and Security at Synopsys. "As a result, the security of AI-driven systems will become another important goal for development and security teams as they understand the nature and scope of algorithmic operations targeting AI."


2. Software transparency will increase


As supply chain attacks grow, attention to software bills of materials (SBOMs) has increased. According to the latest version of the Building Security into Software Maturity Model (BSIMM), BSIMM12, software bill of materials activity has increased 367% over the past 24 months.


"In 2022, more organizations will want to understand what components their software consists of," said Sammy Migues, chief scientist at Synopsys. "Enterprises will ask vendors to account for all the software in their applications and devices, where it comes from, how it is built and tested, and how it is maintained."


3. Enterprises gradually realize that AppSec is the key to risk management


In the past, AppSec was viewed as a hindrance to business progress. Now, enterprises are beginning to realize that AppSec is inseparable from the way they build, deploy, and run software.


"Organizations are beginning to realize that AppSec is a critical part of risk management and that properly implemented AppSec programs deliver business benefits," said Jonathan Knudsen, senior security strategist at Synopsys. "Successful AppSec means fewer software vulnerabilities, which means less risk, higher productivity, and happier customers."


In addition, in the field of AppSec, enterprises have been adopting static analysis tools, interactive application security testing tools, and software composition analysis tools in order to make decisions quickly and cultivate a DevSecOps culture. Enterprises do not want to waste developers' time combing through a large amount of duplicate defect information or fixing unexploitable defects. Therefore, integrating the results from multiple tools and providing a prioritized defect list will become a priority.


4. Cloud security strategies are becoming increasingly mature, and the use of container orchestration technology continues to grow


In the year ahead, cybersecurity awareness training will remain critical for businesses of all shapes and sizes to prevent cyberattacks.


"Cloud security strategies will continue to mature in the coming months and years as more enterprises adopt cloud solutions," said Amit Sharma, security engineer in the Software Integrity and Security Group at Synopsys. "Automation and configuration can help protect sensitive data in the cloud. We will see continued growth in the use of orchestration technologies like Kubernetes, and an increase in demand for container and Kubernetes security solutions."


5. Infrastructure as Code adoption will accelerate in Asia Pacific


"Infrastructure as code has been around for years, but adoption in Asia Pacific has been slower than in other regions, but this is expected to change in 2022," said Ian Hall, director of Asia Pacific Client Services, Software Integrity and Security at Synopsys. "Infrastructure as code and cloud-native architectures are now the norm. As a result, organizations will need to revisit their security programs in place to prevent past strategies from becoming ineffective as they migrate to new architectures. These technology changes mean that employees will need to be better trained so that they have the skills they need to effectively support and protect systems."


6. More automotive industry cybersecurity standards will be introduced


In 2021, many automotive industry cybersecurity standards were introduced, including ISO/SAE 21434, Automotive SPICE for Cybersecurity, and TR-68:3. OpenChain ISO 5230, which focuses on the security of open source software, has also been released. In addition, there are more related standards being developed, including ISO 5112, ISO/SAE 8475, and ISO/SAE 8477. All of these different standards and technical references provide guidance to the automotive industry to build safer cars.


"In 2022, we will see the automotive industry continue to adopt these standards and technical references," said Dr. Dennis Kengo Oka, chief automotive security strategist at Synopsys. "Major activities include establishing new cybersecurity policies and processes, hiring security personnel and assigning cybersecurity roles and responsibilities, and conducting cybersecurity activities across the enterprise. We also expect to see more streamlined workflows."


7. Software security compliance requirements continue to increase


The Data Security Law and Personal Information Protection Law promulgated by China in 2021 will help regulate data processing activities, ensure data security, and protect personal privacy more effectively.


"In recent years, laws and regulations related to data protection have been introduced around the world. Software companies are also increasing their investment in compliance," said Guoliang Yang, technical director of software application security in China at Synopsys . "In the BSIMM12 report, 77% of respondents said they have transformed compliance constraints into requirements. This helps improve traceability and visibility during audits. In the future, compliance will become increasingly important in software quality and security management."


Only by promoting digital transformation can we truly enable high-quality development. Now, digital transformation has become a must-answer question for major industries in China and even the world. This is inseparable from the drive and application of software. Therefore, whether the software is secure is directly related to the success of digital transformation. Whether it is to improve efficiency or for compliance, software security cannot be ignored; whether it is enterprises or consumers, the attention to software security will only increase.

