It’s pretty difficult to make information security predictions, and even more difficult to verify them afterwards: we can only judge the effectiveness of information security by the number of public security incidents that were uncovered, while the majority of data breaches remain undetected.
However, we can try to make some web security predictions based on common sense profitability (profit/cost ratio) for hackers:
1. XSS will become a more frequent and dangerous vector of attacks
It’s very difficult to detect high or critical risk vulnerabilities in well-known web products (e.g. Joomla, WordPress, SharePoint, etc). However, low and medium risk vulnerabilities, such as XSS, will still regularly appear. Sophisticated exploitation of an XSS can give the same outcomes as an SQL injection vulnerability, therefore hackers will rely on XSS attacks more and more to achieve their goals.
2. Third-party code and plugins will remain the Achilles’ Heel of web applications
While the core code of well-known CMSs and other web products are fairly secure today, third-party code such as plugins or extensions remain vulnerable even to high-risk vulnerabilities. People tend to forget that one outdated plugin or third-party website voting script endanger the entire web application. Obviously hackers will not miss such opportunities.
3. Chained attacks via third-party websites will grow
Nowadays, it’s pretty difficult to find a critical vulnerability on a well-known website. It is much quicker, and thus cheaper, for hackers to find several medium risk vulnerabilities that in combination allow complete access to the website. Another trend is to attack a reputable website that the victim regularly visits. For example, when chasing for a C-level executive, hackers may compromise several high-profile financial websites or newspapers, and insert an exploit pack that will be activated only for a specific IP, user-agent and authentication cookie combination belonging to the victim. Such attacks are very complicated to detect, as only the victim can notice the attack.
4. Automated security tools and solutions will no longer be efficient
Web Application Firewalls, Web Vulnerability Scanners or Malware Detection services will not be efficient anymore if used independently or without human control. Both web vulnerabilities and web attacks are becoming more and more sophisticated and complex to detect, and human intervention is almost always necessary to fully detect all the vulnerabilities. It’s not enough to patch 90% or even 99% of the vulnerabilities – hackers will detect the last vulnerability and use it to compromise the entire website.