The year 2022 was a point of departure for the Russian information security industry, which faced the need to create its own foothold for software protection. The introduction of secure development processes has become a key priority for all companies. They are expanding their information security practices in response to growing software output, an increasing number of cyber threats, and new regulatory requirements. It is noteworthy that over the past year, even startups that until 2022 did not plan to focus on security have shown interest in DevSecOps (development, security, and operations). Together with Anton Basharin, CTO of Swordfish Security, let’s gain insight into how the DevSecOps market is developing in 2023, what difficulties market players are facing, and how regulators’ policy and cyber threats are changing.
Let’s take a look at important regulatory novelties that characterize the course of regulators’ policy development in 2023.
- The Federal Service for Technical and Export Control published recommendations for configuring Linux-based operating systems. These are temporary measures intended for state information systems and critical information infrastructure facilities that have not yet transitioned to certified versions of Linux. The federal service also published the ScanOVAL program, which performs automated vulnerability checks on servers and workstations running Linux.
- The Ministry of Communications and Mass Media developed recommendations regarding the security of the repository of Russian open-source software, which is being created as an experiment in accordance with government’s resolution No. 1804 of October 10, 2022. The document lists unified requirements for the security of such repositories.
- The Federal Service for Technical and Export Control adopted a document, Guidelines for Organizing the Vulnerability Management Process at an Agency (Organization). The recommendations are intended for state agencies, critical information infrastructure facilities, and other companies. The document outlines a vulnerability management procedure consisting of five key stages: detecting problems and assessing their relevance; analyzing the errors; determining elimination methods and priorities; fixing the vulnerabilities; and controlling changes.
- This summer, the Federal Security Service published an order outlining the procedure for monitoring website security at critical information infrastructure facilities. The document states that monitoring will be conducted continuously and without prior warning from the Federal Security Service. The scanning is intended to assess the websites’ ability to withstand security threats. Only the external perimeter of organizations will be inspected.
The legislative novelties are the best proof that this year regulators, and in particular the Federal Service for Technical and Export Control, are paying greater attention to security. But it is important to distinguish between developing requirements and controlling their implementation (where companies are given assistance in reducing the number of vulnerabilities). To achieve a good result, it is necessary not only to regularly monitor companies’ security level, but also to encourage players to act independently, learn to ensure security themselves, and not sweep problems under the carpet. The current requirements complement each other in this sense. Overall, information security legislation in 2023 came one step closer to practical security. Naturally, much remains on paper, but regulators have begun to speak more often about the actual implementation of protection measures.
What is going on in the market
Many foreign vendors have partially or completely left the Russian secure software development market. According to the Center for Strategic Developments, in 2022 the share of foreign players decreased by 9% to 30%, the remainder being sustained by long-term contracts that many companies had signed. According to experts, the withdrawal of foreign suppliers will be one of the main drivers of market growth this year, but its importance will gradually decrease.
There are currently products from such vendors as Kaspersky, Positive Technologies, Swordfish Security, Rostelecom Solar, Profiscope, Luntry, and others. There are not many market players and each has its own specialization, so the overall product portfolio, and the solutions within it, is growing slowly, and demand exceeds supply. In addition, due to low competition, Russian solutions are sometimes more expensive than foreign ones. In the spring, media reported that prices for Russian software had grown by 30-50% within a year.
Due to the exodus of foreign vendors, two classes of products are now in limited supply: tools for detecting and analyzing vulnerabilities, and network firewalls. Russian customers are currently left without technical support and updates, and in some cases paid licenses have expired. By then, most big players had already built their basic DevSecOps pipelines, which rely mostly on foreign tools.
Today, companies often fail to find alternatives, if only because organizations tend to ask suppliers for near-identical products with familiar functionality. It will take Russian vendors several years to fill out their tool portfolios or to mature tools they had to create hastily.
The segments in short supply include static and dynamic application security testing tools (SAST and DAST), software composition analysis (SCA) tools, application security orchestration and correlation (ASOC) products, and container security (CS) tools. Yet we can already see emerging solutions in these groups that are adapted to the specific characteristics of Russian-produced software and can ensure its security under regulatory requirements. Certain products have existed on the market for several years but are only now becoming more widely used. For instance, our data show that demand for solutions implementing the ASOC practice has increased by over 20%. Previously, potential customers were not eager to switch to domestic alternatives, or simply went without cybersecurity tools.
In the new reality, we can observe three major customer behavior models. Under the first, companies use open source tools or make their own counterparts of the necessary products to build an internal security system. The second model involves companies that either stay idle and take their chances, or purchase licenses in other countries and apply third-party patches. In the third scenario, customers wait for the release of suitable Russian-made solutions, or are already gradually building a new DevSecOps platform.
How hackers hack
In 2023, the nature of cyberattacks has changed, with two consistent approaches observed. The first is used by unskilled attackers who carry out simple attacks; they generate a kind of “background noise” that most often fails to cause significant harm to companies. The second is used by professional hacker groups, which often have centralized control; their skills and tools have grown dramatically over the past year. These groups plan attacks thoroughly, using data obtained through reconnaissance and often employing legitimate software and tools to conceal their activity. Tracking such attacks is becoming increasingly difficult, as it requires specific tools and skills. According to a study by Positive Technologies, the share of targeted incidents increased to 78% of the total in the second quarter of 2023, compared to 68% in the first quarter.
This year, professional hackers are actively using malware that can bypass antivirus protection. The same data indicate that during this year’s first and second quarters, the share of attacks targeting specific companies was 64% and 57%, respectively. The most common types of malware attacks are ransomware, spyware, and remote-control malware.
In executing attacks, these groups seek to disrupt businesses and critical infrastructure and to obtain confidential information for use in further attacks. In the first seven months of this year, over 150 leaks of users’ personal data were registered in Russia. Yet Russian companies have strengthened their cybersecurity compared to last year: the DDoS attacks that were common in 2022 now rarely cause serious damage to organizations. However, their number continues to grow, increasing by 40% in the second quarter of 2023, with most of them targeting the financial sector.
While seeking effective attack vectors, hackers scan companies’ digital infrastructure for vulnerabilities. Interestingly, attackers are showing less interest in security issues in foreign-produced software; according to RTK-Solar, they are paying increased attention to vulnerabilities in domestic software, which companies use as part of import substitution or cannot protect given the lack of the required cybersecurity tools.
The trends of 2023 show that the secure software development industry is going through a transitional period. The abrupt changes are forcing the market to make urgent and sometimes rough moves, such as developing software in a hurry, introducing products that are not fully mature, complying with new regulatory requirements, or seeking ways around restrictions to gain time. On top of this, companies have to deal with hackers whose techniques are growing stealthier and more cunning. The transition is occurring more slowly than many players expected. Cybersecurity vendors and customers still have a great deal of work to do, yet intermediate outcomes are already visible. We can expect a more or less clear picture of the market by late 2024, when the security tool portfolio has expanded and many organizations have built at least a backbone of cybersecurity infrastructure based on domestically produced products.