New Year's security resolutions for 2024 from Snyk DevRel, SecRel, and friends

SnykSec - Jan 19 - Dev Community

Turning what we learned in 2023 into new learning in 2024 will be an exciting and fulfilling journey. In 2023, we saw a huge surge in the use of AI, including cyberattacks that use AI and machine learning. We are also seeing increased awareness of the need for application security posture management (ASPM). Snyk has launched its own ASPM solution, Snyk AppRisk, designed to help AppSec teams implement, manage, and scale their security programs.

This year, we asked the DevRel and SecRel team at Snyk and security experts from around the industry to drop in their personal and professional New Year's security resolutions for 2024.

Micah Silverman, Head of SecRel, Snyk

In 2024, I want to improve my personal OpSec. Here’s my resolution list:

  1. I will use my password vault exclusively for passwords. No relying on my memory for ANY passwords.
  2. I will audit my password vaults at least once a quarter to delete anything insecure and to manage shared vaults.
  3. For all online services, I will enable 2FA features where possible.
  4. I will attend at least two security conferences this year, whether I am a speaker at them or not.
  5. I will learn all I can about modern AI and use it responsibly. I’m already a hobby practitioner. I am going to start with Google’s AI learning track.

I have several hobby and professional projects used by thousands of people. In 2024, I want to improve the security posture of these apps. Here’s my resolution list:

  1. I will transition all apps that rely on environment variables for secrets to better solutions, like HashiCorp Vault or similar (see the CircleCI breach).
  2. I will make sure that Snyk scans are automated at the CI/CD stage.

Sonya Moisset, Senior Security Advocate, Snyk

Some resolutions that you can adopt for your team:

  1. Prioritize mental health for security teams and leaders, promoting a healthy work-life balance and creating a safe environment for discussing security concerns.
  2. Focus on expanding your skill set by learning about emerging technologies, such as quantum computing, advanced encryption techniques, AI-powered tools and platforms, and AI privacy, ethics, and responsibility.
  3. Stay ahead of emerging technologies: Keep an eye on emerging technologies, such as AI and generative AI-based technologies, which are being used by adversaries to attack enterprises. Be prepared to adapt your security strategies accordingly.
  4. Prioritize continuous AI security training within your team. AI technology evolves rapidly, and so do the associated security threats. Dedicate time and resources to ensure that your team is well-versed in the latest AI security best practices, emerging threats, and mitigation strategies. Encourage participation in workshops, training programs, and industry conferences focused on AI security.
  5. Embrace AI-driven security solutions: With adversaries increasingly using AI and generative AI-based technologies, organizations can resolve to adopt advanced AI-driven security solutions to stay ahead of evolving cyber threats.
  6. Invest in cutting-edge cybersecurity companies: Invest in innovative cybersecurity companies that leverage AI to detect and eliminate threats, aligning with the increasing priority and spending on security in the business sector.
  7. Cybersecurity awareness training through gamification: Resolve to deliver cybersecurity awareness training to employees using gamification techniques, such as interactive games and simulations, to make learning about security best practices engaging and effective.

Liran Tal, Director DevRel, Snyk

  1. Personal security resolution: Be mindful of my kid’s privacy awareness on the internet, and the high trend of phishing and misinformation.
  2. Work security resolution: Managing secrets is hard! Anything from .env files, to enabling 2FA and working with a password manager. Treat your secrets properly!
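Micah's and Liran's resolutions about moving secrets out of environment variables and .env files share a root cause that is worth seeing in code. The following is an added example, not code from the post or from any of the contributors: it spawns a child Python process and shows that the child inherits a secret placed in the parent's environment, then shows an allow-listed environment that does not leak it. The variable name DB_PASSWORD and its value are constructed for the demo.

```python
"""Environment variables are inherited by every child process, so a secret
placed there is readable by any build step, plugin or dependency that spawns
a process (and, on Linux, by anything that can read /proc/<pid>/environ).
Added example, not the post's code; DB_PASSWORD and its value are made up."""
import os
import subprocess
import sys

SECRET_NAME = "DB_PASSWORD"
DEMO_SECRET = "s3cr3t-demo-value"  # constructed value, never a real credential
ABSENT = "<absent>"
# The child does nothing but report what it can see for SECRET_NAME.
CHILD_SCRIPT = (
    "import os, sys; "
    f"sys.stdout.write(os.environ.get({SECRET_NAME!r}, {ABSENT!r}))"
)


def child_view(environment: dict) -> str:
    """Spawn a child interpreter with exactly `environment` and return what
    it sees for SECRET_NAME."""
    result = subprocess.run(
        [sys.executable, "-c", CHILD_SCRIPT],
        env=environment, capture_output=True, text=True, check=True,
    )
    return result.stdout


def leaky_environment() -> dict:
    """The common pattern: export the secret and let the app read it."""
    env = dict(os.environ)
    env[SECRET_NAME] = DEMO_SECRET
    return env


def scrubbed_environment(env: dict) -> dict:
    """Allow-list only what a child needs; everything else, secrets included,
    stays in the parent."""
    keep = {"PATH", "HOME", "LANG", "LC_ALL", "SYSTEMROOT", "TEMP", "TMP"}
    return {k: v for k, v in env.items() if k in keep}


def secret_leaks_to_child() -> bool:
    """True when a child spawned with the inherited environment reads the secret."""
    return child_view(leaky_environment()) == DEMO_SECRET


def scrubbed_child_sees_secret() -> bool:
    """False when the allow-listed environment keeps the secret in the parent."""
    return child_view(scrubbed_environment(leaky_environment())) == DEMO_SECRET


if __name__ == "__main__":
    print("child inherits secret:", secret_leaks_to_child())            # True
    print("scrubbed child sees secret:", scrubbed_child_sees_secret())  # False
```

Scrubbing the environment of child processes is damage limitation, not a replacement for the secrets manager Micah mentions: a manager lets the application fetch a short-lived credential at the moment it needs it, so the value is never sitting in the process environment for a build step or a compromised dependency to read.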

Vandana Verma Sehgal, Senior Security Advocate, Snyk

Personal security:

  1. Passwords: I commit to using strong, unique passwords for each online account and consider using a reputable password manager.
  2. Multi-factor authentication (MFA): I will activate MFA wherever possible to add an extra layer of security to my accounts.
  3. Research: I will support cybersecurity research initiatives and share findings within the community.
  4. I will advocate for and participate in cybersecurity education programs at the community and university level.
  5. There have been a lot of issues with home-connected IoT devices. I will make sure to keep all my IoT and personal devices secure.
  6. I will learn more about ASPM.
  7. I will learn software supply chain security deeply.

Corporate OpSec:

  1. Incident response plan: Organisations should develop, test, and refine an incident response plan to minimize the impact of security breaches.
  2. Third-party vendor assessment: Organisations need to do a thorough assessment of all the vendors used by the organisation.
  3. AI is the talk of the town. Organisations should use AI responsibly. With great power comes great responsibility, so we have to be very careful while using AI.

John Hammond, Cybersecurity Researcher, Ethical Hacker, YouTuber, CTF Wizard

  • Personal resolution: Break my bad habits.
  • Professional security role: Write more YARA or Sigma rules for detection efforts.

Patrick Pitchappa, Cyber Security Leader

Personal Security

  1. Mentoring cybersecurity professionals at all levels.
  2. Help cybersecurity professionals find jobs or change their current jobs.
  3. Get more into cybersecurity awareness research. The current awareness programs are old and becoming ineffective.

Professional Security

  • Adopt more AI in cybersecurity initiatives
  • More networking with cybersecurity professionals

Arianna Willet, Head of Security, Risk, and Trust, ngrok

  • Personal security resolutions: Evangelize MFA and password managers among my friends and family. Start using passkeys more broadly.
  • Work security resolutions: Make sure all the new systems that ngrok purchases in the new year are behind our identity provider and can be accessed via SSO, so we can continue to grow our trust.

Leo da Silva, Principal Security Solutions Architect, ASEAN

  • Backups: I will ensure that my personal and important files have been backed up using durable storage, and I will test the restore process at least once during the year.
  • Patching: I commit to invest time in prioritising patches to be deployed in my environments, keeping my apps free of critical issues as quickly as practical. I will do that by leveraging automated functions everywhere it makes financial and technical sense.

Brian Demers, Developer Advocate, Gradle

  • Personal: For 2024, I plan to audit my passwords, particularly improving weaker passwords used on some home network devices. While I typically use strong, generated passwords and multi-factor authentication, I anticipate discovering some accounts with outdated security settings. My password manager has this functionality built-in, so I have no excuse for not doing it yet.
  • Professional: This year, I'll focus on championing reproducible builds in the projects I contribute to. Reproducible builds are a set of practices that allow various users to build the same source and get the same output bit-for-bit. This can help prove nothing malicious is injected at build time and is essential to ensuring the integrity of any produced artifact.
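To make the reproducible-builds point concrete, here is an added example in Python; it is not Brian's, Gradle's, or the post's code. It creates two source trees with identical content but different file timestamps, as two checkouts on different machines would have, then archives each tree twice: once naively and once with normalized metadata. Only the normalized archive yields the same SHA-256 from both trees. Paths, file contents and timestamps are constructed for the demo.

```python
"""Reproducible archive build: two source trees with identical content but
different file timestamps must produce bit-identical artifacts. Added
example, not Gradle's or the post's code; the tree is constructed."""
import hashlib
import io
import os
import tarfile
import tempfile

# Fixed timestamp baked into every entry, in the spirit of SOURCE_DATE_EPOCH.
SOURCE_EPOCH = 1704067200  # 2024-01-01T00:00:00Z


def make_tree(root: str, mtime: int) -> None:
    """Write a small source tree under root, then stamp every path with mtime
    so two trees can differ only in timestamps."""
    os.makedirs(os.path.join(root, "src"), exist_ok=True)
    files = {"src/app.py": "print('hello')\n", "README.md": "demo\n"}
    for rel, content in files.items():
        path = os.path.join(root, *rel.split("/"))
        with open(path, "w") as fh:
            fh.write(content)
        os.utime(path, (mtime, mtime))
    os.utime(os.path.join(root, "src"), (mtime, mtime))
    os.utime(root, (mtime, mtime))


def naive_build(root: str) -> bytes:
    """Archive with whatever metadata the filesystem reports (mtimes,
    uid/gid, permissions). Any of these can differ between machines."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        tar.add(root, arcname=".")
    return buf.getvalue()


def reproducible_build(root: str) -> bytes:
    """Archive with normalized metadata: entries in sorted order, a fixed
    mtime, no owner names or ids, canonical permissions."""
    def normalize(info: tarfile.TarInfo) -> tarfile.TarInfo:
        info.mtime = SOURCE_EPOCH
        info.uid = info.gid = 0
        info.uname = info.gname = ""
        info.mode = 0o755 if info.isdir() else 0o644
        return info

    entries = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            arcname = os.path.relpath(full, root).replace(os.sep, "/")
            entries.append((arcname, full))
    entries.sort()  # never trust directory listing order

    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for arcname, full in entries:
            tar.add(full, arcname=arcname, recursive=False, filter=normalize)
    return buf.getvalue()


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def compare_builds() -> dict:
    """Build two identical trees 'checked out' a day apart and report whether
    each strategy yields matching digests."""
    with tempfile.TemporaryDirectory() as a, tempfile.TemporaryDirectory() as b:
        make_tree(a, mtime=1_700_000_000)
        make_tree(b, mtime=1_700_086_400)  # same content, one day later
        return {
            "naive_matches": sha256(naive_build(a)) == sha256(naive_build(b)),
            "reproducible_matches":
                sha256(reproducible_build(a)) == sha256(reproducible_build(b)),
        }


if __name__ == "__main__":
    print(compare_builds())  # {'naive_matches': False, 'reproducible_matches': True}
```

The normalization mirrors what build tools do when honouring SOURCE_DATE_EPOCH: fix every mtime, drop owner names and ids, canonicalize permissions and entry order. Anything left to the filesystem is a source of non-reproducibility, and a digest comparison like this one is the check that catches it before an artifact is signed or published.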

Commit to your own security resolutions

There are some common threads in most of these. On the personal side, better OpSec, especially password managers and MFA, comes up again and again. On the professional side, many of the commitments are about improving security posture and building knowledge around AI.

Let us know what your personal and professional security resolutions are! You can find us on X (formerly Twitter) @snyksec.
