Only DevSecOps can save the metaverse

The vast metaverse will also be vast in terms of code, accelerating the demand for supply chain security, automated scanning and testing, and continuous updates.

Defined as a network of 3D virtual worlds focused on enhancing social connections through conventional personal computing and virtual reality and augmented reality headsets, the metaverse was once a fringe concept that few thought much, if anything, about. But more recently it was thrust into the limelight when Facebook decided to rebrand as Meta, and now consumers have started dreaming about the potential of a completely digital universe you can experience from the comfort of your own home. 

While the metaverse is still years from being ready for everyday use, many of its parts are already here, with companies like Apple, Epic Games, Intel, Meta, Microsoft, Nvidia, and Roblox working hard to bring this virtual reality to life. But while most people default to visions of AR headsets or perhaps the superspeed chips that power today’s gaming consoles, there’s no question there will be a massive volume of software needed to design and host the metaverse, as well as an endless number of business use cases that will be developed to exploit it. 

With this in mind, it’s worth giving thought to how the metaverse will be secured, not only in a general sense, but at the deeper level of its underlying programming. The question of securing the core components of the metaverse—or any enterprise—is one that is regularly brought to light, most recently by the Apache Log4j vulnerability, which compromised nearly half of all enterprise systems around the globe, and before that by the SolarWinds attack, which injected malicious code into a simple, routine software update rolled out to tens of thousands of customers. The malicious code created a backdoor to customers’ information technology systems, which hackers then used to install even more malware that helped them spy on U.S. companies and government organizations. 

Shift left, again

From a DevOps point of view, securing the metaverse depends on integrating security as a fundamental process using technologies such as automated scanning, something that’s widely touted today but not widely practiced. 

We’ve previously talked about “shifting left,” or DevSecOps, the practice of making security a “first-class citizen” when it comes to software development, baking it in from the start rather than bolting it on at runtime. Log4j, SolarWinds, and other high-profile software supply chain attacks only underscore the importance and urgency of shifting left. The next “big one” is inevitably around the corner.

A more optimistic view is that far from highlighting the failings of today’s development security, the metaverse might be yet another reckoning for DevSecOps, accelerating the adoption of automated tools and better security coordination. If so, that would be a huge blessing to make up for all the hard work.  

As we continue to watch the rise of the metaverse, we believe supply chain security should take center stage and organizations will rally to democratize security testing and scanning, implement software bill of materials (SBOM) requirements, and increasingly leverage DevSecOps solutions to create a full chain of custody for software releases to keep the metaverse running smoothly and securely. 

Metaverse 2.0

Currently, the metaverse—at least the Meta version—feels like a hybrid of today’s online collaboration experiences, sometimes expanded into three dimensions or projected into the physical world. But eventually, the goal is a virtual universe where you can share immersive experiences with other people even when you can’t be together and do things together you couldn’t do in the physical world. 

While we’ve had online collaboration tools for decades, the pandemic supercharged our reliance on them to connect, communicate, teach, learn, and bring products and services to market. The promise of the metaverse suggests a desire to bring remote collaboration platforms up to speed for a world in which more complex work patterns demand more sophisticated communications systems. While this could usher in exciting new levels of collaboration for developers, it will also create a whole lot more work for them. 

Developers are essentially the transformers of our age, driving the majority of digital innovations we see today—and the metaverse will be no exception. The metaverse will be big in terms of the code needed to support its advanced virtual worlds, potentially generating the need for a lot more software updates than any mainstream business application in use today. More code means more DevOps complexity, leading to an even greater need for DevSecOps.   

Whether the allure of the social gaming metaverse being touted today will ultimately help businesses collaborate and communicate more effectively remains to be seen, but there are three things that are irrefutable: The metaverse is coming; it will be composed largely of software; and it will require comprehensive tools to help developers release updates faster, more securely, and continuously.

Shachar Menashe is senior director of JFrog Security Research. With over 10 years of experience in security research, including low-level R&D, reverse engineering, and vulnerability research, Shachar is responsible for leading a team of researchers in discovering and analyzing emerging security vulnerabilities and malicious packages. He joined JFrog through the Vdoo acquisition in June 2021, where he served as vice president of security. Shachar holds a B.Sc. in electronics engineering and computer science from Tel-Aviv University.

New Tech Forum provides a venue to explore and discuss emerging enterprise technology in unprecedented depth and breadth. The selection is subjective, based on our pick of the technologies we believe to be important and of greatest interest to InfoWorld readers. InfoWorld does not accept marketing collateral for publication and reserves the right to edit all contributed content. Send all inquiries to newtechforum@infoworld.com.

Copyright © 2022 IDG Communications, Inc.