Cultivate a security-focused mindset for software developers
There is a “great cybersecurity awakening” happening in business. Right now, we need a fundamentally new approach to development, so that we don’t constantly fight fires.
Nearly two years into the pandemic, organizations recognize that their teams may never be together in one place again. This has pushed massive adoption of cloud services and SaaS applications to enable their distributed workforce. The pandemic has also fueled a rise in cybercrime, with criminals taking advantage of the chaotic transition to remote working to target vulnerable systems and launch devastating ransomware and supply chain attacks. Naturally, security teams are recalibrating and sorting out where more security investments are needed in the new year.
The software development community is reacting to these developments and recognizing that addressing security after the fact encourages attacks and the resulting damage. Each time an application is updated with new features, it is possible to introduce exploitable vulnerabilities.
Vulnerabilities can be introduced in several ways. The pressure to deliver innovative features and get products to market quickly often pushes security practices aside, resulting in the release of vulnerable code. The use of pre-built code and components and the idiosyncrasies of different programming languages can also introduce software vulnerabilities. Even when developers follow secure coding practices, highly motivated cybercriminals look across the whole body of code for vulnerabilities to exploit, whereas developers may work in only a small subset of the code and not see the big picture. Either way, the vulnerability is then addressed by further app updates, continuing the cycle.
Faced with this uphill battle, application vendors are going to have to ask themselves how they can integrate security at the level they need into their applications. For many of them, the answer will be to integrate what I call “micro-detection” into their applications.
Micro-sensing can result in resilient software
Most software today is composed of independent, loosely coupled components that run each application process as a service. These services work and function on their own, but when combined, the whole is far greater than the sum of the parts. Cybersecurity, however, has not kept up with this development. It always views the application as a whole, which makes it difficult to effectively mitigate the risks introduced by a microservices architecture. Breaking down an application into discrete microservices increases that application’s attack surface because its entry points and communication paths are spread across multiple environments. The high-level, umbrella approach to cybersecurity is not well suited to detecting and addressing vulnerabilities in these types of modern applications.
Detection is going to have to go down to the micro level to work effectively with microservices. Think of detection as a set of small service capabilities that can sit and watch for changes within a microservice. The closer we can get to the source, the quicker and easier it is to monitor a chain reaction that can lead to an exploit being activated. Prevention is great, but it’s too close to an active exploit. This may be controversial to some people, but you need a vaccine to prevent disease, and the sooner you get it the better protected you are, even if you never come into contact with the virus.
So how do you know when to get vaccinated and which vaccine to get? You need to see what is happening and really understand the potential impact. The only sure way to achieve this outcome is for developers to consider how each service they develop could potentially be leveraged and how each exposure would play out across services. Next, they will need to consider the potential of detection capabilities.
This likely means that developers will need to identify potential anomalies (a deviation from baseline in some microservice’s code, for example) that can provide a “trigger” for detection. A single anomaly in a microservice may be interesting but not particularly important. But when combined with five or six other specific anomalies on the same feature set spanning multiple microservices, it may indicate something more critical. Machine learning algorithms could recognize these anomalies as a pattern and flag them for investigation. This way, developers can embed a series of hooks at the microservice level that could point the way to a security threat when viewed together.
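As an added illustration of the correlation described above (not code from the original article), the following Python example groups anomaly events emitted by per-microservice hooks by feature set and flags a feature set only when enough distinct anomalies from more than one service fall inside one time window. The `Anomaly` record, the `correlate` function, the 300-second window, the thresholds and the sample events are all assumptions made for the example, and a fixed threshold rule stands in for the machine learning the article mentions.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Anomaly:
    ts: int        # seconds since start of capture
    service: str   # microservice whose hook fired
    feature: str   # feature set the hook belongs to
    kind: str      # which baseline deviation was observed

def correlate(events, window=300, min_anomalies=5, min_services=2):
    """Flag feature sets where enough distinct anomalies from enough
    services fall inside one sliding time window (assumed thresholds)."""
    by_feature = defaultdict(list)
    for e in events:
        by_feature[e.feature].append(e)
    alerts = []
    for feature, evs in sorted(by_feature.items()):
        evs.sort(key=lambda e: e.ts)
        start = 0
        for end, last in enumerate(evs):
            while last.ts - evs[start].ts > window:
                start += 1  # drop events that fell out of the window
            span = evs[start:end + 1]
            distinct = {(e.service, e.kind) for e in span}
            services = sorted({e.service for e in span})
            if len(distinct) >= min_anomalies and len(services) >= min_services:
                alerts.append({"feature": feature, "services": services,
                               "anomalies": len(distinct), "first": span[0].ts, "last": last.ts})
                break  # one alert per feature set is enough to open a case
    return alerts

# Constructed sample events (not from any real system).
SAMPLE = [Anomaly(*row) for row in [
    (10, "cart", "checkout", "payload_size"),     # five anomalies, three services,
    (40, "cart", "checkout", "new_caller"),       # all within 300 s: flagged
    (75, "payment", "checkout", "error_rate"),
    (120, "payment", "checkout", "latency"),
    (200, "orders", "checkout", "new_egress_host"),
    (30, "search", "catalog", "latency"),         # lone anomaly: ignored
    (0, "auth", "login", "error_rate"), (20, "auth", "login", "latency"),   # one service only
    (50, "auth", "login", "payload_size"), (60, "auth", "login", "new_caller"),
    (90, "auth", "login", "new_egress_host"),
    (0, "mail", "notify", "latency"), (1000, "sms", "notify", "error_rate"),  # too spread out
    (2000, "mail", "notify", "payload_size"), (3000, "sms", "notify", "new_caller"),
    (4000, "mail", "notify", "new_egress_host"),
]]

if __name__ == "__main__":
    print(correlate(SAMPLE))
```

With the sample data only the checkout feature set is flagged; widening `window` shows how the notify events, which are individually unremarkable, would also cross the threshold.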
Making micro-sensing a reality will require a significant paradigm shift. The functionality and security of app features should be managed by separate, independent teams. Many companies today have developers who are also responsible for security. Separating church and state is important; the fox can’t be in the henhouse. Choose your analogy; otherwise, you end up with supply chain issues. What is needed is an agile approach to security and development that brings the two disciplines together. Change may take years, but the current cybersecurity climate has created a realization that forces application vendors to accept that they cannot continue to develop software in the same way.
The role of managed detection and response
Managed detection and response will continue to play a critical role in this new paradigm. The strength of MDR is to put organizations in a good security posture to begin with and to focus first on what needs to be done to prevent a breach. In the event of an organizational breach, MDR vendors can help control the scope of the attack to minimize the impact. Shifting to a security-focused development mindset, coupled with oversight by a strong MDR partner, will provide the most robust protection in a growing and increasingly aggressive threat landscape.