Secure Software Summit Series: Focus on Preventative Preparedness
The connected global economy and the COVID-19 pandemic have forced businesses to accelerate digital transformation. Sophisticated cybercriminals have seized on this forced acceleration to lay the groundwork for cyber warfare. In response to recent attacks ranging from the SolarWinds breach to the Log4Shell exploits, many companies quickly isolated and patched their systems. However, these reactive patches don’t always work; neither does the watch-and-wait approach. We need to focus on overhauling our organizational operations and culture to create and sustain preventative preparedness. Businesses and infrastructure need to be more resilient and secure from the start, by building security into the development process.
Secure Software Summit
In early 2022, ShiftLeft hosted the Secure Software Summit to provide industry experts and practitioners in the software development world with a platform to discuss the latest methods and advancements in secure coding and development practices. Securing code earlier and better has become a discipline in itself!
Some of the main takeaways from the event were:
SBOMs are in your future
In the very near future, organizations will need to better account for all software and components in their applications, most likely through a software bill of materials (SBOM). The US government has mandated barebones SBOMs, and soon we will see the private sector begin to mandate them as well, as part of procurement and audit processes. This will increase transparency and automate the discovery of all dependencies and components in a way that until now was not common. Software Composition Analysis (SCA) will facilitate this process and become a standard part of the build process and application development lifecycle.
Securing open source is essential
With Log4Shell and other open source software (OSS) supply chain attacks, application security teams need to learn how to update and secure the most critical OSS components and infrastructure more intelligently. The average AppSec team has to sift through huge stacks of vulnerabilities and suggested security fixes, far more than they can possibly fix. We’ve seen a record number of new vulnerability disclosures in each of the past four years. Proper prioritization, based on whether a vulnerability can actually have a significant impact on an organization’s applications and infrastructure, is now essential amid the blizzard of OSS dependencies that make up the modern application.
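The two takeaways above (accounting for every component through an SBOM, and prioritizing the resulting findings by real impact rather than burning down the whole list) can be shown end to end in a few dozen lines. The following is an added example written for this summary; it is not ShiftLeft's tooling or code from any speaker's project. It parses a constructed SBOM in the CycloneDX JSON shape, matches components against a constructed advisory feed, and ranks the hits so that vulnerabilities in code that is actually reachable from the application come first. Every package name, version, purl and advisory id is hypothetical, and the `REACHABLE` table stands in for the output of a reachability analysis that a real SCA tool would compute.

```python
import json

# Constructed sample SBOM in the CycloneDX JSON shape (not a real project's BOM).
# Package names, versions and purls are hypothetical.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "components": [
    {"type": "library", "name": "logfmt-core", "version": "2.14.1",
     "purl": "pkg:maven/org.example/logfmt-core@2.14.1"},
    {"type": "library", "name": "yaml-parse", "version": "1.0.3",
     "purl": "pkg:maven/org.example/yaml-parse@1.0.3"},
    {"type": "library", "name": "image-thumb", "version": "0.9.0",
     "purl": "pkg:maven/org.example/image-thumb@0.9.0"},
    {"type": "library", "name": "http-client", "version": "4.2.0",
     "purl": "pkg:maven/org.example/http-client@4.2.0"}
  ]
}
"""

# Constructed advisory feed. The ids are placeholders, not real CVEs.
ADVISORIES = [
    {"id": "ADV-PLACEHOLDER-1", "name": "logfmt-core", "affected": {"2.14.0", "2.14.1"}, "cvss": 9.8},
    {"id": "ADV-PLACEHOLDER-2", "name": "yaml-parse", "affected": {"1.0.3"}, "cvss": 7.5},
    {"id": "ADV-PLACEHOLDER-3", "name": "image-thumb", "affected": {"0.9.0"}, "cvss": 5.3},
    {"id": "ADV-PLACEHOLDER-4", "name": "http-client", "affected": {"4.1.0"}, "cvss": 8.1},
]

# Hypothetical output of a reachability analysis: is the component actually
# called from application code on a request-handling path?
REACHABLE = {"logfmt-core": True, "yaml-parse": False, "image-thumb": True, "http-client": True}


def parse_sbom(text):
    """Return a list of (name, version) pairs from a CycloneDX-style SBOM."""
    bom = json.loads(text)
    if bom.get("bomFormat") != "CycloneDX":
        raise ValueError("unsupported SBOM format")
    return [(c["name"], c["version"]) for c in bom.get("components", [])]


def find_vulnerable(components, advisories):
    """Match components against the advisory feed by exact version.
    Real SCA tools evaluate version ranges; exact match keeps the example short."""
    findings = []
    for name, version in components:
        for adv in advisories:
            if adv["name"] == name and version in adv["affected"]:
                findings.append({"id": adv["id"], "name": name,
                                 "version": version, "cvss": adv["cvss"]})
    return findings


def prioritize(findings, reachable):
    """Rank findings: reachable components first, then by CVSS within each group.
    Unreachable findings stay in the list (they still need tracking) but sink to
    the bottom. A component with no reachability data is treated as reachable."""
    def key(f):
        return (not reachable.get(f["name"], True), -f["cvss"])
    return sorted(findings, key=key)


def triage(sbom_text=SBOM_JSON, advisories=ADVISORIES, reachable=REACHABLE):
    """Full pipeline: SBOM -> vulnerable components -> ordered work queue."""
    return prioritize(find_vulnerable(parse_sbom(sbom_text), advisories), reachable)


if __name__ == "__main__":
    for f in triage():
        flag = "REACHABLE" if REACHABLE.get(f["name"], True) else "not reachable"
        print(f"{f['id']}: {f['name']}@{f['version']} cvss={f['cvss']} ({flag})")
```

Note the ordering the example produces: the medium-severity `image-thumb` finding outranks the higher-severity `yaml-parse` one because the former is on a reachable path and the latter is not. That is exactly the shift from a raw CVSS burndown to an impact-based queue the summit participants argued for; `http-client` generates no finding at all because its shipped version is outside the advisory's affected set.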
Digital threats impact the real world
For many organizations in non-tech verticals such as software-intensive healthcare, application security is at a critical point: software vulnerabilities can literally put lives and our economy at risk. Researchers have correlated increases in mortality with hospitals operating at higher levels of stress and capacity. When ransomware or other attacks hit healthcare facilities, the effect is the same as a massive pandemic flooding the ER: doctors can’t use systems or equipment, care is rationed, patients are refused and everything becomes more time-consuming. The net result is more deaths. Securing these systems from attack becomes a matter of life and death, literally.
Culture change must come first
Organizations will deploy new security architectures such as zero trust, but these attempts will only succeed if AppSec and development teams change the culture around security. Organizations must recognize that the new normal is a state of constant renewal of trust. It will be difficult; the constant renewal of trust requires an entirely new infrastructure and a new mindset that can be difficult for humans. This means implementing multi-factor authentication in many more places and removing conveniences such as administrative accounts that have general access to systems; this requires the implementation of least privilege practices. Software development will need to incorporate this constant renewal of trust into workflows and tools to make it the new normal.
Go from reactive to proactive
AppSec and development teams should move away from reactive approaches, which tend to tie up most resources during a breach or incident, and focus on more proactive approaches such as better software security analysis and security chaos engineering. Knowing the unknown unknowns before they become a problem is key here. Netflix, which pioneered chaos engineering, recognized that frequently and continually exercising systems to see how they perform under adverse conditions often yields startling insights that can improve security (and resilience more broadly). As mentioned above, creating better ways to prioritize vulnerabilities and focus on those that are truly attackable turns the task from a hopeless burndown into a focused, proactive tactical exercise that is manageable.
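A security chaos experiment is simply a hypothesis about a security control, tested by injecting a fault and observing whether the control still holds. The example below is added here to illustrate that loop; it is not code from Netflix, Verica or the summit. It models a toy request gateway that asks an authorization service whether a request may proceed, injects an outage into that dependency, and checks the steady-state hypothesis "when authorization is unavailable, the gateway denies." Two gateway variants are included: one that quietly fails open under the fault (the kind of unknown unknown the experiment is meant to surface) and one that fails closed. All class and function names are hypothetical.

```python
class AuthzUnavailable(Exception):
    """Raised when the (toy) authorization backend cannot answer."""


class AuthzService:
    """Toy authorization service with a switch for injecting an outage."""

    def __init__(self, grants):
        self.grants = grants          # user -> set of permitted actions (constructed)
        self.failing = False          # set True to inject a dependency failure

    def is_allowed(self, user, action):
        if self.failing:
            raise AuthzUnavailable("authz backend timeout (injected fault)")
        return action in self.grants.get(user, set())


def gateway_fail_open(authz, user, action):
    """Availability-first gateway: if authz is down, let the request through.
    This is the pattern the experiment is designed to catch."""
    try:
        return authz.is_allowed(user, action)
    except AuthzUnavailable:
        return True


def gateway_fail_closed(authz, user, action):
    """Security-first gateway: if authz cannot answer, deny the request."""
    try:
        return authz.is_allowed(user, action)
    except AuthzUnavailable:
        return False


def run_experiment(gateway):
    """Run one security chaos experiment against a gateway implementation.

    1. Establish steady state: a permitted request passes, a forbidden one is denied.
    2. Inject a fault into the authorization dependency.
    3. Re-issue the forbidden request and check the hypothesis that it is still denied.
    4. Remove the fault (the experiment must leave the system as it found it).
    """
    authz = AuthzService({"alice": {"read"}})   # constructed grants
    steady_state_ok = (gateway(authz, "alice", "read") is True
                       and gateway(authz, "bob", "read") is False)

    authz.failing = True
    try:
        fails_closed = gateway(authz, "bob", "read") is False
    finally:
        authz.failing = False

    return {"steady_state_ok": steady_state_ok, "fails_closed": fails_closed}


if __name__ == "__main__":
    for name, gw in [("fail-open gateway", gateway_fail_open),
                     ("fail-closed gateway", gateway_fail_closed)]:
        print(name, run_experiment(gw))
```

Run against the fail-open gateway, the experiment reports `fails_closed: False`: the control that looked fine in steady state silently grants access the moment its dependency degrades. Finding that in a controlled experiment, rather than during an incident, is the proactive posture the talk describes; in a real system the same loop would target a production-like environment with a scoped blast radius and a rollback, which the toy `finally` block only hints at.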
Stay tuned for more articles to follow, written by the following keynote speakers from the event:
- Aaron Rinehart, Verica – Security Chaos Engineering
- Dan Lorenc, Chainguard – The State of OSS Supply Chain Security
- Steve Springett, OWASP – Meet the SBOM
- Shinesa Cambric, Microsoft – Importance of Securing Software with a Zero Trust Mindset
- Malcolm Harkins (Epiphany Systems), Rob Lundy (ShiftLeft) and Bryan Smith (RiskLens) – Accessibility and attack capacity
- Abhishek Arya, Google – Measuring and Mitigating Risk in Open Source Software