
Despite Attacks, the Software Supply Chain Remains Insecure

What do epic cybersecurity attacks like 2022's SolarWinds and Kaseya share with DevOps, AppSec, and the pandemic? Not much. But when it comes to securing the software supply chain, they may all be connected.

Not much has changed since we last checked in on this problem last year. Cyberattacks continued to increase in 2022. Compared with 2022, attacks against software publishers rose by 606%, according to a recent Netscout report. Attacks on computer storage manufacturers jumped by 263%, and on computer makers by 162%.

Nearly three-quarters of software companies and almost two-thirds of large enterprises suffered hacks and intrusions last year, according to a study from Anchore released in January. Over half of the IT, security, and development executives surveyed said they are making software supply chain security a high priority this year.

That's a good thing, because many reports say these organizations are largely unprepared.

KNOWING ISN'T DOING

Nearly two-thirds of senior IT security professionals said they would not be able to stop an attack on their development environment, and almost as many admitted they haven't done anything to secure their software supply chain, according to a CyberArk survey.

Fewer than 40% of companies can detect when their own code has been tampered with, and a minuscule 7% check their code for tampering at every phase of the development cycle, senior software employees reported in a recent ReversingLabs survey. An overwhelming majority were well aware that tampering could cause a security breach.

These disconnects are symptoms of a wider problem, Jon Jarboe, director of product marketing for Cycode, said in an interview with EE Times. While many on the development side are focused on other security issues, primarily fixing application vulnerabilities, attacks on the software development pipeline have been increasing.

"I'm unsure that many organizations are presently equipped to deal with that kind of security problem," Jarboe said. "If attackers can take over your pipeline, it doesn't matter how secure your code is, because they can insert their code, their malware, and your pipelines will send it to your production environment and on to your visitors."

For these reasons, software security is not only about securing the applications. It's also about securing what is used to build those applications, including the tools and environments and, as Jarboe explains, "all the pieces that go into it, whether you wrote it or got it off the shelf or pulled it in from an open-source repository."

"The supply chain has its own dependencies, with the same vulnerabilities that may be leveraged by attackers in applications. [Its] security problem is the next step in application security," he added.
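The surveys above say few organizations check their code for tampering between pipeline stages, and Jarboe's point is that a compromised pipeline can insert code regardless of how secure the source is. The following is an added example, not code from the article or from Cycode, of the simplest such check: one stage seals a manifest of artifact digests under an HMAC key held outside the pipeline, and a later stage re-hashes the tree and reports anything modified, added, or missing. The key, file names and contents are constructed placeholders.

```python
import hashlib
import hmac
import json
import tempfile
from pathlib import Path

def artifact_digests(root):
    """Map each file under root (by POSIX relative path) to its SHA-256 hex digest."""
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(root.rglob("*")) if p.is_file()}

def seal_manifest(root, key):
    """Record digests at the end of one stage and bind them with an HMAC so a
    later stage can distinguish the original manifest from a forged one."""
    files = artifact_digests(root)
    body = json.dumps(files, sort_keys=True).encode()
    return {"files": files, "mac": hmac.new(key, body, "sha256").hexdigest()}

def verify_manifest(root, manifest, key):
    """Re-hash the tree at a later stage; return sorted findings (empty = untouched)."""
    body = json.dumps(manifest["files"], sort_keys=True).encode()
    expected = hmac.new(key, body, "sha256").hexdigest()
    if not hmac.compare_digest(expected, manifest["mac"]):
        return ["manifest MAC mismatch: manifest altered or wrong key"]
    now = artifact_digests(root)
    findings = [f"missing: {p}" for p in manifest["files"] if p not in now]
    findings += [f"modified: {p}" for p, d in manifest["files"].items()
                 if p in now and now[p] != d]
    findings += [f"added: {p}" for p in now if p not in manifest["files"]]
    return sorted(findings)

def demo():
    """Constructed build tree: seal it, verify it clean, then simulate tampering
    between stages (one file altered, one dropped in) and a forged manifest."""
    key = b"placeholder-key-held-outside-the-pipeline"  # constructed, not a real secret
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "app.py").write_text("print('hello')\n")
        (root / "lib").mkdir()
        (root / "lib" / "util.py").write_text("def f(): return 1\n")
        manifest = seal_manifest(root, key)
        clean = verify_manifest(root, manifest, key)
        # Simulated tampering after the seal: an injected line and an unexpected binary
        (root / "lib" / "util.py").write_text("def f(): return 1\nimport os  # injected\n")
        (root / "extra.so").write_bytes(b"\x7fELF")
        tampered = verify_manifest(root, manifest, key)
        forged = verify_manifest(root, dict(manifest, files={}), key)
    return clean, tampered, forged

if __name__ == "__main__":
    print(demo())
```

In a real pipeline the seal would be produced by the build stage and checked by the deploy stage, with the key kept out of both runners' reach (for example in a separate signing service).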

THE STATE OF SECURITY TOOLS

Efforts to solve this problem are still so new that not all areas of the possible attack surface are known yet, and new ones keep appearing, Jarboe noted. The various tools available for preventing known problems work well and are often automated, so they don't get in the developer's way.

But they cannot give a complete picture of all the possible, unknown risks, whether for creating new software or for integrating third-party code.

Vulnerabilities in particular are a major problem, both during development and after code has shipped. "Once software is put out into the world, there might be vulnerabilities we weren't aware of," Jarboe said. "And how do you recognize when new vulnerabilities are highly relevant to you?"

Another problem is the constraints on the security tools we do have.

For instance, static application security testing (SAST) tools, used before code is deployed, and software composition analysis (SCA) tools, which look for known vulnerabilities, don't give the developer much guidance on how to act on their findings.

"A big operational issue with these tools is that they can tell you there are problems; but how do you know where to start?" Jarboe said. "How important is each problem? Where will that code be used: in a production environment, or as a support tool without access to customer data? Where is it located in the source code, and what needs to be done to repair it?"

Then there is the challenge of maintaining code in the real world: understanding its components and being able to review the history of what happened throughout its development and deployment.

The pandemic has also influenced both DevOps and AppSec. While developers had already begun working remotely, lockdowns increased both remote work and the related security concerns.

When even larger numbers of developers began working remotely, this pushed them, along with many other workers, into the cloud, a trend that had already begun in DevOps. That shift spawned tools like Terraform for codifying your infrastructure, infrastructure as code (IaC), instead of having things done by IT, Jarboe said.

"IaC enables us to better understand the context where the code will run, so we can make better decisions about the security findings we're getting from the tools," he said. "I think AppSec is seen as a subset of software supply chain security; they're all part of the same thing."

CONTROLS, TOOLS, AND GUIDELINES

Some new tools have become available.

Last fall, for instance, Google announced its Minimum Viable Secure Product (MVSP) initiative, a vendor-agnostic set of minimum baseline controls for the business, application design, application implementation, and operational stages of developing secure B2B software products. The idea is to give companies, including underserved, smaller ones, a template so they don't have to start from scratch.

More recently, the Center for Internet Security and Aqua Security co-developed guidelines for software supply chain security, along with an open-source tool for auditing an organization's own software supply chain.

Without visibility into the development process, security teams can't secure it. According to Jarboe, "we're seeing a huge upswing in software supply chain attacks like SolarWinds, typosquatting, and dependency confusion."

Both the development process and the environments have become valuable targets, and a huge attack surface for applications built with them. "There's a lot of cultural inertia to overcome, but companies need to get their arms around this problem," he said.