By Chetan Conikee
This article is part of a series featuring lessons learned from the Secure Software Summit
The connected global economy and the COVID-19 pandemic have forced businesses to accelerate digital transformation. Sophisticated cybercriminals have seized on this forced acceleration to lay the groundwork for cyber warfare. In response to recent attacks ranging from the SolarWinds flaw to recent Log4Shell exploits, many companies have quickly isolated and patched their systems. However, these reactive patches don’t work all the time; neither does the watch-and-wait approach. We need to focus on redesigning our organizational operations and culture to create and sustain preventative preparedness. Businesses and infrastructures need to be more resilient and secure from the start by integrating secure coding practices into the development process.
Secure Software Summit
In early 2022, ShiftLeft hosted the Secure Software Summit to provide industry experts and practitioners in the software development world with a platform to discuss the latest methods and breakthroughs in secure coding and development practices – secure coding sooner and better has become a discipline in itself!
Some of the main takeaways from the event were:
SBOMs are in your future
In the very near future, organizations will need to better account for all software and components in their applications, most likely through a software bill of materials (SBOM). The US government has mandated barebones SBOMs, and soon we will see the private sector begin to mandate them as well, as part of procurement and audit processes. This will increase transparency and automate the discovery of all dependencies and components in a way that until now was not common. Software Composition Analysis (SCA) will facilitate this process and become a standard part of the build process and application development lifecycle.
Securing open source is essential
With Log4Shell and other open source software (OSS) supply chain attacks, application security teams need to learn how to smarter update and secure the most critical OSS components and infrastructure. The average AppSec team has to sift through huge stacks of vulnerabilities and suggested security fixes – way more than they can possibly fix. We’ve seen a record number of new vulnerability disclosures in each of the past four years. Proper prioritization based on the fact that a vulnerability can have a significant impact on an organization’s applications and infrastructure is now essential amid the blizzard of OSS dependencies that make up the modern application.
Digital threats impact the real world
For many organizations in non-tech verticals such as software-intensive healthcare, application security is at a critical point – software vulnerabilities can literally put lives and our economy at risk. The researchers correlated increases in mortality with hospitals operating at higher levels of stress and capacity. When ransomware or other attacks hit healthcare facilities, the effect is the same as a massive pandemic flooding the ER: doctors can’t use systems or equipment, care is rationed, patients are refused and everything becomes more time-consuming. The net result is more deaths. Securing these systems from attack becomes a matter of life and death — literally.
Culture change must come first
Organizations will deploy new security architectures such as zero trust, but these attempts will only succeed if AppSec and development teams change the culture around security. Organizations must recognize that the new normal is a state of constant renewal of trust. It will be difficult; constantly renewing trust requires an entirely new infrastructure and a new mindset that can be challenging for humans. This means implementing multi-factor authentication in many more places and removing conveniences such as administrative accounts that have general access to systems; this requires the implementation of least privilege practices. Software development will need to incorporate this constant renewal of trust into workflows and tools to make it the new normal.
Go from reactive to proactive
AppSec and development teams should move away from reactive approaches that tend to tie up most resources during a breach or incident and focus on more proactive approaches such as better software security analysis and security chaos engineering. Knowing the unknown unknowns before they become a problem is key here. Netflix, which pioneered chaos engineering, recognized that frequently and constantly soliciting systems to see how they perform under adverse conditions often yields startling insights that can improve security (and resilience, wider). As mentioned above, creating better ways to prioritize vulnerabilities and focus on those that are truly attackable takes the task from a hopeless burndown to a focused, proactive tactical exercise that is manageable.
To view this session and other recorded Secure Software Summit sessions, please visit: https://www.techstrongevents.com/Secure-Software-Summit.
To register for a free account for static analysis of custom code, open source dependencies, and secrets, visit shiftleft.io/register.
Secure Software Summit Series: Focus on Preventative Readiness originally appeared in ShiftLeft Blog on Medium, where people are continuing the conversation by highlighting and responding to this story.
*** This is a Security Bloggers Network syndicated blog from ShiftLeft Blog – Medium written by the ShiftLeft team. Read the original post at: https://blog.shiftleft.io/secure-software-summit-series-focus-on-preventative-readiness-3c3d29612811?source=rss—-86a4f941c7da—4