
With over 700 million attempted ransomware attacks in 2021, it’s natural to assume that major cyber attacks and data breaches are the new normal, just an unavoidable side effect of life in the Fourth Industrial Revolution. However, this defeatist attitude is part of the reason there is no cohesive national strategy to efficiently deter cyber aggression or effectively defend critical private and public assets. An executive order issued by President Biden was designed to improve the nation’s cybersecurity via embedded methods such as code security.
Currently, the default strategy focuses on repeated attempts to counteract bad actors after they’ve attacked. This strategy keeps organizations running around trying to put out fires, an inefficient plan that exhausts resources with minimal effectiveness.
Taking a cue from battlefield strategies in national defense, deterrence by denial is a more efficient method of countering attacks. This approach attempts to thwart attacks by making success impossible, forcing attackers to exhaust their resources in a fruitless effort destined to fail. Unfortunately, the metaphor breaks down because the type of impenetrability possible on physical terrain is not possible on the vast infrastructure of the internet.
While it may be impossible to defend every network, system, and resource in the country, individual organizations can do a lot to defend themselves against cyberattacks by embracing a security culture of deterrence by denial. This security mindset shift has to be a company-wide priority that incorporates security at every level of development. The agile DevOps team will have to morph into a DevSecOps team that puts security top of mind from start to finish.
Today’s cybercriminals don’t even have to be particularly clever to penetrate some systems. Many cases of cybercrime and data breaches could have been easily avoided by following the most basic security protocols. It’s easy to point fingers afterward and criticize security teams, but a major cybersecurity shift is underway that has left many organizations unprepared to handle new and ever-evolving threats because they’re trying to secure assets with outdated practices.

Like the vast, regimented military that is defeated by scrappy rebels using guerrilla tactics, organizations that cling to outmoded, perimeter-based security are exposed to the constant threat of malicious actors. The attack surface has grown with remote work: devices outnumber people, and employees access the network from all over the globe.
If businesses want to get on top of the constant barrage of security threats, they have to change from a perimeter security model to a zero-trust architecture (ZTA). ZTA assumes that at any moment, the enemy will jump out from behind a bush and launch a surprise attack. With ZTA, DevSecOps teams bake security into applications from the earliest stages. This follows a deterrence-by-denial strategy and hardens applications across all phases of the software development lifecycle.
Today’s networks and resources are an incredibly complex mix of many different devices, components, and access points. Many common security vulnerabilities result from the difficulty of keeping track of all the moving parts involved. Bad actors take advantage of this complexity by targeting overlooked weaknesses and vulnerabilities that escape detection. Here are three common causes of everyday cyber attacks and tools companies can use to find and mitigate exposure:
ZTA operates on the philosophy of “never trust, always verify, and continuously verify.” Building in secure verification methods, such as two-factor authentication, is one of the best practices in ZTA. However, without a comprehensive list of all network assets, it’s far too easy to overlook an asset’s need for updating.
No matter how hardened the rest of the system is, leaving one asset unsecured can be catastrophic for network security. Once a bad actor gains entry through a forgotten server, they can gain unfettered access to the rest of the network via lateral movement.
Most development teams use a complex mix of open-source code and proprietary software to build applications. Keeping track of all of the components and dependencies is almost impossible to do manually. Kiuwan’s Insights (SCA) is a tool that lets developers generate a complete, accurate inventory of all open-source and third-party components used in their builds and applications.
This comprehensive software bill of materials compiles the information developers will need to ensure all assets are updated and hardened against attack. Teams can manage libraries, check for updates, track versions to ensure compatibility, and automatically identify security issues.
The code used in computer software is incredibly complicated, especially for complex programs that interface with other programs. Flaws in the code of one piece of software can create conflicts and security issues. When that software interacts with another program, the combination can magnify the problem. Even with two programs that don’t have any inherent flaws, unanticipated code interactions between them can create vulnerabilities. Kiuwan’s Code Security (SAST) can mitigate these risks before they become an issue.
Kiuwan’s Code Security provides teams with control over the entire code security process. They can build an action plan based on their goals and circumstances, monitor their progress on the dashboard, and take remedial action for any issues they discover.

One of the most common and easily avoidable types of data breaches occurs because of known but unpatched security vulnerabilities. Because open-source development is collaborative, vulnerabilities in open-source code are often discovered and patched quickly. These vulnerabilities are public knowledge and are published in the National Vulnerability Database. In theory, it couldn’t be easier to avoid attacks aimed at these weaknesses: just install the patch or update to the latest version.
Despite the simple solution, a shocking 71% of applications contain at least one unpatched, flawed open-source component. Part of the problem is the opaque, layered nature of open-source components. It’s hard for a team to manage vulnerabilities if they don’t even realize they’re using a library that needs to be patched. This problem crops up frequently with transitive dependencies, where a library pulls in code from other libraries. The result is that an application may be using code the developer doesn’t know about, because they never imported that library directly.
A comprehensive software bill of materials can also help with this problem. Kiuwan’s Insights (SCA) helps protect against this type of security vulnerability by increasing transparency into open-source code components. Teams can see exactly what they’re using and get alerts regarding any known vulnerabilities that need to be patched and any updates that need to be installed.
Teams across departments have access to the same information, so everyone is on the same page. A shared, easily accessible SCA avoids the problems that arise when information on current versions, patches, and updates is siloed across different departments. If one department is using an outdated version, it won’t matter if all other departments are following best practices; the entire network may still be at risk.
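As an added illustration of the transitive-dependency problem described above (example code written for this article, not Kiuwan’s Insights or any real advisory data): it walks a constructed dependency graph, produces a flat inventory of every component actually pulled into the build, and flags components whose version is below the fix version in a constructed advisory list, reporting the chain by which each transitive dependency arrived.

```python
# Added example: minimal SBOM walk plus advisory matching.
# All package names, versions and advisory IDs below are constructed placeholders.
from collections import deque

# Constructed manifest: "name@version" -> the "name@version" entries it depends on.
DEPENDENCY_GRAPH = {
    "myapp@1.0.0": ["web-framework@2.3.1", "yaml-parser@5.1.0"],
    "web-framework@2.3.1": ["template-engine@1.4.2", "http-client@0.9.0"],
    "template-engine@1.4.2": ["markup-escape@0.3.0"],
    "http-client@0.9.0": [],
    "yaml-parser@5.1.0": [],
    "markup-escape@0.3.0": [],
}

# Constructed advisories (placeholder IDs, not real CVEs): name -> (first fixed version, id).
ADVISORIES = {
    "markup-escape": ("0.3.1", "ADVISORY-PLACEHOLDER-1"),
    "yaml-parser": ("5.2.0", "ADVISORY-PLACEHOLDER-2"),
}


def version_tuple(version):
    """Turn '1.4.2' into (1, 4, 2) so versions compare numerically, not lexically."""
    return tuple(int(part) for part in version.split("."))


def build_inventory(root, graph):
    """Breadth-first walk from the application; returns {component: path from root}."""
    inventory = {root: [root]}
    queue = deque([root])
    while queue:
        node = queue.popleft()
        for dep in graph.get(node, []):
            if dep not in inventory:  # first path wins, which also guards against cycles
                inventory[dep] = inventory[node] + [dep]
                queue.append(dep)
    return inventory


def find_vulnerable(inventory, advisories):
    """Flag every inventoried component older than its advisory's fix version."""
    findings = []
    for component, path in inventory.items():
        name, version = component.split("@")
        if name in advisories:
            fixed, advisory_id = advisories[name]
            if version_tuple(version) < version_tuple(fixed):
                findings.append({"component": component, "advisory": advisory_id,
                                 "fixed_in": fixed, "transitive": len(path) > 2,
                                 "path": " -> ".join(path)})
    return findings
```

Running `find_vulnerable(build_inventory("myapp@1.0.0", DEPENDENCY_GRAPH), ADVISORIES)` reports both the directly imported `yaml-parser` and the `markup-escape` component that only arrived three levels down through `web-framework`.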
To avoid getting roped into the endless, expensive seek-and-destroy approach to cybersecurity, development teams need a new approach to threats and vulnerabilities. Kiuwan provides an end-to-end application security platform that offers features and functionality for every stage and stakeholder in the software development lifecycle.
It’s no longer enough to hire a cybersecurity analyst to tack on security at the end of development. In today’s agile, continuous-delivery software environment, security is the business of every team at every stage. Kiuwan helps make the process of securing your code and managing your open-source risk automatic and effortless. Reach out to learn how we can help your team manage today’s biggest security threats.