8.3.22 – SIW
Why developers should be the human firewall in the supply chain
Organizations must focus on the talent already in their organization to help improve the security posture and reduce supply chain-embedded vulnerabilities.
Earlier this year the cybercrime group LAPSUS$ claimed responsibility for several high-profile attacks against some of the world’s top technology companies, including Microsoft and Nvidia. While the breaches differed in size and scope, many leveraged vulnerabilities in third-party applications to gain access to a company’s network.
Once inside, the LAPSUS$ attackers could steal valuable data or hold the company ransom, threatening to steal the source code of their most sensitive products unless paid.
While noted for their high-profile targets, the LAPSUS$ attacks were nothing out of the norm. The last 18 months have seen continued attacks on technology applications whose security vulnerabilities bad actors look to exploit.
Many organizations will look to throw money and technology at the problem, but the best line of defense is people, in particular software developers. Let’s explore how developers can serve as a “human firewall” in the technology supply chain to secure applications used as gateways to network access.
What Does the Data Say?
Organizations must first understand that the software products they often use feature inherent bugs and security flaws. This comes from a stressed application development cycle that prioritizes speed and functionality above security.
In partnership with Evans Data, Secure Code Warrior surveyed 1,200 active software developers in December of 2021 for our State of Developer-Driven Security Survey. The numbers showed some alarming industry trends, namely that 67% of developers admitted that they routinely left known vulnerabilities and exploits in their code.
This is not to find fault with the developers, but with the system they work inside. These developers often neglect security because of tight deadlines, the prioritization of functionality over security, or a lack of training or knowledge about fixing security problems.
Only 14% of those surveyed said application security was their top concern during development, falling behind priorities such as code quality, application performance, and the ability to solve real-world problems.
Leveraging In-House Development
To make security improvements, organizations should lean on their development team. Properly trained in-house developers can act as a firewall for company systems, writing software that is inherently secure and overseeing best-practice access control in elements like APIs to improve a company’s overall security posture.
Developers have a front-row seat to an organization’s security challenges and can augment security practices that match how employees leverage applications. In-house developers are at the front lines of cyber defense. With proper training and time, these developers can fortify security features.
As we’ve seen from the SolarWinds and Kaseya breaches, supply chains will remain a key area for attack. Since these types of platforms can ship with vulnerabilities, in-house developers can provide additional security features to close these vulnerabilities.
Ideally, platform vendors will improve the cybersecurity of their platforms before shipping, but it may take a rash of more high-profile breaches before that happens. Business consumers cannot continue to operate in a world where the security of their platforms is unknown. Work with your developer team to add security features to avoid these types of attacks.
A Need for Change
Organizations continue to face cyber threats from multiple avenues. Reliance on automation, tools, and reactive response has long stood alone, but the increasingly sophisticated threat landscape requires a more vigorous defense.
A human-led approach to software security with security-skilled developers can close this gap. Organizations must focus on the talent already in their organization to help improve the security posture and reduce supply chain-embedded vulnerabilities. Often, developers want to learn these skills but lack the time or incentive to do so. Improved training that empowers developers, paired with automation and security tools, can provide a pathway toward long-term success that was previously unachievable.
About the author: Matias Madou is a Co-Founder and CTO of Secure Code Warrior, where he is responsible for leading the company’s technology vision and overseeing the engineering team. Matias has more than 15 years of hands-on software security experience, has developed solutions for companies such as HP Fortify, and founded a company called Sensei Security. Over his career, Matias has led multiple application security research projects which have led to commercial products, and he boasts over 10 patents.