The ongoing evolution of cyber threats, attack vectors, and expanding computing environments are known challenges for security teams. However, industry analyst Gartner listed a new risk among the top three security concerns for 2022, the digital supply chain. The digital supply chain encompasses all third-party applications and internet-facing services enterprises rely upon to run their business. Enterprises must assess and continuously monitor their third-party risk. This evaluation must include an understanding of their vendors and their vendor dependencies. Soon this evaluation becomes an assessment of your fourth, fifth, and sixth party risk when you start to unpack the dependent parties of your suppliers. For CISOs and the entire C-Suite, this means the vulnerabilities of your vendors (and their vendors) become your vulnerabilities.
A recent example of digital supply chain risk was a critical vulnerability identified in a popular open-source Apache product, Log4j. This critical vulnerability was a Remote Code Execution (RCE) (NIST vulnerability ID CVE-2021-44228). If successfully exploited, hackers would have gained remote access to enterprise computing environments. Enterprise security teams quickly mobilized to scan their environment for instances of this popular Apache solution within their homegrown or third-party applications. Furthermore, beyond just mitigating their known vulnerabilities, security teams had to ensure their application and SaaS vendors impacted by this zero-day threat also performed the proper patching to mitigate their supply chain risks.
As enterprises continuously strive to improve their internal and third-party risk posture, software development teams can play a critical role in enhancing defenses against these evolving security risks. Implementing a secure SDLC (software development life cycle) will proactively identify software vulnerabilities and miss configurations before applications are deployed into production. For enterprise security teams, understanding what mitigating efforts your suppliers have implemented to secure their SDLC process will be critical for your third-party risk assessments.
One method for software development teams to improve defenses against these evolving security challenges is to enforce security best practices in the software development process. Implementing a secure SDLC (software development life cycle) will proactively identify software vulnerabilities and miss configurations before applications are deployed into production. As a complement to your infrastructure team’s ongoing vulnerability assessments, implementing SDLC vulnerability scanning and remediation will dramatically improve your security posture.
What is Application Vulnerability Scanning?
Application vulnerability scanning assesses the security of web-based applications. As applications are developed in the SDLC process, software code can be evaluated for vulnerabilities. Scanning technologies analyze code to ensure all code components are secure. By performing vulnerability assessments in the SDLC process, software development teams validate the security of their applications before promoting the code to production environments. Applications are secured through proactive vulnerability identification and remediation.
Why haven’t all software development teams implemented Application Vulnerability Scanning?
There are a few reasons why application vulnerability scanning is challenging to implement. For starters, the software development lifecycle is an intricate multi-step process. Engineering teams are under constant pressure to meet and exceed delivery schedules to ship code for releases to meet customer demand. Adding these vulnerability assessments into this complex process extends delivery times.
Second, there are several different ways to analyze software during the development lifecycle (as noted above). Software development teams need to assess several factors to determine what solutions are best suited for them based on the contents of their code (i.e., if it contains open source components), how its packaged, and how they deploy their software to clients. There are scanning solutions for static code assessment, dynamic code assessment, composition analysis, API assessment, infrastructure as code, etc. Picking the right products, implementing them, and refining the SDLC process takes time.
While it is safe to assume that all engineering teams strive to build secure software by design, performing these vulnerability assessments gives them validation and assurance pre-production. Furthermore, with recent highly publicized breaches such as the Solarwinds breach in 2020, software development teams are under elevated levels of scrutiny to demonstrate the security posture of their software as part of their release cycles.
In the Solarwinds breach, hackers gained unauthorized access to the Solarwinds network in September 2019. They went undetected for the next several months, testing code injections into one of Solarwinds flagship products, Orion. Their malicious code, named “Sunburst,” was successfully injected into Orion and unknowingly sent out to 18,000 SolarWinds Orion customers in a software update in March of 2020.
This highly sophisticated attack demonstrates that even highly secure organizations like SolarWinds are susceptible. The attack specifically exploited a weakness in the SDLC process.
So while vulnerability scanning may extend delivery timelines, the potential ramifications can be extraordinarily damaging for enterprises if they do not invest the time and resources into securing their SDLC processes.
What’s The Solution?
While time-intensive at the onset, software development and information security teams are shifting their security focus to earlier in the software development life cycle. In other words, they’re infusing security in the pre-production phase.
This notion of “shifting left” extends the best practices of an organization’s security program to application development teams. Applications need to be built securely by design. Cybersecurity will not be an afterthought (often handled by other devs and utilities) but an integral component of early software development.
Shifting left allows developers to identify vulnerable configurations or bugs within the SDLC process and fix them before reaching the production phase. Furthermore, with advancements in vulnerability management solutions, developers are aided by systems to automate and streamline remediation workstreams. These automation platforms are making adoption more manageable for software development teams.
While “shifting left” will identify vulnerabilities before they reach production, despite best efforts, there will be instances in which software bugs are only identified once deployed in production. It is best to have a defense-in-depth approach. These mitigating efforts need to be complemented with ongoing continuous monitoring by the security team. With proactive and reactive vulnerability assessment solutions in place, the security team will be armed with a comprehensive set of solutions to identify and mitigate these vulnerabilities.
Adapting to the Paradigm Shift
Implementing the best practices for application vulnerability management isn’t just about the right size of investments. Organizations must also change their mindset and culture to respond to threats more effectively.
From the top-down, the C-suite must push for security automation proactively and implement security by design. This initiative must be supported with investment in the right solutions and consultative services (if necessary) to design and implement secure software development best practices into workstreams. These changes can bring about business process automation and improved security posture with the proper endorsement and vision.
DevSecOps (development, security, and operations) is the ultimate destination. This discipline incorporates security as a shared responsibility throughout the software development lifecycle, blending security know-how with cloud-first development (i.e., containers and microservices)
Is there any guidance on SDLC frameworks?
In February of 2022, NIST published its first framework for Secure Software Development, NIST SP 800-218. While not yet widely adopted, you can expect this to gain traction with enterprises soon for internal best practices and provide a basis for external assessment of their digital supply chain.
The security community continues to evolve its approach to securing the new digital landscape. Ongoing investment into secure software development processes, guidance from NIST, and innovation in cybersecurity products will benefit the digital supply chain and help enterprises mitigate risk.
How can c1secure help?
As security practitioners and a Premier ServiceNow Integrated Risk Management and Security Operations implementation partner, c1secure understands the impact automation and orchestration have on advancing security and compliance programs. Furthermore, providing security and development teams with a common platform to assess, prioritize, and remediate vulnerabilities improves collaboration and faster remediation of compliance violations, vulnerabilities, and security incidents.
c1secure has developed the c1connect SDLC suite to complement the ServiceNow vulnerability management application. Available in the ServiceNow AppStore, this application contains integrations with market-leading application vulnerability scanning solutions, including Black Duck, Burp Suite, Checkmarx, Data Theorem, API Sec, and NowSecure. These integrations provide DevSecOp teams with a signal platform to scan, analyze, and remediate vulnerabilities across all application components during the SDLC process. To learn more, please contact [email protected], visit our website www.c1secure.com, or check out our application portfolio on the ServiceNow AppStore.