Follies
One of the most famous structures is The Broadway Tower, located in Worcestershire. It’s inspiring, beautiful, and at 62 feet high, like other similar buildings, it’s a folly. Although it is grand from all angles, its sole purpose is to decorate.
It’s all too easy to buy a set of policies and procedures, change the company name and some other details, then present it as an application development and security program. Unfortunately, too many companies are unable to maintain an appsec program.
What can be done to avoid falling into this trap?
Here are some considerations
Akamai’s State of the Internet Report demonstrates that the growth of the gaming industry creates “an expanded attack surface for threat actors to exploit by using everything from DDoS to SQL Injection (SQLi) attacks.”
It’s not an exaggeration that APIs – whether monolith or microservices – account for 80+% of internet traffic, or that this increase has presented a treasure trove of targets for criminals.
We learned this from MailChimp breachThe API keys can be a potential target. Criminals aren’t always simply after the money – they are looking for ways to achieve Account Take over (ATO), and that includes initial entry, followed by accessing credentials or API keys.
According to the “Cloud and Web Security Challenges in 2022” report from the Cloud Security Alliance (CSA), 47% of businesses are concerned about sensitive data loss, and 43% of businesses have customer data protection as one of their 2022 primary cloud and web security objectives.
Customers and businesses have an interest in software that is secure.
There are some problems
Based on the 2021 IBM Security X-Force Cloud Threat Landscape Report, “Public API policies represented a significant security gap. Two-thirds of the incidents analyzed involved improperly configured Application Programming Interface (APIs), based on analysis of X-Force Incident Response data of impacted clients.”
There is a lot of pressure to get things done quickly. Stress testing, consolidated and condensed development need, faster fixes, first-to-market – the increased and sometimes competing needs of the business units creates higher stress on developers and producers.
It State of Software Security report Apps that use multiple languages make up less than 5% of all apps. The 75% decrease in multi-language apps (since 2018) indicates a shift to microservices and smaller applications. Although this may reduce vendor sprawl, it can also lead to vulnerabilities as threat actors are limited in their ability to compromise only a small number of sources.
Technology interoperability is hindered by a lack of coherent, consistent, and cohesive technologies.
Software currency and succession are greatly affected by the absence of any written guidance. Documentation is key to the future success of software development. Ask auditors and they’ll say, “If it isn’t written, it doesn’t exist.”
Some Solutions
Which actions are necessary to protect software? There’s no one-list-to-rule-them-all, but here are foundational (not basic – basic makes it sound easy!) Everyone should have the right activities in place.
- Leadership
- Everyone is accountable, and no one else is. While we don’t discount other stakeholders but software direction is the sole responsibility of someone. This person must also lead remediations.
- They are also responsible for maintaining and developing confidence in all tools to achieve business goals and policies.
- SDLC
- Software Development Life Cycle (SDLC or SDL), is a document designed for those who understand the process of good development. This provides direction and guidance to the flow of software development and should include all aspects such as QA, Shift Left, clean code references and vulnerability assessments.
- The SDLC won’t contain everything (e.g., API documentation), but references to corollary files need to be included.
- Inventory
- Are you a monolithic or microservices developer? Is it possible to find your APIs? Do you have any outdated APIs? It can’t be protected if it’s unknown. Software Bill of Materials (SBOM).
- The following is a recent example that shows the importance of updating libraries crpytomining infiltration Over 200 PyPi or npm packages.
- Conform to all regulatory guidelines
- Even if a company’s industry or business is not regulated by the government, software that it creates will work in a country where regulation is present (e.g. CPRA, TX RAMP). Software must be designed to comply with these regulations.
Remaining secure requires the Shift Left concept, extending – not simply moving – secure testing further to the left of the design phase.
Information about the Author Ross Moore Passageways Cyber Security Support analyst. He was Co-lead on SOC 2 Type 1 implementation and Lead on SOC 2 Type 2 implementation, facilitated the company’s BCP/DR TTX, and is a HIPAA The Security Officer. Ross’s 20-year IT career has seen him serve in various operations and information security roles in companies across the manufacturing, health, insurance and real estate sectors. He holds (ISC)2’s SSCP and CompTIA’s Security + certifications, a B.S. A B.A. in Information Assurance and Cyber Security at WGU and a M.S. Johnson University, Bible Counseling.
Editor’s Note: Tripwire, Inc. is not responsible for the opinions of guest authors.
