
How to mitigate security threats and supply chain attacks in 2023 and beyond



The explosion of popular programming languages and frameworks has reduced the effort required to create and deploy web applications.

However, most teams lack the resources, budget and knowledge to manage the massive number of dependencies, and the technical debt, that accumulate over the application development lifecycle. Recent supply chain attacks have targeted the software development lifecycle (SDLC) itself, highlighting the need for comprehensive application security operations in 2023 and beyond.

Attacks on the software supply chain

Supply chain attacks happen when malicious actors compromise an organization through weaknesses in its software supply chain, as the SolarWinds breach demonstrated all too well. These attacks take various forms: for example, planting malicious code in popular open-source libraries, or compromising a third-party vendor with a poor security posture and abusing the access that vendor holds.

Gartner predicts that 45% of organizations worldwide will experience attacks on their software supply chains by 2025. With this in mind, security and risk management leaders should work with other departments to prioritize digital supply chain risks and pressure suppliers to prove they have robust security practices in place.


Open-source and Software Bill of Materials (SBOMs)

Many organizations use ready-made libraries and frameworks to accelerate web application development. Once there is a working prototype, teams can focus on automating build and deployment to deliver applications more efficiently. The rush to ship applications has driven the adoption of DevOps (which combines software development and IT operations to accelerate the SDLC) and of continuous integration and continuous delivery (CI/CD) pipelines to deliver software.

To address the challenges posed by unknown code in critical applications, the Department of Commerce, through the National Telecommunications and Information Administration (NTIA), has defined the "minimum elements" for a Software Bill of Materials (SBOM). An SBOM records the details and supply chain relationships of the components used to build a piece of software, and serves as the basis for:

  • Checking which components are in a product.
  • Checking that those components are up to date.
  • Responding quickly when new vulnerabilities are found.
  • Checking compliance with open-source software (OSS) licenses.

The SBOM greatly improves visibility across the codebase, which is critical because the complexity of open-source libraries and other third-party dependencies can make identifying malicious or vulnerable code in application components extremely difficult. Log4j (the Log4Shell vulnerability, CVE-2021-44228) is a good example of an open-source vulnerability that an SBOM helps organizations find and fix: with an inventory of component names and versions, affected applications are identified by lookup rather than by re-scanning every build.
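The lookup an SBOM enables, as an added example (not code from the article or from OPSWAT): a small Python checker that parses a CycloneDX JSON SBOM, inventories its components, and matches each package URL and version against a list of advisory ranges. The SBOM document, the version-comparison logic and the advisory list are constructed for illustration; only the log4j-core entry mirrors the public Log4Shell advisory (CVE-2021-44228, affected versions up to and including 2.14.1, first fixed in 2.15.0), and EXAMPLE-0001 is a fake identifier used to show the boundary case where the installed version equals the fixed version.

```python
"""Check the components listed in a CycloneDX SBOM against known-vulnerable version ranges.

Added example: the SBOM, the advisory list and the version logic are constructed for
illustration; only the log4j-core range mirrors the public Log4Shell advisory (CVE-2021-44228,
affected up to and including 2.14.1, first fixed in 2.15.0).
"""
import json
import re

# Constructed CycloneDX 1.4 document, not taken from any real product.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"type": "library", "name": "log4j-core", "version": "2.14.1",
         "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"},
        {"type": "library", "name": "log4j-core", "version": "2.17.1",
         "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.17.1"},
        {"type": "library", "name": "lodash", "version": "4.17.21",
         "purl": "pkg:npm/lodash@4.17.21?vcs_url=git%2Bhttps://github.com/lodash/lodash.git"},
        {"type": "library", "name": "internal-auth-lib", "version": "1.3.0"},  # no purl
    ],
})

# Constructed advisory feed: (purl without version, first affected, first fixed, id).
# Lower bound inclusive, upper bound exclusive. EXAMPLE-0001 is a fake identifier that only
# exists to show the boundary case where the installed version equals the fixed version.
ADVISORIES = [
    ("pkg:maven/org.apache.logging.log4j/log4j-core", "2.0", "2.15.0", "CVE-2021-44228"),
    ("pkg:npm/lodash", "0", "4.17.21", "EXAMPLE-0001"),
]


def parse_version(version):
    """Split '2.14.1' into comparable parts: numeric pieces as ints, others as strings.

    Good enough for plain dotted versions; pre-release ordering ('2.0-beta9' before '2.0')
    is not handled, so use the 'packaging' library for production comparisons.
    """
    return [(0, int(p)) if p.isdigit() else (1, p) for p in re.split(r"[.\-]", version)]


def split_purl(purl):
    """Return (purl without version/qualifiers/subpath, version) for a package URL."""
    base = purl.split("?", 1)[0].split("#", 1)[0]
    name, _, version = base.rpartition("@")
    return (name, version) if name else (base, "")


def components(sbom_json):
    """Inventory step: list (identifier, version) for every component in the SBOM."""
    bom = json.loads(sbom_json)
    out = []
    for comp in bom.get("components", []):
        if comp.get("purl"):
            ident, version = split_purl(comp["purl"])
        else:
            ident, version = comp.get("name", ""), ""
        out.append((ident, version or comp.get("version", "")))
    return out


def find_vulnerable(sbom_json, advisories=ADVISORIES):
    """Return [(component@version, advisory id)] for components inside an affected range."""
    findings = []
    for ident, version in components(sbom_json):
        if not version:
            continue  # nothing to compare against
        pv = parse_version(version)
        for prefix, lo, hi, adv_id in advisories:
            if ident == prefix and parse_version(lo) <= pv < parse_version(hi):
                findings.append((f"{ident}@{version}", adv_id))
    return findings


if __name__ == "__main__":
    for ident, version in components(SAMPLE_SBOM):
        print("component:", ident, version)
    for comp, adv in find_vulnerable(SAMPLE_SBOM):
        print("VULNERABLE:", comp, adv)
```

Run stand-alone it prints the inventory and the single finding (log4j-core 2.14.1). To check a real SBOM, feed it the file contents and an advisory feed such as OSV or the NVD flattened into the same (purl, lower, upper, id) shape. The detail worth noticing is the component without a purl: it is inventoried but can never be matched, so an SBOM entry with no machine-readable identifier gives you a name, not an answer.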

What is missing in application security?

Most security tools run as a layer on top of the development cycle, and the larger the organization, the harder it is to enforce their use. Far too often companies do not consider security until after applications are deployed, so the focus is on reporting issues that are already baked into the application rather than preventing them.

Many vendors build checks for software supply chain vulnerabilities into a product but ignore security during the pre-development phase, failing to address the proliferation of malware in the open-source packages and third-party libraries used to develop the applications.

Unfortunately, this gap between development and security makes a perfect target for malicious actors. Well-funded, highly motivated attackers have the time and resources to exploit the gap between DevOps and DevSecOps, and their understanding of the modern SDLC has far-reaching implications for application security.

7 ways to improve your AppSec posture for 2023 (and beyond)

As malicious actors find new ways to discover and exploit vulnerabilities, organizations must harden their environments and improve the security of their web applications. Following these seven best practices will help you build security into DevOps processes and prepare for the threats coming in 2023:

  • Use an SBOM to gain visibility into the code and enable better application security.
  • Formalize an open-source software approval process covering all libraries, containers and their dependencies. Make sure DevSecOps has the tools and knowledge necessary to assess these packages for risk.
  • Assume all software is compromised. Build a supply chain approval process and enforce security requirements across the supply chain.
  • Never use production credentials in the continuous integration (CI) environment, and check that repositories are clean of secrets.
  • Enable GitHub security settings such as multi-factor authentication (MFA) to prevent account takeovers, secret-leak alerts, and dependency bots that notify users when packages need updating (but remember, these measures alone are not enough).
  • Integrate security into the application development lifecycle by shifting security left in the software development process.
  • Provide comprehensive end-to-end protection for the digital ecosystem. Deploy a layer of security at every part of the supply chain: the SDLC, the CI/CD pipeline, and the services that manage data in transit and store data at rest.
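A check for the "repositories are clean" and "no production credentials in CI" items in the list above, as an added example (not code from the article or from any vendor's product): a Python secret scanner that runs over a constructed repository snapshot or a checked-out tree, flags a few well-known credential formats and hard-coded assignments, ignores placeholders that reference the CI secret store, and allows an explicit per-line opt-out for deliberately fake fixtures. The file contents are constructed; the AWS key literal is the placeholder value used in AWS's own documentation.

```python
"""Scan repository files for hard-coded credentials before they reach CI.

Added example, not from the article or from any vendor's product. The patterns cover a few
well-known credential formats; the file contents are constructed for illustration, and the
AWS access key shown is the placeholder value from AWS's own documentation.
"""
import re
from pathlib import Path

PATTERNS = {
    # Ordered: specific token formats first, the generic assignment check last.
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "private_key": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----"),
    # key = 'value' where value is 8+ chars and not a placeholder ($VAR, ${{ }}, <redacted>).
    "generic_assignment": re.compile(
        r"(?i)\b(?:password|passwd|secret|api[_-]?key|token)\b\s*[:=]\s*['\"]?(?![$<{])[^\s'\"]{8,}"
    ),
}
ALLOWLIST_MARK = "# allow-secret"  # explicit per-line opt-out, e.g. for deliberately fake fixtures
SKIP_DIRS = {".git", "node_modules", "vendor"}

# Constructed repository snapshot: path -> contents.
SAMPLE_FILES = {
    "config/settings.py": (
        "DB_PASSWORD = os.environ['DB_PASSWORD']\n"       # read from the environment: fine
        "API_KEY = 'sk-live-0123456789abcdef'\n"           # hard-coded literal: flagged
    ),
    ".github/workflows/deploy.yml": (
        "env:\n"
        "  AWS_ACCESS_KEY_ID: AKIAIOSFODNN7EXAMPLE\n"       # literal key in CI config: flagged
        "  AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}\n"  # CI secret store: fine
    ),
    "tests/fixtures/fake_key.pem": "-----BEGIN RSA PRIVATE KEY----- # allow-secret\n",
    "README.md": "Set TOKEN=<your token here>\n",
}


def scan_text(text, path="<memory>"):
    """Return [(path, line number, pattern name)] for lines that look like leaked credentials."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if ALLOWLIST_MARK in line:
            continue
        for kind, rx in PATTERNS.items():
            if rx.search(line):
                findings.append((path, lineno, kind))
                break  # one finding per line is enough
    return findings


def scan_files(files):
    """Scan an in-memory {path: contents} mapping (used for the constructed sample)."""
    findings = []
    for path, text in files.items():
        findings.extend(scan_text(text, path))
    return findings


def scan_repo(root):
    """Scan a checked-out repository on disk, skipping VCS metadata and vendored trees."""
    root = Path(root)
    findings = []
    for file in root.rglob("*"):
        if not file.is_file() or SKIP_DIRS & set(file.relative_to(root).parts):
            continue
        try:
            text = file.read_text(errors="replace")
        except OSError:
            continue
        findings.extend(scan_text(text, str(file.relative_to(root))))
    return findings


if __name__ == "__main__":
    import sys
    hits = scan_repo(sys.argv[1]) if len(sys.argv) > 1 else scan_files(SAMPLE_FILES)
    for path, lineno, kind in hits:
        print(f"{path}:{lineno}: possible {kind}")
    sys.exit(1 if hits else 0)  # non-zero exit fails the pre-commit hook or CI job
```

Wire it in as a pre-commit hook and as a CI job that fails the build on a non-zero exit; the GitHub secret-leak alerts mentioned in the list above then act as a second net rather than the only one. The allowlist marker is deliberately loud (a comment on the same line as the fixture) so that a reviewer sees the opt-out next to the thing it exempts, and the placeholder check keeps `${{ secrets.NAME }}` references to the CI secret store from drowning the real findings in noise.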

Following these comprehensive security best practices and continually reviewing and implementing them across an organization can help security teams better secure applications and successfully mitigate threats for years to come.

George Prici serves as VP of products at OPSWAT.
