WRITTEN BY THE KIUWAN TEAM
Experienced developers, cyber-security experts, ALM consultants, DevOps gurus and some other dangerous species.
With over 700 million attempted ransomware attacks in 2021, it’s natural to assume that
major cyber attacks and data breaches are the new normal, just an unavoidable side effect of life in the Fourth Industrial Revolution. However, this defeatist attitude is part of the reason there is no cohesive national strategy designed to efficiently deter cyber aggression or effectively defend private and public critical assets. An executive order issued by President Biden was designed to improve the nation’s cybersecurity via embedded methods such as code security.
Currently, the default strategy revolves around repeated attempts to thwart bad actors once they’ve attacked. This strategy keeps organizations running around trying to put out fires, an inefficient plan that exhausts resources with minimal effectiveness. Deterrence by Denial
Taking a cue from national defense battlefield strategies, deterrence by denial is a more efficient method of combating attacks. This approach attempts to thwart attacks by making success impossible, forcing attackers to exhaust their resources in a fruitless effort destined to fail. Unfortunately, the metaphor breaks down because the type of impenetrability that is possible on physical terrain is impossible on the vast infrastructure of the internet. While it may be impossible to defend every network, system, and resource in the country, individual organizations can do a lot to defend themselves against cyberattacks by embracing a security culture of deterrence by denial. This security mindset shift has to be a company-wide priority that incorporates security at every level of development. The agile DevOps team will have to morph into a DevSecOps team that begins and ends with security top of mind.
The Shifting Perimeter
Today’s cybercriminals don’t even have to be particularly clever to penetrate some systems.
Many cases of cybercrime and data breaches could have been easily avoided by following the most basic security protocols. It’s easy to point fingers afterward and criticize security teams, but there’s a major cybersecurity shift underway that has left many organizations unprepared to handle new and constant threats because they’re trying to secure assets with outdated practices. Like the vast, regimented military that’s defeated by the scrappy rebels using guerilla tactics,
Organizations that cling to outmoded, perimeter methods of security are vulnerable to the constant threat of malicious actors on the extensive attack surfaces generated by a remote working landscape where devices outnumber people and employees access the network from all over the globe.
If businesses want to get on top of the constant barrage of security threats, they have to change from a perimeter security model to a zero trust architecture (ZTA). ZTA assumes that at any moment, the enemy is going to jump out from behind a bush and launch a surprise attack. With ZTA, DevSecOps teams bake security into applications from the very first concept. This follows a deterrence by denial strategy and hardens applications throughout all phases of the software development lifecycle.
Three Everyday Methods of Cyber Attack and How to Avoid Them
Today’s networks and resources are an incredibly complex mix of many different devices, components, and access points. Many common security vulnerabilities are a result of the
difficulty inherent in keeping track of all of the moving parts involved. Bad actors take advantage of this complexity by targeting overlooked weaknesses and vulnerabilities that escape detection. Here are three common causes of everyday cyber attacks and tools companies can use to find and mitigate exposure: 1. Unaudited Network Assets
ZTA operates on the philosophy of “never trust, always verify, and continuously verify.” Building in secure verification methods such as two-factor authentication is one of the best practices in ZTA. However, without a comprehensive list of all network assets, it’s far too easy to overlook updating an asset.
No matter how hardened the rest of a system, leaving one asset unsecured can be
catastrophic to network security. Once a bad actor gains entrance through a forgotten server, they’re able to gain unfettered access to the rest of the network via lateral penetration. Most development teams use a complex combination of open source code and proprietary software to create applications. Keeping track of all of the components and dependencies is almost impossible to do manually. Kiuwan’s Insights (SCA) is a tool that lets developers generate a complete and accurate inventory of all open source and third-party applications that are used in builds or applications.
This comprehensive software bill of materials compiles the information developers will need to ensure all assets are updated and hardened against attack. Teams can manage libraries, check for updates, track versions to ensure compatibility, and automatically identify security issues.
2. Unknown Security Bugs in Program Interfaces
The code used in computer software is incredibly complicated, especially for complex programs that interface with other programs. Flaws in the code of one piece of software can create conflicts and security issues. When that software interacts with another program, the combination can magnify the problem. Even with two programs that don’t have any inherent flaws, unanticipated code interactions between them can create vulnerabilities. Kiuwan’s Code Security (SAST) can mitigate these risks before they become an issue. Kiuwan’s Code Security provides teams with control over the entire process of securing their code. They can build an action plan based on their goals and circumstances, monitor their progress on the dashboard, and take action to remediate any issues they discover.
3. Unpatched Known Vulnerabilities
One of the most common and easily avoidable types of data breaches occurs because of known but unpatched security vulnerabilities. Due to its collaborative nature, open source code vulnerabilities are often quickly discovered and patches issued. These vulnerabilities are public knowledge and are published in the National Vulnerability Database. In theory, it couldn’t be easier to avoid attacks aimed at these weaknesses: just install the patch or update to the latest version.
Despite the simple solution, a shocking 71% of applications use at least one unpatched, flawed open source code constituent. Part of the problem is the opaque, layered nature of open source components. It’s hard for a team to manage vulnerabilities if they don’t even realize they’re using a library that needs to be patched. This problem can crop up frequently with transitive dependencies, where a library pulls code from other libraries. The result is that an application may be using code that the developer doesn’t know about because they didn’t specifically import the library.
A comprehensive software bill of materials can also help with this problem. Kiuwan’s Insights (SCA) protects against this type of security vulnerability by increasing the transparency of open source code components. Teams can see exactly what they’re using and get alerts regarding any known vulnerabilities that need to be patched and any updates that need to be installed.
Teams across departments have access to the same information so everyone is on the same page. A shared and easily accessible SCA avoids the problems that arise from having information regarding current versions, patches, and updates siloed in different departments. If one department is using an outdated version, it won’t matter if all other departments are following best practices, the entire network may still be at risk.
Deterrence by Denial Using Kiuwan Solutions
To avoid getting roped into the endless and expensive seek and destroy method of cybersecurity, development teams need a new approach to threats and vulnerabilities. Kiuwan provides an end-to-end application security platform that offers features and functionality for every stage and stakeholder in the software development lifecycle. It’s no longer enough to hire a cybersecurity analyst to tack on security at the end of development. In today’s agile environment of continuous delivery software, security is the business of every team at every stage. Kiuwan helps make the process of securing your code and managing your open source risk automatic and effortless. Reach out to learn how we can help your team manage today’s biggest security threats.