3 Critical Trends and Best Practices in Software Development Security
It seems that we encounter new cyber threats every day, and the severity of their impact continues to grow. We now routinely deal with zero-day vulnerabilities and hybrid attacks, and when faced with incidents such as Log4Shell, we rely on a group of volunteers to protect code deeply embedded in critical systems.
These events have caused security teams to rethink what they do and focus on proactive security-rooted approaches to software development beyond “fix and pray.” To achieve this goal, security teams should consider the following critical software development security trends for 2022, along with “best practice” responses to them.
1. The growing attack surface of software supply chains
Most media coverage of software supply chain threats has focused on open source package managers, third-party packages, and a handful of breaches of common systems such as Microsoft Exchange and the SolarWinds network management tool. We have also witnessed a rapid increase in the number and scale of attacks, targeting every nook and cranny of the supply chain.
Package managers are the obvious entry point. But there are many more, starting with development environments and moving on to merge queuing systems, plug-ins/add-ons to code repositories, continuous integration/continuous delivery systems, application security tools and software release distribution tools. All of this combined leaves dozens, if not hundreds, of potential entry points into the development process – and that number is growing as the number of tools and solutions used by more empowered teams continues to grow. So expect to see never-before-seen supply chain threats as the attack surface continues to grow.
Best practice: Every company should create a software supply chain inventory to capture every potential insertion point and enable a programmatic approach to addressing risks along the chain.
2. The year when SBOM became widespread
Conceptually, the software bill of materials (SBOM) has been around for several years. The basic idea of an SBOM is simple: every software application should have a “bill of materials” that lists all the components of the application. This mirrors the bill of materials that accompanies electronic products in the physical world.
Two prominent organizations – the Linux Foundation and the Open Web Application Security Project (OWASP) – have SBOM standards: Software Package Data Exchange (SPDX) and CycloneDX, respectively. However, adoption of both SBOM standards has been slow. The US federal government is now on the case, pushing the industry to strengthen the supply chain. This can include SBOM mandates for software used by government agencies.
Best practice: Companies that are not yet using SBOM should consider adopting SBOM standards for a pilot project. This will give organizations experience with one or both standards, and with using SBOM as a trigger for software releases and application security practices.
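As an added illustration of using an SBOM as a trigger for a software release (example code written for this point, not taken from the original article or from the SPDX or CycloneDX projects), the Python below reads a CycloneDX-format JSON document and returns the findings that would block the release. The sample SBOM, the blocked-package policy and the function name gate_release are constructed assumptions.

```python
import json

# Constructed sample: a minimal CycloneDX-style SBOM (not from a real product).
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"type": "library", "name": "log4j-core", "version": "2.14.1",
         "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1",
         "hashes": [{"alg": "SHA-256", "content": "0" * 64}]},  # placeholder hash
        {"type": "library", "name": "left-pad", "version": "1.3.0",
         "purl": "pkg:npm/left-pad@1.3.0"},
        {"type": "library", "name": "internal-utils"},
    ],
})

# Hypothetical policy: package URLs the organisation has decided to block.
BLOCKED_PURLS = {"pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"}


def gate_release(sbom_text, blocked=BLOCKED_PURLS):
    """Return a list of findings; an empty list means the release may proceed."""
    try:
        bom = json.loads(sbom_text)
    except json.JSONDecodeError as exc:
        return [f"SBOM is not valid JSON: {exc.msg}"]
    if not isinstance(bom, dict) or bom.get("bomFormat") != "CycloneDX":
        return ["SBOM missing or not in CycloneDX format"]
    components = bom.get("components") or []
    if not components:
        return ["SBOM lists no components"]
    findings = []
    for comp in components:
        name = comp.get("name", "<unnamed>")
        if not comp.get("version"):
            findings.append(f"{name}: no version recorded")
        if not comp.get("purl"):
            findings.append(f"{name}: no package URL, cannot be matched to advisories")
        elif comp["purl"] in blocked:
            findings.append(f"{name}: blocked by policy ({comp['purl']})")
        if not comp.get("hashes"):
            findings.append(f"{name}: no hash, integrity cannot be verified")
    return findings


if __name__ == "__main__":
    for finding in gate_release(SAMPLE_SBOM):
        print("BLOCK:", finding)
```

A missing or malformed SBOM is itself treated as a blocking finding, so a build cannot pass the gate simply by not producing one.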
3. Zero Trust becomes embedded in software engineering
We mostly hear about zero trust in the context of user/request/transaction authentication and ongoing identity verification. However, we don’t often hear about zero trust being applied to the far left of the software supply chain, in the development and DevOps cycles. In fact, you could say zero trust is just an afterthought here.
When targeting supply chains, attackers almost always rely on the presence of trust in systems, whether in packages, version control systems, or developer identities based only on actions and comments. In response, security teams should start considering implementing zero-trust policies and systems deep within the development process to better protect their applications from the source code up.
Best practice: Ensure that each segment of your software development supply chain applies at least two-factor authentication. Then learn how to add additional factors to establish continuous authentication.
Cybersecurity has always been about recognizing and reacting to trends, as well as anticipating and preparing for attacks, whether familiar or unknown. In 2022, security teams should focus on protecting software supply chains while implementing SBOM and Zero Trust. As a result, organizations will stay ahead of critical developments, instead of falling behind them.