Understand how modern software development is changing security threats.
Modern software development is making the security team’s job increasingly challenging. Three emerging and especially vexing struggles:
- Visibility: Lack of visibility into the full software factory, from assets to pathways and pipelines.
- Correlation: Lack of correlation among types of risk — such as cloud, app, supply chain — across the SDLC, leading to increased manual efforts.
- Complexity: Complexity leading to misconfigurations and the exposure of secrets in development pipelines.
Lack of visibility and context makes it hard to identify security risks and comply with regulations
With the explosion of innovations like APIs, multi-cloud deployments, containers, and AI-generated code, the attack surface has grown exponentially in recent years, and security teams are struggling to get the visibility and context they need to effectively mitigate risk.
Beyond increasing risk, lack of visibility into the attack surface also creates compliance challenges. Security teams are struggling to comply with regulations requiring evidence of asset inventories and security controls.
Silos prevent a holistic view of product security
Further complicating risk management are the silos among application, cloud, and security teams.
Although most applications are deployed in the cloud, application security and cloud security are often two separate entities, leading to a lack of context and clarity. For instance, if a vulnerability is identified in a cloud environment, it can take hours for the cloud security team to work with the application security and development teams to locate the code creating the vulnerability.
Ultimately, neither of these teams is focused on the big picture of the software factory, leading to unidentified supply chain risk.
Developers are often also working in their own silo, spinning up new repositories or servers without the security team’s awareness or visibility.
Increasing complexity opens up new opportunities for misconfigurations and secrets exposure
The complexity of the modern software factory also opens up new avenues for:
- Risky misconfigurations, such as of build systems
- Exposure of secrets, such as API keys and cloud credentials
Misconfiguration mayhem
With the software development factory becoming more complex and automated, there are increasing opportunities for misconfigurations to create risk. For example, misconfigured build servers are a common problem that creates significant vulnerabilities.
Build systems are essentially automated, implicitly trusted pathways straight to the cloud, yet most aren’t treated as critical from a security perspective. In many cases, these systems — like Jenkins, for example — are misconfigured or otherwise vulnerable and unpatched.
Oftentimes, development tools are over-privileged because they’re easier to integrate if users have full access. In some instances, organizations spin up an open-source development server and then allow admin access to everything. They’re not worried about misconfigurations; they’re focused on application vulnerabilities.
In fact, this type of misconfiguration was the source of the SolarWinds and Codecov attacks.
Secrets in the spotlight
Modern apps require hundreds of secrets to function (API keys, third-party credentials, cloud credentials, etc.).
At the same time, developers are pushed to innovate and develop code as fast as possible, frequently leading to shortcuts intended to drive efficiency and speed. One of those shortcuts is embedding real secrets in code during development to accelerate testing and QA. The problem is that it’s very easy for these secrets to remain exposed.
For example, a developer may test a piece of code with a key. When it works, they move it into production without removing that key. They either forget, or the key works and they don’t want to adjust it.
This practice and others like it lead to a continuously growing and significant source of risk to the organization.
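As an added example (not taken from the whitepaper or any vendor product), a small pre-commit check that flags hard-coded credentials of the kind described above before a test key can ride along into production: the AWS access key ID shape is the publicly documented one, while the sample source, variable-name heuristics and entropy threshold are constructed assumptions.

```python
import math
import re
from typing import List, Tuple

# Known credential formats (an AWS access key ID is "AKIA" + 16 uppercase alphanumerics).
KNOWN_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
}
# A quoted literal assigned to a variable whose name suggests a secret (assumed heuristic).
ASSIGNMENT = re.compile(
    r"""(?i)\b(\w*(?:key|token|secret|password|passwd)\w*)\s*[:=]\s*['"]([^'"]{8,})['"]"""
)
ENTROPY_THRESHOLD = 3.5  # bits per character; assumed value, tune against your own codebase

def shannon_entropy(s: str) -> float:
    """Bits of entropy per character: random keys score high, dictionary words score low."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def scan_for_secrets(source: str) -> List[Tuple[int, str, str]]:
    """Return (line_no, finding_kind, value) for every line that looks like a leaked secret."""
    findings = []
    for line_no, line in enumerate(source.splitlines(), start=1):
        known = [(line_no, kind, m.group(0))
                 for kind, pat in KNOWN_PATTERNS.items()
                 for m in pat.finditer(line)]
        if known:  # a recognised format needs no entropy check
            findings.extend(known)
            continue
        for m in ASSIGNMENT.finditer(line):
            name, value = m.group(1), m.group(2)
            # Placeholders such as "changeme" are low-entropy and are skipped.
            if shannon_entropy(value) >= ENTROPY_THRESHOLD:
                findings.append((line_no, f"high_entropy_{name}", value))
    return findings

# Constructed sample: a test harness whose credentials were never removed.
SAMPLE_SOURCE = """\
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
api_token = "c3d8f1a9b27e4f6a0d5b9c8e7f1a2b3c"
db_password = "changeme"
def fetch(url):
    return requests.get(url, headers={"Authorization": api_token})
"""
```

Wired into a pre-commit hook or a pipeline stage, a non-empty result from `scan_for_secrets` blocks the commit so the key is moved into a secrets manager instead of shipping with the code.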
Time for a new approach
Get details on a new approach to application security that works with the way development does in our new whitepaper.