Legit Security Blog

Software Security Best Practices: Where to Focus First

Written by Joe Nicastro | Sep 16, 2024 2:35:16 PM

Get our recommendations on where to focus your software security efforts. 

Application security continues to fall short despite the multitude of tools available to organizations. Recent data shows software supply chain attacks have increased 600-700% year over year in the last four to five years, with more than half of U.S. businesses experiencing some form of software supply chain attack in the past 12 months.  

Why are application security efforts falling short?  

It stems from: 

Sprawling software factories: Development has become more complex, and spinning up developer environments (SCM, CI/CD artifact repositories, cloud infrastructure, etc.) is easier and faster than ever. With this shift, security is losing visibility into the development environment, leaving a large attack surface unchecked.   

Siloed risk identification and triage: There are multiple application security tools used to assess the risk in an application, but each tool looks at different areas of an application, and the resulting issues found are often not connected or correlated, making it difficult to find a signal in the noise. At the same time, most organizations now have a cloud security team, an application security team, a DevOps team, etc., often without any holistic view of the risk across the end-to-end software factory or software produced in it. 

Ignored attack surfaces: Existing application or cloud security tools focus on the cloud infrastructure and the application itself, but largely ignore the software factory. These tools aren’t looking at risks within things like source control management systems, CI/CD systems, or even artifact registries, and malicious attackers have realized this. 


Where to focus efforts to bridge the AppSec gap  

Where do you start? Based on where we most often see gaps and risk, these are the overlooked areas we recommend prioritizing:  

Secrets scanning: We frequently see exposed secrets in organizations’ environments. And secrets have become a top entry point for attackers. Secret scanning across the entire development environment, not just source code, is a critical first step. Secrets can lurk in wiki files, Jira tickets, log files, and containers, making it essential to cast a wide net when searching for potential vulnerabilities. 

Regularly rotating keys and utilizing key management systems can significantly reduce the risk of compromised credentials. Additionally, implementing honey tokens can serve as an early warning system, alerting security teams to potential breaches before more severe attacks occur. 
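The wide-net scan described above, as an added example that is not part of the original post: a small pattern-based scanner run over constructed wiki, ticket, log, and container content, with a planted honey token separated from real leaks. The patterns, the honey-token value, and the sample sources are all assumptions constructed for the example.

```python
import re
from dataclasses import dataclass

# Credential patterns. Constructed for this example; a production scanner
# would use a maintained, much larger pattern set.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "generic_password": re.compile(
        r"(?i)\b(?:password|passwd|pwd)\s*[=:]\s*['\"]?([^\s'\"]{8,})"),
}

# Honey tokens: deliberately planted fake credentials. Seeing one outside the
# place it was planted is an early-warning signal, not a leak to remediate.
HONEY_TOKENS = {"AKIAHONEYTOKEN000001"}  # constructed placeholder value

@dataclass(frozen=True)
class Finding:
    source: str   # where the secret was found (wiki, ticket, log, image)
    kind: str     # which pattern matched
    secret: str   # matched value (redact this in a real report)
    honey: bool   # True if the value is a planted honey token

def scan(sources: dict) -> list:
    """Run every pattern over every source and return all findings."""
    findings = []
    for name, text in sources.items():
        for kind, pattern in PATTERNS.items():
            for m in pattern.finditer(text):
                value = m.group(1) if m.lastindex else m.group(0)
                findings.append(Finding(name, kind, value, value in HONEY_TOKENS))
    return findings

def summarize(findings: list) -> dict:
    """Split findings into leaks to fix and honey-token alerts to investigate."""
    return {
        "leaks": sorted(f.source for f in findings if not f.honey),
        "honey_token_alerts": sorted(f.source for f in findings if f.honey),
    }

# Constructed sample content from the non-code places the post lists.
SAMPLE_SOURCES = {
    "wiki/onboarding.md": "Use AKIAIOSFODNN7EXAMPLE for the staging bucket for now.",
    "jira/PROJ-123": "Build agent login: password: Sup3rS3cretPass (temporary).",
    "ci/build.log": "2024-09-16T12:00:01Z export GITHUB_TOKEN=ghp_" + "a" * 36,
    "container/Dockerfile": "ENV AWS_ACCESS_KEY_ID=AKIAHONEYTOKEN000001",
}
```

Running `summarize(scan(SAMPLE_SOURCES))` reports three leaks in the wiki, ticket and log, and one honey-token alert from the container image.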

Least privileges: It's not uncommon for developers to have excessive permissions across projects, increasing the attack surface unnecessarily. Build tools are frequently configured with excessive privileges for the sake of convenience, yet these systems often have access to sensitive assets such as source code and production data. 

Maintain visibility and proper configurations: Security teams need real-time insight into new build assets or pipelines created by developers. Creating "paved pathways," or pre-configured, secure templates for pipelines and cloud infrastructure, can significantly reduce the risk of misconfigurations and make it easier for developers to adopt secure practices. 

Risk-based shift left: Use business context and a risk-based approach to triaging vulnerabilities before sending them to the developer. Sending over only critical or high vulnerabilities could overlook very exploitable medium vulnerabilities in high-value assets, whereas sending all vulnerabilities to a developer will just inundate them and bury them in security debt. Find a happy medium where things like exposure, business impact, exploitability, and compliance are considered when assessing what to fix and how fast.  
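The triage trade-off described above, as an added example that is not part of the original post: a contextual risk score that weighs exposure, business impact, exploitability and compliance scope, contrasted with a severity-only filter. The weights, field names and sample findings are constructed assumptions, not a published scoring model.

```python
from dataclasses import dataclass

# Scanner severity mapped to a base weight. Constructed for this example;
# a real program calibrates weights against its own asset inventory.
SEVERITY_WEIGHT = {"low": 1, "medium": 2, "high": 3, "critical": 4}

@dataclass(frozen=True)
class Vuln:
    vuln_id: str
    severity: str             # as reported by the scanner
    asset_value: int          # business impact, 1 (low) to 5 (crown jewel)
    internet_exposed: bool    # reachable from outside the network
    exploit_available: bool   # public exploit or active exploitation known
    in_compliance_scope: bool # asset sits in a regulated scope (PCI, SOX, ...)

def risk_score(v: Vuln) -> float:
    """Combine severity with exposure, impact, exploitability and compliance."""
    score = SEVERITY_WEIGHT[v.severity] * v.asset_value
    if v.internet_exposed:
        score *= 1.5
    if v.exploit_available:
        score *= 2
    if v.in_compliance_scope:
        score += 2
    return score

def severity_only(vulns: list, minimum: str = "high") -> list:
    """The naive filter the post warns about: forward only high/critical."""
    floor = SEVERITY_WEIGHT[minimum]
    return [v.vuln_id for v in vulns if SEVERITY_WEIGHT[v.severity] >= floor]

def risk_based(vulns: list, budget: int) -> list:
    """Forward the top `budget` issues by contextual risk, whatever the label."""
    ranked = sorted(vulns, key=risk_score, reverse=True)
    return [v.vuln_id for v in ranked[:budget]]

# Constructed sample findings.
SAMPLE = [
    Vuln("V-1", "high", 2, False, False, False),      # high on an internal dev tool
    Vuln("V-2", "medium", 5, True, True, True),       # medium on the exposed payments API
    Vuln("V-3", "critical", 3, False, False, False),  # critical, internal, no known exploit
    Vuln("V-4", "low", 1, True, False, False),        # low on a public marketing page
]
```

With this sample, `severity_only(SAMPLE)` forwards V-1 and V-3 and never surfaces the exploitable medium on the payments API, while `risk_based(SAMPLE, 2)` puts V-2 first.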

Training: While secure coding practices are important, organizations should also focus on teaching developers to recognize phishing attempts, understand proper configuration management, and be aware of threats like dependency confusion and namespace attacks. 


Bridge the gap with ASPM  

Implementing these best practices manually can be a daunting task, especially for already overworked security and development teams. This is where Application Security Posture Management (ASPM) tools can provide significant value. ASPM solutions like Legit Security offer end-to-end visibility across the software supply chain, correlate vulnerabilities from multiple sources, and enable risk-based prioritization of security issues.  

By adopting these best practices and leveraging appropriate tools, organizations can take meaningful steps towards securing the entirety of their SDLC, reducing actual risk, and building a more resilient and scalable software security program.  

Get further details on these best practices in our new webinar, Innovating in Software Security: How to Take Back Control of Your SDLC with ASPM.