Lock Down the Software Supply Chain With 'Secure by Design'


Image: Post-its and notes used to work out a design. Source: Parichat via Adobe Stock Photo

Software that prioritizes security at its most foundational level means designing the system with customer security as a key goal rather than a tacked-on feature. And that concept — secure by design — is becoming increasingly crucial as attackers begin targeting supply chains more frequently.

"They understand that they can have a bigger impact by successfully exploiting the supply chain," Thomas Pace, CEO of NetRise, says. Because traditional security solutions such as EDR, firewalls, and spam filters have gotten good at preventing head-on attacks, he says, attackers have to look for openings further up the chain.

And pasted-together systems provide just that kind of opening. "Cyberattacks are easier when businesses and vendors try to 'bolt on' security after the fact," says David Brumley, CEO of ForAllSecure. "It's like putting an after-market stereo in your car — it just doesn't work exactly right."

To enhance software security globally, the Cybersecurity and Infrastructure Security Agency (CISA) proposed an initiative aimed at revolutionizing development practices by embracing "secure by design" principles in the software development life cycle. It reflects a pivotal shift toward proactive security measures.

The request for information focuses on addressing recurrent software vulnerabilities, fortifying operational technology, and assessing the impact of secure practices on costs. The call for comment, which is open until Feb. 20, 2024, also emphasizes the collective responsibility of technology manufacturers and consumers in fostering a future where technology is inherently safe and secure.

"Secure by design means security is part of how you build the software from the ground up," Brumley explains. "That means it is much more robust from attacks."

A Foundational Level of Security

Ken Dunham, cyber threat director at Qualys Threat Research Unit, explains that secure by design starts with architecture and risk management principles in operations before an organization migrates to or begins using the cloud.

"This is a critical element of modern, complex hybrid infrastructure," he says. "In a world of shared responsibility, organizations must decide what risk is acceptable to be shared, and potentially at higher risk, with third parties versus that which is fully owned and managed in-house."

He points out the lifecycle of software manufacturing is increasingly complex, with many stakeholders who must all be secure to reduce risk. Dunham asks, "Are your developers, who care about functionality and user experiences, adept at secure coding principles, modern day attacks, security countermeasures, and SecOps?"

Organizational security expectations put pressure onto an onboarding team to properly roll out, configure, and monitor software within the business architecture. "How mature are your incident response and cyber threat intelligence services?" he asks. "Do you trust them in a hybrid cloud world where you may have a complex intrusion attack at blazing speed?"

"Once you have the right people, the process is well understood," Brumley agrees. "You architect the product with defense in depth, make sure your dependencies and third-party software are up to date, and use a modern technique like fuzzing to find unknown vulnerabilities."

For Brumley, secure by default means designing in security that works with how people use the software. "There are design principles that span multiple principles — just like when building a skyscraper, you need to think about everything from structural support to air conditioning," he explains.

Paradigm Shift Required in IT Security

Dunham notes that 2023 was full of examples of a race around zero-days: vulnerabilities were reverse-engineered and weaponized by bad actors faster than organizations could patch them.

"There are still some organizations struggling to patch Log4J vulnerabilities after all this time," he points out.

He says organizations must identify their attack surface, internal and external, and prioritize assets and risk management accordingly in order to get out in front when exploitation and attack risk related to a vulnerability increases.

From Pace's perspective, the IT security industry must undergo a paradigm shift in how it considers risk and how to best prioritize it — and this can only happen with visibility into the supply chain. He shared an example in which a "very large organization" did not know what dependencies its security system had when it dutifully updated that system. "After the update it was scanned by a vulnerability scanner and it was determined that the recent critical Apache Struts vulnerability was present," he says. "Now this organization has introduced a severe risk to their organization."

Secure Design in the IoT Era

John Gallagher, vice president of Viakoo Labs at Viakoo, says one key challenge is designing security into long-lived devices, such as those that are part of the Internet of Things (IoT), that may not have had security as a design consideration initially.

"This requires more extensive testing and may require new engineering resources," he says. "Likewise, building in new security features is a way to introduce new security vulnerabilities."

Gallagher says software manufacturers should embrace the use of software bills of materials (SBOMs) to find and remediate vulnerabilities more quickly. He notes that companies are incorporating secure by design practices into new products, which will ultimately be a competitive factor in the marketplace.

"In addition to MFA and restricted access privileges, other measures like eliminating default passwords and providing mechanisms to more easily and quickly update firmware are being designed into products," he says.

Avoiding "security through obscurity" is another tenet of secure by design, Gallagher points out. SBOMs and open source software, for example, provide security by offering transparency around the software code.

Pace says one of the areas he is most excited about as it relates to secure by default and secure by design is significantly better visibility into the software supply chain. "Once this visibility can be achieved, we can begin to truly understand where our problems are from a foundational level and then begin to prioritize them in a way that makes sense," he says.
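The supply-chain visibility Gallagher and Pace describe is what an SBOM makes mechanical: once every component and version is listed, the question "are we carrying a vulnerable Log4j or Struts build?" becomes a lookup rather than an investigation. The script below is an added illustration, not code from the article or from any vendor quoted in it; it reads a constructed CycloneDX-style SBOM and checks each component against a constructed advisory list with placeholder ids and version ranges.

```python
import json
import re

# Constructed sample SBOM in CycloneDX JSON layout (not from any real product).
SBOM_JSON = """{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "components": [
    {"type": "library", "group": "org.apache.logging.log4j", "name": "log4j-core", "version": "2.14.1"},
    {"type": "library", "group": "org.apache.struts", "name": "struts2-core", "version": "2.5.30"},
    {"type": "library", "group": "com.fasterxml.jackson.core", "name": "jackson-databind", "version": "2.15.2"}
  ]
}"""

# Constructed advisory feed with placeholder ids and version ranges; a real
# pipeline would pull these from a vulnerability database instead.
ADVISORIES = [
    {"id": "ADV-EXAMPLE-1", "group": "org.apache.logging.log4j", "name": "log4j-core",
     "introduced": "2.0", "fixed": "2.17.1"},
    {"id": "ADV-EXAMPLE-2", "group": "org.apache.struts", "name": "struts2-core",
     "introduced": "2.0.0", "fixed": "2.5.31"},
    {"id": "ADV-EXAMPLE-3", "group": "com.fasterxml.jackson.core", "name": "jackson-databind",
     "introduced": "2.0.0", "fixed": "2.9.10"},
]

def parse_version(version):
    """Turn '2.14.1' or '2.0-beta9' into a comparable tuple of ints (qualifiers dropped)."""
    parts = []
    for piece in version.split("."):
        match = re.match(r"\d+", piece)
        parts.append(int(match.group()) if match else 0)
    return tuple(parts)

def in_range(version, introduced, fixed):
    """Affected if introduced <= version < fixed (half-open range, as OSV-style feeds use)."""
    v = parse_version(version)
    return parse_version(introduced) <= v < parse_version(fixed)

def affected_components(sbom_json, advisories):
    """Return (group, name, version, advisory id) for each SBOM component inside an advisory range."""
    hits = []
    for comp in json.loads(sbom_json).get("components", []):
        version = comp.get("version")
        if not version:  # unversioned entry: skipped here; a stricter policy would flag it
            continue
        for adv in advisories:
            if (comp.get("group"), comp.get("name")) == (adv["group"], adv["name"]) \
                    and in_range(version, adv["introduced"], adv["fixed"]):
                hits.append((comp["group"], comp["name"], version, adv["id"]))
    return hits

if __name__ == "__main__":
    for group, name, version, adv_id in affected_components(SBOM_JSON, ADVISORIES):
        print(f"{group}:{name}@{version} falls in the affected range of {adv_id}")
```

With the constructed data, log4j-core and struts2-core are reported and jackson-databind is not, because its version is past the placeholder fix boundary.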
