Cyberattacks against software supply chains have in the last few months have resulted in a spate of high-profile breaches that are impacting organizations around the globe. Cybercriminals have determined the most efficient way to wreak as much havoc as possible is to compromise software that thousands of organizations employ. The core targets of these attacks are the teams of developers that build and deploy that software.
Most of those attacks begin with the same types of phishing attacks that are launched against everybody else. Cybercriminals are trying to compromise the credentials of developers that typically have privileged access to backend IT platforms they need. Just like a lot of end-users, the typical developer, when it comes to access, is overprivileged.
A big part of the reason for that is many developers in the interest of building and deploying applications now regularly provision Infrastructure as Code (IaC) using tools such as Terraform. Cybercriminals know that if they can gain access to the credentials to those systems, they can gain access to the entire IT environment. Most organizations have policies in place that limit who can access IT environments but enforcing them is a major challenge.
A survey of 314 security professionals conducted by Dimensional Research on behalf of Tripwire, a provider of compliance tools, finds more than three quarters (78%) use best practice security frameworks and well over half (59%) have configuration standards for their public cloud. However, only 38% of the organizations that have frameworks in place said they were consistently applied across their cloud environments. Only 21% said they have a centralized view of their organization’s security posture and policy compliance across all cloud accounts.
Nearly three-quarters of respondents (73%) said their organizations are now trying to secure a multi-cloud environment, with a full 98% noting multiple clouds create additional security challenges. In theory, at least, the best DevSecOps practices that shift responsibility for security further left toward developers should reduce risks. Developers, in reality, don’t have a lot of time, or in some cases inclination, to master all the nuances of cybersecurity. There may come a time when the tools and DevOps platforms they rely on will be able to identify malicious code that has been injected into an application. In the meantime, however, it’s still up to security teams to make sure the software supply chain is secure both before and after the software is deployed in a production environment.
Obviously, that’s a tall order when developers can easily fall prey to a phishing attack. Cybersecurity teams need to not only create security policies but also make sure they are enforced. Complicating that issue is a desire to secure the software supply chain without slowing down the rate at which applications are being built and deployed. It’s not clear to what degree that’s actually an achievable goal. At some point, organizations may need to come to terms with the simple fact that deploying more insecure software faster just plays into the hands of the cybercriminals. In fact, like it not it may be time to recognize, at least for the time being, that rapidly developed software is unsafe at any speed.
Mike Vizard has covered IT for more than 25 years and has edited or contributed to a number of tech publications including InfoWorld, eWeek, CRN, Baseline, ComputerWorld, TMCNet, and Digital Review. He currently blogs for IT Business Edge and contributes to CIOinsight, The Channel Insider, Programmableweb, and Slashdot. Mike also blogs about emerging cloud technology for SmarterMSP.