How to mitigate security threats and supply chain attacks in 2023 and beyond

The explosion of popular programming languages and frameworks has reduced the effort required to create and deploy web applications.

However, most teams need more resources, budget and knowledge to manage the vast number of dependencies and technical debt accumulated during the application development lifecycle. Recent supply chain attacks have used the software development lifecycle (SDLC), emphasizing the need for comprehensive application security operations in 2023 and beyond.

Attacking the software supply chain

Supply chain attacks occur when malicious actors compromise an organization through vulnerabilities in its software supply chain — as the SolarWinds breach demonstrated all too well. These attacks occur in diverse ways, such as making use of malicious code hidden in popular open-source libraries or taking advantage of third-party vendors with poor security postures.

Gartner predicts that 45% of organizations worldwide will have experienced attacks on their software supply chains by 2025. With this in mind, security and risk management leaders must partner with other departments to prioritize digital supply chain risks and pressure suppliers to prove that they have robust security practices in place.

Open-source and Software Bill of Materials (SBOMs)

Many organizations use prebuilt libraries and frameworks to accelerate web application development. Once there is a working prototype, teams can focus on automating build and deployment to deliver applications more efficiently. The rush to ship apps has led to development operations (DevOps) practices (which combine software development and IT operations to accelerate the SDLC) and use continuous integration and development (CI/CD) pipelines to deliver software.

To solve the challenges introduced by unknown code in critical applications, the Department of Commerce, in coordination with the National Telecommunications and Information Administration (NTIA), published the “minimum elements” for a Software Bill of Materials (SBOM). A SBOM holds the details and supply chain relationships of various components used in building software, serving as the source to:

• Check what components are in a product.
• Verify whether components are up to date.
• Respond quickly when new vulnerabilities are found.
• Verify open-source software (OSS) license compliance.

The SBOM significantly improves visibility into the codebase, which is critical because the complexity of open-source software libraries and other external dependencies can make identifying malicious or vulnerable code within application components extremely difficult. Log4j is an excellent example of an open-source vulnerability that an SBOM can help organizations find and remediate. 

What’s missing in application security?

Most security tools run as a layer on top of the development cycle — and the larger the organization, the more difficult it is to enforce use of those tools. Far too often, companies do not take security into account until after applications are deployed, resulting in a focus instead on reporting problems that are already baked into the application.

Many vendors commoditize vulnerability checks in the software supply chain, ignoring security during the pre-development phase, which leaves the meteoric rise of malware in open-source packages and third-party libraries used to develop the applications unaddressed.

Unfortunately, this gap between development and security creates a perfect target for malicious actors. Well-funded, highly motivated attackers have the time and resources to exploit the gap between DevOps and DevSecOps. Their ability to embed themselves into and understand the modern SDLC has far-reaching consequences for application security.

7 ways to improve your AppSec posture for 2023 (and beyond)

As malicious actors find new ways to exploit and leverage vulnerabilities, organizations must harden their environments and improve their web application security. Following these seven best practices can help build security into DevOps processes and prepare for the threats to come in 2023:

• Use an SBOM to ensure visibility into the code to enable better application security.
• Formalize an approval process for open-source software, including all libraries, containers, and their dependencies. Make sure DevSecOps has the tools and knowledge needed to assess these packages for risks.
• Assume all software is compromised. Build an approval process for supply chains and enforce security in the supply chain.
• Never use production credentials in the continuous integration (CI) environment and check that repositories are clean.
• Enable GitHub security settings, such as multi-factor authorization (MFA) to prevent account takeovers, secret leak warnings, and dependency bots that notify users when they should update packages (but remember that these methods are not enough by themselves).
• Merge development security into the application development lifecycle by implementing shift-left protocols for software development.
• Ensure comprehensive end-to-end protection for the digital ecosystem. Implement a layer of security in every part of the supply chain — from the SDLC, the CI/CD pipeline and the services that manage data in transit and store data at rest.

Following these wide-ranging security best practices and constantly reviewing and implementing them across an organization can help security teams better secure applications and successfully mitigate threats in the years to come.

George Prichici serves as VP of products at OPSWAT.