Cultivating a security-first mindset for software developers
There is a “great cyber security awakening” happening across companies. Right now, we need a fundamental new approach to development, so we are not constantly firefighting.
Almost two years into the pandemic, organizations are recognizing that their teams may never be together in one place again. This has pushed a mass adoption of cloud services and SaaS applications to enable their distributed workforces. The pandemic has also fueled an increase in cybercrime, with criminals taking advantage of the chaotic transition to remote work to target vulnerable systems and launch devastating ransomware and supply chain attacks. Understandably, security teams are recalibrating and sorting out where more security investments are needed in the new year.
The software development community is responding to these developments and recognizes that approaching security as an afterthought encourages attacks and their resulting damages. Each time an app is updated with new functionality, there is potential to introduce exploitable vulnerabilities.
Vulnerabilities can be introduced in several ways. The pressure to deliver innovative features and get products to market quickly often forces security practices to the wayside, resulting in vulnerable code getting released. The use of pre-built code and components and the idiosyncrasies of the various programming languages can also introduce software vulnerabilities. Even when developers follow secure coding practices, highly motivated cybercriminals are looking for vulnerabilities across a collection of code to be exploited where developers may be working just within a small code subset and not see the bigger picture. In any case, the vulnerability is dealt with through further app updates, which perpetuates the cycle.
Faced with this uphill struggle, app vendors are going to have to ask themselves how they can build security at the level they need into their applications. For many of them, the answer will be to embed what I call “micro-detection” into their apps.
Micro-detection can result in resilient software
Most software today is composed of independent, loosely coupled components that run each app process as a service. These services work and deliver in a standalone capacity, but when they’re combined, the whole is far greater than the sum of the parts. Cybersecurity, however, hasn’t kept pace with this evolution. It still views the application in totality, making it difficult to effectively mitigate the risks introduced by microservice architecture. Breaking down an application into discrete microservices increases that app’s attack surface, as its entry points and communication paths are spread over multiple environments. Cybersecurity’s high-level umbrella approach isn’t well-suited to detecting and addressing vulnerabilities in these types of modern applications.
Detection is going to have to get down to the micro level to work effectively with microservices. Imagine detection as a set of small service capabilities that can sit and monitor changes within a micro-service. The closer we can get to the source the faster and easier it is to monitor a chain reaction that can lead to an exploit being active. Prevention is great but it’s too close to an exploit being active. This may be controversial to some folks, but you need a vaccine to prevent an illness, and the earlier you get it the better you are protected, even if you never come in contact with the virus.
So how do you know when to get that vaccine and which one to get? You have to see what’s happening and really understand the potential impact. The only sure way to achieve this outcome is for developers to consider how each service they’re developing could potentially be exploited and how each exposure would work from one service to the next. Then they’ll need to consider the potential for detection capabilities.
This likely means developers will have to identify potential anomalies—a deviation from the baseline in some microservice code, for example—that can provide a “trigger” for detection. A single anomaly in a microservice on its own may be interesting but not particularly important. But when combined with five or six other specific anomalies across the same set of functionalities spanning several microservices, it may indicate something more critical. Machine learning algorithms could recognize these anomalies as a pattern and flag it for investigation. In this way, developers can build in a series of hooks at the microservice level that could point the way toward a security threat when viewed together.
Making micro detection a reality will require a significant paradigm shift. Application feature functionality and security need to be handled by separate independent teams. Today many companies have developers who are also responsible for security. Separating church and state is important, the fox cannot be in the henhouse, pick your analogy; otherwise, you end up with supply chain issues. What’s needed is an agile approach to security and development that brings the two disciplines together to work in conjunction. The shift may take years, but the current cybersecurity climate has spurred an awakening that is forcing application providers to accept they can’t continue to develop software in the same way.
The role for managed detection and response
Managed detection and response will still play a critical role in this new paradigm. MDR’s strength is putting organizations in a good security posture to begin with and prioritizing their focus on what needs to be done to prevent a breach. In the event, the organization does get breached, MDR providers can help control the extent of the attack to minimize the impact. The shift toward a security-first development mindset coupled with monitoring by a strong MDR partner will provide the most robust protection in a growing and increasingly aggressive threat landscape.