Austin Gadient is CTO and cofounder of Vali Cyber. Vali’s product ZeroLock automatically detects and remediates cloud security threats.
Supply chain attacks are making headlines. These high-profile, highly invasive attacks are a major concern to organizations, and understandably so: more than 60% of American businesses have been impacted by supply chain attacks over the past year. To manage the risk, many companies require SOC 2 or similar certifications from their vendors as a way to impose stricter security standards and uphold software quality. Unfortunately, these compliance requirements are open to interpretation, and in practice they tend to be satisfied by hardening production systems while development systems are left less protected. This two-tier standard for development and production environments is cause for significant concern.
Many breaches originate in development environments. The LastPass breach, for example, began when keylogger malware on a DevOps engineer's computer captured the master password to a corporate vault. Another attack aimed squarely at developers hit the popular PyTorch library: a dependency of its nightly builds was hijacked through dependency confusion, so installing the package ran malicious code on developer systems that harvested credentials such as SSH keys. When developer systems are breached, supply chain attacks often follow: attackers use their access to development environments to corrupt software packages, steal credentials for cloud systems and compromise code repositories.
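The dependency confusion mentioned above works because a resolver pointed at both a private index and the public one treats them as equals. The following model, added here as an illustration and not code from the article's author, the pip project or any of the projects named, shows the weak resolution, the half-measure of pinning only the version, and the hash pin that closes the hole. The index URLs, package name, versions and digests are constructed for the demonstration.

```python
"""Dependency-confusion resolver model (added example, not from the article).

Models how a pip-style resolver that is pointed at both a private index and
the public index can be steered to an attacker's package, and why a hash pin
is the check that actually closes the hole. Index URLs, package name,
versions and digests below are constructed for the demonstration.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Iterable


@dataclass(frozen=True)
class Candidate:
    name: str
    version: str
    index: str    # index the candidate was found on
    sha256: str   # digest of the distribution file (constructed, shortened)


PRIVATE_INDEX = "https://pkgs.example.internal/simple"   # assumed internal index
PUBLIC_INDEX = "https://pypi.org/simple"

# Constructed catalog. "acme-auth" is an internal-only package. An attacker has
# registered the same name on the public index, once with an absurdly high
# version and once with a copy of the internal version number.
INDEXES = {
    PRIVATE_INDEX: [Candidate("acme-auth", "2.0.0", PRIVATE_INDEX, "1111")],
    PUBLIC_INDEX: [
        Candidate("acme-auth", "99.0.0", PUBLIC_INDEX, "dead"),
        Candidate("acme-auth", "2.0.0", PUBLIC_INDEX, "beef"),
    ],
}


def version_key(version: str) -> tuple[int, ...]:
    """Order plain dotted versions numerically (enough for this model)."""
    return tuple(int(part) for part in version.split("."))


def candidates_for(name: str, indexes: dict, version: str | None = None) -> list[Candidate]:
    """Collect every candidate for `name` across all configured indexes."""
    found = [c for listing in indexes.values() for c in listing if c.name == name]
    if version is not None:
        found = [c for c in found if c.version == version]
    return found


def resolve_extra_index(name: str, indexes: dict) -> Candidate:
    """Weak: models `pip install --index-url PRIVATE --extra-index-url PUBLIC`.

    pip has no notion of index priority: every index is searched and the
    highest version wins, wherever it came from. The attacker's 99.0.0 is picked.
    """
    return max(candidates_for(name, indexes), key=lambda c: version_key(c.version))


def resolve_version_pinned(name: str, version: str, indexes: dict) -> list[Candidate]:
    """Still weak: `acme-auth==2.0.0` narrows the version but not the origin.

    Returns every candidate that satisfies the pin so the ambiguity is visible;
    a real resolver would silently take one of them.
    """
    return candidates_for(name, indexes, version)


def resolve_hash_pinned(name: str, version: str, sha256s: Iterable[str], indexes: dict) -> Candidate:
    """Hardened: models `pip install --require-hashes` with `pkg==ver --hash=sha256:...`.

    A candidate is accepted only if its digest is one the developer pinned, so a
    look-alike from any other index is rejected even when its version matches.
    """
    allowed = set(sha256s)
    for c in candidates_for(name, indexes, version):
        if c.sha256 in allowed:
            return c
    raise LookupError(f"{name}=={version}: no candidate matches the pinned hashes")


def hash_pin_rejects(name: str, version: str, sha256s: Iterable[str], indexes: dict) -> bool:
    """True if the hash-pinned resolver refuses every available candidate (fails closed)."""
    try:
        resolve_hash_pinned(name, version, sha256s, indexes)
    except LookupError:
        return True
    return False


if __name__ == "__main__":
    weak = resolve_extra_index("acme-auth", INDEXES)
    print(f"--extra-index-url picks {weak.version} from {weak.index}")
    for c in resolve_version_pinned("acme-auth", "2.0.0", INDEXES):
        print(f"==2.0.0 still admits {c.version} from {c.index}")
    strong = resolve_hash_pinned("acme-auth", "2.0.0", {"1111"}, INDEXES)
    print(f"--require-hashes picks {strong.version} from {strong.index}")
    only_public = {PUBLIC_INDEX: INDEXES[PUBLIC_INDEX]}
    print("attacker copy alone is rejected:", hash_pin_rejects("acme-auth", "2.0.0", {"1111"}, only_public))
```

The model deliberately shows the version pin failing: `==2.0.0` is satisfied by both the internal build and the attacker's copy, so only the digest distinguishes them. In practice the hash pin belongs in a lockfile generated from the trusted index, and a single index that proxies the public one is preferable to `--extra-index-url` at all.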
Attackers target development environments because they are often configured less securely than production systems. There are many reasons for this, but the primary one is the desire of companies to keep the development process as easy and frictionless as possible. Many organizations are wary of imposing stricter controls on developer systems for fear of harming developer productivity. Regrettably, that choice leaves softer targets for attackers to exploit. Simply put, companies that accept weaker security in development environments to preserve velocity put themselves at great risk of becoming the next software provider whose product is compromised to conduct a supply chain attack.
Proactive Protection
To avoid the mistakes of the past, organizations must embrace a proactive approach that incorporates security considerations throughout the development process. A fundamental step is to monitor developer systems continuously at runtime, the same way production hosts are monitored. Robust runtime security tooling lets organizations detect and respond to threats as they happen: a build step that suddenly reads SSH keys and opens a connection to an unknown host, for instance, is visible to behavior-based detection even when the malicious package itself has never been seen before. Behavior-based anomaly detection and machine learning can further improve the ability to identify and stop malicious activity at runtime.
Additionally, integrating security measures directly into the runtime environment of developer systems gives a defense that adapts to emerging threats, provided the tooling is tuned so it does not cause disruptions or slowdowns. "Shifting left" in this sense means applying the same runtime protection to development environments that production already receives. Done well, it safeguards applications and data from supply chain attacks and delivers enhanced protection and peace of mind to both the organization and its customers.
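The kind of behavior-based rule a runtime sensor on a developer workstation can apply, as an added example that is not the article's or Vali Cyber's product logic: a process running under a package-manager install that reads credential files and then talks to a host outside an allow list is flagged, while an ordinary ssh session that reads the same key is not. The event feed, hostnames, paths and allow list are constructed for the demonstration.

```python
"""Runtime detection of credential theft during a package install.

Added example, not the article's or any product's code. A process in an
install context (pip/npm, or any descendant of one) that opens credential
files and then connects to a host outside the allow list is reported. The
sensor events, hostnames, paths and allow list below are constructed.
"""
from __future__ import annotations

import re
from collections import defaultdict

# Assumed allow list: hosts a package install is expected to reach.
ALLOWED_HOSTS = {"pypi.org", "files.pythonhosted.org", "pkgs.example.internal"}

# Command lines that put a process, and all of its descendants, into an
# "install context" (build hooks and post-install scripts run as children).
INSTALL_RE = re.compile(r"\b(?:pip3?|npm|yarn)\s+(?:install|add)\b")

# Credential files a build step has no legitimate reason to read.
SENSITIVE_RE = re.compile(
    r"/\.(?:ssh|aws|kube|docker|gnupg)/|/\.(?:netrc|git-credentials|npmrc|pypirc)$"
)

# Constructed sensor feed (exec / open / connect events). pid 102 is a build
# step spawned by pip that reads keys and beacons out; pid 200 is an ordinary
# ssh session that also reads a key, legitimately.
EVENTS = [
    {"ts": 1, "type": "exec", "pid": 100, "ppid": 1, "cmd": "bash"},
    {"ts": 2, "type": "exec", "pid": 101, "ppid": 100,
     "cmd": "python3 -m pip install --extra-index-url https://pkgs.example.internal/simple acme-auth"},
    {"ts": 3, "type": "connect", "pid": 101, "dest": "pypi.org", "port": 443},
    {"ts": 4, "type": "exec", "pid": 102, "ppid": 101, "cmd": "python3 setup.py bdist_wheel"},
    {"ts": 5, "type": "open", "pid": 102, "path": "/home/dev/.ssh/id_ed25519"},
    {"ts": 6, "type": "open", "pid": 102, "path": "/home/dev/.aws/credentials"},
    {"ts": 7, "type": "connect", "pid": 102, "dest": "h4ck.example", "port": 53},
    {"ts": 8, "type": "exec", "pid": 200, "ppid": 100, "cmd": "ssh git@github.com"},
    {"ts": 9, "type": "open", "pid": 200, "path": "/home/dev/.ssh/id_ed25519"},
    {"ts": 10, "type": "connect", "pid": 200, "dest": "github.com", "port": 22},
]


def process_table(events: list[dict]) -> dict[int, tuple[int, str]]:
    """pid -> (ppid, cmd), built from the exec events."""
    return {e["pid"]: (e["ppid"], e["cmd"]) for e in events if e["type"] == "exec"}


def in_install_context(pid: int, table: dict[int, tuple[int, str]]) -> bool:
    """Walk up the ancestry; True if the process or any ancestor is an install command."""
    seen = set()
    while pid in table and pid not in seen:
        seen.add(pid)
        ppid, cmd = table[pid]
        if INSTALL_RE.search(cmd):
            return True
        pid = ppid
    return False


def detect(events: list[dict], allowed_hosts: set[str] = ALLOWED_HOSTS) -> list[dict]:
    """Correlate, per process: credential read, then outbound connection to an
    unlisted host, while inside an install context. Returns one finding per hit."""
    table = process_table(events)
    reads: dict[int, list[str]] = defaultdict(list)
    findings = []
    for e in sorted(events, key=lambda e: e["ts"]):
        pid = e["pid"]
        if e["type"] == "open" and SENSITIVE_RE.search(e["path"]):
            reads[pid].append(e["path"])
        elif e["type"] == "connect" and e["dest"] not in allowed_hosts:
            if reads[pid] and in_install_context(pid, table):
                findings.append({
                    "ts": e["ts"],
                    "pid": pid,
                    "cmd": table.get(pid, (None, "<unknown>"))[1],
                    "files": list(reads[pid]),
                    "dest": e["dest"],
                    "port": e["port"],
                })
    return findings


if __name__ == "__main__":
    for f in detect(EVENTS):
        print(f"ALERT pid={f['pid']} cmd={f['cmd']!r} read {f['files']} "
              f"then connected to {f['dest']}:{f['port']}")
```

The rule is a correlation, not a single indicator: reading `~/.ssh` is routine for ssh and git, and an install talking to the network is routine too; it is the combination under an install context that stands out. On real telemetry the exfiltration leg is often a DNS query rather than a socket to the attacker's host (the port 53 event here stands in for that), so the sensor's DNS query names should feed the same check.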
To deploy a runtime security solution on developer systems without causing operational headaches, organizations should prioritize seamless integration and developer-friendly implementation. A critical step is to select a runtime security solution that aligns with the existing development environment and workflows. The solution should be lightweight and nonintrusive: low CPU and memory overhead, no blocking of routine build and test steps, and alerts that name the process, file and destination involved so a developer can act on them without guessing.
Offering clear documentation and support during the implementation phase can also ease any potential challenges and foster developer buy-in. Furthermore, conducting comprehensive training sessions to familiarize developers with the solution’s features and benefits will empower them to take ownership of security in their code. Continuous monitoring and automated updates can further reduce operational burdens while ensuring that the security solution remains effective against evolving threats.
By emphasizing usability, collaboration and a developer-centric approach, organizations can successfully deploy a runtime security solution that seamlessly integrates into developer systems, bolstering security without hindering productivity.
Forbes Technology Council is an invitation-only community for world-class CIOs, CTOs and technology executives.