It seems as if we're encountering new cyber threats every day — and the severity of their impact is growing. We now routinely deal with zero-day vulnerabilities and hybrid attacks, and when we face incidents such as Log4Shell, we rely on a group of volunteers to protect code that is deeply embedded in essential systems.
These events have pushed security teams to rethink what they do and to focus on proactive approaches that are rooted in software development security beyond "patch and pray." Toward this goal, security teams should consider the following critical software development security trends for 2022, along with "best practices" responses to them.
1. The Growing Attack Surface of Software Supply Chains
Most of the media coverage of software supply chain threats has focused on open source package managers, third-party packages, and a handful of breaches of common systems such as Microsoft Exchange and the SolarWinds network management tool. We have also witnessed the rapid increase in the number of attacks and in their breadth, targeting every nook and cranny of the supply chain.
Package managers are the obvious entry point. But there are many others, starting with developer environments and proceeding to merge queue systems, plug-ins/add-ons to code repositories, continuous integration/continuous delivery systems, application security tools and software release distribution tools. All of this combined leaves dozens and sometimes hundreds of potential entry points in the development process — and that number is growing as the number of tools and solutions used by more autonomous teams continues to expand. So expect to see previously unseen supply chain threats as the attack surface keeps increasing.
Best practice: Every company should create a software supply chain inventory to capture every potential insertion point and enable a programmatic approach to addressing risks along the entire chain.
2. The Year the SBOM Goes Mainstream
Conceptually, the software bill of materials (SBOM) has been around for a number of years. The basic idea of an SBOM is simple: Every software application should have a "bill of materials" that lists out all the components of the application. This mirrors the bill of materials that all electronics products in the physical world have.
Two prominent organizations — the Linux Foundation and the Open Web Application Security Project (OWASP) — have SBOM technologies: Software Package Data Exchange (SPDX) and Cyclone, respectively. However, adoption of the two SBOM standards has been slow. The US federal government is now on the case, pushing industry to shore up the supply chain. This may include SBOM mandates for software used by government agencies.
Best practice: Companies that are not already using SBOM should explore adopting SBOM standards for a pilot project. This will give organizations experience with one or both of the standards, and with using SBOM as a gating factor for software releases and application security practices.
3. Zero Trust Becomes Embedded in Software Engineering
We mostly hear about zero trust within the context of authenticating users/requests/transactions and verifying identity on a continuous basis. However, we don't often hear about applying zero trust to the far left of the software supply chain, in development and DevOps cycles. In fact, it could be argued that zero trust is barely an afterthought here.
In targeting supply chains, attackers nearly always rely on the presence of trust in systems — be it packages, version-control systems, or developer identities based only on virtual actions and comments. In response, security teams should start considering the implementation of zero-trust policies and systems deep in the development process to better safeguard their applications from the source code up.
Best practice: Ensure that every segment of your software development supply chain has, at minimum, two-factor authentication applied. Then explore how to add additional factors to establish continuous authentication.
Cybersecurity has always been about recognizing and responding to trends, as well as anticipating and preparing for attacks both familiar and unknown. In 2022, security teams should focus on protecting software supply chains while implementing SBOM and zero trust. As a result, organizations will stay ahead of critical developments, instead of falling behind them.