By now, everyone has heard about the malicious December 2020 attack on SolarWinds’ Orion software platform, which affected the US Treasury, US Department of Commerce and the cybersecurity company FireEye, among others. While the breach itself sounds too massive to believe, we don’t have to look far to find the culprit. All it takes is one small security hole to open up a world of trouble. The question is, when will we learn our lesson?
According to Microsoft, the addition of a few innocent-looking lines of code into a single DLL file was all it took to threaten the security of the powerful organizations using the affected product. Boiled down to simple terms, all of the powerful companies impacted by the SolarWinds breach have one thing in common: the Orion application they relied on as a critical piece of their software supply chain suddenly became an attack vector.
Application security is no longer just nice to have; it is a business imperative. As myriad companies large and small continue to drive digital transformation, they will become increasingly reliant on software (like Orion). And entities in the business of building this software absolutely must establish a robust application security program so they can roll out their applications both quickly and securely.
No matter where you stand with regard to time and resources, vulnerabilities in the supply chain can and will bring down even the most advanced digital business. Why? Because applications are still the most favored external attack target overall. Without a loop of continuous vulnerability discovery in place, there is no way to ensure security happens early and often in the software development life cycle (SDLC). An arbitrary, pick-and-choose approach to security testing leaves organizations flying blind, without the visibility they need throughout the build. The question organizations need to ask of their software supply chain partners is: how are best practices in application security being applied in the ongoing development and delivery of these applications?
While the risk to the software supply chain is considerable, the work it takes to address it doesn’t have to be. Organizations need to rely on technical vendors and other third parties in their software supply chain to deliver excellent applications that allow them to grow and provide solutions to customers. But companies must address the security of their applications by ensuring their software supply chain partners are taking a holistic and comprehensive view of application security.
Take Charge of Security
Empower your organization to maintain enterprise standards for application security while accelerating software delivery, without disrupting DevOps processes. With an effective application security automation and orchestration platform, you can remove the friction between security and DevOps teams by making security integral to, and transparent within, the software development life cycle. Developers are then empowered to deliver the secure software your business needs to drive growth and future success. Make sure your DevOps toolchain integrations support development agility.
This is just a start, but by understanding these basic best practices, you can protect your organization from software supply chain attacks. For more information on how to manage your application security tools to deliver consistent, scalable scanning throughout the development life cycle, contact us at ZeroNorth and kick off the new year with a robust security program.
*** This is a Security Bloggers Network syndicated blog from Blog | ZeroNorth authored by ZeroNorth. Read the original post at: https://www.zeronorth.io/blog/its-time-to-understand-risk-in-the-software-supply-chain/