Why Organizations Today Need a Risk-Based Approach to Code Security

We salute October as National Cybersecurity Awareness Month

As we salute National Cybersecurity Awareness Month, we also want to recognize the ongoing increase in application-based software supply chain attacks. The processes that deliver security and protection during the software development cycle are disjointed, leading to gaps, vulnerabilities and a flood of false positive alerts. This is why we are making the case for all organizations to adopt a risk-based approach to code security: one that identifies and prioritizes the critical threats and vulnerabilities that really matter.

Gartner, in a security brief on software supply chain risks [1], notes that “Attackers are targeting software development systems, open-source artifacts and devops pipelines to compromise software supply chains”. The brief also cites one of Gartner’s strategic planning assumptions: that 45% of organizations worldwide will experience attacks on their software supply chains by the year 2025, a three-fold increase from 2021.

Our view is that this trend is driven by the fact that code is everywhere. Today’s software development practice relies on code that lives in many repositories, both internal and external to the organization. The growing use of open-source software and the need to rely on APIs to integrate with third-party applications increase the number of secrets present in code, and threat actors are exploiting vulnerabilities at every stage of the development cycle to compromise them.

Earlier this year the cybersecurity research firm Ponemon Institute released a report on application security risks [2]. The report presents results from a survey of over 600 individuals engaged in developing, testing and securing applications. Respondents were split almost evenly between mid-size and large organizations.

During the last year, individuals responsible for application security felt that the remediation of code vulnerability was slow and relied on point solutions where the number of false positives was so high that effective mitigation became impractical. This is particularly true of open-source application security tools as well as some of the point products that address static code testing, or dynamic testing closer to deployment. Of course, it is well recognized that threats and vulnerabilities detected closer to deployment are incredibly costly to fix and can cause a lot of other unexpected disruptions.

According to one of the results from the Ponemon survey, 84% of the respondents felt that it is difficult to ascertain and in turn reduce the risk to applications because they could not monitor, detect and prevent attacks related to code security and application vulnerability. 

The trend to shift left calls for control of application security to move into the hands of the developers. This refers to the familiar DevOps process diagram: security needs to move left from Ops toward Dev, closer to where the initial development takes place. In spite of the visibility that the shift-left movement has received, application security has not transcended silos in many organizations.

Another conclusion from the same study is that 65% of the respondents reported limited or no collaboration between their developers and their security teams. The disadvantage for those companies is the inability to quickly detect code vulnerabilities and take adequate steps to remediate them.

One of the key metrics for reviewing application security solutions is how long it takes an organization to resolve security issues found in applications that are already deployed to production. Some organizations have taken steps to resolve production vulnerabilities in minutes or hours. However, 58% of the organizations surveyed were left dealing with the impact over a period of days, weeks or even months.

Developers often feel that security controls are bolted on after the fact and in many cases are bypassed to meet the ever-growing expectations for faster code delivery. Providing security tools that are effective and operate within the developer’s common daily workflows will lead to better outcomes. As a result of longer resolution times, many organizations are reporting that their vulnerability backlogs are growing. One silver lining to all this is that the accumulating security debt is now forcing them to foster a dialog between developers and security teams. 

As reported in the 2021 Verizon Data Breach Investigations Report [3], more than 80% of security incidents originated with compromised credentials. Compromised credentials once referred only to stolen username and password combinations or credential attacks mounted by automated bots. Today, however, compromised credentials can mean secrets in code: application-level login credentials, tokens passed between applications, and data passed to invoke API interfaces. Organizations promoting security standards such as OWASP (Open Web Application Security Project) are also promoting the need to monitor secrets in code.

The BluBracket Code Security Solution is complete and comprehensive and extends beyond secrets in code to include many other risks that need to be addressed. The Code Security solution from BluBracket can apply to various stages of the development cycle.

The BluBracket solution is most effective in uncovering vulnerabilities, determining the associated risks and, best of all, delivering a path to mitigating the threats. BluBracket can deliver a risk score that is a quantifiable measure of risk over time. Unlike many point solutions, BluBracket can virtually eliminate the very high false positive rates that practitioners face with point solutions and open-source tools.

Finally, as a solution that is built with developers in mind, BluBracket is easy to integrate into the daily development workflows. It has the flexibility to operate across all git repositories, both internal and external. Integration with existing DevOps and CI/CD tools commonly found in the enterprise allow developers to easily include BluBracket into their daily routines.

Here are some of the ways that companies are using BluBracket today:

Conducting Full Repo Scans – Developers can check for hard-coded secrets in their commit history across a whole range of repositories, both internal and external. Additionally, developers and security engineers can discover which individuals have access to code and take steps to limit the number of owners and collaborators in order to reduce exposure. One particular area of risk is Git misconfiguration: BluBracket can help detect insufficient branch protection rules as well as weak multi-factor authentication configurations.

Performing Pre-commit Checks – Using the BluBracket CLI, developers can catch coding mistakes before they are committed to the local history on their workstation. Developers can then move the secret into an environment variable or a secrets management tool, which eliminates the risk of leaving secrets in plain text. The solution also highlights unsigned commits, prompting developers to sign them for better security through identity management. Most important is finding and highlighting the presence of personally identifiable information (PII) that could pose a compliance violation or lead to a substantial breach.

Completing PR Checks – Pull request checks catch hard-coded secrets before they are inadvertently merged into a remote feature branch. This is also the stage at which the BluBracket code security solution checks for configuration errors in Infrastructure as Code (IaC). IaC has become an area to monitor for security vulnerabilities as infrastructure deployment gets more automated, with scripts setting up infrastructure environments in place of manual configuration. Detecting and remediating potential infrastructure vulnerabilities directly within the development workflow avoids having to handle security incidents post-deployment.

Ensuring Post-merge Validation – In case a risk is not detected in earlier steps of the development cycle, BluBracket also escalates alerts when hard-coded secrets are merged into a main code branch. Integration with Slack, PagerDuty, ServiceNow and many other tools allows teams to be notified immediately and remediation actions to be invoked at once. Additional capabilities include scanning Docker containers and Kubernetes manifests for secrets as well. BluBracket regularly scans public repositories for secrets that may have already leaked out.
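To make the four stages above concrete, here is an added example of the kind of check a pre-commit hook or PR job runs: it is written for this page and is not BluBracket's code or CLI. It scans text for three classes of risk the post discusses (well-known credential formats, generic `password = "..."` style assignments, and high-entropy strings that look like keys), suppresses known documentation placeholders to cut the false positives the survey respondents complained about, and masks every matched value so the hook itself never echoes a secret into a terminal or CI log. The signature patterns are a small constructed subset, the entropy threshold and placeholder list are assumptions to tune per code base, and the sample file is constructed and contains no real credentials.

```python
"""Hypothetical pre-commit / PR secret check (added example, not BluBracket's code)."""
import math
import re
import subprocess
import sys
from collections import Counter
from dataclasses import dataclass

# Constructed subset of signature patterns; production scanners carry hundreds.
SIGNATURES = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}
# A credential-ish keyword assigned a quoted literal of 8+ characters.
GENERIC_ASSIGNMENT = re.compile(
    r"(?i)(password|passwd|secret|api[_-]?key|token)[A-Za-z0-9_]*\s*[:=]\s*['\"]([^'\"\s]{8,})['\"]"
)
# Candidate blobs for the entropy heuristic: 20+ chars of a base64/hex-like alphabet.
BLOB = re.compile(r"[A-Za-z0-9+/=_\-]{20,}")
ENTROPY_THRESHOLD = 4.5  # bits per character (assumption; base64 tops out at 6.0)
PLACEHOLDER_MARKERS = ("example", "placeholder", "changeme", "dummy", "xxxx")  # assumption


@dataclass
class Finding:
    path: str
    line_no: int
    kind: str
    masked: str  # never the raw value


def shannon_entropy(s: str) -> float:
    """Shannon entropy in bits per character of the string."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def is_placeholder(value: str) -> bool:
    """Allow-list documentation placeholders such as the AWS docs' EXAMPLE key."""
    lowered = value.lower()
    return any(marker in lowered for marker in PLACEHOLDER_MARKERS)


def mask(value: str) -> str:
    """Keep a 4-char prefix for triage, hide the rest."""
    return value[:4] + "*" * max(len(value) - 4, 0)


def candidates(line: str) -> list:
    """(kind, raw_value) pairs for one line; entropy runs only when no signature hit."""
    hits = [(kind, m.group(0)) for kind, pat in SIGNATURES.items() for m in pat.finditer(line)]
    hits += [("generic_credential_assignment", m.group(2)) for m in GENERIC_ASSIGNMENT.finditer(line)]
    if hits:
        return hits
    return [("high_entropy_string", blob) for blob in BLOB.findall(line)
            if shannon_entropy(blob) >= ENTROPY_THRESHOLD]


def scan_text(path: str, text: str) -> list:
    """Scan one file's contents; returns masked findings, placeholders dropped."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, value in candidates(line):
            if is_placeholder(value):
                continue
            findings.append(Finding(path, line_no, kind, mask(value)))
    return findings


def staged_files() -> list:
    """Paths added/copied/modified in the index (pre-commit hook mode)."""
    out = subprocess.run(["git", "diff", "--cached", "--name-only", "--diff-filter=ACM"],
                         capture_output=True, text=True, check=True).stdout
    return [p for p in out.splitlines() if p]


def scan_paths(paths: list) -> list:
    findings = []
    for path in paths:
        try:
            with open(path, encoding="utf-8", errors="replace") as fh:
                findings.extend(scan_text(path, fh.read()))
        except OSError:
            pass  # deleted or unreadable in this checkout; nothing to scan
    return findings


# Constructed sample input; none of these values are real credentials.
SAMPLE_FILE = """\
# constructed sample, none of these values are real credentials
aws_access_key_id = "AKIAQQQQQQQQQQQQQQQQ"
aws_docs_example = "AKIAIOSFODNN7EXAMPLE"
db_password = "hunter2-rotate-me"
API_KEY = os.environ["API_KEY"]
signing_key_b64 = "abcdefghijklmnopqrstuvwxyz012345"
"""


def main(argv: list) -> int:
    findings = scan_text("sample.py", SAMPLE_FILE) if argv == ["--demo"] else scan_paths(argv or staged_files())
    for f in findings:
        print(f"{f.path}:{f.line_no}: {f.kind}: {f.masked}")
    return 1 if findings else 0  # non-zero blocks the commit or fails the PR check


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Run it with `--demo` to see the three findings on the constructed sample (the AWS documentation key on line 3 is suppressed by the placeholder list, and the `os.environ` lookup on line 5 is exactly the remediation the post recommends, so it produces nothing). Copied to `.git/hooks/pre-commit` it scans staged files; given explicit paths it can run as a PR job over the changed files. The masking matters as much as the detection: a hook that prints the full secret on failure simply relocates the leak into CI logs and chat notifications.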

BluBracket delivers a Risk-Based Approach to Code Security for Today’s Application Development Practices 

BluBracket delivers a modern approach for today’s application development practices. It provides a comprehensive code security solution that allows developers and security professionals to identify risks from the very beginning of the development process and throughout the entire CI/CD pipeline. With deep links to code, the solution delivers actionable remediation for every risk found.

For more information on the complete set of risks that BluBracket covers and how BluBracket can help your team reduce their code security risks, please contact us at [email protected].

___________________

  1. How Software Engineering Leaders Can Mitigate Software Supply Chain Security Risks, Manjunath Bhatt, Dale Gardner, Mark Horvath, Gartner, July 2021
  2. Reducing Enterprise Application Security Risks, Research Report, Ponemon Institute, February 2021
  3. Verizon Data Breach Investigations Report (DBIR), 2021

*** This is a Security Bloggers Network syndicated blog from BluBracket: Code Security & Secret Detection authored by blubracket. Read the original post at: https://blubracket.com/risk-based-code-security/