Cybercriminals are also developers, and they know how to attack the weakest links in any software architecture.
Software development as an industry is transforming all the time and, in recent years, it has changed considerably due to evolving market demands.
Think back 10 to 15 years when developers would write everything on their own. Today it is very rare for developers to write all code from scratch. In this new era of modern application development they tend to take tools and resources from different places to create software more efficiently.
In oversimplified terms, modern application development is like building a bridge out of toy blocks. To build a secure bridge, it is not enough to inspect each brick individually; the builder must also understand the bigger picture, the overall ‘architecture’. Developers who assemble components rather than writing their own code are in the same position: they have to look at the full structure to see how stable the whole design really is.
What we are talking about here is the basis of modern application development.
Securing the bricks and architecture
With coding, as with building blocks, it is important for developers to have a view of the bigger picture. Developers now want to build flexible applications by simply snapping components together. This is a positive shift, and it has let developers focus on what matters most: business logic.
At the same time, however, this does raise concerns around security, especially when it comes to the links between the components. As the ‘snap-on’ model of modern application development continues to gain popularity, what are the security risks that organizations need to consider when ‘legolizing’ modern application development?
When building a metaphorical Lego bridge in the application security world, developers need to look at where components are linked and how they work together, because every new combination introduces new and sometimes complex security challenges. When an attack succeeds, the security of their software affects not only the end user but the entire organization as well.
Addressing the ‘legolized’ attack trend
Modern application security is focused on two steps: making sure the bricks are secure, then making sure the architecture is secure. Skipping either step opens the apps being developed to attackers. Supply chain attacks such as the Kaseya VSA compromise, and large-scale ransomware incidents such as Colonial Pipeline, show the scale of the cyber risks involved.
Attackers have realized it is easier to compromise one component than the whole stack. It may seem obvious, but applied to our bridge, it is easier to attack an existing crack than the bridge itself, and the same holds for applications. Rather than attacking an organization head on, attackers look for a vulnerable component and go through that instead.
In the past, developers viewed security as the problem of their organization’s IT team. In recent years that mindset has changed, and developers increasingly recognize that security is their responsibility too.
In order to help developers prevent a ‘legolized’ attack, organizations need to encourage them to take a more holistic, unified, and effective approach to managing risk. They need to be given the right tools to look at the overall architecture of how the code they use fits together.
There is now a real need to scan all the bricks and all the links between them, and to have the different scanning engines correlate their findings with each other. Developers cannot be expected to keep pace with every trick attackers use, so detection and mitigation must be automated: a supply chain engine that tracks every component and the infrastructure it runs on, without affecting or slowing down their work.
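As an added illustration of scanning both the bricks and the links (example code written for this article, not any vendor’s supply chain engine), the following Python correlates a constructed CycloneDX-style SBOM with a constructed advisory list and reports, for each vulnerable component, the chain of dependencies that pulls it into the application. All package names, versions and advisory IDs below are made up for the example.

```python
"""Scan the bricks and the links: correlate an SBOM's dependency graph with an
advisory list and report, for each vulnerable component, the chain of
dependencies that pulls it into the application.

Added example for this article, not any vendor's engine. The SBOM, package
names, versions and advisory IDs below are all constructed for illustration."""

import json
from collections import deque
from typing import Dict, List, Optional, Tuple

# Constructed CycloneDX-style SBOM: one application, five components.
# 'legacy-logger' is listed as a component but nothing depends on it, which
# is the kind of inconsistency a scan over the links (not just the bricks)
# should surface.
SBOM_JSON = """
{
  "metadata": {"component": {"bom-ref": "pkg:app/shop@1.0.0"}},
  "components": [
    {"bom-ref": "pkg:npm/web-framework@4.2.0", "name": "web-framework", "version": "4.2.0"},
    {"bom-ref": "pkg:npm/template-engine@2.1.3", "name": "template-engine", "version": "2.1.3"},
    {"bom-ref": "pkg:npm/html-escape@1.0.9", "name": "html-escape", "version": "1.0.9"},
    {"bom-ref": "pkg:npm/http-client@3.0.0", "name": "http-client", "version": "3.0.0"},
    {"bom-ref": "pkg:npm/legacy-logger@0.4.0", "name": "legacy-logger", "version": "0.4.0"}
  ],
  "dependencies": [
    {"ref": "pkg:app/shop@1.0.0",
     "dependsOn": ["pkg:npm/web-framework@4.2.0", "pkg:npm/http-client@3.0.0"]},
    {"ref": "pkg:npm/web-framework@4.2.0", "dependsOn": ["pkg:npm/template-engine@2.1.3"]},
    {"ref": "pkg:npm/template-engine@2.1.3", "dependsOn": ["pkg:npm/html-escape@1.0.9"]},
    {"ref": "pkg:npm/html-escape@1.0.9", "dependsOn": []},
    {"ref": "pkg:npm/http-client@3.0.0", "dependsOn": []}
  ]
}
"""

# Constructed advisories (hypothetical IDs, not real CVEs): versions below
# 'fixed_in' are considered affected.
ADVISORIES = [
    {"id": "EXAMPLE-ADV-1", "name": "html-escape", "fixed_in": "1.1.0"},
    {"id": "EXAMPLE-ADV-2", "name": "http-client", "fixed_in": "2.9.0"},
    {"id": "EXAMPLE-ADV-3", "name": "legacy-logger", "fixed_in": "0.5.0"},
]


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn a dotted numeric version into a tuple so that 1.10.0 > 1.9.9."""
    return tuple(int(part) for part in version.split("."))


def load_graph(sbom: dict) -> Tuple[str, Dict[str, dict], Dict[str, List[str]]]:
    """Return (root ref, components by ref, adjacency list of dependsOn edges)."""
    root = sbom["metadata"]["component"]["bom-ref"]
    components = {c["bom-ref"]: c for c in sbom["components"]}
    edges = {d["ref"]: list(d.get("dependsOn", [])) for d in sbom["dependencies"]}
    return root, components, edges


def find_path(root: str, edges: Dict[str, List[str]], target: str) -> Optional[List[str]]:
    """Breadth-first search from the application root: the shortest chain of
    refs that reaches target, or None if no link leads there."""
    queue = deque([[root]])
    seen = {root}
    while queue:
        path = queue.popleft()
        if path[-1] == target:
            return path
        for nxt in edges.get(path[-1], []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(path + [nxt])
    return None


def scan(sbom_json: str, advisories: List[dict]) -> List[dict]:
    """Correlate every component (brick) with the advisories and attach the
    dependency path (links) that introduces it. Orphan components get depth None."""
    root, components, edges = load_graph(json.loads(sbom_json))
    findings = []
    for ref, comp in components.items():
        for adv in advisories:
            if comp["name"] != adv["name"]:
                continue
            if parse_version(comp["version"]) >= parse_version(adv["fixed_in"]):
                continue  # already at or past the fixed version
            path = find_path(root, edges, ref)
            findings.append({
                "advisory": adv["id"],
                "component": f'{comp["name"]}@{comp["version"]}',
                "fixed_in": adv["fixed_in"],
                "depth": len(path) - 1 if path else None,
                "path": " -> ".join(path) if path
                        else "not reachable from root: SBOM lists the brick but no link pulls it in",
            })
    return findings


if __name__ == "__main__":
    for finding in scan(SBOM_JSON, ADVISORIES):
        print(f'{finding["advisory"]}: {finding["component"]} (fixed in {finding["fixed_in"]}), '
              f'depth {finding["depth"]}: {finding["path"]}')
```

Two things the output shows that a per-brick scan alone would not: the affected html-escape version sits three links below the application, behind two components the developer never chose directly, and legacy-logger is a brick in the inventory with no link to it at all, which means either the SBOM is incomplete or a dead dependency is still shipping.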
Training as a form of defense
Everyone agrees that training is important, but until recently few effective solutions have been offered. Therein lies the issue: developers are eager to learn how to write secure-by-design code, yet have traditionally lacked the tools or training to do so. This knowledge gap has left them unable to deliver the safest products for their organizations, resulting in risks that are entirely preventable.
Therefore, businesses need to put measures in place to ensure developers receive appropriate application security training, and not the traditional compliance sessions. Instead, organizations should prioritize bite-sized, interactive training that enthuses this group and is tailored to the developers who are reshaping software development.
As digital transformation and innovative technology solutions continue to evolve, the software development landscape has changed and will continue to do so. The message for organizations that want their developers empowered to create secure applications is that modern application security has to evolve in tandem.