In 2022, some of the world’s biggest technology companies, including Microsoft and T-Mobile, fell victim to attacks by the cybercrime group LAPSUS$, with members of the hacking group operating from the UK and Brazil.
While the breaches differed in scope and size, several of the intrusions relied on exploiting vulnerabilities in third-party applications to gain a foothold on the victim's network.
Once inside, the LAPSUS$ attackers could steal valuable data or hold the company to ransom, threatening to leak the stolen source code of its most sensitive products unless they were paid.
While LAPSUS$ has earned a particular reputation for high-profile targets, these kinds of attacks are no longer unusual. Over the past 18 months they have become especially prevalent, with a growing number of bad actors looking to exploit applications that ship with security vulnerabilities.
Many organisations will naturally want to throw money and technology at the problem, but the best line of defence is people, in particular the software developers many businesses already employ in-house. Let's explore how developers can serve as a "human firewall" in the technology supply chain, securing the applications that attackers use as gateways into the network.
Looking into the data
Organisations first need to be aware that the software products they use every day contain bugs and security flaws from the outset. This is typically the result of a pressured development cycle that prioritises speed and functionality above security.
In partnership with Evans Data, Secure Code Warrior polled 1,200 active software developers in December of 2021 for our State of Developer-Driven Security Survey. The numbers highlighted some alarming industry trends, chief among them that 67% of developers admitted that they routinely left known vulnerabilities and exploits in their code.
This is not generally the fault of the developers themselves, but rather that of the systems they work in. Under the constant pressure of tight deadlines, these employees prioritise functionality over security. Many also lack security-related training or any real knowledge about fixing common code-level security problems.
Only 14% of those surveyed said application security was their top concern during development, falling behind priorities such as code quality, application performance, and the ability to solve real-world problems.
Making use of in-house development
To improve security, organisations need to rely on their development teams. Properly trained in-house developers can act as a firewall for company systems: writing software that is secure by design and enforcing sound access control in components such as APIs, which raises the overall security posture of the business.
Developers have a front-row seat to an organisation's security challenges and can build security practices that match how employees actually use applications. Given time and comprehensive training, they can fortify software with appropriate security measures.
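The access-control point above is the kind of defect the survey numbers describe: a handler that checks authentication but not authorization. The following is an added example, not code from the original article or from Secure Code Warrior; the in-memory invoice table, the Request and Response types and the handler names are assumptions made for illustration. It shows the vulnerable handler beside the hardened one so the missing check is visible.

```python
"""Broken object-level authorization in an API handler, beside the hardened form.

Added example for illustration (not the article's or Secure Code Warrior's code).
The invoice table, the Request/Response types and the handler names are assumed.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional

# Constructed sample data: two users' invoices in one table.
INVOICES = {
    101: {"owner": "alice", "amount": 1200, "notes": "Q1 retainer"},
    102: {"owner": "bob", "amount": 980, "notes": "server lease"},
}


@dataclass
class Request:
    user: str                                   # authenticated principal (assumed set by an auth layer)
    role: str                                   # "user" or "admin"
    path_params: Dict[str, str] = field(default_factory=dict)


@dataclass
class Response:
    status: int
    body: Optional[dict] = None


def _parse_id(req: Request) -> Optional[int]:
    """Return the invoice id from the path, or None if it is missing or malformed."""
    try:
        return int(req.path_params["id"])
    except (KeyError, ValueError):
        return None


def get_invoice_vulnerable(req: Request) -> Response:
    """Authenticated but not authorized: any logged-in user can read any invoice
    simply by changing the id in the URL (an insecure direct object reference)."""
    invoice_id = _parse_id(req)
    if invoice_id is None:
        return Response(400, {"error": "bad id"})
    invoice = INVOICES.get(invoice_id)
    if invoice is None:
        return Response(404)
    return Response(200, invoice)           # no ownership check at all


def get_invoice_hardened(req: Request) -> Response:
    """The same endpoint with the ownership check the vulnerable version omits.

    Design points: the check compares against the server-side owner field, never a
    client-supplied value; admins are permitted explicitly rather than by the
    absence of a check; forbidden and not-found both return 404 so a caller
    cannot enumerate which ids exist (a deliberate choice, 403 is also common)."""
    invoice_id = _parse_id(req)
    if invoice_id is None:
        return Response(400, {"error": "bad id"})
    invoice = INVOICES.get(invoice_id)
    if invoice is None:
        return Response(404)
    if req.role != "admin" and invoice["owner"] != req.user:
        return Response(404)                # deny without revealing the record exists
    return Response(200, invoice)


if __name__ == "__main__":
    attacker = Request(user="bob", role="user", path_params={"id": "101"})
    print(get_invoice_vulnerable(attacker).status)  # 200: Bob reads Alice's invoice
    print(get_invoice_hardened(attacker).status)    # 404: denied
```

The fix is a single comparison, which is exactly why it is so often left out under deadline pressure: nothing in functional testing fails when it is missing. A developer trained to look for it writes the ownership check as a matter of habit, and a code review that asks "who is allowed to call this, and where is that enforced?" catches the cases they miss.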
As we've seen from the SolarWinds breach and others like it, the software supply chain will remain a key target. Since vendor platforms can ship with vulnerabilities (or, as in the SolarWinds case, with compromised code), in-house developers can wrap them in compensating controls such as least-privilege access, input validation at integration points and monitoring of how the platform is used.
Ideally, platform vendors would fix the security of their products before shipping, but it may take a rash of further high-profile breaches before that happens. Business consumers cannot keep operating in a world where the security of their platforms is unknown. Work with your development team to add security controls that guard against these kinds of attacks.
Change needs to happen now
Organisations continue to face cyber threats from a wide range of sources. Relying on automation, tooling and a reactive response to security incidents was once enough on its own, but the increasingly sophisticated threat landscape demands a more vigorous defence.
A human-led approach to software security that leverages security-skilled developers can close this gap. Organisations must focus on the talent already in the business to improve their security posture and reduce the vulnerabilities embedded in the supply chain. Often, developers want to learn these skills but lack the time or incentive to do so. Training that empowers them, together with automation and security tools, provides a pathway to long-term success that was previously out of reach.
About the Author
Matias Madou is the Co-Founder & CTO at Secure Code Warrior. He is a researcher and developer with more than 15 years of hands-on software security experience and has developed solutions for companies such as HP Fortify. Over his career, Madou has led multiple application security research projects that have led to commercial products, and he holds more than 10 patents. Away from his desk, he has served as an instructor for advanced application security training courses and regularly speaks at global conferences including RSA Conference, Black Hat, DEFCON, BSIMM, OWASP AppSec, and BruCon. Madou holds a Ph.D. in computer engineering from Ghent University.