by Bharat Mistry
UK organisations are at the cutting edge in digital adoption, especially those in certain industries like fintech. But although their efforts are delivering undoubted benefits to customers, employees and shareholders, they also expand the potential attack surface. One key example is applications, which are a vital part of any digital innovation drive, but may introduce new vulnerabilities lurking in shared open source code.
This makes it increasingly important for IT and digital managers to focus on code-level risks and bugs, not only in the deployed environment but throughout the application development lifecycle.
From luxury to necessity
Digital transformation has been helping organisations to accelerate time-to-value, keep pace with rapidly evolving markets and improve internal efficiencies for years now. However, the impact of COVID-19 has added an urgency to many projects and in many cases forced boards to consider new tools and technologies. Digital innovation has gone from a “luxury to an absolute necessity”. Microsoft claimed to have seen two years of transformation in just two months as organisations scrambled to support remote workers with its Teams platform, for example.
It’s not just third-party SaaS offerings that organisations are adopting. Increasingly, they’re looking to develop and deliver applications from their own cloud-based infrastructure. In the public sector alone, this has meant everything from contact tracing apps, to chatbots dispensing COVID information.
All this is made possible by modern development approaches known as DevOps, supported by hybrid cloud, containers, serverless, infrastructure-as-code and other innovations.
The security challenge
DevOps is able to rapidly meet ever-changing demands for new digital services not only thanks to these technologies, but also open source code components, which mean developers don’t have to write code from scratch. However, this is where security issues start to creep in. The problem is two-fold: third-party code may contain vulnerabilities, or even malware, and security teams don’t have the visibility or scope to do anything about it.
According to Trend Micro partner Snyk, open source now accounts for over 80% of application code, but bugs in this code have doubled over the past two years. In fact, nine out of the top 10 official container images in the Docker Hub contained more than 50 vulnerabilities, the same report found. Attackers could exploit these to achieve everything from sensitive data theft to SQL injection, cross-site scripting and authentication bypass.
The problem is exacerbated by the fact that DevOps and security teams too often work in silos: the former is focused on meeting time-to-market demands, relegating security to something of an afterthought. On the other side, security teams may be focused on run-time protection against web application security threats, but their visibility decreases the further left they go in the CI/CD pipeline. The resulting communication and coverage gaps pose potentially huge reputational and financial risks for the organisation if they result in a serious breach.
Instead, development teams need to prioritise security by integrating code analysis into CI/CD pipelines. It should cover all code and dependencies as well as containers to ensure security goes as “far left” as possible in the process. This is what Trend Micro and Snyk offer, via Trend Micro’s Cloud One security platform for cloud builders.
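One concrete form of the dependency check this paragraph calls for, written here as an added example and not code from Trend Micro, Snyk or the Cloud One platform: a small CI gate that parses a pinned requirements file, matches each pin against advisory version ranges, and returns a failing exit status so the pipeline stops before the build ships. The advisory entries (`EXAMPLE-ADV-001`, `EXAMPLE-ADV-002`), the package names and the requirements text are constructed placeholders; a real gate would load its advisories from a vulnerability database rather than an inline dict.

```python
"""
Added example (not Trend Micro's or Snyk's code): a minimal dependency gate
for a CI/CD pipeline. It parses a pinned requirements file, compares each pin
against an inline advisory list of vulnerable version ranges, and returns a
non-zero status so the pipeline step fails. All advisory entries, package
names and the requirements file below are constructed for illustration.
"""
import re
import sys

# Constructed advisory feed: package -> list of affected ranges.
# A version v is affected when introduced <= v < fixed; fixed None means no fix yet.
ADVISORIES = {
    "examplelib": [{"id": "EXAMPLE-ADV-001", "introduced": "1.0.0", "fixed": "1.4.2"}],
    "widgetparser": [{"id": "EXAMPLE-ADV-002", "introduced": "0.0.0", "fixed": None}],
}


def version_key(v):
    """Turn a dotted version into a tuple of ints ('1.4.2' -> (1, 4, 2))."""
    return tuple(int(p) for p in re.findall(r"\d+", v)) or (0,)


def cmp_versions(a, b):
    """Compare two versions numerically, padding shorter tuples with zeros; -1/0/1."""
    ka, kb = version_key(a), version_key(b)
    n = max(len(ka), len(kb))
    ka += (0,) * (n - len(ka))
    kb += (0,) * (n - len(kb))
    return (ka > kb) - (ka < kb)


def is_affected(version, advisory):
    """True when introduced <= version and (no fix yet or version < fixed)."""
    if cmp_versions(version, advisory["introduced"]) < 0:
        return False
    fixed = advisory["fixed"]
    return fixed is None or cmp_versions(version, fixed) < 0


PIN_RE = re.compile(r"^\s*([A-Za-z0-9_.\-]+)\s*==\s*([0-9][0-9A-Za-z.\-]*)")


def parse_pins(text):
    """Parse 'name==version' lines into {name: version}; unpinned lines are
    returned separately, since a floating dependency cannot be checked."""
    pins, unpinned = {}, []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        m = PIN_RE.match(line)
        if m:
            pins[m.group(1).lower()] = m.group(2)
        else:
            unpinned.append(line)
    return pins, unpinned


def check_pins(pins, advisories=ADVISORIES):
    """Return (name, version, advisory id, fixed version) for every affected pin."""
    findings = []
    for name, version in pins.items():
        for adv in advisories.get(name, []):
            if is_affected(version, adv):
                findings.append((name, version, adv["id"], adv["fixed"]))
    return findings


def gate(requirements_text):
    """Exit status for the CI step: 0 when clean, 1 when findings or unpinned deps exist."""
    pins, unpinned = parse_pins(requirements_text)
    findings = check_pins(pins)
    for line in unpinned:
        print(f"FAIL unpinned dependency: {line}")
    for name, version, adv_id, fixed in findings:
        fix = f"upgrade to >= {fixed}" if fixed else "no fixed version yet"
        print(f"FAIL {name}=={version} matches {adv_id} ({fix})")
    return 1 if findings or unpinned else 0


# Constructed requirements.txt used as the sample input.
SAMPLE_REQUIREMENTS = """\
# constructed requirements.txt
examplelib==1.3.0
widgetparser==2.1.0
safelib==0.9.1
"""

if __name__ == "__main__":
    sys.exit(gate(SAMPLE_REQUIREMENTS))
```

Run as a pipeline step (`python gate.py || exit 1`), the script fails the build on two of the three constructed pins and passes a pin at or above the fixed version; treating unpinned dependencies as failures is a deliberate design choice, because a range such as `>=2.0` resolves to a different artefact on every run and cannot be matched against an advisory.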