Tag Archives: Devops

Supply chain risk to dominate 2020: from the cloud all the way to the remote worker

by Bharat Mistry

We all know that the success or otherwise of most modern organisations depends to a large degree on their supply chains. From professional services partners to software providers and transportation contractors, an average enterprise could maintain hundreds of these partnerships. But these all threaten to introduce extra risk to the business, especially in the cyber domain.

Trend Micro’s newly released 2020 predictions report highlights some of the key areas where organisations may be exposed next year: from cloud and managed service providers (MSPs), new DevOps dependencies and even supply chain risks associated with their remote workers.

A new spin on an old risk
Supply chain risk is not a new phenomenon per se. The infamous NotPetya ransomware attacks of 2017 were introduced via the software supply chain, for example, while Operation Cloud Hopper was a major attack campaign targeting global organisations via their MSPs.

However, the scale of the threat coming down the line requires urgent attention. It stems to a large degree from the way organisations are changing the way they work. Digital transformation is viewed by many as an essential driver of business growth, enabling firms to respond with agility to changing market demands. In practice, this means cloud and DevOps increasingly taking centre stage in the IT departments of the coming decade.

More agility, more risk?
Unfortunately, this will introduce new cyber risk. First, organisations’ increasing reliance on third-party cloud providers will encourage attackers to go after data stored in these accounts, via code injection attacks exploiting deserialisation bugs, cross-site scripting and SQL injection. They’ll also capitalise on mistakes made when misconfiguration of these accounts leaks data to the public-facing internet.

Next, they’ll look to exploit the reliance of DevOps teams on third-party code in container components and libraries to compromise microservices and serverless environments. As these architectures become increasingly commonplace, so will attacks.

The risk posed by MSPs will also escalate, enabling a much higher ROI for attackers because they can access multiple customers via a single provider. Such threats will imperil corporate and customer data, and even pose a risk to smart factory and other environments.

Finally, supply chain risk may come from an unlikely source in 2020 and beyond. As remote and home working becomes the norm for many employees, hackers may come to view these as a handy stepping-stone into corporate networks. Whether they’re logging-on via unsecured public Wi-Fi hotspots or at home, where smart home flaws could provide an unlocked door to sneak through, these employees need to be considered as part of holistic enterprise risk management strategies.

What to do
I
t will be tough for CISOs to keep up with the rapid pace of technological change as we head through the next decade. But it’s vital that teams are equipped with the right tools and strategies to manage these third-party risks and other threats to the bottom line and corporate reputation. Here’s a snapshot of advice offered in the report:

  • Improve due diligence of cloud providers and MSPs
  • Conduct regular vulnerability and risk assessments on third parties
  • Invest in security tools to scan for vulnerabilities and malware in third-party components
  • Consider Cloud Security Posture Management (CSPM) tools to help minimise the risk of misconfigurations
  • Revisit security policies regarding home and remote workers

To find out more on our predictions for 2020 and advice on how best to manage risk in your business, check out the report here.

Open Source Software Risk Highlights the Need for Secure DevOps

by Bharat Mistry

UK firms on average download 21,000 open source software components containing flaws each year. That is the headline stat from new research which reveals the escalating risks facing developers from the common practice of sharing code. As demand for such components increases, the emphasis for security teams should be on finding ways to mitigate these risks as early on in the development lifecycle as possible, via seamless, automated security that doesn’t impact app delivery.

Continue reading

Helping Firms Secure their Digital Transformation at Cloud Expo Europe

by Ian Heritage

The quest for competitive advantage through digital innovation has hit the mainstream. Organisations across the globe are turning to agile development practices, cloud and mobile platforms, smart devices and more to drive profits and get closer to their customers. Yet going digital means new risks, a larger corporate attack surface and more work for stretched IT teams.

Finding a solution to these challenges is not easy, but it is essential to the success of crucial digital transformation projects. That’s why our Principal Security Strategist, Bharat Mistry, will be offering some guidance for IT leaders at this year’s Cloud Expo Europe in London next month. His presentations will cover security for CI/CD environments and the value of Managed Detection and Response (MDR). Continue reading

With Government Missing, Here’s How CNI Firms Can Tackle Cyber Risk

by Bharat Mistry

The government is failing to address the cyber challenge facing the UK’s critical infrastructure (CNI) providers urgently enough, a new parliamentary report has claimed. In many ways the challenges facing CNI firms are broadly the same as for other organisations, just that the impact of successful attacks could go way beyond data loss and damaged brand reputation to devastating disruption of daily life and potentially even physical harm to citizens.

The good news is that, in lieu of government action, there are many things that organisations in the sector can do to mitigate risk and improve cyber resilience. They just need to remember to layer up security at all levels of the IT infrastructure, from DevOps up. Continue reading