Dubbed as the modern-day digital Pearl Harbor attack,
the SolarWinds breach is putting the spotlight on software development security.
This article was originally published on the Delphix website here January 25, 2020.
While 2020 is finally over, the new year could be a tougher one with cyber attacks getting more and more sophisticated. Just last month, SolarWinds, a software company that serves more than 300,000 customers—including U.S. government agencies and the vast majority of Fortune 500 companies—was breached by hackers who broke into its system and inserted malicious code into its proprietary software Orion’s network monitoring program.
While details are still unfolding, we know the patching server was hacked, and the compromised malware file was used to infect the company’s DevOps pipeline. The malware file was subsequently sent to every SolarWinds server in the next software upgrade.
Up to 18,000 of its customers downloaded the software update that contained the malicious code. While there were quite a few blunders in this saga—from password mismanagement and unsupervised updates, to failure to detect intrusion—it brings forth the importance of integrating security into the software development life cycle.
With the rapid adoption of digital technology during COVID-19, almost every company is in the business of building software and applications. It’s evident that software is eating more of the world, faster. The pandemic effectively became a catalyst for cybersecurity threats to rise exponentially as almost every organization’s digital footprint grew. Every piece of data is now a possible point of leverage or access for cybercriminals.
This incident is a reminder that technology leaders need to take a closer look at the vulnerabilities introduced at the code level and find ways to introduce security earlier in the lifecycle of application development. We share 3 ways to adopt a DevSecOps process and release secure, quality software faster in 2021.
1. Shift Security to the Left
By shifting security to the left, development, security, and operations teams can ensure that security standards are met from the start of the project without slowing down delivery. When software teams bring security forward in the SDLC, more code gets tested, security reviews are streamlined, friction is reduced among teams, and it’s more likely for the business to end up with a secure product, delivered on time because pain points and bottlenecks are identified and resolved more quickly.
Addressing any potential vulnerability after development eats up too much time and exponentially increases the risk of security concerns—which can be extremely costly and damaging to the reputation of the company.
2. Amplify Continuous Feedback
Feedback loops are a powerful way to analyze and optimize processes of software delivery. The shorter they are, the better they can reduce risk, improve quality, and ensure a better response to change. Implementing the OODA (Observe, Orient, Decide, Act) loop can create a continuous feedback loop for making all parties accountable for any security incident that may occur and easy remediation in case of an exploit such as this.
3. Automate Security, Including Your Data
Most people see security as a bottleneck that causes delays and frustration, but DevOps provides a huge opportunity for better security. Many of the practices that come with DevOps, especially automation, enable companies to integrate security as a key component of their processes. As more tests are automated, there is less risk of introducing security flaws due to human error. Tests are more efficient, and the process is consistent and predictable.
Similarly, from a data perspective, responsible data management requires organizations to implement guard rails that decrease their chances of mishandling sensitive data, including automated tools that identify and obfuscate data. Proper data masking must be done before data leaves the hands of developers because humans and systems will inevitably fail.
Lastly, automating monitoring systems for threats can also be valuable as they provide real-time alerts, where teams can then easily collaborate and allow authorized updates to flow to the right folks.
Get your “Test Data Management Checklist” to learn how to deliver production-quality data throughout the development cycle and reduce data-related defects.