Chief Information Officers (CIOs) rank security as the No. 1 challenge in all IT organizations. And, 82% of them say their own software supply chains are vulnerable.
Therefore, as security threats continue to evolve and become more sophisticated, developers have been called upon to work closely with security teams to build a layer of security from the ground up and ensure measures are taken throughout the development life cycle.
As a result of this and other factors, cybersecurity has become an increasingly costly issue. In a recent report, McKinsey predicted that damage from cyberattacks will reach approximately $10.5 trillion annually by 2025, a 300% increase from 2015.
At the same time, governments around the world have taken note of the risks to the software supply chain. In the US, the Cybersecurity and Infrastructure Security Agency (CISA) has published a list of cyber performance targets designed to protect critical infrastructure across the country. For now, these guidelines are voluntary, but there are indications that they could serve as the basis for federal regulations.
That’s a positive sign, but as it stands, there’s one group that’s increasingly strengthening the first lines of defense in the data security battle: Developers.
Four Pillars for Software Supply Chain Assurance
Security teams are tasked with doing whatever it takes to protect their organization’s data, but with the increasing number and variety of attacks on the software supply chain, that is a tall order. Enforcing policies across a wide variety of functions is a growing concern, and security teams are also tasked with implementing compliance and best practices.
The result in many organizations was overstretched teams and a “trickle-down” effect on development teams who were inevitably called upon to fix and strengthen the myriad supply chain issues that were often downplayed.
The harsh reality is that most organizations do not have an engineer or leader whose sole focus is DevSecOps. With this being the case, it is becoming increasingly common for security and development teams to work together and “bake” security into their applications and operations from the ground up.
As developers now play a more vital role in the fight for data security, there are four pillars to keep in mind when it comes to software supply chain security:
Giving increased focus to software packages
At the most basic level, software packages are units of code that are joined together to form an application. A common strategy among today’s malicious actors is to compromise packages that contain more than just source code — there may be sensitive keys, configurations, or other elements that could make an organization vulnerable.
As a line of defense, developers need both the tools and knowledge to uncover issues within packages that are not visible in source code alone to gain a full understanding of the impact of potential exploits.
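The kind of check this pillar calls for, as an added example that is not from the article or from any JFrog product: a small scanner that opens a built package archive and looks at every shipped file, not just the source, for credential-like file names and secret-looking strings. The archive contents, file names and the `examplelib`-style values are constructed for the demonstration; the AWS access key is Amazon's documented example key, not a live credential.

```python
"""Inspect a built package archive for files and strings that should never ship.

Added example (not from the original article). The sample package below is
constructed: one legitimate source file plus files that leak configuration,
a private key and a hard-coded cloud credential.
"""
import io
import re
import tarfile

# Constructed sample package contents (path -> bytes).
SAMPLE_FILES = {
    "pkg-1.0/setup.py": b"from setuptools import setup\nsetup(name='pkg')\n",
    "pkg-1.0/pkg/__init__.py": b"def hello():\n    return 'hi'\n",
    "pkg-1.0/pkg/.env": b"DB_PASSWORD=hunter2\n",
    "pkg-1.0/pkg/deploy_key.pem": (
        b"-----BEGIN RSA PRIVATE KEY-----\nMIIE...\n-----END RSA PRIVATE KEY-----\n"
    ),
    # Amazon's published example access key id, used here as a constructed value.
    "pkg-1.0/pkg/config.py": b"AWS_KEY = 'AKIAIOSFODNN7EXAMPLE'\n",
}

# File names that indicate configuration or key material rather than code.
SENSITIVE_NAMES = re.compile(r"(^|/)(\.env|.*\.pem|.*\.key|id_rsa|.*\.p12|.*\.pfx)$")

# Content patterns for common secret shapes (byte regexes: members are read raw).
SECRET_PATTERNS = {
    "private_key": re.compile(rb"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
    "aws_access_key": re.compile(rb"\bAKIA[0-9A-Z]{16}\b"),
    "password_assignment": re.compile(rb"(?i)(password|passwd|secret)\s*[=:]\s*\S+"),
}


def build_sample_archive(files=SAMPLE_FILES) -> bytes:
    """Pack the constructed files into an in-memory .tar.gz, like a sdist."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def scan_archive(archive_bytes: bytes, max_member_size: int = 1_000_000) -> list:
    """Return (member_name, finding) pairs for every suspicious member.

    Members are read in memory via extractfile(), never extracted to disk, so
    hostile paths in the archive cannot write outside a target directory.
    Oversized members are reported and skipped instead of being loaded.
    """
    findings = []
    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r:*") as tar:
        for member in tar.getmembers():
            if not member.isfile():
                continue
            if SENSITIVE_NAMES.search(member.name):
                findings.append((member.name, "sensitive_filename"))
            if member.size > max_member_size:
                findings.append((member.name, "oversized_member_skipped"))
                continue
            data = tar.extractfile(member).read()
            for label, pattern in SECRET_PATTERNS.items():
                if pattern.search(data):
                    findings.append((member.name, label))
    return sorted(findings)


if __name__ == "__main__":
    for name, finding in scan_archive(build_sample_archive()):
        print(f"{finding:24} {name}")
```

Running it against the constructed archive flags `.env` (by name and by its password assignment), `deploy_key.pem` (by name and by the PEM header) and `config.py` (by the access-key pattern), while the two genuine source files pass. In a real pipeline the same check would run on the artifact that is actually published, because that is what a consumer receives, and a hit on key material or a credential pattern should block the release until the secret is rotated.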
Understanding the framework within which the software operates
Beyond software packages, developers need to know and understand the context in which the software operates to best protect it. Specifically, they must identify OSS library misuse, insecure service usage, exposed secrets, and infrastructure-as-code (IaC) configuration issues. They must then determine the applicability and exploitability of the most serious vulnerabilities in their applications.
Common vulnerabilities and exposures (CVEs) may or may not be exploitable depending on an application’s configurations, use of authentication mechanisms, and exposure of keys. Developers, in conjunction with security teams, must verify whether the libraries, services, daemons, and IaC they rely on are being misused or misconfigured across a software supply chain, including on-premises, in the cloud, and at the edge.
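One concrete form of the applicability question raised above, as an added example that is not from the article or from any vendor's scanner: a dependency advisory names the functions that are affected, and a static pass over the application's own code checks whether any of them is actually called. The package name `examplelib`, the function `parse_untrusted`, the advisory id and both application snippets are constructed for the demonstration.

```python
"""Decide whether a dependency advisory applies to an application by locating
call sites of the affected functions in the application's own source.

Added example (not from the original article). The advisory and both
application snippets are constructed; no real package or CVE is described.
"""
import ast

# Constructed advisory: which package and which of its functions are affected.
CONSTRUCTED_ADVISORY = {
    "id": "ADVISORY-PLACEHOLDER-0001",
    "package": "examplelib",
    "vulnerable_functions": {"parse_untrusted"},
}

# Constructed application that depends on the package but only uses a safe API.
APP_USES_SAFE_API = """
import examplelib

def handle(data):
    return examplelib.parse_trusted(data)
"""

# Constructed application that reaches the affected function via two import styles.
APP_USES_VULNERABLE_API = """
from examplelib import parse_untrusted as parse
import examplelib as el

def handle(data):
    first = parse(data)
    return el.parse_untrusted(first)
"""


def find_vulnerable_calls(source: str, advisory: dict) -> list:
    """Return sorted (line, function) pairs where an affected function is called.

    Resolves both `import pkg [as x]` followed by `x.func(...)` and
    `from pkg import func [as y]` followed by `y(...)`.
    """
    tree = ast.parse(source)
    pkg = advisory["package"]
    affected = advisory["vulnerable_functions"]

    module_aliases = set()  # local names bound to the package module itself
    func_aliases = {}       # local name -> affected function it refers to
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            for alias in node.names:
                if alias.name == pkg:
                    module_aliases.add(alias.asname or alias.name)
        elif isinstance(node, ast.ImportFrom) and node.module == pkg:
            for alias in node.names:
                if alias.name in affected:
                    func_aliases[alias.asname or alias.name] = alias.name

    hits = []
    for node in ast.walk(tree):
        if not isinstance(node, ast.Call):
            continue
        fn = node.func
        if isinstance(fn, ast.Name) and fn.id in func_aliases:
            hits.append((node.lineno, func_aliases[fn.id]))
        elif (isinstance(fn, ast.Attribute) and isinstance(fn.value, ast.Name)
              and fn.value.id in module_aliases and fn.attr in affected):
            hits.append((node.lineno, fn.attr))
    return sorted(hits)


def assess(source: str, advisory: dict) -> dict:
    """Summarize applicability: the advisory is applicable only if a call site exists."""
    hits = find_vulnerable_calls(source, advisory)
    return {"advisory": advisory["id"], "applicable": bool(hits), "call_sites": hits}


if __name__ == "__main__":
    print(assess(APP_USES_SAFE_API, CONSTRUCTED_ADVISORY))
    print(assess(APP_USES_VULNERABLE_API, CONSTRUCTED_ADVISORY))
```

For the first snippet the advisory is reported as not applicable even though the package is installed; for the second it is applicable with two call sites. The check is deliberately conservative in one direction only: a found call site is strong evidence, but an empty result does not prove safety, since `from pkg import *`, `getattr`-style dispatch, and calls made inside other dependencies are outside what this pass sees, so a "not applicable" verdict should be recorded with that reasoning rather than used to silence the finding permanently.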
Ensuring every process and tool incorporates security
Ideally, development teams should manage all artifacts and repositories in one place, creating a single source of truth for an organization. When development teams are in control of their entire portfolio, security is a natural and smooth process from the start — the single source of truth becomes a single source of trust.
When properly managed, every DevOps process and tool requires and incorporates security. The idea is to unify, accelerate and secure the delivery of software from development to deployment. Security teams define strategies and policies, while development teams debug and manage code bases. Packages, infrastructure, integrations, releases, and flows must be addressed to enable a workflow that works for core DevOps teams, not just security and developer teams.
Discover vulnerabilities before they are exploited
Most organizations should work with third-party analysts or open source communities with advanced research expertise to help discover vulnerabilities before they are exploited. This gives businesses the opportunity to quickly respond to new attacks as they become prevalent in the industry, which in turn enables them to quickly update databases with contextual analysis that mimics the work of researchers.
Applying security throughout the development process allows developers to grow. Developing the strategies above means they don’t spend all day solving security issues they don’t understand, while giving them easier and faster ways to patch vulnerabilities and know they’re fully patching them.
There is no debate that security is a real and vital concern, but the winners are the ones who make it a priority throughout the software supply chain. This in turn allows their developers to innovate and move the business forward.
Nati Davidi is vice president of security at JFrog.