The battle for data security now falls on developers; here’s how they can win

Chief information officers (CIOs) rank security as the No. 1 challenge across IT organizations. And, 82% of them say their own software supply chains are vulnerable.

Therefore, as security threats continue to evolve and become more sophisticated, developers have been tapped to work closely with security teams to bake a layer of security in from the ground up and ensure measures are taken throughout the development lifecycle.

As a result of this and other factors, cybersecurity has become an increasingly costly issue. In a recent report, McKinsey predicted that damage from cyberattacks will amount to roughly $10.5 trillion annually by 2025, a 300% increase from 2015.

At the same time, governments around the world have taken note of risks to the software supply chain. In the U.S., the Cybersecurity and Infrastructure Security Agency (CISA) has released a list of cyber performance goals designed to protect critical infrastructure across the country. For now, these guidelines are voluntary, but there are signs that they could serve as a foundation for federal regulations.

This is a positive sign, but as it stands, there is one group increasingly bolstering the front lines of defense in the battle for data security: Developers.

Four pillars for securing the software supply chain

Security teams are charged with doing whatever it takes to secure their organization’s data, but with the increasing numbers and methods of software supply chain attacks, it’s becoming a tough ask. Enforcing policies across a wide variety of operations is a growing concern, and security teams are also tasked with implementing compliance and best practices.

The result in many organizations has been overstretched teams and a “downhill” effect on development teams inevitably called in to fix and fortify against the myriad of oft-deprioritized supply chain issues.

The hard reality is that most organizations don’t have an engineer or leader whose sole focus is DevSecOps. With this the case, it’s becoming increasingly common for security and development teams to work together and “bake” security into their applications and operations from the very beginning.

As developers now play a more vital role in the fight for data security, there are four pillars for them to keep in mind when it comes to securing the software supply chain:

Placing an increased focus on software packages

On the most basic level, software packages are modules of code pieced together to form an application. A common strategy among today’s malicious actors is to attack compromised packages that contain more than just source code — there could be sensitive keys, configurations or other components that could make an organization vulnerable.

As a line of defense, developers need both the tools and knowledge to reveal issues within packages that aren’t visible in the source code alone to obtain a full understanding of the impact of potential exploits.

Understanding the context within which software operates

Beyond software packages, developers need to know and understand the context in which software operates to best protect it. Specifically, they need to identify and recognize OSS library misuse, insecure use of services, exposed secrets and infrastructure-as-code (IaC) configuration issues. They must then identify the applicability and exploitability of the most serious vulnerabilities in their applications.

Common vulnerabilities and exposures (CVEs) may or may not be exploitable depending on an application’s configurations, use of authentication mechanisms and exposure of keys. Developers, in tandem with security teams, need to verify if the libraries, services, daemons and IaC they rely on are misused or misconfigured across a software supply chain, including on-premises, in the cloud and at the edge.

Ensuring every process and tool incorporates security

Ideally, developer teams should manage all artifacts and repositories in one place, creating a single source of truth for an organization. When development teams have control of their entire portfolio, security is a natural and smooth process from the beginning — the single source of truth becomes a single source of trust.

When managed correctly, every DevOps process and tool requires and incorporates security. The idea is to unify, accelerate and secure software delivery from developer to deployment. Security teams set strategies and policies, while development teams remediate and manage code bases. Packages, infrastructure, integrations, releases and flows must all be addressed to enable a workflow that works for core DevOps teams, not just security and developer groups.

Discovering vulnerabilities before they’re exploited

Most organizations should partner with third-party analysts or open source communities with advanced research experience to help discover vulnerabilities before they’re exploited. This gives businesses an opportunity to quickly respond to new attacks as they become prevalent in the industry, which in turn enables them to update databases rapidly with contextual analysis that mimics the work of the researchers.

Enabling innovation

Implementing security across the entire development process allows developers to, well, develop. Deploying the above strategies means they’re not spending all day fixing security issues that they don’t understand, while giving them easier and faster ways to fix vulnerabilities and know that they’re fixing them completely.

There is no debating that security is a real and vital concern, but winning organizations are those that make it a priority across the software supply chain. This in turn allows their developers to innovate and move the business forward.

Nati Davidi is SVP of security at JFrog.