That was then, this is now… Modernizing AppSec in Fast-Paced Development Environments

You are the weakest link. Hello. 

Ninety-one percent of organizations experienced at least one software supply chain security incident in 2023. Chances are the other 9% are riding their luck: the average organization has nine high, critical or apocalyptic risks within its supply chain.

At the heart of the problem: companies that aren’t rooted in software development are building, developing and shipping software, often with little concept of how to secure it. Bake in accelerated release cycles and output that goes straight to the cloud, and it’s easy to understand why a key finding of this year’s Data Breach Investigations Report was a 180% increase in the exploitation of vulnerabilities as the critical path action to initiate a breach.

The call is coming from inside the house. 

Move fast, break things

AppSec teams are in the eye of a software-defined storm. Code as everything – infrastructure, compliance, security, AI – is the new normal. The lines between developer and security pro are blurring and converging. At the same time, software release cycles have accelerated past the point where traditional security tools and approaches can keep pace. Release gates in ops and design review aren’t working, because some organizations are releasing multiple times a day.

As for pen testing… short release cycles and multiple, rapid iterations make it more likely that vulnerabilities will be introduced, and keeping track and keeping up are becoming a massive challenge. Add increased reliance on open-source code and cloud-native technologies, and the risk surface expands even more.

Hello weakness, my old friend

Like their colleagues in cybersecurity before them, AppSec teams are finding that traditional approaches and tools can’t keep pace with the new realities. Despite advances in tools and information, research by OX Security analysts into more than one hundred million supply chain security alerts from tens of thousands of repositories, applications and organizations found that the three most prevalent software supply chain vulnerabilities have all been around for years:

  • Command injection (15.4% of applications)
  • Sensitive data in log files (12.4% of applications)
  • Cross-site scripting (XSS; 11.4% of applications)

Despite widespread awareness of them, threats like XSS are being introduced during the development process all the time. This isn’t due to malice or oversight; it’s due to the fact that managing security in the accelerated development environment we’ve just described is tricky. Modern web applications are often complex, with many interconnected components and dependencies, so the likelihood of vulnerabilities slipping through the cracks or being introduced through recycled or third-party code is high. And if your AppSec team is wading through 100,000+ alerts, things get overwhelming pretty quickly.

Pump up the volume

The average team now monitors 129 applications and over 119,000 alerts. The sheer volume of alerts being generated, coupled with an ever-expanding catalog of vulnerabilities, is creating a level of security debt that is in danger of overwhelming AppSec teams. Meanwhile, the gap between disclosure of a vulnerability and its exploitation continues to shrink, while the time it takes to remediate 50% of critical vulnerabilities once a patch becomes available is 55 days.

Without alignment between the vulnerabilities being exploited in the wild and the focus of AppSec teams, organizations will continue to struggle with supply chain vulnerability. Because accelerated SDLCs make timeframes so short, there is no effective way to achieve that alignment manually. Automation goes a long way towards consolidation, deduplication and contextual analysis, but as vulnerabilities continue to be passed into live applications, prevention is at least as important as detection. It’s time for AppSec teams to think like an attacker…

Something’s gotta give

Understanding the nature of weakness and vulnerability is crucial for AppSec teams looking to develop a proactive security approach. Organizations that can think like an attacker and understand the root causes of vulnerabilities can minimize the risks and reduce the attack surface. Balancing agile software development with proactive security has shifted towards a playbook that includes automation, integration, risk management and new frameworks.

In our last post, we looked at how a new approach – Application Security Posture Management (ASPM) – is having a transformational impact, adding the contextual component that was missing from siloed, traditional AppSec and DevOps processes. The next step: a unified framework for describing and understanding attacks on the software supply chain.

An OSC&R-winning framework

Based on real-world, in-the-wild observations, the MITRE ATT&CK framework gave cybersecurity teams a common language and model for describing and understanding attacker tactics and techniques. Inspired by its success, OX collaborated with other experts from GitLab, Google and Microsoft to develop an ATT&CK-like open framework and model covering the entire software supply chain. The result: the Open Software Supply Chain Attack Reference (OSC&R) framework.

Like the MITRE approach, OSC&R creates a common language for discussing and analyzing the tactics, techniques and procedures malicious actors use to target the software supply chain. The framework takes existing tools to the next level, contextualizing risk and helping both AppSec and AppDev teams keep up with the latest attack trends.

OSC&R takes an attacker-centric view, with phases and TTPs (tactics, techniques and procedures) specific to software supply chains, giving AppSec teams a new way of thinking about their environment. By understanding how attackers view and target the attack surface of the supply chain, and by using a common language to describe threats, AppSec, DevOps and security teams can align more effectively to mitigate risk at every stage of the SDLC, and avoid introducing it in the first place.

The new AppSec playbook

As we’ve seen over the course of this series, traditional approaches to AppSec no longer work. Software supply chains have become an ever-expanding attack surface. With the sheer volume of alerts and vulnerabilities, detection alone is not enough; it’s time to address risk at every step of the SDLC.

For anyone charged with understanding what the future of AppSec could look like, there’s a lot to learn from our security past. The tools, frameworks and solutions that evolved to address changing cybersecurity needs provide a useful lens through which AppSec defenders can view the challenges they face today. Just as it did for our cybersecurity colleagues in the past, an ever-expanding volume of vulnerabilities and alerts is driving the evolution of new frameworks and approaches for insight and mitigation.

Want to learn more about the OSC&R framework? Download the report here.
