As we approach the mid-year of 2024, most CISOs and CSOs have established and are currently executing their organizations' security posture priorities for the year.
While the industry made significant strides in terms of strengthening software supply chain security this past year with the introduction of federal guidelines and regulations such as those from NIST, CISA and the NSA, security teams continue to face several looming threats to their software supply chains. Rampant use of malicious code in AI/ML models, compromised open-source software, vulnerability exploitation and more continue to plague organizations.
To ensure their software supply chain is as secure as possible, there are 5 priorities that security professionals must commit to, including:
- Trust but verify your open-source code
- Be wary of AI/ML in security solutions and code development
- Don’t panic over zero days
- Integrate SBOMs as a must-have in your security strategy
- Embrace a “shift left” strategy
Trust But Verify Your Open-Source Code
One of the most pressing battles for security leaders is the menace of open-source software. Many developers naively rely on software from public open-source repositories, assuming it's free from security and compliance issues. Neglecting to thoroughly inspect the code for updates, necessary security controls, and more, puts organizations at a heightened risk for an assault on their software supply chain.
Security leaders must trust but verify developers’ open-source coding practices. Security risks are often initiated when developers download code from these public repositories. Security leaders can proactively mitigate the threat of irreparable damage to their software supply chain by ensuring that code is adequately vetted from the very start.
Be Wary of AI/ML in Security Solutions and Code Development
The rise of artificial intelligence has empowered innovation but also drew great concern around security. Oversights in software development security can unintentionally introduce malicious code into AI/ML models and create entryways for attackers to further damage an organization.
Developers may also use code generated from public AI/ML sources without knowing if the model has been compromised. If an AI/ML model is blindly trusted, this can introduce further vulnerabilities into an organization— all code from AI/ML sources must be vetted.
Don’t Panic Over Zero-Days
Cybercriminals exploited zero-day vulnerabilities at record speeds in 2023, and the evolving threat landscape shows this trend will likely continue.
When faced with a zero-day attack, security teams often panic without knowing exactly how a critical vulnerability exposure (CVE) impacts their specific software environment. While a CVE may impact a specific software library or code base that is used within their software environment, it’s entirely possible that said CVE cannot and will not be exploited within their environment because it’s not used in the specific configuration or use case in which it would cause harm. Considering the context regarding CVE assessment and designing remediation strategies is crucial.
This year, CISOs and CSOs must prioritize understanding CVEs in the full context of their software environment before taking action. Blind fixes can do more harm than good, and contextualizing CVEs provides a better path forward for safeguarding your organization and understanding what actions are truly needed.
Integrate SBOMs As a Must-Have in Your Security Strategy
The SBOM has become a critical DevSecOps tool for security leaders to wield. It provides users with a faster identification method, shortens recovery times, creates more efficient and effective code remediation, and enhances compliance in a stricter regulatory landscape.
SBOMs systematically track the components that exist within each application and the dependencies that the application requires to run, allowing security teams to see exactly the systems that have been impacted by vulnerability exploitation. Additionally, the cybersecurity regulatory landscape will continue to tighten, making SBOMs a nice-to-have and a need-to-have to ensure trusted releases with new rules.
‘Shifting Left’ Amid an Evolving Threat Landscape
Adopting these priorities can be overwhelming for security leaders, so CSOs and CISOs must adopt a ‘shift-left’ approach to security.
By building security into software development from the start, security leaders can ensure a more proactive line of defense for their software supply chains. This gives them more flexibility in the open-source or publicly developed AI/ML code they use in software development, gives them better control over the AI/ML models they are building for their organization, ensures the smallest possible likelihood of CVE exploitation, and makes SBOMs more effective.
Moving forward, the software landscape will only evolve in complexity. By utilizing a ‘shift left’ mentality to software supply chain security, CISOs and CSOs can ensure a stronger and more resilient organization that can face new security challenges head-on.