That was then, this is now… Modernizing AppSec in fast-moving development environments

You are the weakest link. Hello.

91 percent of organizations experienced at least one security incident in the software supply chain in 2023. The other 9% are probably lucky: the average organization has nine high, critical or apocalyptic risks within their supply chain.

The crux of the problem: companies that are not rooted in software development are building, developing and delivering software, often without a concept for securing it. When you factor in accelerated release cycles and a move to the cloud, it is easy to understand why a key finding of this year’s Data Breach Investigations Report was a 180% increase in vulnerability exploitation as a critical breach action.

The call is coming from inside the house.

Move fast, break things

AppSec teams are in the eye of a software-defined storm. Code as everything—infrastructure, compliance, security, AI—is the new normal. The lines between developer and security professional are blurring and merging. At the same time, software release cycles have accelerated beyond the point where traditional security tools and approaches can keep up. Gating releases on a design review no longer works, because some organizations release multiple times a day.

When it comes to penetration testing, short release cycles and multiple rapid iterations increase the likelihood of introducing vulnerabilities, and keeping track of them and keeping up becomes a huge challenge. Add to that the increasing reliance on open source code and cloud-native technologies, and the risk surface becomes even larger.

Hello weakness, my old friend

Like their cybersecurity peers before them, AppSec teams are finding that traditional approaches and tools cannot keep up with the new realities. Despite advances in tools and intelligence, OX Security analysts’ examination of more than a hundred million supply chain security alerts from tens of thousands of repositories, applications, and organizations found that the three most prevalent software supply chain vulnerabilities have been the same for years:

  • Command injection (15.4% of applications)
  • Sensitive data in log files (12.4% of applications)
  • Cross-site scripting (XSS – 11.4% of applications)

Although they are widely known, threats like XSS are constantly introduced during the development process. This is not due to malicious intent or negligence, but rather to the fact that managing security in the accelerated development environment just described is difficult. Modern web applications are often complex and contain many interconnected components and dependencies. The likelihood of vulnerabilities slipping through the cracks or being introduced through reused or third-party code is high. And when your AppSec team has more than 100,000 alerts to work through, the situation becomes overwhelming pretty quickly.

Turn the volume up

The average team today monitors 129 applications and over 119,000 alerts. The sheer volume of alerts generated, coupled with an ever-growing catalog of vulnerabilities, results in a security debt that threatens to overwhelm AppSec teams. At the same time, the gap between vulnerability disclosure and exploitation is shrinking, while the time to fix 50% of critical vulnerabilities once a patch is available is 55 days.

Without alignment between vulnerabilities found in the wild and the focus of AppSec teams, organizations will continue to struggle with supply chain vulnerabilities. With accelerated SDLCs making timelines so short, there is no effective way to do this manually. Automation goes a long way in terms of consolidation, deduplication, and contextual analysis, but as vulnerabilities continue to be pushed into live applications, prevention is at least as important as detection. It’s time for AppSec teams to think like an attacker…

Something has to happen

Understanding the nature of weaknesses and vulnerabilities is critical for AppSec teams looking to develop a proactive security approach. Organizations that can think like an attacker and understand the root causes of vulnerabilities can minimize risk and reduce the attack surface. The balance between agile software development and proactive security has shifted toward a playbook that includes automation, integration, risk management, and new frameworks.

In our last post, we looked at how a new approach – Application Security Posture Management (ASPM) – is having a transformative impact, adding the contextual component that was missing from siloed, traditional AppSec and DevOps processes. The next step: a unified framework for describing and understanding software supply chain attacks.

An OSC&R award-winning framework

Based on real observations in the wild, the MITRE ATT&CK framework gave cybersecurity teams a common language and model to describe and understand attacker tactics and techniques. Inspired by this success, OX collaborated with other experts from GitLab, Google, and Microsoft to develop an ATT&CK-like open framework and model for understanding the entire software supply chain. The result: the Open Software Supply Chain Attack Reference (OSC&R) framework.

Like the MITRE approach, OSC&R creates a common language for discussing and analyzing the tactics, techniques, and procedures malicious actors use to attack the software supply chain. The framework takes tools to the next level, contextualizes risk, and helps both AppSec and AppDev teams keep up with the latest attack trends.

OSC&R takes an attacker-centric view with phases and TTPs (tactics, techniques and procedures) tailored specifically to software supply chains, enabling AppSec teams to think differently about their environment. By understanding how attackers view and attack the supply chain attack surface – and by using a common language to describe threats – AppSec, DevOps and security teams can align more effectively to mitigate risks at each stage of the SDLC and prevent them from occurring in the first place.

The new AppSec Playbook

As we’ve seen throughout this series, traditional approaches to AppSec no longer work. Software supply chains have become an ever-expanding attack surface. Given the sheer volume of alerts and vulnerabilities, detection alone is not enough – it’s time to address risks at every step of the SDLC.

Those seeking to understand what the future of AppSec might look like can learn a lot from our security past. The tools, frameworks, and solutions developed to meet evolving cybersecurity needs provide a useful lens through which AppSec defenders can view the challenges they face today. As with our cybersecurity counterparts in the past, an ever-growing number of vulnerabilities and alerts has spurred the development of new frameworks and approaches for insight and mitigation.

Want to learn more about the OSC&R framework? Download the report here.

The post “That was then, this is now… Modernizing AppSec in fast-moving development environments” first appeared on OX Security.

*** This is an OX Security blog syndicated by the Security Bloggers Network, written by OX Security. Read the original post at: https://www.ox.security/that-was-then-this-is-now-modernizing-appsec-in-fast-paced-development-environments/
