The SolarWinds attack in 2020 demonstrated that even a small insertion of code can affect tens of thousands of organizations and cost millions or billions of dollars. While having an extended reach into thousands of organizations is a marker of success for a software company, it is also a factor of risk. In this instance, SolarWinds’ large reach caused a failure in thousands of networks, like a defective part in a wildly popular car. Even the US government found itself blindsided by this attack. When jobs and dollars are on the line, the resulting reputational damage can prove unrecoverable.
One of the newest weapons in combating cybercrime is the Software Bill of Materials (SBOM). This nested list of the components in a software package, similar to the list of ingredients on packaged food, is now the standard for risk mitigation and management in the software industry. SBOMs are meant to protect the end user as well as the security of the software supply chain, allowing the client to make more informed decisions about the software being implemented in their systems.
In 2021, the White House directed the National Institute of Standards and Technology (NIST) to add a requirement that an SBOM be provided for all software sold or used in the United States. The SBOM adds to the security of the software supply chain and is a critical component of Zero Trust network architecture.
While the SBOM allows for some accountability and transparency, it falls short: it does not provide the information necessary to ensure that software meets the country-of-origin requirements defined by U.S. Customs and Border Protection when they apply to U.S. government procurements. Including this additional country-of-origin information within the SBOM would enable software companies to meet regulatory requirements and increase security for their own organization and their customers.
Organizations across the world need to do more to protect against unauthorized access to their software and data. Proprietary information such as trade secrets, customer data and employees’ personal information is remotely accessible to bad actors. As recent breaches have shown, leaking or losing control of sensitive data in a cyberattack can be the end of an organization or, at a minimum, the end of the career of the person held responsible.
Zero Trust is a strategic approach to cybersecurity that can reduce risk and better secure an organization by eliminating implicit trust and continuously validating every stage of a digital interaction. Creating a chain of custody that continuously ties all developers directly back to the software that they contributed to is quickly becoming the frontline of defense in the cybersecurity arena.
Cybercrime has increased over 600% since the start of the COVID-19 pandemic, and with the shift in the workforce, many employees are continuing to work remotely. This has caused both software development managers and IT security departments to struggle to find the balance between increasing security measures to address the added threats from a remote workforce and keeping the efficiencies developers commonly expect when writing, creating and managing code and data. To meet these new challenges, organizations must equip their teams with tools that allow them to better secure their developer environments without sacrificing security or interrupting workflow.
According to research organizations such as Gartner, there are very few tools currently available to help organizations achieve these goals; however, it is a new and emerging market that technology vendors are rushing to address. New products incorporating technologies such as blockchain combined with enhanced AI insights have proven to be a perfect fit for bridging the gap between developers and security professionals. New technologies can provide continuous software security at the code level while simultaneously producing advanced performance metrics and data analytics, which can result in increased profits for a company by achieving greater efficiencies from its workforce.
Zero Trust hinges on accountability, and so too will the overall performance of an organization. Those who fail in their duties as data fiduciaries will become the vestiges of organizational inertia. Not only will they be outmatched in the market, but they will be punished in the press. Forgiveness for the victims of cyberattacks is shrinking under legislative requirements that put responsibility directly on corporate leaders. The technologies we need to protect ourselves and our customers are available, and those who choose to neglect those resources will be held increasingly accountable.
CEOs, CTOs and CISOs who develop software or safeguard data assets are realizing that code-level protection means more than just securing code: it means securing their organizational reputation and, in many cases, their own jobs.