Key implications of IT security events in 2022

As I reflect on the trio of tech industry events I’ve attended over the past few months, security stands out as a major theme at all three.

At KubeCon + CloudNativeCon (hereafter simply KubeCon), run by the Cloud Native Computing Foundation (CNCF), roughly 7,500 attendees could visit dozens of security vendor booths, and that is not even counting the security products and demos on display in the booths of the largest multi-product vendors.

Many of the keynotes and talks at KubeCon, as at All Things Open and the Linux Foundation Member Summit, touched on security at one level or another. For example, Ayse Kaya, who leads Strategic Insights & Analytics at Slim.AI, argued in her KubeCon talk that the industry needs to do a better job of prioritizing the most serious security threats “instead of being all hands on deck” for every one of them. That sentiment was expressed in various ways throughout the events.

Red Hat’s recently released 2023 Global Tech Outlook report also identified security as the top IT funding priority among the decision makers surveyed.

Several factors are at play here, both in the broader software and market landscape and in open source specifically.

The attackers are out in force

The general environment has become more threatening. Attackers are evolving.

“More and more popular packages are being attacked,” says Jossef Harush Kadouri, head of software supply chain security at Checkmarx. For example, publishing malicious packages under names that are common misspellings of popular packages, so that a developer who mistypes a dependency installs the attacker’s code, is now common enough to have its own name: typosquatting.


Brian Fox, CTO of Sonatype, noted that “attacks are increasingly targeting developers and infrastructure,” not just the open source software itself. This is a particular problem because risk is concentrated in a relatively small number of especially critical maintainers and projects. Fox stressed, however, that the problem is not so much that the software isn’t fixed, but rather that, 96 percent of the time, consumers download a vulnerable version even though a patched one is available.

Software supply chain security

Most of the code in the internal and public applications written by companies and others is open source, including all the dependencies that open source projects themselves have on other open source projects. Think of this web of dependencies as a supply chain, but one made of software rather than manufactured parts: a software supply chain, in other words.

This type of vulnerability has led to some of the most high-profile software security flaws, such as the remote code execution vulnerability in Apache’s Log4j logging library in late 2021. The US Federal Government (among others) has also sounded the alarm, publishing guidance on enhancing software supply chain security in September 2022.

Among the many security sessions at this fall’s events, the software supply chain talks were probably the most popular. With all this attention, and the many tools available to address the problem, you would think it was at least on the way to being largely solved.

It is not. At least not yet.

Consider a data point from the 2023 Global Tech Outlook report. While security was the top priority for IT funding overall, when we looked at funding priorities within security, third-party or supply chain risk management came in at the bottom, just as it did last year. Only 12 percent of survey respondents said it was a top priority. The report outlines some plausible reasons why this number may not be higher, but it is difficult to see this as an area that is receiving sufficient attention.

For another statistic, Sonatype’s Fox finds that 38 percent of Log4j downloads worldwide are still of vulnerable versions. Patched versions were made available almost immediately after the vulnerability was disclosed, but a large amount of software has still not moved to them.
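The only way to know whether your organization is part of that 38 percent is to check the Log4j versions you actually ship, not the ones you think you ship. The script below is an added example, not code from the article or from Sonatype: it reads a CycloneDX-style SBOM (the sample is constructed inline), pulls out the Log4j coordinates from each component’s package URL, and reports which ones are still on a release line that predates the fixes. The thresholds are the Apache releases that closed the December 2021 series of Log4j 2 issues: 2.17.1 for the main line, 2.12.4 for the Java 7 back-port line and 2.3.2 for the Java 6 line. Only `log4j-core` is flagged, because `log4j-api` on its own does not contain the vulnerable lookup code; Log4j 1.x is reported as end-of-life rather than “vulnerable to the 2021 bug”, since it is unmaintained and needs replacing for its own reasons.

```python
"""Audit an SBOM for Log4j components still on pre-fix release lines (added example)."""
import json
import re
from typing import Dict, Tuple

# First release on each maintained line that closed the December 2021 Log4j 2 issues.
FIXED_BY_LINE = {
    (2, 3): (2, 3, 2),     # Java 6 back-port line
    (2, 12): (2, 12, 4),   # Java 7 back-port line
}
FIXED_MAIN_LINE = (2, 17, 1)

PURL_RE = re.compile(r"^pkg:maven/(?P<group>[^/]+)/(?P<name>[^@]+)@(?P<version>[^?#]+)")

# Constructed sample SBOM for the example; a real one comes from your build tooling.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"type": "library", "group": "org.apache.logging.log4j", "name": "log4j-core",
         "version": "2.14.1", "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"},
        {"type": "library", "group": "org.apache.logging.log4j", "name": "log4j-core",
         "version": "2.17.1", "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.17.1"},
        {"type": "library", "group": "org.apache.logging.log4j", "name": "log4j-api",
         "version": "2.17.1", "purl": "pkg:maven/org.apache.logging.log4j/log4j-api@2.17.1"},
        {"type": "library", "group": "log4j", "name": "log4j",
         "version": "1.2.17", "purl": "pkg:maven/log4j/log4j@1.2.17"},
        {"type": "library", "group": "com.fasterxml.jackson.core", "name": "jackson-databind",
         "version": "2.13.4", "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.13.4"},
    ],
})


def parse_version(v: str) -> Tuple[int, ...]:
    """'2.14.1' -> (2, 14, 1); a qualifier such as '-rc1' is ignored."""
    return tuple(int(x) for x in re.findall(r"\d+", v.split("-")[0]))


def log4j_status(version: str) -> str:
    """Classify a log4j-core version as 'fixed', 'vulnerable' or 'end-of-life'."""
    ver = parse_version(version)
    if not ver or ver[0] < 2:
        return "end-of-life"       # Log4j 1.x: unmaintained, replace regardless
    threshold = FIXED_BY_LINE.get(ver[:2], FIXED_MAIN_LINE)
    return "fixed" if ver >= threshold else "vulnerable"


def audit_sbom(sbom_json: str) -> Dict[str, str]:
    """Return {purl: status} for every Log4j component found in the SBOM."""
    findings: Dict[str, str] = {}
    for comp in json.loads(sbom_json).get("components", []):
        m = PURL_RE.match(comp.get("purl", ""))
        if not m:
            continue
        group, name, version = m.group("group", "name", "version")
        if group == "org.apache.logging.log4j" and name == "log4j-core":
            findings[comp["purl"]] = log4j_status(version)
        elif group == "log4j" and name == "log4j":
            findings[comp["purl"]] = "end-of-life"
    return findings


if __name__ == "__main__":
    for purl, status in sorted(audit_sbom(SAMPLE_SBOM).items()):
        print(f"{status:12} {purl}")
```

Run it over every SBOM in your artifact store, not just the ones for recently built services: the long tail that Fox describes is made of applications nobody has rebuilt since 2021, and those are the ones an SBOM-per-build pipeline quietly skips.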

Something has to change

From my many conversations with security vendors and others at these events, it seems that, despite all the products already available, security approaches may need to be adapted at a fundamental level. After all, as Albert Einstein (maybe) once said, “the definition of insanity is doing the same thing over and over again and expecting different results.”

More automation, together with machine learning, is likely part of the answer. We are already seeing the management and control of complex distributed systems begin to be automated through AIOps.

One thing that has become clear is that leaving it up to individual developers is not the answer. Shifting tasks, checks, and fixes earlier in the development process is the right idea, but the right tooling has to be there to support it.

That tooling should, among other things, be able to track upstream dependencies and, just as importantly, what is actually deployed today in production and elsewhere. Such systems are common in manufacturing, for instance in the automotive industry, where serious supply chain issues make headlines and can cost lives. The statistics, however, suggest that IT organizations have been slow to recognize the importance of software supply chains and to apply the same rigor to managing them.

To some extent, this is understandable. The reliance on so much software from upstream open source communities (in addition to any proprietary libraries and other code) is a relatively new phenomenon, and IT organizations could be forgiven for not putting supply chains at the top of their list of concerns. However, the situation must change.

