Automation is the Only Answer to Vulnerability Hypergrowth

Software represents one of the largest security risks to an organization’s day-to-day operations. It is ironic that the plethora of applications streamlining productivity may be the same lines of code that allow attackers to walk through the front door. This scenario is becoming more evident across organizations as exploited weaknesses rise year after year. The thorny answer to bloated and weakened SecOps is more technology. However, security automation must be implemented on a solid foundation.

The Non-Stop March of Software Flaws

Each of the last five years has seen the highest-ever recorded number of software flaws. From zero-day exploits to well-publicized attack chains that remain entirely unpatched, the threat facing organizations remains as strong as ever, despite the growing number of cybersecurity jobs and corresponding increases in budgets and spending. In 2021, over 25,000 software products were affected by at least one major vulnerability, an increase of 900 vulnerable pieces of software over the year before. The attack trends remain the same, too, showing a severe and widespread lack of efficient security strategy. The most common approach to vulnerability exploitation continues to be via the network: so far this year, around 69% of vulnerabilities were exploitable in this manner, up from 66% in 2021.

The data also confirms that software vulnerabilities are usually fully remotely exploitable, with no help required from inside employees. This is a major headache for threat tracking and logging, as attackers will often hide under the guise of, or mimic the actions of, a legitimate user account. However, gaining access is not always entirely independent. In a third of vulnerability exploits, success required action by an insider to grant the attacker illicit access; one example is a system administrator installing a piece of auxiliary software. This spreads the vulnerability landscape over ever-broader patterns of attack, placing increasing pressure on security professionals and DevOps alike.

The biggest kick in the teeth in 2021’s data is attack complexity. In 2021, 94% of attacks were gauged “low complexity”, meaning an attack that is easily replicated. This is up from 88% in 2020.

The reality is that attackers are becoming increasingly aggressive, funded in part by the soaring number of successful attacks. Part of this cybercriminal success comes from the growing awareness of supply chain attacks. Now, with only one successful hit, ransomware groups can extort ridiculous sums thanks to the precarious position that software providers remain in. In July 2021, REvil demonstrated this when they executed the largest-ever ransomware attack on B2B software provider Kaseya. With a demand of $70 million, the criminals gained entry to a number of Kaseya’s customers via a zero-day vulnerability in the software. This flaw gave them access to Kaseya’s VSA servers, from which they deployed the ransomware across a number of Kaseya-dependent managed service providers (MSPs). Though REvil hit fewer than 60 of Kaseya’s clients directly, the total number of affected organizations was estimated at between 800 and 1,500.

The Power of Automation in DevSecOps

The attack surface continues to expand, with increasing opportunities for attackers to pull off massive attacks, amplified by the very infrastructure of today’s tech stacks. The industry-wide response to this has been the adoption of DevSecOps: the creation and maintenance of a more secure environment throughout a software’s lifecycle. The shift-left approach ingrains security from the ground up, reducing the chances of serious bugs surviving until release day. Testing and iteration are integrated throughout. Here are the steps taken by DevSecOps, and why they matter.

Agile application development has seen the rise of continuous integration and continuous deployment, or CI/CD. The CI/CD pipeline itself is a major target for compromise and abuse. Developers have access to proprietary code, databases, credentials, and production environments. Each of these represents a major payday for attackers; from illicit personal data sold on the dark web to flaw-based extortion, the stakes are high for attackers and security teams alike.

First, the DevSecOps team focuses on build and deployment pipelines that are adequately mapped, so that the security risks at each step are fully understood. Threat modeling exercises are key to this, as they allow identification of each weak link in the chain. Every connection to the CI/CD pipeline must be examined closely.

Following a minimum-privilege approach, access control lists need to be kept lean and clean. Regular audits are necessary to maintain this, as old machines and redundant service accounts represent one of the worst risks if left unchecked. Strong authentication is a must for all current users, making regular password rotation and multi-factor authentication a necessity.
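The two steps above (map what each connection to the pipeline actually needs, then audit identities against that map) can be turned into a repeatable check. The script below is an added example, not code from the article or any vendor: it runs over a constructed inventory of CI/CD identities and reports stale accounts, grants that exceed what the identity’s role needs, and human users without MFA. The role names, the per-role minimum permissions in `REQUIRED_GRANTS`, the 90-day staleness window and the sample accounts are all assumptions made for the illustration.

```python
"""Least-privilege and stale-account audit for CI/CD identities.

Added example, not code from the article. The inventory layout, the role
names, the per-role minimum permissions and the 90-day staleness window
are assumptions made for this illustration.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Tuple

# Output of a threat-modelling pass: the minimum each pipeline role needs.
# (Assumed values; a real map comes from your own pipeline diagram.)
REQUIRED_GRANTS = {
    "developer": {"source:write"},
    "ci-runner": {"source:read", "artifacts:write"},
    "deployer": {"artifacts:read", "prod:deploy"},
}
STALE_AFTER = timedelta(days=90)   # assumed audit threshold


@dataclass(frozen=True)
class Principal:
    name: str
    kind: str              # "human" or "service"
    role: str              # key into REQUIRED_GRANTS
    mfa: bool
    last_used: date
    grants: frozenset      # permissions actually assigned


Finding = Tuple[str, str, str]   # (principal, finding type, detail)


def audit(principals: List[Principal], today: date) -> List[Finding]:
    """Return one finding per problem; an empty list means the inventory is clean."""
    findings: List[Finding] = []
    for p in principals:
        # Redundant identities: unused for longer than the threshold.
        if today - p.last_used > STALE_AFTER:
            findings.append((p.name, "stale", f"last used {p.last_used.isoformat()}"))
        # Least privilege: anything beyond what the role's connection needs.
        excess = p.grants - REQUIRED_GRANTS.get(p.role, set())
        if excess:
            findings.append((p.name, "excess-privilege", ",".join(sorted(excess))))
        # Strong authentication for every current human user.
        if p.kind == "human" and not p.mfa:
            findings.append((p.name, "no-mfa", "human account without MFA"))
    return findings


def sample_inventory(today: date) -> List[Principal]:
    """Constructed inventory for the example (not real accounts)."""
    return [
        Principal("alice", "human", "developer", True, today - timedelta(days=3),
                  frozenset({"source:write"})),
        Principal("bob", "human", "developer", False, today - timedelta(days=10),
                  frozenset({"source:write", "prod:deploy"})),
        Principal("old-build-box", "service", "ci-runner", False,
                  today - timedelta(days=200),
                  frozenset({"source:read", "artifacts:write", "prod:deploy"})),
        Principal("deploy-bot", "service", "deployer", False,
                  today - timedelta(days=1),
                  frozenset({"artifacts:read", "prod:deploy"})),
    ]


if __name__ == "__main__":
    today = date(2022, 9, 1)   # fixed date so the run is reproducible
    for name, kind, detail in audit(sample_inventory(today), today):
        print(f"{name:15} {kind:17} {detail}")
```

Run as-is, the audit reports nothing for `alice` and `deploy-bot`, flags `bob` for an unneeded `prod:deploy` grant and missing MFA, and flags `old-build-box` both as stale and as over-privileged. The point of keeping `REQUIRED_GRANTS` separate from the inventory is that the threat model, not the current ACL, defines what “lean” means.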

Development demands a code repository; unfortunately, many businesses choose to self-host one, which carries a major risk of misconfiguration. Nissan’s North American team recently discovered that this is true even for established, mature organizations, when their source code was accessed and leaked. A hosted service needs to secure access to the repository.

The path toward complete security is iterative. The quantity, speed and demands of testing mean that today’s DevSecOps requires automation; manual processes are simply too slow. Forward-thinking, comprehensive security solutions now analyze how watertight each step of production is, alongside delivering clear and understandable insights.

Managing Vulnerabilities that Reach Production

Mature DevSecOps recognizes that patching is a constant process. Flaws may be minimizable, but vulnerabilities are often not found by end users until it’s too late. Every organization can guarantee its own security via a comprehensive security stack, one component of which continues to be particularly promising: Runtime Application Self-Protection (RASP). RASP wraps around an app, offering a targeted defense mechanism. The app’s inputs, outputs and internal behaviors are automatically monitored and adaptively analyzed. This contextual analysis allows for virtual patching, as novel attacks can be recognized before the attacker gains full control. Alongside recognition, a blossoming attack can be stopped in its tracks, as RASP automatically alerts the team and shuts down the anomalous behavior.
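To make the RASP mechanism concrete, here is an added example (not code from the article or from any RASP product) of an in-process guard wrapped around a database call. It sees the untrusted inputs the application received and the SQL the app is about to run, compares the query’s lexical structure with what that structure would be if the input were an inert literal, and, when the input has changed the structure, records an alert and blocks the call. That is the “virtual patch”: the legacy handler, which builds SQL by concatenation, is left unchanged. The `RaspGuard` class, the `sql_shape` tokeniser and the sample in-memory app are all invented for this illustration.

```python
"""RASP-style in-process guard for database calls.

Added example, not code from the article or any RASP product. All names,
the SQL tokeniser and the sample application are invented for illustration.
"""
from dataclasses import dataclass, field
from functools import wraps
from typing import List, Optional, Set
import re
import sqlite3

# Tokeniser for a small SQL subset: string literal, line comment, number,
# word (keyword or identifier), or a single punctuation character.
_TOKEN = re.compile(r"'(?:[^']|'')*'|--[^\n]*|\d+|\w+|\S")


def sql_shape(sql: str) -> List[str]:
    """Reduce a query to the sequence of token kinds, i.e. its structure."""
    kinds = []
    for tok in _TOKEN.findall(sql):
        if tok.startswith("'"):
            kinds.append("str")
        elif tok.startswith("--"):
            kinds.append("comment")
        elif tok.isdigit():
            kinds.append("num")
        elif tok[0].isalnum() or tok[0] == "_":
            kinds.append("word")
        else:
            kinds.append("punct:" + tok)
    return kinds


class BlockedRequest(Exception):
    """Raised when the guard stops an anomalous call."""


@dataclass
class Alert:
    function: str
    untrusted_input: str
    detail: str


@dataclass
class RaspGuard:
    # In a real deployment both sets would be scoped per request; a single
    # process-wide set is enough to show the mechanism.
    untrusted: Set[str] = field(default_factory=set)
    alerts: List[Alert] = field(default_factory=list)

    def mark_untrusted(self, value: str) -> str:
        """Record a value that arrived from outside (request parameter, header)."""
        self.untrusted.add(value)
        return value

    @staticmethod
    def _inert(value: str) -> str:
        # A benign stand-in of the same token class as the input.
        return "0" if value.isdigit() else "x"

    def structure_changed(self, sql: str) -> Optional[str]:
        """Return the untrusted input that altered the query's structure, if any."""
        for value in self.untrusted:
            if not value or value not in sql:
                continue
            baseline = sql.replace(value, self._inert(value))
            if sql_shape(sql) != sql_shape(baseline):
                return value
        return None

    def protect_query(self, func):
        """Decorator: inspect the SQL passed to `func` before it runs."""
        @wraps(func)
        def guarded(conn, sql, *args, **kwargs):
            culprit = self.structure_changed(sql)
            if culprit is not None:
                self.alerts.append(Alert(func.__name__, culprit,
                                         "untrusted input changed SQL structure"))
                raise BlockedRequest(f"{func.__name__} blocked: structural injection")
            return func(conn, sql, *args, **kwargs)
        return guarded


# --- Sample legacy application (constructed for this example) -------------
guard = RaspGuard()


@guard.protect_query
def run_query(conn, sql):
    return conn.execute(sql).fetchall()


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user")])
    return conn


def lookup_user(conn, name: str):
    """Legacy handler that builds SQL by concatenation; the guard, not the
    handler, is what stops a malformed name from altering the query."""
    name = guard.mark_untrusted(name)
    return run_query(conn, "SELECT name, role FROM users WHERE name = '" + name + "'")


def handle_request(conn, name: str):
    """Request entry point: ('ok', rows) or ('blocked', the recorded alert)."""
    try:
        return "ok", lookup_user(conn, name)
    except BlockedRequest:
        return "blocked", guard.alerts[-1]


if __name__ == "__main__":
    conn = make_db()
    print(handle_request(conn, "alice"))
    print(handle_request(conn, "' OR 1=1 --"))
```

A normal lookup passes because replacing the name with `x` leaves the token sequence identical; an input containing quote characters, operators or a comment marker changes the sequence and is blocked before the database sees it. The check is contextual in the sense the article describes: the guard does not match signatures, it compares what the query looks like with and without the influence of each untrusted value. The same comparison would also block a legitimate name containing an apostrophe, which with this concatenating handler would have been a SQL error anyway; fixing the handler to use bound parameters remains the real patch.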