Every relationship is built on trust, whether it is between family members, between spouses, between an organization and its customers, or between citizens and their government.
At the start of this week, that trust was violated in Bulgaria. The personal data of about 5 million people was leaked from the country’s tax authority, the National Revenue Agency (NRA), in what is being described as the biggest data leak in Bulgaria’s history. The attackers obtained personal identification numbers, addresses, and even income data.
And it gets worse… The attackers sent emails to a number of Bulgarian media outlets with a link to databases containing personal information on millions of Bulgarian citizens and companies, accessed from the NRA servers. “Your government is mentally… The state of your cyber security is a parody”, the e-mail reportedly said.
The point is that, in a split second, the trust between Bulgaria’s citizens and their government was shattered. Could this have been avoided? And as an organization, how do you make sure that the trust you have built with your customers over years is not breached overnight?
First, acknowledge that “what’s making your software essential to your business is also making it more dangerous”. When software is everywhere, everything becomes an attack surface, and the exposure that creates is rarely measured. Once you understand the full scale of that risk, put a software security infrastructure in place that embeds security into every stage of your SDLC without delaying time-to-market.
So where do you start?
Developer training and an AppSec-awareness culture form the basis of a robust software security infrastructure. The people who build and test software in your organization need to share an understanding of what good security looks like and what it means for their work. Developers can’t protect against what they don’t know exists, and because the vulnerability landscape changes quickly, a one-off course is not enough; secure coding education has to be continuous.
Ongoing training, education, and awareness help developers think and act with a security mindset. Train all of your developers to a strong, consistent baseline; they are more effective when they know the latest vulnerability classes and the techniques attackers use to compromise applications. With that level of education, your developers become part of the cybersecurity talent you need rather than a source of the problems it has to fix.
Next, identify and eliminate security vulnerabilities in your code as early as possible, before it reaches production. To cover all bases, scan your code both statically during development and interactively during testing; each finds classes of flaws the other misses. Static analysis, for example, readily finds SQL injection in source, because it can trace untrusted input to a query sink without the application running, while interactive testing, which observes the running application, is better at catching deployment configuration flaws that never appear in the code.
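To make the static-analysis point concrete, here is an added example (not code from the original post or from the NRA systems it discusses) showing the pattern a SAST tool flags and its parameterized fix, run against a constructed in-memory SQLite table. The `taxpayer` table, its rows, and the lookup functions are all invented for this illustration.

```python
import sqlite3

# Constructed sample data standing in for the kind of records the text
# describes. Names, PINs and incomes are invented for this example.
SAMPLE_ROWS = [
    ("1001", "Alice Example", 41000),
    ("1002", "Bob Example", 38500),
    ("1003", "Carol Example", 52250),
]


def make_db():
    """Create an in-memory SQLite database holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE taxpayer (pin TEXT PRIMARY KEY, name TEXT, income INTEGER)"
    )
    conn.executemany("INSERT INTO taxpayer VALUES (?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def lookup_income_vulnerable(conn, pin):
    """The 'before': the caller-supplied PIN is spliced into the SQL text.

    A static analyser reports this because a tainted value (pin) flows into
    a query sink unsanitised; the application never has to run to see it.
    """
    query = f"SELECT pin, name, income FROM taxpayer WHERE pin = '{pin}'"
    return conn.execute(query).fetchall()


def lookup_income_fixed(conn, pin):
    """The 'after': a parameterised query.

    The PIN is bound as data, so the engine never parses it as SQL, and a
    payload that closes the string literal is simply a PIN that matches nothing.
    """
    return conn.execute(
        "SELECT pin, name, income FROM taxpayer WHERE pin = ?", (pin,)
    ).fetchall()


def demo():
    """Run both variants with an honest PIN and with an injection payload."""
    conn = make_db()
    honest = "1002"
    # Closes the quoted literal and appends a tautology, turning the WHERE
    # clause into  pin = '' OR '1'='1'  and dumping every row.
    payload = "' OR '1'='1"
    return {
        "honest_vulnerable": lookup_income_vulnerable(conn, honest),
        "honest_fixed": lookup_income_fixed(conn, honest),
        "payload_vulnerable": lookup_income_vulnerable(conn, payload),
        "payload_fixed": lookup_income_fixed(conn, payload),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {len(rows)} row(s)")
```

Both functions behave identically for an honest PIN, which is why the bug survives ordinary functional testing; only the payload run shows the vulnerable version returning the whole table. A taint-tracking static scan catches it from the source alone, which is exactly the case the paragraph above makes for scanning during development.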
Finally, in addition to scanning your own code, assess the security of the third-party code you ship. Today’s applications are composed largely of open source libraries, often hundreds of them, which can account for as much as 80% of the total code. Each of those components is a potential entry point for attackers, so keep a continuously updated inventory of your third-party code and the known vulnerabilities affecting it.
So while it is too late for Bulgaria’s government, it is not too late for your organization. To learn more about how your organization can release secure software at the speed of DevOps, speak with one of our experts.