This time of year offers everyone in Infosec the opportunity to set operational and strategic goals for the coming year. With the normal software cycle paused and developers on holiday, we can get the kind of serious work done that is only possible when everyone else isn’t around.
Our team is no exception.
Like anyone reading these words, they are either on-call or are working through strategic to-do lists.
The following is a list of what some of our customers are working on during their code freeze. We’re sharing it in the hope it helps all you CISOs and CTOs make the most of the next week or so.
With any luck, everything will stay nice and quiet, and our end-of-year holiday code freeze won’t get spoiled like it did last year with Log4shell.
Year-End Code Freeze To-Do List: (prioritized)
1. Log4j is still out there lurking. Identify where you still have it.
- Is it still reachable in your apps?
- If yes, decide on mitigation steps (Can you stop using the library? Can you ensure it cannot be exploited? Can you upgrade the library?)
2. Prioritize those bug-fixes you haven’t been able to get to. (Your future self will thank you.)
- Nightmare scenario: What if a bug-fix causes/triggers a cascading bug condition that leads to an exploit?
- Even worse: if an attack is attempted and is successful, staff is not at full capacity to run a post-mortem/fix cycle.
- The longer your exploitable apps remain exposed, the more your risk profile is amplified.
3. Review security fixes done during the year.
- What worked?
- What didn’t?
- How can the team apply what you’ve found to the coming year?
4. Security training for devs. (nice-to-have)
- Boning up on the latest vulnerabilities outside the usual agile development cycle is a great idea.
- Refreshing knowledge of secure coding best practices.
5. Unplug for a bit.
- While there are always projects that need to be completed, don’t underestimate the value of taking a little time to step away from emails and Jira reports.
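Item 1 asks two concrete questions: where log4j-core still lives, and whether the JNDI lookup that Log4Shell abused is still reachable inside each archive. The following script is an added example, not code from the original post or from any vendor, that answers both for a directory tree of JAR/WAR/EAR files: it reads the version from the pom.properties Maven embeds in log4j-core, checks whether JndiLookup.class is still present (removing that class was Apache's documented mitigation for 2.10+), and recurses one or more levels into archives bundled inside other archives. The version floor of 2.17.1 and the constructed sample archives in demo() are assumptions for illustration; Log4j 1.x is not covered.

```python
"""Inventory log4j-core inside JAR/WAR/EAR files and report JNDI reachability.

Added example, not from the original post. Assumes Maven-built log4j-core jars
(which carry pom.properties) and treats 2.17.1 as the patched floor.
"""
import io
import os
import tempfile
import zipfile
from dataclasses import dataclass
from typing import Dict, Iterator, List, Optional, Tuple

# pom.properties path Maven embeds in every log4j-core jar
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
# Lookup class whose removal was Apache's documented mitigation for 2.10+
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
SAFE_FLOOR = (2, 17, 1)  # assumption: anything older needs review
ARCHIVE_EXT = (".jar", ".war", ".ear", ".zip")


@dataclass
class Finding:
    location: str           # filesystem path; "!" separates nested archives
    version: Optional[str]  # None if no log4j-core pom.properties was found
    jndi_reachable: bool    # JndiLookup.class still present in the archive
    verdict: str


def parse_version(version: str) -> Tuple[int, ...]:
    """'2.17.1-rc1' -> (2, 17, 1); stops at the first non-numeric component."""
    parts: List[int] = []
    for p in version.split("-")[0].split("."):
        if not p.isdigit():
            break
        parts.append(int(p))
    return tuple(parts)


def classify(version: Optional[str], jndi_reachable: bool) -> str:
    if version is None:
        # JndiLookup shaded into some other jar without log4j-core metadata
        return "review: JndiLookup present without log4j-core metadata"
    if parse_version(version) >= SAFE_FLOOR:
        return "ok: patched release"
    if jndi_reachable:
        return "vulnerable: upgrade or remove JndiLookup.class"
    return "mitigated: JndiLookup.class removed from old release; still upgrade"


def inspect_archive(zf: zipfile.ZipFile, location: str) -> Iterator[Finding]:
    names = set(zf.namelist())
    version = None
    if POM_PROPS in names:
        for line in zf.read(POM_PROPS).decode("utf-8", "replace").splitlines():
            if line.startswith("version="):
                version = line.split("=", 1)[1].strip()
    jndi = JNDI_CLASS in names
    if version is not None or jndi:
        yield Finding(location, version, jndi, classify(version, jndi))
    # Recurse into archives bundled inside this one (WEB-INF/lib/*.jar etc.)
    for name in sorted(names):
        if name.lower().endswith(ARCHIVE_EXT):
            try:
                inner = zipfile.ZipFile(io.BytesIO(zf.read(name)))
            except zipfile.BadZipFile:
                continue
            yield from inspect_archive(inner, f"{location}!{name}")


def scan_tree(root: str) -> List[Finding]:
    findings: List[Finding] = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            if not fn.lower().endswith(ARCHIVE_EXT):
                continue
            path = os.path.join(dirpath, fn)
            try:
                with zipfile.ZipFile(path) as zf:
                    findings.extend(inspect_archive(zf, path))
            except zipfile.BadZipFile:
                continue
    return findings


def _make_log4j_jar(path: str, version: str, with_jndi: bool) -> None:
    """Constructed fixture: a fake log4j-core jar holding only the entries we read."""
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr(POM_PROPS, f"version={version}\ngroupId=org.apache.logging.log4j\n")
        if with_jndi:
            zf.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")  # stand-in class bytes


def demo() -> Dict[str, str]:
    """Builds constructed sample archives in a temp dir; returns {relative location: verdict}."""
    root = tempfile.mkdtemp(prefix="log4j-scan-")
    _make_log4j_jar(os.path.join(root, "log4j-core-2.14.1.jar"), "2.14.1", True)
    _make_log4j_jar(os.path.join(root, "log4j-core-2.17.1.jar"), "2.17.1", True)
    _make_log4j_jar(os.path.join(root, "log4j-core-2.12.1-stripped.jar"), "2.12.1", False)
    # A WAR carrying an old log4j-core under WEB-INF/lib exercises the nesting path
    inner = io.BytesIO()
    _make_log4j_jar(inner, "2.11.2", True)
    with zipfile.ZipFile(os.path.join(root, "app.war"), "w") as war:
        war.writestr("WEB-INF/lib/log4j-core-2.11.2.jar", inner.getvalue())
    return {f.location[len(root) + 1:]: f.verdict for f in scan_tree(root)}


if __name__ == "__main__":
    for loc, verdict in demo().items():
        print(f"{verdict:<70} {loc}")
```

Point scan_tree() at application directories, container image layers, or a build artifact repository; the "!"-separated locations tell you which deployable carries the old copy, which is the information needed to choose between the three mitigation options in item 1.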
ONE FINAL THOUGHT:
2023 is coming up quickly.
The most we can do as we look toward another year of serious, headline-making cyberattacks is dive in with the right tools and the right priorities. The work you put in now will put your organization ahead of the problems that organizations which skipped the work will be facing.