Introducing Qwiet AI AutoFix! Reduce the time to secure code by 95% Read More

The past year has seen the number and severity of incursions increase while budgets have been slashed due to a weakened economy. A new study from VMware finds that since Russia’s invasion of Ukraine, there has been an uptick in cybersecurity attacks. The 125 cybersecurity and incident response professionals VMware surveyed report the attacks have included double extortions, data auctions and blackmail, as well as attacks on APIs.

In equally troubling news, separate research from Palo Alto Networks’ Unit 42 team revealed that in 2021 the average ransomware demand increased 144%, to $2.2 million, as scores of new gangs sprung up to exploit pandemic uncertainty.

As we look toward 2023, organizations are asking themselves what they can do to maintain a security posture that is robust but also cost-effective. As I have done in past years, the following is my guide to key developing trends everyone at all levels can leverage—not just CISOs and cybersecurity specialists.

The world has changed. The days of concealing vulnerabilities are over.

GitHub recently announced vulnerability reporting, as one of the highlights of GitHub Universe, its global developer conference focusing on cloud, security, community, and AI. For those unfamiliar with the term, “vulnerability reporting” is the practice of revealing flaws in computer software or hardware. Disclosure can come from security researchers, IT security teams, in-house developers, third-party developers and other stakeholders with direct knowledge of the systems at risk.

While there is nothing new about looking for vulnerabilities, GitHub’s announcement shows that transparency is the best policy. By allowing the community to report bugs privately, organizations should seize the opportunity to rectify the situation before making a patch publicly available.

As I see it, a bug contains critical information that is better disseminated than hidden. Disclosure can mean a short-term loss, but it is an investment in long-term trust, as the threat landscape has grown more varied and complex.

Never mind the old-school crews. Welcome to the age of the well-organized, well-funded hacker.

Hackers working with economists to determine the return on investment (ROI) of an incursion. Hackers outsource testing for speed and effectiveness. This may sound like plot-points of the latest blockbuster film that makes cybersecurity professionals chuckle, but it is absolutely what’s happening.

The SolarWinds hack, which took place over a period of 9 months in 2019-2020, is perhaps the best example of this new generation of bad actors.

Among its revelations:

  • Hackers were able to access thousands of enterprises and agencies worldwide by gaining access to SolarWinds’ Orion IT monitoring and management software,
  • The decision to hack this software wasn’t random. The hackers conducted thorough threat analysis.
  • The hackers aren’t just well-organized; they are also state-funded and state-sponsored – in large measure by Russia and other rogue nations. According to the FBI Crime Report, hackers are protected with bribes or doing pro bono work for the government,
  • Hackers have moved on to supply-chain and other systemic targets—a change that depends on dispersed and diversified teams.

To address this more complex threat, we need to shift as far left in the cycle and the kill chain as possible to prevent the opportunities before they are exploited. Detect and respond solutions will never get ahead of the adversary; only with prevention do we have a chance.

Wargaming is becoming a popular way to test the security and agility of an organization.

Threats are no longer distant, abstract events, or five-alarm fires raging out of control. Smart organizations have turned to wargaming to evaluate their incident response preparedness. Experiences run the gamut from customized simulations and “tabletop” exercises that simulate a real attack.

Deloitte is among the leading exponents of cyber wargaming. Its clients include Booz Allen, on behalf of a Fortune 500 manufacturer who wanted to test their supply chain against IT and OT (operational technology) threats.

Wargaming is no substitute for experience. But its growing popularity shows that security has become an active, vital function across the entire organization. It is no longer a specialized function.

Everyone should do security these days. It’s not just about the CISO.

Today’s top technology companies have empowered most operators to do security. Google, Amazon, Apple, Meta. They have all built security into the DNA for the organization, with security as a daily function rather than a specialist activity.

As we prepare for the coming year, organizations need to think how they can change their own culture, or, better yet, strive for culture confluence where all cultures in a company come together synergistically around cybersecurity. The key to moving forward is strong top-down buy-in so a bottom-up security posture is given room to develop.

Chetan Conikee is Co-Founder & CTO of ShiftLeft, a disruptor and innovator in the world of DevSecOps and NextGen SAST and SCA.

About ShiftLeft

ShiftLeft empowers developers and AppSec teams to dramatically reduce risk by quickly finding and fixing the vulnerabilities most likely to reach their applications and ignoring reported vulnerabilities that pose little risk. Industry-leading accuracy allows developers to focus on security fixes that matter and improve code velocity while enabling AppSec engineers to shift security left.

A unified code security platform, ShiftLeft CORE scans for attack context across custom code, APIs, OSS, containers, internal microservices, and first-party business logic by combining results of the company’s and Intelligent Software Composition Analysis (SCA). Using its unique graph database that combines code attributes and analyzes actual attack paths based on real application architecture, ShiftLeft then provides detailed guidance on risk remediation within existing development workflows and tooling. Teams that use ShiftLeft ship more secure code, faster. Backed by SYN Ventures, Bain Capital Ventures, Blackstone, Mayfield, Thomvest Ventures, and SineWave Ventures, ShiftLeft is based in Santa Clara, California. For information, visit: www.shiftleft.io.

Share

Read Next

AI Announcements Cybersecurity
April 29, 2024 4 min to read

The Qwiet AI Code Doctor Will See You Now – Introdu...

by Stuart McClure

Qwiet AI and the ancient Greek physicians like the father of medicine Hippocrates have much in common. Hippocrates highlighted the significance of a healthy diet and lifestyle in preventing diseases and acknowledged the root cause of physical and psychological ailments as diet and lifestyle choices (Διαιτήμασί in Greek), and now Qwiet AI is delivering his […]

READ MORE
AI Cybersecurity
April 29, 2024 10 min to read

Revolutionizing Vulnerability Detection and Patching

by Chetan Conikee

In the ever-evolving landscape of software development, ensuring the security of applications has become a paramount concern. As cyber threats continue to grow in sophistication, it is crucial for developers and security professionals to stay ahead of the curve. This article explores a groundbreaking approach that combines the power of Code Property Graphs (CPGs) and […]

READ MORE
Cybersecurity
April 22, 2024 6 min to read

What are the limitations of using ChatGPT to write code?

Love them or hate them, large language models (LLM) are here to stay. After opening the Pandora’s Box of ChatGPT in late 2022, everyone from developers to grandmas began using the tool to get the answers they wanted – and fast. As with every other new technology, ChatGPT created a new set of security risks, […]

READ MORE

Read Next

Engineering
September 15, 2021 3 min to read

API Security 101: Improper Assets Management

On March 21, the Biden administration directed US companies to "harden your cyber defenses immediately." With these new federal guidelines for application security, the White House urged software developers to deploy "modern tools that can detect known and potential vulnerabilities" in their custom and open-source software (OSS). Learn more about how ShiftLeft can help.

READ MORE
Cybersecurity
March 23, 2022 7 min to read

Secure Software Summit: Reachability and Risk: Tools for ...

It is impossible to manage security posture without considering two key factors in any potential vulnerability or security flaw: reachability and risk. The two factors are related. Reachability defines the degree to which a given security vulnerability that is detected, such as a CVE, can actually be attacked and exploited to gain privileged access and […]

READ MORE
Cybersecurity
March 17, 2022 7 min to read

Secure Software Summit: Importance of Securing Software w...

  With the increase of supply chain attacks on everything from logging software like Log4J to takeovers of important JavaScript packages to compromises of network utility tools like SolarWinds, more and more organizations are recognizing the need to adopt a Zero Trust mindset. Zero Trust can improve security, reduce risks, and give organizations greater confidence […]

READ MORE
Subscribe to newsletter
Privacy Policy Terms of Service © 2024 Qwiet. All rights reserved
Services
Company
Platform
Resources
Log In