In light of the recent supply chain attacks, experts urge CISOs to focus on security training that addresses the risks around the software development lifecycle
Every supply chain risk a company faces stems from the lack of smooth working relations between software development teams and security functions. Cybersecurity leaders find themselves in a tough spot and try to educate developers with a sense of urgency. They reckon that standard security training might not be effective; instead, tailored learning that addresses the specific risks around the software development lifecycle is essential.
The Sunburst supply chain attack in early 2021 brought the risks of insecure software to the table. Not only did it put security leaders on edge, but it also cleared an easier route for cybercriminals who might previously have been unaware of the vulnerabilities in the development lifecycle of supply chain companies.
Months after the attack, an Osterman Research report revealed that organizations are still nowhere close to analyzing the people-related security weaknesses that could lead to software compromises. The alarming finding of the research was that 81 percent of development teams admitted to putting vulnerable application code live for external use. Additionally, the report showed that 45 percent accept that they do not understand how cyberattacks work.
The research further presents the perspective of cybersecurity executives, and the results are no more positive. Only 50 percent of CISOs are optimistic about the development of secure applications. The rest of the executives lack confidence, as they claim not to fully understand the threats to application security. Over half of the CISOs believe that their company would not be able to survive a SolarWinds-style cyberattack.
The research concludes that this lack of understanding is made worse by outdated, irregular, and insufficient cybersecurity training for developers. IT experts point out that the difficult part of continuous and targeted security training is that it has to deliver relevant content at the right time while still promoting innovation.
The first thing CISOs need to understand is that developers themselves are the targets. Many companies invest their time, focus, and training resources in code safety, and overlook the possibility that the people writing the code are compromised, which is just as real a risk. A small detail, the fact that developers do not just write code but also run it, can serve as a major eye-opener for CISOs. Overlooking it can cost the company.
IT experts recommend that security training programs include awareness of targeted attacks, both through compromised dependencies and through attacks aimed at developers personally. Security systems that monitor developer credentials for unusual activity give responders an upper hand when a cyberattack does occur.
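The monitoring described above is easy to state and harder to make concrete, so here is an added example that is not from the article or the Osterman report: a small Python detector that builds a per-developer baseline of source IPs and countries from earlier authentication events, then flags later events where an unfamiliar origin coincides with a sensitive action (token creation, package publishing) or off-hours timing. The log format, field names, business-hours window and every sample line are constructed assumptions for this example.

```python
"""Flag unusual developer-credential activity in authentication logs.

Added example, not the article's or any vendor's code. The log line format,
the SENSITIVE_ACTIONS set and the business-hours window are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample: "<ISO timestamp> user=<name> src=<ip> geo=<country> action=<what>"
# The last lines show one developer's credentials used from a new country, at
# 03:00 UTC, to mint a CI token and publish a package: a supply chain pattern.
SAMPLE_LOG = """\
2021-06-01T09:12:03Z user=alice src=10.0.4.17 geo=US action=git-push
2021-06-01T10:40:51Z user=alice src=10.0.4.17 geo=US action=ci-token-create
2021-06-02T09:05:22Z user=alice src=10.0.4.17 geo=US action=git-push
2021-06-02T14:33:10Z user=bob src=10.0.7.3 geo=US action=git-push
2021-06-03T03:27:44Z user=alice src=198.51.100.23 geo=RO action=ci-token-create
2021-06-03T03:29:01Z user=alice src=198.51.100.23 geo=RO action=package-publish
2021-06-03T10:02:15Z user=bob src=10.0.7.3 geo=US action=git-push
2021-06-03T11:15:40Z user=alice src=10.0.4.17 geo=US action=ci-token-create
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) geo=(?P<geo>\S+) action=(?P<action>\S+)$"
)
# Assumed set of actions that hand out or exercise supply chain power.
SENSITIVE_ACTIONS = {"ci-token-create", "package-publish", "ssh-key-add"}
BUSINESS_HOURS = range(7, 19)  # 07:00-18:59 UTC, assumed for the sample team


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    # Python < 3.11 fromisoformat() does not accept a trailing 'Z'.
    ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
    return ev


def parse_log(text):
    return [ev for ev in (parse_line(l) for l in text.splitlines()) if ev]


def build_baseline(events, cutoff):
    """Known source IPs and countries per user, learned from events before `cutoff`."""
    base = defaultdict(lambda: {"src": set(), "geo": set()})
    for ev in events:
        if ev["ts"] < cutoff:
            base[ev["user"]]["src"].add(ev["src"])
            base[ev["user"]]["geo"].add(ev["geo"])
    return base


def score_event(ev, baseline):
    """List the individual signals an event raises against the baseline."""
    known = baseline.get(ev["user"])
    reasons = []
    if known is None:
        reasons.append("no-baseline")
    else:
        if ev["geo"] not in known["geo"]:
            reasons.append("new-country")
        if ev["src"] not in known["src"]:
            reasons.append("new-source-ip")
    if ev["ts"].hour not in BUSINESS_HOURS:
        reasons.append("off-hours")
    if ev["action"] in SENSITIVE_ACTIONS:
        reasons.append("sensitive-action")
    return reasons


def detect(events, baseline, cutoff):
    """Alert on post-cutoff events that combine an unfamiliar origin (or no
    baseline at all) with a sensitive action or off-hours timing. A sensitive
    action from a known location in business hours is normal work, not an alert."""
    alerts = []
    for ev in events:
        if ev["ts"] < cutoff:
            continue
        reasons = score_event(ev, baseline)
        origin = {"new-country", "new-source-ip", "no-baseline"} & set(reasons)
        context = {"off-hours", "sensitive-action"} & set(reasons)
        if origin and context:
            alerts.append({"ts": ev["ts"].isoformat(), "user": ev["user"],
                           "action": ev["action"], "reasons": reasons})
    return alerts


def run_sample():
    """Learn from the first two days of the sample, then scan the third."""
    events = parse_log(SAMPLE_LOG)
    cutoff = datetime(2021, 6, 3, tzinfo=timezone.utc)
    return detect(events, build_baseline(events, cutoff), cutoff)


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

Run as-is, the sample produces two alerts, both for alice's token creation and package publish from the new country at 03:00 UTC; bob's routine push and alice's in-hours token creation from her usual address stay quiet. In practice the baseline would be learned from a longer window and the origin signals would come from the identity provider or VCS audit log rather than a hand-written format, but the shape of the check is the same: treat a credential as suspect when where it is used changes at the same time as what it is used for.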
Software development security is different from other infrastructure security. One cannot wait for a system to enter production before securing it; assessment and remediation must happen well ahead of deployment. Working in tandem, security and development teams should build and monitor the development system instead of trying to fix loopholes and problems after development.
Several application attack methods that have existed for decades are still at the top of attackers' lists. Organizations are failing to grasp the problems and continue to neglect the people-centric awareness issues that usually lead to compromises. Experts urge CISOs to begin strategizing a security awareness program that covers all relevant best practices, including data encryption and storage compliance.