The rise of ransomware has unleashed a torrent of large-scale attacks, disabling critical infrastructure and bringing key supply chains to their knees, adding to the uncertainty of an already chaotic pandemic era.
There have been front-page attacks such as Colonial Pipeline, which was forced to shut down 5,500 miles of pipeline after being hit by ransomware, as well as meat processor JBS Foods and software publisher Kaseya. Together, these attacks have dramatically shifted ransomware conversations to places ranging from conference rooms to gas station lines.
Yet beyond these high-profile incidents, the reach of ransomware is even more widespread. While the total number of unsophisticated ransomware attacks that Symantec, as part of Broadcom Software, has detected and blocked has declined over the past 18 months, targeted attacks on single organizations seeking high-value ransoms have been increasing. Our threat intelligence report, “The threat of ransomware,” found that targeted ransomware attacks increased by 83% during this period. Now is the right time for a major cybersecurity awakening.
Make DevSecOps Work
When a separate cybersecurity team works outside the confines of the traditional software development cycle, security becomes an afterthought, creating unnecessary loopholes. In contrast, a modern DevSecOps paradigm establishes cybersecurity as a shared business responsibility and changes security practices to begin early in the software development lifecycle where there is greater opportunity for built-in protections.
While DevSecOps isn’t entirely new, the concept has been slow to take off, in part due to organizational and cultural challenges. In most organizations, the product and cybersecurity teams are separate, often with competing agendas. The product team designs the product without considering security policies, while the security group promotes policies without the same concern for new features or the urgency of time to market. The friction puts the two groups at odds instead of fostering a partnership that integrates security into the product development phase and closes the back doors that attackers could easily exploit.
The widespread use of open source code and cloud-based platforms like GitHub has also made some businesses more vulnerable to cybersecurity risks. Developers program from laptops, often outside the strict security controls of the corporate network and integrated development environment (IDE). Without a secure IDE and robust processes to analyze and certify all source code contributions, organizations are more susceptible to the infiltration of malicious code used to perpetrate ransomware attacks.
Reorient your culture
With DevSecOps, organizations can eliminate unnecessary risk. There are several things to consider when you reorient the culture and adopt a DevSecOps model. Here are a few:
- Create a dedicated organization. The principle behind DevSecOps: cybersecurity is everyone’s business. At the same time, dedicated resources and management are still needed to create oversight and ensure that practices are applied. The DevSecOps team should act as a bridge between cybersecurity and product developers and report to the Chief Technology Officer (CTO) or Chief Product Officer (CPO). The team should be a partnership of experts with application knowledge, technical skills, and development expertise to discuss both product requirements and cybersecurity needs.
- Embrace automation and monitoring. Invest in the resources, skills and specialized tools to automate the process as much as possible. Automating code analysis and critical segments of the continuous integration/continuous delivery (CI/CD) process will ensure consistency while reducing the risk of human error. Over time, refine DevSecOps practices through the use of AI as well as feedback loops that examine how and why a security vulnerability was introduced into the code, so that the process can be improved further.
- Invest in training and awareness. Promote the importance of cybersecurity practices by creating a corporate culture where security is a priority and not seen as an afterthought. Offer company-wide training sessions, communicate regularly to increase awareness, and recruit executive sponsors.
- Standardize tools and processes. A standardized set of tools and practices is essential to keep everyone on the same DevSecOps page. Formalizing a standard IDE and a set of analysis and monitoring tools will ensure that code is continuously monitored for problems and that potential blind spots are identified and then closed.
Don’t underestimate the importance of creating a culture and structure for good cybersecurity. After a brutal year of rampant ransomware and other cybersecurity attacks, customers are determined to limit their exposure by aligning themselves with software vendors who follow proven and verifiable cybersecurity best practices. DevSecOps will create a competitive advantage, positioning your business as a more reliable and trustworthy partner.
Copyright © 2021 IDG Communications, Inc.