The Devil is in your Code: Zero trust in response to inevitable threats

A “Zero Trust” cybersecurity model has been one of the most important innovations in organizational risk management in recent years. It constitutes a fundamental shift in mitigating risk, but one that is still not widely adopted or even understood. This is why, throughout Cybersecurity Awareness Month in October, the Cybersecurity Tech Accord will be breaking down the core elements of “Zero Trust” architecture in a new blog series – Never Trust, Always Verify. The series will feature expert voices from across Cybersecurity Tech Accord signatories breaking down what Zero Trust is, what is isn’t, and how to have an informed conversation to ensure your organization is employing best practices for security.The series will include entries on:

  1. Zero Trust in IT and OT systems – Schneider Electric
  2. Strong authentication for Zero Trust – Balasys
  3. Zero Trust access policies – Safe PC Solutions/Safe PC Cloud
  4. Threats that necessitate Zero Trust – Contrast Security

Tom Kellermann, SVP Cyber Strategy – Contrast Security

Rising geopolitical tensions are driving increasingly sophisticated threats in cyberspace. Russia’s war in Ukraine in particular has spawned cyberattacks targeting critical infrastructure. Countries like Russia and North Korea have been implicated in numerous attempts now to cripple adversary infrastructure abroad as cyber conflict escalates and is increasingly intertwined in hybrid warfare efforts. Recently, the Cybersecurity and Infrastructure Security Agency (CISA) in the United States (U.S.) even issued an ominous advisory warning of imminent Russian cyberattack campaigns to be launched by cyber-militias.

In light of these stark realities, organizations must rethink their defenses. Embracing a Zero Trust model means accepting that 100% prevention is no longer possible. Perimeter defense alone has proven impractical given the complexity and overlapping nature of modern computer networks. In a world that is defined by rapid digital transformation, intrusions are ubiquitous and inevitable; organizations should always assume breach and act accordingly

Modus Operandi has Evolved

In earlier days, adversaries launched cyberattacks against single targets. But nowadays, an increasingly common tactic is for attackers to “island hop” – targeting an organization’s third-party partners, and using them as access points from which to worm their way into a primary target’s network. Island hopping enables malicious actors to circumvent primary target defenses by exploiting the networks of partners that are already trusted enough to be granted access to the desired network.

A prime example of this tactic is the SolarWinds breach of 2020. This supply-chain attack attributed to Russian government hackers compromised multiple U.S. government agencies, including the Treasury and Commerce departments, as part of a global espionage campaign. In the attack, the government agencies were breached via the compromise of a widely used business software called Orion that was developed by SolarWinds, a trusted third-party vendor.

Other adversaries have also picked up on the island hopping technique used by the SolarWinds actors. Threat actors are laying siege to the software development, integration and delivery infrastructure of the supply chain via a myriad of attack classes, such as:

•                   Command injection

•                   Cross-site scripting (XSS)

•                   Expression language injection

•                   Method tampering

•                   Path traversal/local file inclusion (LFI)

•                   SQL and NoSQL injection

•                   Untrusted deserialization

•                   XML external entity processing

Research shows that a typical application in production is assailed more than 433 times a day. Given that rate of incursion, it’s inevitable; malicious actors will get into the environment.

The recent memorandum from the White House on “Enhancing the Security of the Software Supply Chain through Secure Software Development Practices” underscores the national security implications of inaction. The necessity to make our technology resilient and secure is “not theoretical,” the White House advised, going on to say that “foreign governments and criminal syndicates are regularly seeking ways to compromise our digital infrastructure.”

In order to effectively wage a digital “counterinsurgency,” organizations must suppress  campaigns as they attempt to infiltrate their code. We must treat each vulnerability as a potential attack, and we must employ continuous monitoring that extends to the entire software development lifecycle, from development to production.

Vigilant Digital Transformation

A Zero Trust approach must extend to code. Organizations must verify what developers have created. We must digitally transform in a vigilant manner.

Vigilant digital transformation entails that organizations:

  • Detect and prevent run-time attacks on known and unknown code app exploits in production with intelligent runtime protection. This will shield organizations against emerging zero-day vulnerabilities and entire classes of application security attacks.
  • Automate/instrument the identification of vulnerabilities in order to get actionable remediation guidance that enables developers to remediate as they code — during functional testing — to find unknown vulnerabilities.
  • The velocity of change requires that we discover zero days in libraries and frameworks. This requires testing and protecting third-party open-source code moving through your supply chain with continuous monitoring in production with Software Composition Analysis (SCA) tools, This will provide insight into known Common Vulnerabilities and Exposures (CVEs) or issues with the libraries they produce, automating visibility into the use of open-source software for risk management, security and license compliance.
  • Employ security for application programming interfaces (APIs) before the adversary hijacks them. For this, you need an integrated, modern API security platform, which provides an up-to-date inventory of APIs that are relevant, in-development and exposed; conducts runtime analysis during functional testing that enables you to remediate as you code; enables you to find known vulnerabilities in active third-party libraries, frameworks and services; identifies probes and attacks on both known and unknown vulnerabilities; and prevents exploits.

As application and API attacks surge, application security must be viewed as a functionality of conducting business, not an expense. We must invert the security paradigm. Defending from within is of paramount importance.

As the great French literary figure Charles Baudelaire said, “the greatest trick the devil ever pulled was convincing the world he didn’t exist.”

The devil is in your code.