Source code security is a topic that I am passionate
about. In fact, I’ve got a whole whitepaper
Sort of on that topic (it deals more specifically with on how to keep a good
software update/patch schedule). As I
have written about before countless times, this topic is going to be one of the
top Cyber issues in the coming year, and quite possibly for a long time to
come.
With pretty much everything going digital and being connected
amongst one another, web apps and mobile apps are going to be the way things
are headed. But yet another problem that
is compounding this grave issue is once again, Generative AI. Love it or hate it, this too is going to be
around for a long time to come also.
Many businesses are now starting to send source code now
using Generative AI, in an effort to automate the process. It used to be done manually, but now longer
is it the case. This is a very
vulnerable situation for those organizations that rely heavily upon outsourcing
when it comes to building web or mobile apps.
For example, suppose Company ZYX has its base of operations
here in the United States. Some of the source
code is developed here, but a major part of it is developed overseas, such as
India. Human intervention at one point
was probably used to ship the code over to the headquarters in the US. But now, Generative AI is being used for
this, so probably nobody is really checking twice to see if there have been any
issues or vulnerabilities.
So now, this is the big question: How can US companies (or for that matter, any
business really located throughout the world) protect themselves from receiving
malicious code when automated means are being used for distribution? Here are some tips that any CISO and their IT
Security team can use:
1)
Mandate the use of code signing certificates:
You may be wondering what exactly this
is? Well, here is a technical definition
of it:
“Code
Signing Certificates are used by software developers to digitally sign
applications, drivers, executables
and software programs as a way for end-users to verify that the code they
receive has not been altered or
compromised by a third party.”
(SOURCE: https://www.digicert.com/signing/code-signing- certificates#:~:text=Code%20Signing%20Certificates%20are%20used,compromised%20by%20a %20third%20party.)
In a way, this can be compared to a chain of
custody forms that are used in digital forensics investigations. In
order for the evidence to be admissible to a court of law, there must be a record of all of the authorized
individuals who had access to it. This
is to ensure that nothing has
been altered or changed in the process, and that everything is still intact. This is also true for the source code.
In order to make sure that that it has maintained its integrity and that
it has not fallen into the wrong
hands, software developers use these kinds of signing certificates. However,
for the longest time, this was
an optional feature businesses to implement. But now people, especially those in the Cyber
industry, are now stating
that it should be a mandatory in order
to keep the attack surface to a minimum.
Also keep in mind that the following
questions have to be answered:
*Who in your organization
is signing code?
*Where are private code-signing
keys stored?
*What software is being signed?
2)
Maintain
visibility:
Even today, many businesses still
go on the presumption that outside suppliers can be trusted, as long as they
have a good reputation. However, do
not take anything for granted.
In this regard, you have to think like the Zero Trust Framework. You have to go on the premise that absolutely
nobody can be trusted, and that everybody must go through at least three layers
of authentication in order to have their identity to be fully confirmed. So with this in mind, you and your IT
Security team have to keep a close eye on the rights, permissions, and privileges
that are being assigned to everybody, especially even the software development
teams that create your ever important source code. In the end, always implement the concept
of Least Privilege, which simply states that nobody should receive any
permissions than are absolutely necessary to have.
3)
Assign
a responsible party:
Back in the day, when source code
was being developed, it would have been the responsibility of the IT Security
team to ensure its safekeeping. But with
Generative AI, remote work, the use of both DevOps and DevSecOps teams, there
are now hundreds, and possibly even thousands of people who could come into
contact with the source code in one way or another. Therefore, you need to find somebody or some
entity that you can trust who will actually oversee the ownership of the source
code. Once that has been determined, then
your IT Security team should work closely with them in order to make sure that
all of the necessary protocols and controls are indeed put into place. Try to find no more than two or three people,
or just one entity, to take responsibility for the ownership. The more involved this process gets, the
worse off it will be in the long run.
My Thoughts On This:
According to a recent study conducted by Deloitte, over 50%
of businesses will be using Generative AI for automation purposes. And as you can imagine, the shipping of source
code will be a big part of this. While I
am not against the use of AI completely, there needs to be sense of checks and
balances here. Cybersecurity needs both
aspects: the technology and the humans
in order to really mitigate the risks of security breaches.
More information about this study can be found at the link
below:
No comments:
Post a Comment