
How PH businesses can tighten up software supply chain against cyber attacks

Photo by @privecstasy from Unsplash.com

By Dean Vaughan
Vice President of Asia Pacific, Azul

In September 2022, Philippine Airlines lost the personal data of frequent flyers when its IT provider was hacked, adding yet another example of the supply chain attacks that have bedeviled businesses globally in the past year.

The cyberattack on a third-party IT provider for the airline resulted in the theft of names, birth dates, nationalities, genders and points balances, among other details.

Although it is unclear how the malicious actors managed to get into the victim’s systems, the incident once again reinforces the need to tighten up security against supply chain attacks.


For many of today’s IT systems, using third-party software in one form or another is inevitable, such is the interconnectedness of the Internet and the complexity of digital infrastructure.

An estimated 40% to 80% of the lines of code in software come from third parties such as libraries, components and software development kits. Unfortunately, they are also one reason production code that depends on third-party components is increasingly exposed to vulnerabilities.

By 2025, 45% of organizations worldwide will have experienced attacks on their software supply chains, a three-fold increase from 2021, according to research firm Gartner.

A lack of visibility hampers defense

This is a problem facing any digital economy and the Philippines is no different as it delivers more services over digital channels in the years ahead. The way forward has to involve better detection of such vulnerabilities without impacting performance.


To begin, you can only defend against something if you know what you are up against. Since many organizations do not peer into the nuts and bolts of the many third-party programs they use, they often are working on the hope that the code is free from vulnerabilities.

Even with a vulnerability detection tool in place, many organizations fail to act on a threat, because alerts are often too general or unable to differentiate between production and non-production code. This means the work required to clean up an infected or vulnerable system is too broad to be undertaken by already beleaguered security and application teams.

Today, organizations continue to grapple with Log4Shell, a critical vulnerability found in a widely used Java-based logging component (Log4j). This loophole enables threat actors to run code on a victim’s system and take control. It has affected countless servers and applications because Java is so widely used in modern IT infrastructure.

Yet, when the threat first emerged last year, few organizations had the ability to quickly find the exact location of the vulnerability in their IT systems because Java was used so extensively. The challenge was knowing where to look even when the dashboard lit up with a warning.

More precision needed


What is needed is greater precision, which is only possible with better visibility than existing solutions provide. Application scans in CI/CD, application agents, or application inventories (SBOMs) are valuable approaches as part of a comprehensive security strategy. However, these approaches also have drawbacks, including false positives, which waste time through alert fatigue, and a performance impact, which adds burden to Java teams and their applications.

Take Azul Vulnerability Detection, a new Software-as-a-Service (SaaS) product that continuously detects known security vulnerabilities that exist in Java applications. By eliminating false positives and with no performance impact, it is ideal for in-production use and addresses the rapidly increasing enterprise risk around software supply chain attacks.

Azul Vulnerability Detection identifies the code that actually runs, using sophisticated, highly granular techniques inside Azul JVMs (Java virtual machines), and maps it against a curated Java-specific database of common vulnerabilities and exposures (CVEs). This produces more accurate results, even for custom code and shaded components, so IT teams can get to a vulnerability and remediate the issue quickly and efficiently.
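To make the inventory-versus-runtime distinction concrete, here is an added Python sketch; it is not Azul's code and does not describe the product's algorithm. It matches a constructed SBOM and a constructed class-load log against a placeholder advisory table (all names, versions and advisory ids are made up): inventory matching flags a declared dependency that never loads and misses a vulnerable copy repackaged inside a shaded jar, while matching on the bytecode that actually loaded catches it.

```python
import hashlib

# Constructed advisory table with placeholder ids (not real CVEs):
# artifact -> list of (advisory id, first affected version, last affected version)
CVE_DB = {
    "log4j-core": [("CVE-PLACEHOLDER-1", "2.0", "2.14.1")],
    "commons-text": [("CVE-PLACEHOLDER-2", "1.5", "1.9")],
}

def version_key(v):
    return tuple(int(p) for p in v.split("."))

def advisories_for(artifact, version):
    """Advisories whose affected range covers this artifact version."""
    return {adv for adv, lo, hi in CVE_DB.get(artifact, [])
            if version_key(lo) <= version_key(version) <= version_key(hi)}

# Constructed SBOM: what the build declares. "acme-shaded" is a fat jar that
# repackages log4j-core 2.14.1, so its coordinates never mention log4j.
SBOM = [("log4j-core", "2.17.1"), ("commons-text", "1.8"), ("acme-shaded", "3.0")]

def sbom_findings(sbom):
    """Inventory-only matching: trusts the declared names and versions."""
    return {(adv, name) for name, ver in sbom for adv in advisories_for(name, ver)}

def fingerprint(bytecode):
    return hashlib.sha256(bytecode).hexdigest()[:16]

# Constructed index of known class bytecode; a real tool would index published jars.
KNOWN_CLASSES = {
    fingerprint(b"JndiLookup@2.14.1"): ("log4j-core", "2.14.1"),
    fingerprint(b"JndiLookup@2.17.1"): ("log4j-core", "2.17.1"),
    fingerprint(b"StringSubstitutor@1.8"): ("commons-text", "1.8"),
}

# Constructed class-load log: (class name, bytes the JVM actually defined).
LOADED = [
    ("org.apache.logging.log4j.core.lookup.JndiLookup", b"JndiLookup@2.14.1"),
    ("com.acme.web.OrderController", b"OrderController@3.0"),
]

def runtime_findings(loaded):
    """Match only code that actually loaded, identified by what it is, not its label."""
    found = set()
    for _name, bytecode in loaded:
        origin = KNOWN_CLASSES.get(fingerprint(bytecode))
        if origin:
            found |= {(adv, origin[0]) for adv in advisories_for(*origin)}
    return found

if __name__ == "__main__":
    print("inventory:", sbom_findings(SBOM))      # flags unused commons-text, misses shaded log4j
    print("runtime:  ", runtime_findings(LOADED))  # flags the shaded log4j-core copy that ran
```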

Gaining agility while beefing up security

To be sure, vulnerability detection tools are not new. Unfortunately, some end up providing the added security at the expense of performance. This means business agility suffers, because one’s security tool is slowing down transactions and requiring more computing resources and cost to run.


Organizations need to find a way to overcome the software supply chain problem. They need smarter tools that can beef up the security without adding overheads and dragging back performance.

When it comes to security in Java applications, what’s different with Azul Vulnerability Detection is its use of Azul Java virtual machines (JVMs), which provide highly accurate runtime-level visibility into what code is actually running and whether it is vulnerable. This enables faster remediation of vulnerabilities with significantly less operational overhead.

Additionally, because the tool is agentless, it avoids the performance penalty commonly associated with other security tools that require teams to install and maintain a separate piece of software. Taken together, Azul Vulnerability Detection makes security a byproduct of simply running Java software.

Fighting a winnable battle

Security has to be baked in from the start instead of an add-on feature in a connected world. In other words, it has to be built into a piece of software or part of a technology stack that is then used to build other digital services.


Unfortunately, supply chain attacks against trusted vendors and third-party code pose substantial enterprise risk.

The key to winning battles against increasingly sophisticated threats is to be armed with the right tools that deliver a solid defense while retaining the agility that organizations need today. Even as cyber threats evolve, organizations have to believe they can keep out the bad guys over time and continue delivering trusted digital services and experiences to their users.
