Discovery: The First Critical Pillar in a Successful DevSecOps Program


This is the first installment in a series about making DevSecOps work in your organization.

The DevSecOps model, a key to enhancing software security at all phases of the development lifecycle, includes four pillars: discovery, validation, prioritization and remediation.

These are vital for eliminating vulnerabilities from software products in a way that does not overly tax development and security team resources or lead to higher costs, greater friction and reduced productivity. In short, an organization needs each of these pillars in order for DevSecOps to work.

In this post we’ll look at the first pillar, and then cover the others in subsequent posts. Discovery is an essential part of vulnerability management—without it, organizations can’t identify potentially harmful software bugs that could be exploited by cyber criminals to launch attacks.

In many cases, discovery is made possible by vulnerability scanners, tools that analyze systems in search of known vulnerabilities. Vulnerability scanning and management are required in order to achieve compliance with regulations and industry standards such as the International Organization for Standardization’s ISO 27001 Information Security Management System (ISMS), one of the most widely used standards in the ISO family.

Many organizations use scanning tools to collect information from the devices on their networks, such as which software packages and versions are installed. They then compare this information against known vulnerabilities as described by software vendors or others.
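As an added illustration of that comparison step (example code, not from the original post or from any product it mentions): a minimal matcher that checks an installed-software inventory against a vulnerability feed using half-open version ranges. The host names, package names, advisory IDs and version ranges below are constructed for the example, not real advisory data.

```python
import re

# Constructed vulnerability feed: each entry says package P is affected for
# introduced <= version < fixed. IDs and ranges are illustrative only.
FEED = [
    {"id": "EXAMPLE-0001", "package": "log4j-core",
     "introduced": "2.0-beta9", "fixed": "2.15.0"},
    {"id": "EXAMPLE-0002", "package": "nginx",
     "introduced": "1.18.0", "fixed": "1.20.1"},
]

# Constructed inventory, as a scanner might collect it from network hosts.
INVENTORY = [
    {"host": "mail-01", "package": "log4j-core", "version": "2.14.1"},
    {"host": "vpn-01", "package": "log4j-core", "version": "2.17.1"},
    {"host": "web-01", "package": "nginx", "version": "1.20.1"},
]

def parse_version(v):
    """Split '2.14.1' or '2.0-beta9' into comparable parts. Numeric parts
    are tagged 1 and alphabetic pre-release tags 0, so that after padding
    2.0-beta9 < 2.0 < 2.0.1 (a plain string compare would get this wrong)."""
    return [(1, int(t)) if t.isdigit() else (0, t.lower())
            for t in re.findall(r"\d+|[A-Za-z]+", v)]

def version_key(v, width):
    """Right-pad with zero components so '2.0' and '2.0.0' compare equal."""
    parts = parse_version(v)
    return parts + [(1, 0)] * (width - len(parts))

def is_affected(installed, introduced, fixed):
    """True when introduced <= installed < fixed (fixed version is safe)."""
    width = max(len(parse_version(x)) for x in (installed, introduced, fixed))
    inst = version_key(installed, width)
    return version_key(introduced, width) <= inst < version_key(fixed, width)

def discover(inventory, feed):
    """Return (host, package, version, advisory id) for every match."""
    return [(i["host"], i["package"], i["version"], a["id"])
            for i in inventory for a in feed
            if a["package"] == i["package"]
            and is_affected(i["version"], a["introduced"], a["fixed"])]

if __name__ == "__main__":
    for finding in discover(INVENTORY, FEED):
        print("host=%s package=%s version=%s advisory=%s" % finding)
```

Name-and-version matching is only the first step of discovery: distribution backports, renamed packages and bundled copies of a library are the usual reasons a real scanner needs richer metadata than this toy feed carries.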

Discovering software vulnerabilities early has never been more important for organizations. A joint Cybersecurity Advisory (CSA), an April 2022 alert published by multiple cyber security authorities in the U.S., Australia, Canada, New Zealand and the U.K., said malicious cyber actors targeted global Internet-facing systems such as email servers and virtual private network (VPN) servers with exploits of newly disclosed vulnerabilities in 2021.

In the advisory, the agencies, including the Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA) and Federal Bureau of Investigation (FBI), provided details on the top 15 Common Vulnerabilities and Exposures (CVEs) that were routinely exploited by malicious cyber actors in 2021, as well as other CVEs that were frequently exploited.

“Malicious cyber actors aggressively targeted newly disclosed critical software vulnerabilities against broad target sets, including public and private sector organizations worldwide,” the alert said.

Among the top exploited vulnerabilities the agencies noted was the widely publicized Log4Shell, which affects Apache’s Log4j library, an open-source logging framework. A cyber criminal can exploit this vulnerability by submitting a specially crafted request to a vulnerable system that causes the system to execute arbitrary code, the alert noted. The request enables the attacker to take full control over the system, steal information, launch ransomware, or conduct other malicious activity.

The rapid widespread exploitation of the vulnerability, which was first disclosed in December 2021, “demonstrates the ability of malicious actors to quickly weaponize known vulnerabilities and target organizations before they patch,” it said.

“To a lesser extent, malicious cyber actors continued to exploit publicly known, dated software vulnerabilities across a broad spectrum of targets,” the alert said. The exploitation of older vulnerabilities demonstrates the ongoing risk to organizations that fail to patch software in a timely manner or are using software that is no longer supported by a vendor.

The cybersecurity authorities encouraged organizations to reduce the risk of compromise by malicious cyber actors through mitigations such as patching systems in a timely manner and implementing a centralized patch management system. But organizations need to emphasize the discovery phase of DevSecOps if they hope to successfully mitigate vulnerabilities.

Discover Where Your Vulnerabilities Lie With a Dynamic SBOM

With a Dynamic SBOM, organizations can discover where their vulnerabilities exist in real time, as changes take place in the software environment. For more information, visit https://www.rezilion.com/platform/dynamic-sbom/ or book a demo at https://www.rezilion.com/request-a-demo/.
