Fight the Phish! How DevSecOps Can Support the Effort
October is Cybersecurity Awareness Month, the U.S. government’s annual reminder that information security is something everyone needs to consider. Each week of the month has a specific theme, and this week’s topic should be of interest to every CISO: Fight the Phish! There are many layers of defense that organizations can put in place to mitigate phishing, and DevSecOps can be part of that effort. But more on that later. First, let’s look at the current phishing landscape.
Phishing attacks are on the rise, and they can lead to ransomware attacks, data exposure and other kinds of incidents for organizations as well as individuals. These attacks are one of the most common types of breaches and have been so for the past two years, according to Verizon’s Data Breach Investigations Report for 2021.
The report says phishing was present in 36% of all data breaches in 2020, up from 25% in the previous year. A key reason for the increase was the emergence of phishing lures related to the COVID-19 pandemic, which came about during worldwide stay-at-home orders, according to the report.
The spike in pandemic-related phishing points out some characteristics of the cyber criminals who launch these kinds of attacks: they are opportunistic and prey on users’ fears and interests. And even beyond the increased phishing activity due to the worldwide health crisis, phishing in general is extremely common and one of the more insidious attack modes organizations face.
This attack mode comes in several variations. For instance, there’s email phishing, in which a cyber criminal registers a fake domain that imitates the website of a legitimate organization, such as a bank, and then sends out thousands of emails designed to get recipients to enter personal information on the fake site.
Another type is spear phishing, a more sophisticated method that also uses email but is aimed at specific individuals. The phishers who send these messages might already have information about the target, such as their name, company, title, and a description of their job role. A related form is whaling: phishing attacks that are aimed at senior executives.
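The fake-domain lure described above can be screened for on the receiving side by comparing each sender domain with the domains an organization legitimately expects mail from. The following is an added example in Python, not code from the original post; the legitimate-domain list, the confusable-character map and the sample headers are all constructed.

```python
# Added example, not code from the original post: flag From: addresses whose
# domain imitates a legitimate one, the fake-domain lure described above.
import re

# Constructed: domains the organisation legitimately receives mail from, and a
# map of digits commonly swapped in for the letters they resemble.
LEGIT_DOMAINS = {"examplebank.com", "example-corp.com"}
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})

def normalize(domain: str) -> str:
    """Lower-case, undo single-character swaps, then collapse two-letter pairs."""
    d = domain.lower().translate(CONFUSABLES)
    return d.replace("rn", "m").replace("vv", "w")

def levenshtein(a: str, b: str) -> int:
    """Edit distance, to catch one or two substituted, dropped or added letters."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def split_from(from_header: str) -> tuple:
    """Split a From: value into (display name, address) with a plain regex, so a
    display name that merely looks like an address stays visible to the caller."""
    m = re.fullmatch(r"\s*(.*?)\s*<([^<>]*)>\s*", from_header)
    if m:
        return m.group(1).strip('" '), m.group(2).strip()
    return "", from_header.strip()

def classify_sender(from_header: str, legit=LEGIT_DOMAINS, max_dist: int = 2) -> str:
    """Return 'legitimate', 'lookalike:<domain>', 'display-name-spoof',
    'invalid' or 'unknown' for one From: header value."""
    name, addr = split_from(from_header)
    if "@" in name:                   # e.g. "alerts@examplebank.com <x@evil.example>"
        return "display-name-spoof"
    if "@" not in addr:
        return "invalid"
    domain = addr.rpartition("@")[2].lower()
    for good in legit:
        if domain == good or domain.endswith("." + good):
            return "legitimate"       # exact match or a genuine subdomain
    norm = normalize(domain)
    for good in legit:
        brand = good.split(".")[0]    # registered label, e.g. "examplebank"
        if norm == good or brand in norm or levenshtein(norm, good) <= max_dist:
            return f"lookalike:{good}"
    return "unknown"
```

A mail gateway or SIEM rule would run `classify_sender` over each inbound From: header and route anything other than `legitimate` or `unknown` for review; the edit-distance threshold and confusable map are deliberately conservative and should be tuned against the organization's own domain list.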
Awareness is Essential for Phishing Defense
Enterprises need to be vigilant in looking out for scams that are sent to users via email, text messages, and other means. One of the best defenses against phishing is awareness, so companies should make education a priority.
If employees are trained in how to recognize and avoid common phishing tactics, that can go a long way toward enhancing protection against these types of attacks.
Businesses should reinforce the idea that security is every individual’s and every team’s responsibility. If security is taken seriously and made a priority in all aspects of the business, then organizations can be better prepared for assaults such as phishing attacks.
DevSecOps Can Also Help Fight Phishing
DevSecOps, an extension of DevOps, enables the integration of security testing earlier in the development lifecycle, rather than later on when adding security capabilities might be more difficult and costly. By making security a high priority as early in the process as possible, developers can help enhance the security posture of the organization and its customers and partners.
Companies that adopt a DevSecOps approach can help ensure that security is built into applications from the outset of development, making software more secure and therefore less vulnerable to exploits. DevSecOps emphasizes security in every aspect of the software development lifecycle, which means that if an employee does fall prey to a phishing attack, secure software can help minimize the damage and prevent malware from spreading further into systems. Bottom line, phishing criminals take advantage of vulnerabilities in applications, and shifting left in the SDLC means fewer bugs for attackers to exploit.