Reporting Live From Collision Conference 2021: Part Two!

If you caught part one of our recap series on this year’s Collision conference, you know we covered a roundtable talk hosted by Veracode’s own Chris Wysopal. The talk focused on the risks of AI and machine learning, delving into discussions of how to manage the security aspects of these future-ready technologies — especially when it comes down to consumer privacy. 

Chris also had the opportunity to host a session of his own (watch here) covering the critical aspects of modern application security and the reasons that organizations need to get serious about security-minded approaches to their code. Here’s what we learned. 

Secure from the top down

Chris began his session Secure From the Top Down by noting that, today, it’s important to think about application and product security through the eyes of the developer or the builder. With so many applications running in the cloud and so many devices connected to the Internet of Things (IoT), Chris pointed out that the attack surface for threat actors is growing exponentially and that everyone building and deploying technology needs to consider the risks moving forward.

Connected devices are everywhere, Chris said, but they’re not typically behind a firewall. Normally, these devices are connected to 5G or Wi-Fi. According to Chris, this means devices essentially need to secure themselves and all of the connection points where they talk to other devices or they pose a security risk. 

Further, everything is connected through APIs today. “We used to have big, monolithic software packages with one big block of code,” Chris said. “Today, we have a lot of small devices; even with applications running in the cloud, they’re built with microservices and are talking to each other through APIs.” This is a way an attacker can exploit a device or an application, and means the builders of today need to improve the security around their APIs for a more secure tomorrow.

It’s already a problem; Chris pointed out in his session that, according to the 2020 Verizon Data Breach Investigations Report, 43 percent of breaches come from single page applications. Developers working on building these single page apps need to be more considerate with their security. 

Looking ahead at trends

Time is the biggest competitor for most organizations, according to Chris, and there are three main trends that are going to impact product security moving forward: ubiquitous connectivity, abstraction and componentization, and hyperautomation of software delivery. 

Ubiquitous connectivity

While this involves the rise of APIs and IoT devices, what it really comes down to is that each piece of software connected through the network and APIs must think about securing itself. “Each code that is exposing an API needs to think about how it will authenticate, encrypt, and secure itself from all the bugs an attacker might exploit,” Chris said. Chris notes that we need to make sure we have heavy API security, that we’re scanning APIs, and that we think about all of the different deployment environments a device might be in (such as Wi-Fi or 5G) to make sure those points are secure. 

Abstraction and componentization

As more developers rely on open source code to speed up development, organizations are taking a supply chain model approach to the way they are reviewing third-party options by these suppliers. For example, it’s helpful to have a bill of materials, a well-defined process in place, and to implement automated scanning tools to scan things in production. “Cloud technology adoption is a shared responsibility,” Chris noted. “We need to start to push security towards suppliers so that they notice new problems. That’s the mindset change that needs to happen when we’re using open source code and APIs. We need to track things like a manufacturer would.”

Hyperautomation of software delivery

We’ve always automated software delivery, but Chris is seeing the trend of ‘hyperautomation’ as more organizations automate every part of software delivery. This enables the concept of Everything as Code, Chris says, where everything that’s part of the pipeline is checked. “That’s the norm now, there’s no manual process once you’ve committed code, it can go all the way to deployment. What’s enabling this is virtual infrastructures. Having a ‘Security as Code’ mindset can help organizations keep up with speed and automation needs.” 

With these three trends taking shape, Security as Code (SaC) and Compliance as Code (CaC) mindsets are crucial to keeping that innovative momentum without sacrificing security. “Even though we’re going faster with development, we can still go faster with security at the same time,” Chris elaborates. “We’re using the same techniques with security testing as we are with everything else to prevent a lag.”

As Chris looks forward, he points out that approaching this from an ‘infrastructure as code’ mindset with SaC and CaC procedures in place is what will drive meaningful changes. When you approach application security from a SaC mindset, you’re shifting security measures left and implementing them sooner in the development process to catch flaws before they become problems. Shifting the scanning and patching processes left that organizations used to run in production means it’s easier to keep everything on schedule as you secure from the top down. 

Watch the full session from Chris below.

If you missed part one of this series, you can read it here. The Veracode team had a blast attending Collision 2021, and we’re looking forward to what they have in store for next year!