
Software developers should keep the following four trends in mind when it comes to securing their solutions:
1. Shift to the Zero Trust Model
More businesses are moving to the Zero Trust model; however, as Joe Leonard, CTO and VP of Security Strategy at GuidePoint Security, points out, it also takes a shift in culture and adapted processes to be effective.
“The traditional security model operated with implicit trust where everything was allowed unless it was known to be bad. Zero Trust implements a granular least privilege per-request access, where only those specified as needing access get access,” he says. “Organizations need to educate their employees on why the shift to Zero Trust is needed and relate it to how it can help them be more productive. At the end of the day, employees are focused on doing their jobs much more so than on prioritizing security. It’s critical to educate users on this shift and help them understand how this will ultimately allow them to be more efficient in their job responsibilities.”
He adds, “Transitioning from the traditional cybersecurity approach to one based on a Zero Trust model also requires a shift from a manual, static environment to one with more automation and integration of processes and systems that enables dynamic policy enforcement based on a user’s behavior in real time to determine access. It’s important to build in as much automation as possible so that controls are transparent to the end users.”
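The contrast Leonard draws, allow-by-default versus per-request least privilege with dynamic signals, is easy to see in code. The following is an added example written for this article, not code from GuidePoint Security or any product; the policy table, the role names and the risk signals (device compliance, MFA state, recent failed logins) are all constructed for illustration.

```python
from dataclasses import dataclass
from typing import Dict, Set, Tuple

@dataclass
class AccessRequest:
    """One access request with the context a Zero Trust policy engine evaluates (constructed fields)."""
    user: str
    role: str
    resource: str
    action: str
    device_compliant: bool      # posture signal from device management (assumed)
    mfa_verified: bool          # whether the session completed MFA (assumed)
    failed_logins_last_hour: int  # behavioral risk signal (assumed)

# Constructed policy: each (resource, action) pair lists the roles that need it.
# Anything not listed is denied by default; there is no implicit grant.
POLICY: Dict[Tuple[str, str], Dict] = {
    ("billing-db", "read"):  {"roles": {"finance", "finance-admin"}, "require_mfa": True},
    ("billing-db", "write"): {"roles": {"finance-admin"},            "require_mfa": True},
    ("wiki", "read"):        {"roles": {"finance", "finance-admin", "engineering"}, "require_mfa": False},
}

# The traditional model's only input: a list of things already known to be bad.
KNOWN_BAD_USERS: Set[str] = {"blocked.account"}

MAX_FAILED_LOGINS = 5

def implicit_trust_decision(req: AccessRequest) -> Tuple[bool, str]:
    """Traditional model: everything is allowed unless it is on a deny list."""
    if req.user in KNOWN_BAD_USERS:
        return False, "user is on the deny list"
    return True, "allowed (implicit trust)"

def zero_trust_decision(req: AccessRequest) -> Tuple[bool, str]:
    """Zero Trust model: evaluate every request against an explicit grant plus live context."""
    rule = POLICY.get((req.resource, req.action))
    if rule is None:
        return False, "no rule grants this action (default deny)"
    if req.role not in rule["roles"]:
        return False, f"role '{req.role}' is not granted {req.action} on {req.resource}"
    if rule["require_mfa"] and not req.mfa_verified:
        return False, "MFA required for this resource"
    if not req.device_compliant:
        return False, "device does not meet posture requirements"
    if req.failed_logins_last_hour >= MAX_FAILED_LOGINS:
        return False, "risk signal: repeated failed logins in the last hour"
    return True, "allowed (explicit grant, context verified)"

def compare_models(req: AccessRequest) -> Dict[str, Tuple[bool, str]]:
    """Run both models on the same request so the difference is visible side by side."""
    return {
        "implicit_trust": implicit_trust_decision(req),
        "zero_trust": zero_trust_decision(req),
    }

if __name__ == "__main__":
    # Constructed sample: an engineer whose account is not known-bad asks to read the billing database.
    sample = AccessRequest(
        user="alice", role="engineering", resource="billing-db", action="read",
        device_compliant=True, mfa_verified=True, failed_logins_last_hour=0,
    )
    for model, (allowed, reason) in compare_models(sample).items():
        print(f"{model:15s} -> {'ALLOW' if allowed else 'DENY '}: {reason}")
```

The implicit model grants the request because the account is not on a deny list; the Zero Trust model denies it because no rule grants engineering read access to the billing database. The same structure is what makes the automation Leonard describes possible: the posture and behavior fields are meant to be populated from live telemetry on every request rather than set once at login.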
2. Leverage Threat Modeling
Victor Wieczorek, VP, AppSec and Threat and Attack Simulation at GuidePoint Security, predicts, “Threat modeling is front and center in 2022 from an AppSec perspective. Not only is it now part of the OWASP Top 10, but the earlier you can identify design-related flaws and potential threats, as well as implement effective compensating security controls to mitigate those threats, the better you will be from both a security personnel’s and an application owner’s perspective.”
3. Gain Visibility into Third-Party Vulnerabilities
Wieczorek adds, “With the software supply chain attacks that we’ve seen in the last year, the big impact we’re seeing is that organizations are focused on trying to understand third-party and open-source libraries that are used in their software development. I think we’ll see more organizations creating software bills of materials (SBOMs) for many of their key solutions and including this as a requirement within their procurement process.”
4. Introduce New Security Roles
Wieczorek also sees employees taking on new roles. “As this need to understand, manage, and document our own software supply chains grows, we’re seeing new positions created by organizations to support this need, such as software supply chain architects and teams that manage this process internally and for the organization’s suppliers,” he says. “These teams are responsible for monitoring software dependencies, documenting secure usage, approving new libraries, managing internal and vendor SBOMs and identifying risk to the organization based on this data.”
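Sections 3 and 4 describe the same workflow from two angles: an SBOM lists what a solution depends on, and a supply chain team reviews that list against approved libraries and known risk. The following is an added example written for this article, not code from GuidePoint Security or any SBOM tool. The SBOM is a constructed CycloneDX-style JSON document, the approved-library table and the advisory entries (with placeholder identifiers such as ADV-EXAMPLE-001) are made up for illustration, and version comparison is a simple numeric-tuple comparison that assumes dotted integer versions.

```python
import json
from typing import Dict, List, Tuple

# Constructed CycloneDX-style SBOM for a fictional service; component names and versions are sample data.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "components": [
    {"type": "library", "name": "requests",    "version": "2.31.0", "purl": "pkg:pypi/requests@2.31.0"},
    {"type": "library", "name": "leftpad-ish", "version": "0.1.0",  "purl": "pkg:pypi/leftpad-ish@0.1.0"},
    {"type": "library", "name": "PyYAML",      "version": "5.3.1",  "purl": "pkg:pypi/pyyaml@5.3.1"}
  ]
}
"""

# Constructed approval table maintained by the supply chain team: library -> minimum approved version.
APPROVED_MIN_VERSION: Dict[str, str] = {
    "requests": "2.25.0",
    "pyyaml": "5.4",
}

# Constructed advisory feed with placeholder ids (not real CVEs): library, first fixed version.
ADVISORIES: List[Dict[str, str]] = [
    {"id": "ADV-EXAMPLE-001", "name": "pyyaml", "fixed_in": "5.4"},
]

def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '5.3.1' into (5, 3, 1) so versions compare numerically (assumes dotted integers)."""
    return tuple(int(part) for part in version.split("."))

def load_components(sbom_text: str) -> List[Dict[str, str]]:
    """Extract library components from a CycloneDX JSON document, normalising names to lowercase."""
    sbom = json.loads(sbom_text)
    if sbom.get("bomFormat") != "CycloneDX":
        raise ValueError("expected a CycloneDX SBOM")
    return [
        {"name": c["name"].lower(), "version": c["version"], "purl": c.get("purl", "")}
        for c in sbom.get("components", [])
        if c.get("type") == "library"
    ]

def review_sbom(sbom_text: str) -> Dict[str, List[str]]:
    """Compare every library in the SBOM against the approval table and the advisory feed."""
    findings: Dict[str, List[str]] = {"unapproved": [], "below_minimum": [], "advisory": []}
    for comp in load_components(sbom_text):
        label = f"{comp['name']}@{comp['version']}"
        minimum = APPROVED_MIN_VERSION.get(comp["name"])
        if minimum is None:
            # Never reviewed: the team has to approve it before it ships.
            findings["unapproved"].append(label)
        elif parse_version(comp["version"]) < parse_version(minimum):
            findings["below_minimum"].append(f"{label} (minimum approved {minimum})")
        for adv in ADVISORIES:
            if adv["name"] == comp["name"] and parse_version(comp["version"]) < parse_version(adv["fixed_in"]):
                findings["advisory"].append(f"{label}: {adv['id']} (fixed in {adv['fixed_in']})")
    return findings

if __name__ == "__main__":
    for category, items in review_sbom(SBOM_JSON).items():
        print(f"{category}:")
        for item in items:
            print(f"  - {item}")
```

Run against the constructed SBOM, the review flags leftpad-ish as never approved, and PyYAML both as below the team's minimum version and as matching the placeholder advisory; requests passes. The same loop applied to a supplier's SBOM is how the "internal and vendor SBOMs" Wieczorek mentions get turned into a concrete risk list rather than a document that is filed and forgotten.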