Page 119 - Cyber Defense eMagazine Special RSA Conference Annual Edition for 2022

•  Secure coding so vulnerabilities aren’t created in the first place
•  Use programming languages that are not inherently insecure (to run on platforms that can’t be secured)
•  Security review & source code scanning of applications before finalization

However, we have to assume every connected 5G IoT device, medical device or smartphone is accessible to attackers. If they can reach it, they will begin to understand the applications running on the device and use these as an attack surface for the application itself, or worse (via APIs) for the network with which it communicates. This problem is magnified many times over in smartphones by the simple existence of app stores: anyone can download apps before they reach the intended devices.

Securing the compiled applications is ever more important.


The bullets above are fairly standard and are (thankfully) now entering the mainstream as awareness grows of Zero Trust and Shift Left, but there is another process that is missing…

Application Protection, sometimes known as RASP (Runtime Application Software Protection), is a technique that can protect applications, and any security-sensitive code, so that the good work done in the three bullets above can’t be undone by attackers using static and dynamic analysis (or decryption tools) to understand and compromise applications by inserting whole new vulnerabilities.

This protection is applied during the development phase, before DevOps or DevSecOps groups need to become involved, or better still with these skills evident in the development team.

The assumption that compiled app code will be accessed, and that attackers have the tools and skills to analyse it, changes the security calculus completely.

Zero Trust means just that, and developers protecting their code understand that the actual end-point is not the device, or even the application within that device, but the source code on the developers’ machine, before it’s even compiled.


So when you decide to Shift Left, as we did, ask yourself, “how far?”