
How PH businesses can tighten up software supply chain against cyber attacks

Security has to be baked in from the start instead of an add-on feature in a connected world. In other words, it has to be built into a piece of software or part of a technology stack that is then used to build other digital services.

Photo by @privecstasy from Unsplash.com

By Dean Vaughan
Vice President of Asia Pacific, Azul

In September 2022, Philippine Airlines lost the personal data of frequent flyers when its IT provider was hacked, adding yet another example of the supply chain attacks that have bedeviled businesses globally in the past year.

The cyberattack on a third-party IT provider for the airline led to the theft of names, birth dates, nationality, gender and points balances, among other details.

Although it is unclear how the malicious actors managed to get into the victim’s systems, the incident once again reinforces the need to tighten up security against supply chain attacks.


For many of today’s IT systems, using third-party software in one form or another is inevitable, such is the interconnectedness of the Internet and the complexity of digital infrastructure.

An estimated 40% to 80% of the lines of code in software come from third parties such as libraries, components and software development kits. Unfortunately, that inherited code is also one reason the production code behind digital services is increasingly vulnerable.

By 2025, 45% of organizations worldwide will have experienced attacks on their software supply chains, a three-fold increase from 2021, according to research firm Gartner.

A lack of visibility hampers defense

This is a problem facing any digital economy and the Philippines is no different as it delivers more services over digital channels in the years ahead. The way forward has to involve better detection of such vulnerabilities without impacting performance.


To begin, you can only defend against something if you know what you are up against. Since many organizations do not peer into the nuts and bolts of the many third-party programs they use, they often are working on the hope that the code is free from vulnerabilities.

Even with a vulnerability detection tool in place, many organizations fail to act on a threat, because alerts are often too general or unable to differentiate between production and non-production code. This means the work required to clean up an infected or vulnerable system is too broad to be undertaken by already beleaguered security and application teams.

Today, organizations continue to grapple with Log4Shell, a critical vulnerability in Log4j, a widely used Java-based logging component. The flaw lets threat actors run code on a victim’s system and take control. Because Java is used so widely in modern IT infrastructure, it has affected countless servers and applications.

Yet, when the threat first emerged last year, few organizations could quickly find exactly where the vulnerable component sat in their IT systems, precisely because Java was used so extensively. The challenge was knowing where to look even when the dashboard lit up with a warning.

More precision needed


What is needed is greater precision, which requires better visibility than existing solutions provide. Application scans in CI/CD, application agents, or application inventories (SBOMs) are valuable approaches as part of a comprehensive security strategy. However, these approaches also have drawbacks, including false positives, which waste time through alert fatigue, and a performance impact that adds burden to Java teams and their applications.

Take Azul Vulnerability Detection, a new Software-as-a-Service (SaaS) product that continuously detects known security vulnerabilities that exist in Java applications. By eliminating false positives and with no performance impact, it is ideal for in-production use and addresses the rapidly increasing enterprise risk around software supply chain attacks.

Azul Vulnerability Detection identifies the code that actually runs, using sophisticated, highly granular techniques inside Azul JVMs (Java virtual machines), and maps it against a curated Java-specific database of common vulnerabilities and exposures (CVEs). This produces more accurate results, even for custom code and shaded components, so IT teams can get to a vulnerability and remediate the issue quickly and efficiently.
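The two passages above raise the same practical problem: finding exactly where a vulnerable Log4j build sits inside deployed Java artifacts, including fat jars that shade (relocate) the library and strip its Maven metadata. The following is an added example of the application-scan approach the article mentions, not Azul's product or its runtime technique; it walks an archive given as bytes, recurses into nested jars, matches the JndiLookup class by path suffix so relocated copies are still found, and reads the version from Maven's pom.properties when present. The constant names, the helper names and the sample fat jar are constructed for this example.

```python
import io
import zipfile

# Class that marks a Log4j 2.x core build containing the JNDI lookup that
# Log4Shell abused. Matching on the path suffix also catches shaded copies
# whose package prefix was relocated. Constant names are our own.
JNDI_LOOKUP_SUFFIX = "log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
NESTED = (".jar", ".war", ".ear")

def _version_from_pom(zf):
    """Return the log4j-core version from Maven's pom.properties, or None."""
    if POM_PROPS not in zf.namelist():
        return None
    for line in zf.read(POM_PROPS).decode("utf-8", "replace").splitlines():
        if line.startswith("version="):
            return line.split("=", 1)[1].strip()
    return None

def find_log4j(data, label):
    """Inspect one archive given as bytes, descending into nested jars/wars.
    Returns a list of (location, version) hits for embedded log4j-core."""
    hits = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return hits  # not a zip container; nothing to inspect
    with zf:
        names = zf.namelist()
        if any(n.endswith(JNDI_LOOKUP_SUFFIX) for n in names):
            hits.append((label, _version_from_pom(zf) or "unknown (shaded?)"))
        for n in names:
            if n.endswith(NESTED):  # fat jar: recurse into bundled archives
                hits.extend(find_log4j(zf.read(n), f"{label}!/{n}"))
    return hits

def build_sample():
    """Constructed sample: a fat jar that shades (relocates) log4j-core with
    its Maven metadata stripped, and also bundles an unshaded log4j-core jar."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("org/apache/logging/" + JNDI_LOOKUP_SUFFIX, b"\xca\xfe\xba\xbe")
        z.writestr(POM_PROPS, "version=2.14.1\n")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("shaded/org/apache/logging/" + JNDI_LOOKUP_SUFFIX, b"\xca\xfe\xba\xbe")
        z.writestr("lib/log4j-core-2.14.1.jar", inner.getvalue())
    return outer.getvalue()
```

Running `find_log4j(build_sample(), "app.jar")` reports both the shaded copy (version unknown, flagged for manual review) and the nested jar with its exact version; on a real host you would feed it the bytes of each .jar/.war/.ear found under the application directory.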

Gaining agility while beefing up security

To be sure, vulnerability detection tools are not new. Unfortunately, some end up providing the added security at the expense of performance. This means business agility suffers, because one’s security tool is slowing down transactions and requiring more computing resources and cost to run.


Organizations need to find a way to overcome the software supply chain problem. They need smarter tools that can beef up the security without adding overheads and dragging back performance.

When it comes to security in Java applications, what’s different with Azul Vulnerability Detection is its use of Azul Java virtual machines (JVMs), which provide highly accurate runtime-level visibility into what code is actually running and whether it is vulnerable. This enables faster remediation of vulnerabilities with significantly less operational overhead.

Additionally, because the tool is agentless, it avoids the performance penalty commonly associated with other security tools that require teams to install and maintain a separate piece of software. Taken together, Azul Vulnerability Detection makes security a byproduct of simply running Java software.

Fighting a winnable battle

Security has to be baked in from the start instead of an add-on feature in a connected world. In other words, it has to be built into a piece of software or part of a technology stack that is then used to build other digital services.


Unfortunately, supply chain attacks against trusted vendors and third-party code pose substantial enterprise risk.

The key to winning battles against increasingly sophisticated threats is to be armed with the right tools, ones that deliver a solid defense while retaining the agility that organizations need today. Even as cyber threats evolve, organizations have to be confident they can keep out the bad guys over time and continue delivering trusted digital services and experiences to their users.
