Enhancing code security: Tools and techniques for safeguarding your code
The security industry has learned to adapt over the years. As new hacking tactics succeed, the industry responds with new tools and techniques to detect, prevent and mitigate potential impacts.
Phishing, for example, has been a popular way to compromise email accounts for many years. Security awareness training emerged to combat phishing and reduce the frequency of users being fooled by phishing gambits. But cybercriminals are renowned for refining their strategies. They have learned to adjust phishing email subject lines to fit current events and develop new variations that suddenly gain real traction.
Some of the top topics of late that snare a good percentage of users masquerade as:
Messages from the IT help desk to change passwords
Account charges from online services
Information requests from HR.
As phishing techniques morph, security professionals respond by updating training videos. They also change email screening settings to catch phishing gangs' latest messaging favorites.
Similarly, ransomware has become one of the most potent forms of attack over the last couple of years. According to the latest Verizon Data Breach Investigations Report, 24% of data breaches involved ransomware. No wonder ransomware prevention tools are in high demand, and so many other security tools are incorporating ransomware detection and mitigation features.
Spotting anomalous developer behavior
The world of software development, too, has become a target for threat actors. With hundreds of millions of developers worldwide, many of them operating in the open-source arena, cybercriminals work hard to infiltrate platforms such as GitHub, Azure DevOps, GitLab or Bitbucket to insert malicious code or uncover security weaknesses.
Attacks on the likes of Kaseya and SolarWinds demonstrated the potential value to be derived from compromising the trusted code used by many different organizations to bypass security controls. Hence, tools and techniques are being developed that address developer behavior. Their goal is to find any backdoors or vulnerabilities that may have been put there by the bad guys.
Defining normal development
The idea of detecting developer behavior or traffic that falls outside normal parameters is sound in theory. But who determines what normal is? Take the case of the developer account takeovers that have become commonplace via phishing and other tactics. Developer accounts can be safeguarded by looking at the historical behavior of each developer and reviewing their audit trail, commits, pull requests, and other parameters. This provides an overall picture that can be used to gauge normal activity.
For example, Developer A might clone up to three repositories at once during a sprint. But if that same developer suddenly clones 30 in an hour, it is an indicator of a potential code exfiltration attempt.
“It’s not about performing too many clones,” said Nir Valtman, CEO and Co-Founder of Arnica. “It’s about the profile that you build for that identity.”
Normal can also be categorized based on how the code is written. Most developers have a particular style or follow a specific pattern or sequence of logic, and security software can classify that pattern as normal for each developer. Anyone inserting a piece of malicious code or introducing a backdoor stands out: the coding habits are atypical, the commit generates different forms of metadata, and the code is committed at unusual times. Together these form a signature that can be identified and is difficult to forge; current hackers have yet to mimic these characteristics.
Yet another facet of behavior-based code protection relates to permissions. Any developer who is sloppy or overly generous on account permissions is asking for trouble. By retaining a tightly controlled list of people allowed access to a repository or set of code, alerts can be generated the moment anyone else has accessed it.
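The per-identity clone profile described above (Developer A's three clones versus 30 in an hour) and the repository access-list alert, as one added example that is not code from the article or from Arnica's product; the audit log lines, the three-times-baseline threshold and the ALLOWLIST are constructed assumptions:

```python
from collections import defaultdict
from datetime import datetime

# Constructed audit trail: "<ISO timestamp> <user> <action> <repo>" per line.
# History: alice clones three repos in the 09:00 hour on each of four days.
HISTORY = "\n".join(f"2024-03-0{d}T09:{m:02d}:00 alice clone repo{m % 3}"
                    for d in range(1, 5) for m in (5, 25, 45))
# Recent: alice clones 30 repos in one hour; mallory touches a controlled repo.
RECENT = "\n".join(f"2024-03-08T14:{m:02d}:00 alice clone repo{m}"
                   for m in range(30)) + "\n2024-03-08T14:31:00 mallory clone billing"
# Tightly controlled access list per repository (only listed repos are checked).
ALLOWLIST = {"billing": {"alice", "bob"}}

def parse(log):
    """Turn audit lines into (timestamp, user, action, repo) tuples."""
    out = []
    for line in log.strip().splitlines():
        ts, user, action, repo = line.split()
        out.append((datetime.fromisoformat(ts), user, action, repo))
    return out

def clones_per_hour(events):
    """Per user, count clone events in each clock-hour bucket."""
    buckets = defaultdict(lambda: defaultdict(int))
    for ts, user, action, _repo in events:
        if action == "clone":
            buckets[user][ts.replace(minute=0, second=0, microsecond=0)] += 1
    return buckets

def clone_anomalies(history, recent, factor=3):
    """Flag an identity whose clones in any recent hour exceed factor x its own
    busiest historical hour, i.e. the profile built for that identity."""
    hist = clones_per_hour(parse(history))
    alerts = []
    for user, hours in clones_per_hour(parse(recent)).items():
        baseline = max(hist[user].values(), default=0)
        for hour, n in hours.items():
            if n > max(1, baseline) * factor:
                alerts.append((user, hour.isoformat(), n, baseline))
    return alerts

def allowlist_violations(recent, allowlist):
    """Flag any access to a controlled repo by an identity not on its list."""
    return [(user, repo, action) for _ts, user, action, repo in parse(recent)
            if repo in allowlist and user not in allowlist[repo]]

if __name__ == "__main__":
    print(clone_anomalies(HISTORY, RECENT))         # alice: 30 clones vs baseline 3
    print(allowlist_violations(RECENT, ALLOWLIST))  # mallory cloned billing
```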
Enhancing code security
Developers, therefore, can and should adopt vulnerability scanning, static code analysis, software composition analysis, secret scanning and anomaly detection. A smart practice is to scan before opening a pull request, so developers get feedback on security issues in code they have just written.
“It is wise to also figure out an approach to prevent high severity secrets from being introduced in the code,” said Valtman.
Security automation functions can help to catch and fix any errors developers make that expose secrets. In addition, there are plenty of open-source tools that can help developers to identify such vulnerabilities.
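A pre-pull-request secret gate that blocks only high-severity findings, as the article and Valtman recommend; this is an added example, not code from the article or from any named tool, and the detector patterns, severity tiers and SAMPLE_DIFF are constructed:

```python
import re

# Constructed detector table: (rule name, severity, compiled pattern).
DETECTORS = [
    ("private-key", "high",
     re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----")),
    ("aws-access-key-id", "high", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("hardcoded-password", "medium",
     re.compile(r"(?i)password\s*=\s*['\"][^'\"]{8,}['\"]")),
    ("generic-token", "low",
     re.compile(r"(?i)\b(?:token|api_key)\s*=\s*['\"][^'\"]{16,}['\"]")),
]
BLOCKING = {"high"}  # only these severities stop the pull request

def added_lines(diff):
    """Yield (file, text) for lines the diff adds; skip headers and removals."""
    current = None
    for raw in diff.splitlines():
        if raw.startswith("+++ "):
            current = raw[4:]
            current = current[2:] if current.startswith("b/") else current
        elif raw.startswith("+") and not raw.startswith("+++"):
            yield current, raw[1:]

def scan_diff(diff):
    """Run every detector over each added line; one finding per rule hit."""
    findings = []
    for path, text in added_lines(diff):
        for name, severity, rx in DETECTORS:
            if rx.search(text):
                findings.append({"file": path, "rule": name, "severity": severity})
    return findings

def gate(diff):
    """Return (allowed, findings): block only when a blocking severity is hit."""
    findings = scan_diff(diff)
    return not any(f["severity"] in BLOCKING for f in findings), findings

# Constructed diff; the key value is a placeholder, not a real credential.
SAMPLE_DIFF = """\
diff --git a/config.py b/config.py
--- a/config.py
+++ b/config.py
@@ -1,2 +1,4 @@
 DEBUG = False
+AWS_ACCESS_KEY_ID = "AKIAEXAMPLEKEY000001"
+DB_PASSWORD = "correct-horse-battery"
"""

if __name__ == "__main__":
    print(gate(SAMPLE_DIFF))  # (False, [aws-access-key-id/high, hardcoded-password/medium])
```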
Coders must embrace security
The time-honored distinction has been for coders to code and security personnel to clean up the security mess after the fact. However, the move into the world of agile development and the appearance of DevSecOps has necessitated a blurring of the boundaries between developers and security professionals.
It has become the duty of every employee to follow security best practices, be on the alert for possible phishing attempts, and do all they can to protect enterprise security. And it is now the duty of every coder to embrace their security responsibilities and build cybersecurity best practices into their coding workflow.
Yes, IT and security staff will continue to monitor their tools and ensure that no malicious code is included or can be inserted. But it is up to developers everywhere to adopt the right tools, mindset and educational programs to ensure the code they generate serves the needs of the business. In this era of rampant cyberattacks, a vital way that they can serve the business is to safeguard their code from outside influence or tampering.