Industry executives and experts share their predictions for 2022. Read them in this 14th annual VMblog.com series exclusive.
Threat Modeling and Software Supply Chain Security
By Josh Wallace, GuidePoint Security
2021 has brought many things, but from an
application security perspective, we've seen new standards from NIST and OWASP
around threat modeling and we've seen the impact of supply chain attacks that
have wreaked havoc on systems, industries and consumers. As we look to 2022, we
can use the application security related events from 2021 as our guide for
what's to come.
Threat modeling, threat modeling... and did someone say threat modeling!?!?
Following the Executive
Order on Improving the Nation's Cybersecurity (EO 14028), the National Institute
of Standards and Technology (NIST) published its Recommended Minimum Standard for
Vendor or Developer Verification of Code, which lists six recommended technique
classes for software verification. As the subhead of this section gives away,
threat modeling tops that list, followed by automated testing, code-based
(static) analysis, dynamic analysis, checking included software, and fixing
bugs. Rather than a one-time exercise at design sign-off, NIST recommends that
threat modeling be performed "multiple times during development, especially when
developing new capabilities, to capture new threats and improve modeling."
In addition to the
publication from NIST, the Open Web Application Security Project (OWASP) has
published a new version of the OWASP Top 10, the first new version since 2017.
As part of this release, OWASP has added a new item to the Top 10, Insecure
Design (A04:2021). This item focuses on design flaws, as distinct from
implementation bugs: a perfect implementation cannot fix a design that never
called for the needed control in the first place. It advocates for the use of
threat modeling and architecture reviews to catch those gaps before code is
written.
Most organizations are
using the standards published by NIST and OWASP to drive their application
security program. As a result, we are going to see a spike in threat modeling
activities and tooling in the coming year.
The earlier you can
identify design-related flaws and potential threats, and put effective
compensating controls in place to mitigate them, the better off both the
security team and the application owner will be. Because it ultimately helps
developers and security teams alike, threat modeling can also drive positive
culture change between these two groups and their viewpoints. Think about it:
if you can identify design flaws and potential threats in an application BEFORE
time is spent developing the application or feature, that is a win for the
development team. And if threat modeling is performed from the start, its
output gives the security team a basis for choosing relevant follow-on security
activities (which tests to run, which code to review, which controls to verify)
instead of applying the same checklist to everything.
Threat
modeling provides a win-win scenario by educating teams on the use of security
leading practices, and allowing teams to scale their security efforts while
avoiding costly design flaws that are difficult to fix once the application has
already been deployed to production.
Greater emphasis on cybersecurity within the software supply chain
Another prediction for the coming year is that
we will see more organizations focusing on supply chain security due to the
attacks and breaches that we saw in 2021, as well as the Executive Order on
Improving the Nation's Cybersecurity.
The biggest impact we will see is organizations
struggling to understand the third-party and open source libraries used in
their software. Tools in this space are maturing, and many organizations will
use them to start producing a Software Bill of Materials (SBOM) for their key
solutions; the machine-readable formats named in the NTIA minimum elements for
an SBOM, SPDX and CycloneDX, make those inventories something a tool can
consume rather than a spreadsheet. It will also become a normal part of the
procurement process to request an SBOM for solutions purchased from third-party
vendors. Expect some friction between organizations and their suppliers here,
as many technology suppliers have been hesitant to share this information in
the past, and an SBOM that omits package identifiers or license data is of
limited use to the buyer.
As this need to understand, manage, and document
our own software supply chains grows, we're going to see organizations create
new positions to support this need - particularly, software supply chain
architects and teams that will manage this process internally and for the
organization's suppliers. These teams will be responsible for monitoring
software dependencies, documenting secure usage, approving new libraries,
managing internal and vendor SBOMs and identifying risk to the organization
based on this data.
There are several key players in the software
composition analysis (SCA) space today, and I expect new vendors to keep
emerging. The leading SCA vendors will need to scale and adapt to manage
information supplied by vendors as well as what they discover in a build. There
is also an opportunity in an adjacent space: we are already starting to see new
vendors whose products consume SBOMs created by SCA tools and perform additional
analysis to identify risk in those components beyond known CVEs, such as
unapproved packages, license conflicts, and unmaintained projects.
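To make the "more than CVEs" point concrete, here is an added example (not code from the original article or from GuidePoint) of the kind of policy check an internal supply chain team could run over a CycloneDX JSON SBOM: is each component on the approved-library list, at or above the approved version, carrying an allowed license, and described well enough (package URL, license) to be assessed at all. The SBOM and the policy are constructed inline for the example; the policy layout (approved package URLs with minimum versions, allowed license set) is an assumption of this example, not a schema defined by CycloneDX, NTIA or NIST. It uses only the Python standard library.

```python
"""Policy checks over a CycloneDX JSON SBOM (stdlib only, Python 3.8+).

Added example. The sample SBOM and POLICY below are constructed for
illustration; the policy format is an assumption of this example.
"""
from __future__ import annotations

import json
import re
from dataclasses import dataclass

# Constructed CycloneDX 1.4 document: one clean component, one below the
# approved version, one unapproved with a disallowed license, and one vendor
# entry with no purl and no license (too thin to assess).
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"type": "library", "name": "lodash", "version": "4.17.21",
         "purl": "pkg:npm/lodash@4.17.21",
         "licenses": [{"license": {"id": "MIT"}}]},
        {"type": "library", "name": "requests", "version": "2.24.0",
         "purl": "pkg:pypi/requests@2.24.0",
         "licenses": [{"license": {"id": "Apache-2.0"}}]},
        {"type": "library", "name": "left-pad", "version": "1.3.0",
         "purl": "pkg:npm/left-pad@1.3.0",
         "licenses": [{"license": {"id": "WTFPL"}}]},
        {"type": "library", "name": "vendor-sdk", "version": "7.2"},
    ],
})

# Constructed policy (assumed format): versionless package URLs that an
# internal review has approved, with the oldest version allowed, plus the
# set of license identifiers the organization accepts.
POLICY = {
    "approved": {"pkg:npm/lodash": "4.17.21", "pkg:pypi/requests": "2.25.0"},
    "allowed_licenses": {"MIT", "Apache-2.0", "BSD-3-Clause"},
}


@dataclass(frozen=True)
class Finding:
    component: str  # "name@version" as written in the SBOM
    rule: str       # short rule identifier
    detail: str


def _purl_core(purl: str) -> str:
    """Drop purl qualifiers ('?...') and subpath ('#...')."""
    return purl.split("?", 1)[0].split("#", 1)[0]


def purl_without_version(purl: str) -> str:
    """pkg:npm/%40scope/pkg@1.2.3?arch=x86 -> pkg:npm/%40scope/pkg.
    Scoped npm names encode '@' as %40, so the last '@' is the version."""
    core = _purl_core(purl)
    return core.rsplit("@", 1)[0] if "@" in core else core


def purl_version(purl: str) -> str:
    core = _purl_core(purl)
    return core.rsplit("@", 1)[1] if "@" in core else ""


def version_key(version: str) -> tuple:
    """Numeric-tuple ordering: '4.17.21' -> (4, 17, 21). Good enough for
    dotted releases; a real tool should use ecosystem-specific rules."""
    return tuple(int(part) for part in re.findall(r"\d+", version))


def license_ids(component: dict) -> list:
    """Collect SPDX ids, names or expressions from a CycloneDX component."""
    ids = []
    for entry in component.get("licenses", []):
        lic = entry.get("license", {})
        ident = lic.get("id") or lic.get("name") or entry.get("expression")
        if ident:
            ids.append(ident)
    return ids


def check_sbom(sbom_text: str, policy: dict) -> list:
    bom = json.loads(sbom_text)
    if bom.get("bomFormat") != "CycloneDX":
        raise ValueError("expected a CycloneDX JSON document")
    findings = []
    for comp in bom.get("components", []):
        label = f"{comp.get('name', '?')}@{comp.get('version', '?')}"
        purl = comp.get("purl")
        if not purl:
            findings.append(Finding(label, "missing-purl",
                "no package URL; cannot be matched against the approved list"))
        else:
            base = purl_without_version(purl)
            minimum = policy["approved"].get(base)
            if minimum is None:
                findings.append(Finding(label, "not-approved",
                    f"{base} has not been through library approval"))
            elif version_key(purl_version(purl)) < version_key(minimum):
                findings.append(Finding(label, "below-minimum-version",
                    f"{purl_version(purl)} is older than approved minimum {minimum}"))
        ids = license_ids(comp)
        if not ids:
            findings.append(Finding(label, "missing-license",
                "no license data; supplier SBOM is incomplete"))
        for lic in ids:
            if lic not in policy["allowed_licenses"]:
                findings.append(Finding(label, "license-not-allowed",
                    f"{lic} is not in the allowed license set"))
    return findings


if __name__ == "__main__":
    for f in check_sbom(SAMPLE_SBOM, POLICY):
        print(f"{f.component:20} {f.rule:24} {f.detail}")
```

Run on the constructed SBOM this reports five findings: `requests` is below the approved minimum, `left-pad` is both unapproved and under a disallowed license, and the vendor entry lacks a purl and a license, while `lodash` passes cleanly. None of those is a CVE, which is the point: the same SBOM that feeds a vulnerability scanner also answers "did we approve this?", "is the license acceptable?", and "did the supplier give us enough to tell?".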
Conclusion
Organizations are writing more code than ever
before. Not only this, but they are also deploying at a much faster pace as
business needs are driving shorter release cycles. The only way that security
teams can keep up with this deployment rate is to enable developers to write
secure applications and prevent vulnerabilities earlier in the development
lifecycle. As we increase our vendor and open source footprint, it is also
critical that we understand the risks associated with these components and
enable application teams to make better decisions.
ABOUT THE AUTHOR
Josh Wallace is the Application Security
Strategic Services Practice Lead at GuidePoint Security. Since 2004, his
primary focus has been on helping organizations secure their products by
building business-aligned application security programs and leveraging
DevSecOps principles to embed security throughout the entire SDLC. He has
extensive experience in application development, cybersecurity architecture,
and application security consulting, specializing in DevSecOps and product
security. He has led multi-million-dollar application security transformations
spanning all areas of the business and has advised organizations of all shapes,
sizes, and maturity levels. Josh's experience includes designing and building
global application security programs, penetration testing, architecture reviews
and threat modeling, malicious code detection, and leading organization-wide
DevSecOps transformations.
Prior to GuidePoint, Josh served as the DevSecOps Practice Lead for a Big 4
consulting firm. In this role, Josh led a team of global security consultants
to perform Agile security testing and malicious code detection for a
multinational financial institution. Additionally, he was responsible for
creating several innovative services, such as a Security-as-Code program and
developing the foundations for "inner-loop" security. Josh's portfolio includes
customers across multiple sectors, including hospitality, power and utility,
tourism, healthcare, technology, and financial services.
Josh holds a Bachelor's degree in Psychology and an Associate's in Information
Systems. He also holds several certifications including the SANS GPEN and
Certified Ethical Hacker. He has presented at many industry conferences,
including LASCON, CodeMash, Protect, and DevSecCon.