Cybersecurity is hard. Companies stacked with security talent, and with no shortage of cybersecurity budget, get breached. Every. Year. The ones that make the headlines are the ones we know about. One can only assume that there are many more that have yet to be discovered…
Why does it seem like we are unable to stop these big breaches? While not exhaustive, here are some factors:
1. Asymmetry of effort:
Attackers only need to succeed once at exploiting a vulnerability, and have practically unlimited tries, while defenders need to succeed at preventing vulnerabilities from being exploited every single time.
2. Motivation is prioritization: incentive to exploit vs. pressure of timely releases
Attackers are organized and motivated by financial as well as political incentives — and as such have plenty of resources and tooling available to them to achieve their goals; i.e. the exploit is their ‘job’. Defenders do not have nearly the number of security professionals they need, and for the most part, their development organizations are feeling the time pressure of getting features out on time; getting features out on time is the ‘job’ — adding security on top is a ‘best effort’ endeavor in all but exceptional circumstances.
3. New attack surfaces:
New technologies (such as cloud, k8s, serverless, IaC, etc.) emerge, get adopted and end up in production before the industry has had a chance to understand how to use them securely, let alone build the security capabilities into the stack or distribute the knowledge to the developers and users of the tech stack.
Over the past couple of years, attackers have been successful at exploitation via a new attack surface: the software supply chain.
What is the software supply chain?
The software supply chain is everything that is used to produce the software your team is working on, and that includes:
Developer(s) along with the machines they are working on
The code the developers actually produce
SCM systems (GitHub, GitLab, etc.)
CI systems (GitHub Actions, CircleCI, Jenkins, Travis, etc.)
CD systems (Argo, etc.)
All 3rd party dependencies, along with the package repositories they reside in
Distribution systems for artifacts (Docker Hub, ECR, etc.)
And finally, the production environment in which the code finally lives, until the next code push…
Over the past couple of years in particular, every single one of the components that make up the supply chain has been successfully exploited.