Cybersecurity is hard. Companies stacked with security talent and with no shortage of cybersecurity budget get breached. Every. Year. The breaches that make the headlines are the ones we know about; one can only assume that many more have yet to be discovered…
Why does it seem like we are unable to stop these big breaches? While not exhaustive, here are some factors:
Attackers only need to succeed once at exploiting a vulnerability, and they have practically unlimited tries, while defenders need to succeed at preventing exploitation every single time.
Attackers are organized and motivated by financial as well as political incentives, and as such have plenty of resources and tooling available to achieve their goals; the exploit is their ‘job’. Defenders do not have nearly the number of security professionals they need, and for the most part their development organizations are under time pressure to ship features; shipping features on time is the ‘job’, and adding security on top is a ‘best effort’ endeavor in all but exceptional circumstances.
Furthermore, new technologies (such as cloud, k8s, serverless, IaC, etc…) emerge, get adopted and end up in production before the industry has a chance to understand how to use them securely, let alone build security capabilities into the stack or distribute that knowledge to the developers and users of the stack.
Over the past couple of years, attackers have been successfully exploiting a new attack surface: the software supply chain.
The software supply chain is everything that is used to produce the software your team is working on, and that includes:
Over the past couple of years in particular, every one of the components that make up the supply chain has been successfully exploited, and this trend is going to continue.
Our mission at boost security is to help all software teams ensure that they build secure software, and that they do so in a secure manner…