The SolarWinds software supply chain attack, which was delivered to over 18,000 customers via the company’s own software update process, was the result of malicious code deployed in SolarWinds’ Orion network monitoring software. The Wall Street Journal reported that the attack gave hackers potential access to sensitive corporate and personal data, and The Verge reported that “9 federal agencies and about 100 private sector companies were compromised.”
Takeaways from the SolarWinds supply chain attack
Supply chain attacks are not new, and recent headlines are an important reminder for organisations to look more closely at supply chain risks. That goes for both commercial software producers (companies that produce products and services for other organisations or for the public) and software supply chain consumers (companies that consume materials, products, and services from various third parties). Some of the takeaways from the recent attack are:
- Producers need to improve how they modernise and secure their development environments and DevSecOps processes.
- Consumers must ensure they’re using certified and legitimate supply chain software from trusted producers/third parties. They also must improve the criteria for their software acceptance.
- Companies should re-evaluate how they design and implement their systems and software in order to better protect themselves against increasingly sophisticated cyber attacks.
How can organisations better protect their sensitive data and corporate intellectual property, with a focus on application security?
Data protection requires collaboration
One of a CISO’s primary responsibilities is to protect their company’s important digital assets, which can include corporate intellectual property such as proprietary source code and other patented technology or confidential information. However, because of emerging privacy and regulatory laws and standards, CISOs and data protection officers now also need to protect user data — personally identifiable information (PII), personal health information (PHI), and payment card industry (PCI) data.
These new privacy laws are increasing the restrictions on the use, retention, and geographic residency of user data. Many organisations must therefore protect this data, and control how it is used, both internally and at the third-party vendors that handle it. CISOs need to work with their colleagues in data protection, privacy protection, IT infrastructure, compliance, and software development to ensure compliance with these data protection and privacy laws, standards, and guidelines. In addition, the emergence and adoption of hybrid clouds and multi-cloud services creates new challenges for data security. Other factors — the geographic origin of data, its storage location, and the locations from which users access it — further complicate what service providers and major cloud infrastructure providers need to do to secure their data.
Consumers are concerned about their data privacy
Consumers are becoming more wary about how their personal information is used. The National Conference of State Legislators, citing a report by the Pew Research Center, notes “More than 80% of Americans say they go online on a daily basis. Of those, 28% go online almost constantly and 45% go online several times a day. Consumers are now more aware that businesses, social media sites, and other websites may collect and share their personal information with third parties. They also hear more about security breaches, cyber attacks, and unauthorised sharing of personal information.”
Similarly, a survey of 1,000 consumers from the U.S. and the U.K. conducted by Entrust showed that 79% of consumers said they’re concerned about data privacy, and 64% said that concern has increased in the past 12 months. According to an article from Security Boulevard, the top reasons for consumers’ heightened concerns were news stories about data breaches and seeing an increase in targeted ads on social media.
The recent surge in remote work has also resulted in increased worker data privacy concerns. “What we found was that roughly two years ago most companies barely had a privacy team; it was tucked away in a legal office,” says Robert Waitman, director of data privacy at Cisco. “But with the shift to remote work because of the pandemic, privacy has become more important, mainly because employees were uncomfortable with the privacy of the tools available and the need for companies to provide a safe workplace.”
The role of application security in data protection
Understanding how application security ties into data and privacy protection is essential. With the digital transformation happening in many industries, organisations are compelled to digitise their business and web presence in order to gain and retain new customers faster than their competitors. This is especially true in the financial services, healthcare, and e-commerce/retail market segments, where usage of mobile and web applications and websites has increased significantly. However, these websites and applications can also serve as attack vectors: attackers use them as entryways into organisations’ databases, which contain sensitive user data that can be monetised on the dark web.
This whitepaper provides a summary of recent privacy laws and describes how different frameworks and security tools — including application security tools — can help ensure data protection and privacy. Software security services, architecture analysis, and threat modelling of new systems from both a security and systems engineering perspective are equally important.
CISOs should work collaboratively with their heads of software application development, third-party application procurement, and systems engineering to better protect sensitive data against potential cybersecurity attacks that can lead to costly data breaches. The recent SolarWinds software supply chain breach points to the urgent need for improved DevSecOps processes, secrets management, and sensitive data detection throughout the stages of the software development life cycle.
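One concrete form of the “sensitive data detection throughout the software development life cycle” recommended above is a scanner that runs in a pre-commit hook or CI stage and flags hard-coded secrets and PCI/PII-shaped values before they are committed. The following is an added example written for this page, not code from the whitepaper or from any vendor product; the detection rules (an AWS access key ID pattern, a generic password assignment, payment card numbers filtered with the Luhn check, and a US SSN shape) and the sample configuration text are constructed for illustration and would be tuned to a real code base.

```python
"""Sensitive-data detector for a pre-commit or CI stage (illustrative example).

Scans text for hard-coded secrets and PCI/PII-like values, redacts what it
finds so the report itself does not leak the value, and uses the Luhn check
to filter random digit runs (build numbers, IDs) out of card-number hits.
"""
import re
from dataclasses import dataclass
from typing import Callable, List, Optional, Pattern, Tuple


@dataclass(frozen=True)
class Finding:
    line_no: int
    kind: str
    snippet: str  # redacted excerpt, never the full matched value


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


# Each rule: (kind, compiled regex, optional validator applied to the matched text).
RULES: List[Tuple[str, Pattern[str], Optional[Callable[[str], bool]]]] = [
    # AWS access key IDs are 20 characters beginning with "AKIA" (publicly documented format).
    ("aws_access_key_id", re.compile(r"\bAKIA[0-9A-Z]{16}\b"), None),
    # Generic password assignment in source or config, e.g. password = "..."
    ("hardcoded_password",
     re.compile(r"(?i)\bpassword\s*[=:]\s*['\"][^'\"]{6,}['\"]"), None),
    # 13-19 digit runs, optionally separated by spaces or dashes, that pass Luhn.
    ("payment_card_number", re.compile(r"\b(?:\d[ -]?){12,18}\d\b"),
     lambda m: luhn_valid(re.sub(r"[ -]", "", m))),
    # US SSN-shaped value (PII).
    ("us_ssn", re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), None),
]


def redact(value: str) -> str:
    """Keep only the first four characters so findings can be logged safely."""
    return value[:4] + "*" * max(0, len(value) - 4)


def scan_text(text: str) -> List[Finding]:
    """Return one Finding per rule hit, in line order; invalid card candidates are dropped."""
    findings: List[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, pattern, validator in RULES:
            for match in pattern.finditer(line):
                value = match.group(0)
                if validator is not None and not validator(value):
                    continue  # e.g. a digit run that fails the Luhn check
                findings.append(Finding(line_no, kind, redact(value)))
    return findings


# Constructed sample input: a config file a developer might commit by mistake.
# The key ID is the example value from AWS documentation, not a live credential.
SAMPLE = """\
db_host = "db.internal.example"
password = "Sup3rSecret!"
aws_access_key_id = "AKIAIOSFODNN7EXAMPLE"
# test fixture
test_card = "4111 1111 1111 1111"
build_number = 1234567890123
customer_ssn = "123-45-6789"
"""

if __name__ == "__main__":
    for f in scan_text(SAMPLE):
        print(f"line {f.line_no}: {f.kind} -> {f.snippet}")
```

Run against the constructed sample, the scanner reports the password, the key ID, the test card and the SSN, and skips the 13-digit build number because it fails the Luhn check; the redacted snippets are what would go into a CI log, so the report does not itself become a secret.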