Business Reporter

Breaking the cycle of reactive security


It’s time to toss out security band-aids and start building a stronger foundation, argues Randall Degges at Snyk

 

Ever feel like your software supply chain is a leaky ship, and all you’ve got is a bucket? You’re not alone. Snyk’s 2024 Open Source Security Report reveals that many organisations are still stuck using outdated security approaches, struggling to plug holes as they appear instead of building a stronger, more seaworthy vessel from the start.

 

The cracks in the pipeline

Your build pipeline is like the assembly line for software - where code, tools, and packages come together to create your product. But here’s the kicker: this critical piece of infrastructure is often riddled with vulnerabilities because many companies rely on “security scanners” that haven’t evolved since floppy disks were cool. These old-school tools aren’t equipped for modern cloud-native environments, where speed and complexity create unique challenges.

 

Think of it like using a metal detector to find treasure underwater - it works on land but is useless in the ocean. To secure a modern build pipeline, you need tools that can keep up with today’s fast-paced, containerised, and cloud-driven development.

 

AI: Your frenemy in code

Let’s talk about AI. It’s like that friend who always seems confident but sometimes gives terrible advice. Our report found a whopping 78% of developers trust AI tools to write secure code, even though these tools have a nasty habit of introducing vulnerabilities. It’s like asking a robot to bake cookies - sure, it might get the recipe right, but don’t be surprised if it burns half the batch.

 

Why the misplaced confidence? Developers see AI as fast and efficient, and to its credit, it often is. But speed without scrutiny is risky. The good news? Smarter hybrid AI systems, which combine generative AI (the creative type) with symbolic AI (the rule-following type), can provide better results with fewer risks.

 

Supply chain’s security woes

Software supply chains are like your grandma’s famous lasagna recipe - layered, complex, and full of secret ingredients (read: dependencies). Each layer can be a potential point of failure. And guess what? We found that 45% of organisations identified vulnerabilities in their supply chains last year (and I strongly suspect that’s a conservative estimate).

 

Why? Most are stuck using traditional risk measures like CVSS scores (fancy numbers that tell you how bad a vulnerability could be). But these scores don’t always account for context, like whether that lasagna layer is on the top or buried in the middle. More modern techniques, like reachability analysis, can pinpoint whether a vulnerability is actually exploitable in your specific setup. Yet only a few organisations are using them.

 

And audits? Fewer than 25% of companies regularly audit their software supply chain. That’s like driving your car for years without ever checking the oil.

 

Breaking free: the recipe for success

It’s time to toss out the band-aids and start building a stronger foundation. Here’s how:

 

Upgrade your toolkit: Ditch the outdated scanners and adopt tools designed for modern pipelines, like SBOM (Software Bill of Materials) monitoring. Think of SBOM as a nutrition label for your software. It tells you exactly what’s inside so you can spot the bad stuff.

 

Prioritise the big risks: Not all vulnerabilities are created equal. Focus on the ones that could actually impact your business, instead of chasing every little flaw.

 

Get smart about AI: use it wisely, and validate its suggestions like you would double-check a friend’s “shortcut.” Establish clear rules for testing AI-generated code to keep your team safe from rogue bugs.

 

Embrace automation (with caution): Automating package safety checks can save time, but don’t rely on one tool to do all the work. Cross-check results to make sure nothing slips through the cracks.

 

Reassess processes: Security isn’t just about tools; it’s also about people and workflows. Sustainable practices and clear communication help prevent burnout and keep your team sharp.
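To make the first two recommendations concrete (read the SBOM, then prioritise by real impact rather than raw severity), here is an added example that is not part of the article or of Snyk’s tooling. It parses a constructed CycloneDX-style SBOM, matches its components against a constructed advisory list (placeholder ids, not real CVEs), and ranks findings so that the ones a hypothetical reachability analysis flagged as actually called come first, ahead of higher-CVSS issues that are never reached.

```python
import json

# Constructed minimal CycloneDX-style SBOM; not a real project's SBOM.
SBOM_JSON = """{
  "bomFormat": "CycloneDX", "specVersion": "1.5",
  "components": [
    {"type": "library", "name": "yaml-parser", "version": "2.1.0",
     "purl": "pkg:npm/yaml-parser@2.1.0"},
    {"type": "library", "name": "left-padder", "version": "0.9.3",
     "purl": "pkg:npm/left-padder@0.9.3"},
    {"type": "library", "name": "image-magick-bind", "version": "4.0.1",
     "purl": "pkg:npm/image-magick-bind@4.0.1"}
  ]
}"""

# Constructed advisory feed keyed by package URL; ids are placeholders.
ADVISORIES = {
    "pkg:npm/yaml-parser@2.1.0": {"id": "ADV-EXAMPLE-1", "cvss": 9.8},
    "pkg:npm/left-padder@0.9.3": {"id": "ADV-EXAMPLE-2", "cvss": 5.3},
    "pkg:npm/image-magick-bind@4.0.1": {"id": "ADV-EXAMPLE-3", "cvss": 7.5},
}

# Constructed output of a hypothetical reachability analysis: purls whose
# vulnerable code paths are actually invoked by this application.
REACHABLE = {"pkg:npm/left-padder@0.9.3"}


def components_from_sbom(sbom_json):
    """Return the purls listed in the SBOM (its 'ingredient list')."""
    bom = json.loads(sbom_json)
    return [c["purl"] for c in bom.get("components", []) if "purl" in c]


def prioritise(sbom_json, advisories, reachable):
    """Match SBOM components against advisories and rank the findings:
    reachable first, then by CVSS descending within each group.
    Returns (purl, advisory_id, cvss, is_reachable) tuples."""
    findings = []
    for purl in components_from_sbom(sbom_json):
        adv = advisories.get(purl)
        if adv:
            findings.append((purl, adv["id"], adv["cvss"], purl in reachable))
    # False sorts before True, so 'not reachable' puts reachable items first.
    findings.sort(key=lambda f: (not f[3], -f[2]))
    return findings


if __name__ == "__main__":
    for purl, adv_id, cvss, hit in prioritise(SBOM_JSON, ADVISORIES, REACHABLE):
        tag = "REACHABLE" if hit else "not reached"
        print(f"{tag:12} CVSS {cvss:<4} {adv_id:14} {purl}")
```

Ranked by CVSS alone, the 9.8 finding would top the list; with reachability folded in, the 5.3 issue that the application actually exercises moves to the front, which is the "focus on what could impact your business" point in practice.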

 

Breaking the cycle of reactive security

Security is like cooking - people, process, and technology are your ingredients. Get the balance right, and you’ll have a recipe for success. But ignore one element, and things could boil over fast.

 

By focusing on proactive measures, embracing smarter tools, and giving AI the side-eye when needed, we can break the cycle of reactive security and build a supply chain that’s as strong as the software it supports. The future is here. Let’s make sure it’s secure.

Randall Degges is Head of Developer and Security Relations at Snyk

 

Main image courtesy of iStockPhoto.com and porcorex

© 2024, Lyonsdown Limited. Business Reporter® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543