The Top 3 Security Threats Developers Need to Defend Against Right Now – DevPro Journal


Priority and proactivity: two variables that can make all the difference in securely developing applications from ideation to shipping. But as headlines across security media continue to show, doing so is often much easier said than done.

Security throughout the development pipeline is, of course, a holistic process, but here are three especially urgent areas where many developer teams still need to catch up:

1. API security

In the rush to implement new API connectivity and expedite application development lifecycles, API security continues to take a backseat—and the cost of that trade-off rises by the day. Attackers view APIs as a ripe and continuously expanding vector for infiltrating enterprise systems and exposing sensitive data. Developer teams must be more intentional about adopting the most current and effective API security best practices.

API development is becoming synonymous with GraphQL as teams modernize around the API query language and move away from REST APIs. That’s good (and certainly the future), but GraphQL’s freeform architecture introduces fresh attack surfaces that demand immediate attention (ideally at the onset of a GraphQL API implementation). While some developers may find direct security responsibilities unfamiliar territory, GraphQL places considerable access control and operational functions squarely in their hands. Success can often hinge on developers embracing this security role.

The depth of the security hole is concerning: 34% of enterprises openly admitted to having zero API security strategy whatsoever, leaving them perilously exposed. Equally concerning, 85% acknowledged that their existing tools proved inadequate in effectively countering API attacks. This is somewhat expected, given that traditional security measures struggle to fend off attacks that hide within the intricate logic of APIs.

Consider, for instance, how attackers can exploit APIs by overwhelming registration endpoints with malicious clients, launching frequent login attempts, leveraging account information to expose user information, and tampering with various parameters. Compounding the issue, GraphQL API traffic and vulnerabilities often go unnoticed due to the lack of proper security tools. It’s a big issue that is getting bigger, and teams need to prioritize and execute a well-defined security strategy that can shore up growing (and glaring) API security vulnerabilities.
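The attack patterns above (deeply nested or heavily batched operations, and hammering login or registration endpoints) can be cut down before an operation ever reaches a resolver. The following is an added example, not code from the article or from Inigo: a pre-parse guard for a GraphQL endpoint that bounds operation length, selection depth and root-field count (alias batching shows up as a large root-field count), plus a sliding-window attempt limiter for sensitive mutations. The limit values, the client key and the sample operations are assumptions; a production deployment would apply the same limits as validation rules on the parsed AST (graphql-js accepts custom rules in `validate`), since the brace-counting here is a cheap approximation.

```javascript
// Added example (not from the article or from Inigo). Limits are assumptions; tune per schema.
const LIMITS = { maxDepth: 6, maxRootFields: 10, maxLength: 5000 };

// Remove block strings, strings and comments so braces inside them are ignored.
function stripLiterals(query) {
  return query
    .replace(/"""[\s\S]*?"""/g, '""')
    .replace(/"(?:\\.|[^"\\])*"/g, '""')
    .replace(/#[^\n]*/g, '');
}

// Nesting depth of selection sets; the operation's own selection set counts as 1.
function selectionDepth(query) {
  let depth = 0, max = 0;
  for (const ch of stripLiterals(query)) {
    if (ch === '{') { depth += 1; if (depth > max) max = depth; }
    else if (ch === '}') depth -= 1;
  }
  return max;
}

// Number of fields selected directly under the operation. Alias batching such as
// "l1: login(...) { token } l2: login(...) { token } ..." shows up as a large count.
function rootFieldCount(query) {
  let depth = 0, paren = 0, out = '';
  for (const ch of stripLiterals(query)) {
    if (ch === '{') depth += 1;
    else if (ch === '}') depth -= 1;
    else if (ch === '(') paren += 1;
    else if (ch === ')') paren -= 1;
    else if (depth === 1 && paren === 0) out += ch; // text at root level, outside arguments
  }
  const names = out
    .replace(/@\w+/g, '')      // drop directives
    .replace(/\w+\s*:/g, '')   // drop alias prefixes so aliased fields still count once each
    .match(/[A-Za-z_]\w*/g) || [];
  return names.length;
}

// Returns { ok: true, depth, roots } or { ok: false, reason, ... } for the first violated limit.
function inspectOperation(query, limits = LIMITS) {
  if (query.length > limits.maxLength) return { ok: false, reason: 'length' };
  const depth = selectionDepth(query);
  if (depth > limits.maxDepth) return { ok: false, reason: 'depth', depth };
  const roots = rootFieldCount(query);
  if (roots > limits.maxRootFields) return { ok: false, reason: 'root_fields', roots };
  return { ok: true, depth, roots };
}

// Sliding-window counter for sensitive mutations (login, register), keyed by
// whatever identifies the caller: client IP, API key or account name.
class AttemptLimiter {
  constructor(maxAttempts, windowMs) {
    this.maxAttempts = maxAttempts;
    this.windowMs = windowMs;
    this.hits = new Map();
  }
  allow(key, now = Date.now()) {
    const recent = (this.hits.get(key) || []).filter(t => now - t < this.windowMs);
    const allowed = recent.length < this.maxAttempts;
    if (allowed) recent.push(now);
    this.hits.set(key, recent);
    return allowed;
  }
}

// Stand-alone demo on constructed operations (client key 203.0.113.9 is a documentation address).
const batchedLogin = 'mutation { ' +
  Array.from({ length: 12 }, (_, i) => `a${i}: login(u: "x", p: "y") { token }`).join(' ') + ' }';
console.log(inspectOperation('{ me { id name } }'));
console.log(inspectOperation('{ a { b { c { d { e { f { g } } } } } } }'));
console.log(inspectOperation(batchedLogin));
const limiter = new AttemptLimiter(3, 60000);
console.log([0, 1000, 2000, 3000].map(t => limiter.allow('203.0.113.9', t)));
```

Rejections from `inspectOperation` and denials from `AttemptLimiter` are worth logging with the operation name and client key, since a steady stream of them is exactly the GraphQL traffic the article says usually goes unnoticed.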

2. Supply chain security

Protecting against attackers injecting vulnerabilities into widely used libraries, frameworks, or tools is becoming a larger concern for developer teams by the day. The impact can quickly become widespread: if a popular library gets compromised, it can affect myriad applications relying on it.

The security challenge lies in ensuring the trustworthiness of dependencies. Developers often use third-party libraries and open-source tools to expedite development, but without thorough auditing, these dependencies become security risks. Furthermore, modern software development is complex, with various dependencies, from package managers to build tools. This intricacy provides multiple potential entry points for attackers to infiltrate the supply chain.

Cybercriminals and state-sponsored actors have become more sophisticated in their methods. They can compromise a developer’s account, insert malicious code into a repository, or initiate attacks at different stages of the software supply chain. (To use GraphQL as an example, bad actors know how to detect and identify server types and target attacks specific to that server’s weakness.) Additionally, regulatory bodies are beginning to scrutinize supply chain security, which could lead to legal and compliance challenges for developer teams.

To mitigate this concern, developers should more proactively manage their dependencies by keeping them up to date and using tools to identify vulnerabilities. (Developers should also be wary about in-house tools, which can be costly to maintain and could also carry weaknesses.) Thorough code reviews are essential—especially when it comes to changes in dependencies. Strict access controls, coupled with multi-factor authentication for repositories and build systems, can prevent unauthorized alterations. Encouraging transparency within the supply chain can help developers understand the dependencies they rely on. Finally, integrating security testing into the development process via automated checks can help detect vulnerabilities early on.
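One concrete form of the "manage your dependencies" advice above is to check what the lockfile actually pins before every install. The following is an added example, not code from the article: an audit over an npm package-lock.json (lockfileVersion 2/3 layout, which keys each installed package by its path under "packages") that flags dependencies resolved outside an allowed registry, entries without a strong integrity hash, and packages that declare an install script. The sample lockfile, package names, versions and hash values are constructed placeholders.

```javascript
// Added example (not from the article). Registry allow-list is an assumption.
const ALLOWED_REGISTRIES = ['https://registry.npmjs.org/'];

// Walks lock.packages and returns one finding per problem: { name, issue }.
function auditLockfile(lock, allowed = ALLOWED_REGISTRIES) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === '' || entry.link) continue; // root project and workspace symlinks
    const name = path.replace(/^.*node_modules\//, '');
    const resolved = entry.resolved || '';
    if (!resolved) {
      findings.push({ name, issue: 'no resolved URL, so the source cannot be verified' });
    } else if (!allowed.some(r => resolved.startsWith(r))) {
      findings.push({ name, issue: `resolved outside allowed registries: ${resolved}` });
    }
    // SRI-style hash; sha1 (used by very old lockfiles) is treated as weak.
    if (!/^sha(256|384|512)-[A-Za-z0-9+/=]+$/.test(entry.integrity || '')) {
      findings.push({ name, issue: 'missing or weak integrity hash' });
    }
    if (entry.hasInstallScript) {
      findings.push({ name, issue: 'declares an install script (code runs at install time)' });
    }
  }
  return findings;
}

// Constructed sample lockfile: names, versions, URLs and hashes are placeholders.
const SAMPLE_LOCK = {
  name: 'example-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-app', dependencies: { alpha: '1.0.0', beta: '2.1.0', gamma: '0.3.0' } },
    'node_modules/alpha': {
      version: '1.0.0',
      resolved: 'https://registry.npmjs.org/alpha/-/alpha-1.0.0.tgz',
      integrity: 'sha512-' + 'A'.repeat(86) + '==',
    },
    'node_modules/beta': {
      version: '2.1.0',
      resolved: 'https://registry.npmjs.org/beta/-/beta-2.1.0.tgz',
      integrity: 'sha512-' + 'B'.repeat(86) + '==',
      hasInstallScript: true,
    },
    'node_modules/gamma': {
      version: '0.3.0',
      resolved: 'git+ssh://git@git.example.invalid/org/gamma.git#0000000',
    },
  },
};

// Convenience for a CI gate: true when the lockfile is clean.
function lockfileIsClean(lock, allowed = ALLOWED_REGISTRIES) {
  return auditLockfile(lock, allowed).length === 0;
}

console.log(auditLockfile(SAMPLE_LOCK));
console.log('clean:', lockfileIsClean(SAMPLE_LOCK));
```

Against a real project, load the file with `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))` and fail the build when `lockfileIsClean` returns false; pair it with `npm ci` (which installs exactly what the lockfile records) and `npm audit` for known-vulnerable versions, which this check does not cover.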

3. Container security

While not new at this point, the complexity of rapidly deployable and scalable containers continues to give developers security fits. There’s been a lot of progress here as container ecosystems have matured, but security-at-scale has remained a challenge. Teams need to stay vigilant around continuous vulnerability scanning, runtime security monitoring, image signing and verification mechanisms (and even resource execution).

Thorough access controls also matter here, including the ability to enforce them consistently across disparate technologies (in GraphQL, for example, the schema is where that enforcement lives). But as much as possible, security practices need to be integrated directly into the software development pipeline. Without end-to-end security processes, continual audits, and the right analytics tools for visibility throughout, the entire container deployment can be compromised. Attackers can insert unauthorized or malicious images into the environment, or gain lateral movement within the network once they have access. If they get to that stage, they can potentially compromise other containers, applications, or systems.
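The "image signing and verification" and "unauthorized images" points above come down to a simple pipeline check: every image reference should come from an approved registry and be pinned by digest, because a tag can be re-pointed at a different image while a digest cannot. The following is an added example, not code from the article: a parser for container image references (registry, repository, tag, digest) and an audit that scans a Kubernetes manifest for `image:` values and reports unpinned, floating-tag or off-registry images. The manifest, the registry allow-list and the digest value are constructed placeholders; signature verification itself (e.g. with an admission controller) is a separate step that this check does not perform.

```javascript
// Added example (not from the article). Registry allow-list is an assumption.
const ALLOWED_IMAGE_REGISTRIES = ['registry.example.internal', 'docker.io'];

// Splits "registry/repo:tag@sha256:..." into its parts. The first path component is a
// registry only if it looks like a host (contains '.' or ':' or is "localhost"); otherwise
// the reference is on Docker Hub, mirroring how docker and containerd resolve names.
function parseImageRef(ref) {
  const at = ref.indexOf('@');
  const digest = at === -1 ? null : ref.slice(at + 1);
  const rest = at === -1 ? ref : ref.slice(0, at);
  const parts = rest.split('/');
  let registry = 'docker.io';
  if (parts.length > 1 && /[.:]|^localhost$/.test(parts[0])) registry = parts.shift();
  let repo = parts.join('/');
  let tag = null;
  const colon = repo.lastIndexOf(':');
  if (colon !== -1 && !repo.slice(colon).includes('/')) {
    tag = repo.slice(colon + 1);
    repo = repo.slice(0, colon);
  }
  return { registry, repo, tag, digest };
}

// Policy check for one reference; returns the parsed parts plus a list of issues.
function checkImage(ref, allowed = ALLOWED_IMAGE_REGISTRIES) {
  const img = parseImageRef(ref);
  const issues = [];
  if (!allowed.includes(img.registry)) issues.push(`registry ${img.registry} not in allow-list`);
  if (!img.digest) issues.push('not pinned by digest; the tag can be re-pointed at another image');
  else if (!/^sha256:[0-9a-f]{64}$/.test(img.digest)) issues.push('malformed digest');
  if (img.tag === 'latest' || (!img.tag && !img.digest)) issues.push('floating tag');
  return { ref, ...img, issues };
}

// Pulls every "image:" value out of a manifest with a plain text scan (no YAML parser needed).
function auditManifest(yamlText, allowed = ALLOWED_IMAGE_REGISTRIES) {
  const refs = [...yamlText.matchAll(/^\s*-?\s*image:\s*["']?([^\s"']+)/gm)].map(m => m[1]);
  return refs.map(r => checkImage(r, allowed));
}

// Constructed inputs: the digest is a placeholder, not a real image digest.
const PLACEHOLDER_DIGEST = 'sha256:' + 'a'.repeat(64);
const SAMPLE_MANIFEST = `
apiVersion: apps/v1
kind: Deployment
spec:
  template:
    spec:
      initContainers:
        - name: migrate
          image: registry.example.internal/team/migrate:1.4.2@${PLACEHOLDER_DIGEST}
      containers:
        - name: api
          image: registry.example.internal/team/api:1.4.2
        - name: cache
          image: "redis:latest"
        - name: sidecar
          image: ghcr.io/example-org/sidecar
`;

for (const result of auditManifest(SAMPLE_MANIFEST)) {
  console.log(result.ref, result.issues.length ? result.issues : 'ok');
}
```

Run it over rendered manifests in CI and fail the pipeline on any non-empty `issues`; the digest-pinning requirement is what makes a later signature check meaningful, since the signature is bound to the digest, not the tag.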

Shahar Binyamin

Shahar Binyamin is the CEO of Inigo, a GraphQL management platform. A software engineer by trade, he has extensive experience working on high-profile enterprise application and security projects. Among his roles, Shahar spent several years within the InfoSec Unit of the Israeli Defense Forces. He has also led product development at Dropbox and Kiteworks, with a focus on ensuring data and API security. He co-founded Inigo to address the disconnect between developers using GraphQL and the API security and operation challenges they were having. Shahar lives in Silicon Valley, where Inigo is headquartered.

