Security is no longer a simple task

Last week’s news of the SolarWinds compromise, which shook the foundations of trust in third-party software and in the systems that depend on it, illustrates more clearly than ever why we need to understand where vulnerabilities may lie hidden in what we deploy, and how to take appropriate action to remove them.

Most legacy systems run on proprietary hardware and operating systems (IBM z/OS mainframes, the AS/400 and its successors, and so on). Working with them means a limited choice of languages, typically COBOL or PL/I, and any change requires access to, and modification of, the application's own source code.

In the past two decades, the evolution of open systems has produced a proliferation of operating systems, platforms and applications, and every few years a new programming language seems to be introduced.

As a result, open systems, though easy to work with and the enablers of the internet revolution (and more recently the mobile and cloud revolutions), embed a far more complex and diverse set of technologies than the legacy systems they replaced.

Over the years IT departments have grown from simple, self-contained setups into a collection of specialist teams: developers, testing and QA, DevOps, and so on. Understanding what is actually running in production is no longer any single department's or team's responsibility. This is the dangerous ground on which many enterprises are sleepwalking.

It may come as a surprise to some that most developers do not write all of their code from scratch. It is practically impossible to deliver business requirements on schedule without third-party (mostly open-source) software libraries.

Some might say that many of today's developers are being zombified into delivering shiny features without knowing what the underlying software is composed of or how it works. Whatever the truth may be, hundreds of thousands of open-source and proprietary libraries are swept into the enterprise environment. Most of them need constant updating, because the open-source developers themselves depend on further libraries that must be updated for bug fixes, security patches, and so on.

Take the example of a Node.js application: a simple one-page insurance calculator whose installed dependency tree comes to almost 5,000 files. No one has the time or the expertise to examine each and every file for security risks.
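What a reviewer can do instead of reading 5,000 files is inventory the lock file and pull out the parts of the tree that deserve a closer look: how many packages are pulled in transitively rather than chosen by the team, which ones run install-time scripts, which ones are fetched from somewhere other than the public registry, and which ones have no integrity hash. The script below is an added example, not code from the original post; the package-lock.json it audits is constructed inline, and the package names in it (ui-widgets, rate-engine, dom-helpers, fast-math) are hypothetical. It relies only on fields that npm writes into lockfileVersion 2 and 3 files (`packages`, `resolved`, `integrity`, `hasInstallScript`).

```javascript
// Added example: audit an npm package-lock.json (lockfileVersion 2 or 3).
// The lock file below is constructed for this example; the package names
// are hypothetical and do not refer to real npm packages.
const SAMPLE_LOCKFILE = {
  name: "insurance-calculator",
  lockfileVersion: 3,
  packages: {
    // "" is the root project; its dependencies are the ones the team chose.
    "": {
      name: "insurance-calculator",
      dependencies: { "ui-widgets": "^2.0.0", "rate-engine": "^1.4.0" },
    },
    "node_modules/ui-widgets": {
      version: "2.3.1",
      resolved: "https://registry.npmjs.org/ui-widgets/-/ui-widgets-2.3.1.tgz",
      integrity: "sha512-AAAA",
      dependencies: { "dom-helpers": "^1.0.0" },
    },
    "node_modules/dom-helpers": {
      version: "1.0.4",
      resolved: "https://registry.npmjs.org/dom-helpers/-/dom-helpers-1.0.4.tgz",
      integrity: "sha512-BBBB",
    },
    "node_modules/rate-engine": {
      version: "1.4.2",
      resolved: "https://registry.npmjs.org/rate-engine/-/rate-engine-1.4.2.tgz",
      integrity: "sha512-CCCC",
      dependencies: { "fast-math": "0.9.0" },
    },
    // A transitive dependency pulled straight from a git URL, with no
    // integrity hash, that runs a lifecycle script at install time.
    "node_modules/fast-math": {
      version: "0.9.0",
      resolved: "git+ssh://git@example.invalid/fast-math.git#abc123",
      hasInstallScript: true,
    },
  },
};

const PUBLIC_REGISTRY = "https://registry.npmjs.org/";

// Strip the node_modules path prefix, keeping scoped names (@scope/name)
// and handling nested installs (node_modules/a/node_modules/b -> b).
function packageName(lockPath) {
  const marker = "node_modules/";
  return lockPath.slice(lockPath.lastIndexOf(marker) + marker.length);
}

// Walk every installed package and collect the review-worthy findings.
function auditLockfile(lock) {
  const root = lock.packages[""] || {};
  const direct = new Set([
    ...Object.keys(root.dependencies || {}),
    ...Object.keys(root.devDependencies || {}),
  ]);
  const findings = {
    total: 0,
    direct: direct.size,
    transitive: 0,
    installScripts: [], // packages that execute code during `npm install`
    nonRegistry: [],    // packages not fetched from the public registry
    noIntegrity: [],    // packages with no integrity hash to pin content
  };
  for (const [lockPath, pkg] of Object.entries(lock.packages)) {
    if (lockPath === "") continue;
    const name = packageName(lockPath);
    findings.total += 1;
    if (!direct.has(name)) findings.transitive += 1;
    if (pkg.hasInstallScript === true) findings.installScripts.push(name);
    if (pkg.resolved && !pkg.resolved.startsWith(PUBLIC_REGISTRY)) {
      findings.nonRegistry.push(name);
    }
    if (!pkg.integrity) findings.noIntegrity.push(name);
  }
  return findings;
}

console.log(JSON.stringify(auditLockfile(SAMPLE_LOCKFILE), null, 2));
```

On the sample above the report shows 4 installed packages, of which only 2 were chosen directly, and a single transitive package (fast-math) that trips all three checks at once. To run it against a real project, replace `SAMPLE_LOCKFILE` with the parsed contents of the project's own package-lock.json; the checks are the same, and the three lists are where a reviewer's limited time is best spent.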

Here is an example of malicious code that Malwarebytes found in a library inside a deployed enterprise application.

Malicious code found by Malwarebytes.

Digital transformation at its best should not mean merely replacing one system with another, but introducing a better system, with fewer risks, that makes future change easier.