We won’t start yet another blog yammering about how bad the consequences of an attack are. There’s a lot on the line, including both financial and reputational losses. You get it. We get it. Cybercriminals definitely get it.
Another thing cybercriminals get is automation. Attacks are up and their rise is expected to continue, in no small part due to the fact that attackers are using automation to scale their criminal enterprises. With automated tools they can locate more victims faster, launch more attacks at once, and reach further along the supply chain than ever before.
Well, that’s just great. What’s to be done about it? The obvious answer is that software vendors must use defensive automation of their own.
The automation revolution in cyberattacks
Automation plays a significant role in the modern business of cyberattacks. Malicious actors use automation to their advantage to lower their costs, streamline their organizations, lend speed and scale to their attacks, and increase their chances of success.
Here are just a few ways adversaries are using automation:
Malware and botnets – The creation and management of botnets, networks of compromised computers that can be remotely controlled to perform various malicious activities, including the distribution of malware, is largely done through automation.
Phishing campaigns – Automated phishing kits are readily available for purchase on the dark web. These kits allow adversaries to easily create convincing phishing websites, complete with fake login forms, which can then be distributed, automatically of course, to a large number of potential victims.
Credential stuffing attacks – Attackers use automated tools to test large lists of stolen or leaked username-password combinations against various websites and online services to gain unauthorized access. Let this be yet another reminder not to reuse the same passwords across multiple websites, systems, and services.
Exploiting vulnerabilities – If you’re not scanning your code and infrastructure for security weaknesses, well, you’ll never guess who is. Attackers employ vulnerability scanning tools to automatically identify security weaknesses in target systems, particularly outdated software and misconfigurations.
The race for automation in application security
Even with a generous budget for a large, well-trained security team, manual testing cannot reach the scale, completeness, speed, or consistency of coverage that modern automated security tools can. Although manual testing certainly has its merits, it has many limitations that could have severe consequences for your organization.
And let’s face it, most security teams are overworked and understaffed. Here’s a formula that should help: automation plus a shift-left approach to application security equals shift smart. With the right tools, you can put some of the work of securing your code onto your developers and earlier into your software development lifecycle (SDLC) without slowing down releases.
Here are some automated application security testing tools you should be considering.
Dependency updating tools – Chances are your software relies on a lot of open source components that are constantly releasing updates, many having to do with security. A good dependency health tool like Renovate enables automatic dependency updating by creating pull requests for your team to review and accept or reject. Free both as a GitHub app and self-hosted, Renovate also includes a Merge Confidence score to make decision making even faster and easier.
Software composition analysis (SCA) – About those open source components… just because you have the latest version, doesn’t mean there aren’t still security concerns. SCA tools scan your open source code, including containers and other artifacts, and give you feedback on vulnerabilities. Advanced SCA tools (like Mend SCA) also give developers automatic alerts about vulnerable open source packages before a pull request is made and the component enters the system.
Static application security testing (SAST) – For your bespoke code, SAST tools are used in both the coding and testing stages of the SDLC to analyze your code for coding errors and policy or regulation noncompliance that may indicate security concerns. We like Mend SAST, but we would – not just because we made it, but because it features automated remediation which writes the code to fix the security flaw for you.
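As an added illustration, not part of the original post or Renovate’s own documentation, here is a constructed renovate.json5 that puts the dependency-updating behavior described above into practice: PRs raised from vulnerability alerts are labelled and automerged once CI passes, routine patch updates are automerged only when Renovate’s Merge Confidence rates them high, and everything else waits for a human reviewer. The file name, labels, schedule and release-age values are assumptions to adapt to your repository.

```json5
// renovate.json5 (constructed example; adjust to your repository)
{
  $schema: "https://docs.renovatebot.com/renovate-schema.json",
  extends: ["config:recommended"],
  // One dashboard issue listing every pending update, so nothing is silently skipped.
  dependencyDashboard: true,
  // Keep the volume of open update PRs small enough to actually review.
  prConcurrentLimit: 5,
  schedule: ["before 6am every weekday"],
  // PRs created because the current version has a known vulnerability:
  // flag them clearly, give them priority, and merge automatically once CI is green.
  vulnerabilityAlerts: {
    labels: ["security"],
    prPriority: 10,
    schedule: ["at any time"],
    automerge: true,
  },
  packageRules: [
    {
      // Routine patch updates: automerge only when the Merge Confidence data
      // rates the new version as safe and it has been public for a few days.
      matchUpdateTypes: ["patch"],
      matchConfidence: ["high", "very high"],
      minimumReleaseAge: "3 days",
      automerge: true,
    },
    {
      // Minor and major updates always get a human reviewer.
      matchUpdateTypes: ["minor", "major"],
      automerge: false,
      labels: ["dependencies", "needs-review"],
    },
  ],
}
```

matchConfidence depends on Mend’s Merge Confidence data, which the hosted app provides directly; self-hosted runs need the access described in the Renovate docs, otherwise that rule simply never matches and patch updates fall through to manual review.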
Security everywhere all the time
Of course it’s not only automation that keeps attackers at bay. You also need to develop a good security culture in your organization that includes training and awareness programs, encourages responsible coding practices, and shifts security left (and everywhere) so that it’s part of the fiber of your day-to-day activities.
But embracing automation in the SDLC with automated code review and continuous security testing must be on your menu if you want to have a robust and mature security program at your organization.
The bad guys are using automation to wreak havoc across the web. It’s time for the good guys to catch up and use automation to stop them.
AJ Starita is fascinated by the challenges and triumphs of cybersecurity and open source software. When not writing about technology, AJ can usually be found exploring nature or reading detective novels.