Brand protection in an era of island hopping

How many vulnerabilities are lurking, ready to boobytrap your apps and lay your brand open to exploitation by hackers? As in, not just your company, but your customers, suppliers and partners? 

You need to know. 

It matters when it comes to brand reputation. The environment you create for customers goes beyond the physical world to also encompass the code that runs your applications. If this broader ecosystem isn’t secure, cybercrime will occur.

Just ask SolarWinds or Kaseya: Both were victims of historic supply-chain attacks that spread to the two companies’ clients. The 2020 SolarWinds attack, in which cybercriminals broke into the company’s systems and poisoned its Orion IT management software, triggered an incident that affected thousands of organizations, including the U.S. government and private companies such as FireEye, Microsoft, Intel, Cisco and Deloitte.

A similarly horrific domino effect was set off when a supply-chain attack hit Kaseya in 2021, as hundreds of organizations around the world — including 50 managed services providers (MSPs) — saw their systems flooded with ransomware, their data encrypted and the REvil ransomware gang demanding extortion ranging from a few thousand dollars to over $5 million.

Clean code matters more than ever because vulnerability-pockmarked code can, and will, lead to regulatory penalties, as the recent White House and OMB mandates have made clear. 

Feds throw down the gauntlet with M-22-18 

A memo (PDF) from the Office of Management and Budget (OMB) — M-22-18, published in September 2022 — is clear in setting expectations for federal agencies when it comes to using software that’s potentially hiding buggy libraries or other threats:

“Federal agencies must only use software provided by software producers who can attest to complying with the Government-specified secure software development practices, as described in the NIST Guidance.” —OMB M-22-18 

This legal document may seem like eight pages of dry legalese, but you can think of that verbiage as TNT ready to explode in the government’s quest to institute radical transparency into coding practice. In contrast to the obscurity that has until now shrouded the components of software and hidden ticking time bombs such as the Log4j library, the new guidelines require software producers to provide self-attestation letters about their software security profiles and practices.

As well, the guidelines require that each software provider that sells to federal agencies provide a Software Bill of Materials (SBOM): in other words, a complete list of all open-source and third-party components present in a codebase. It should also list the licenses that govern those components, the component versions used in the codebase and their patch status, so that security teams can quickly zero in on any associated security or license risks.
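To show what "zeroing in" on SBOM risk looks like in practice, here is an added example (not code from the article or from Contrast Security) that reads a constructed CycloneDX-style SBOM, compares each component's version against a constructed advisory list, and flags components whose license needs review. The component names, versions, advisory identifiers (`ADV-EXAMPLE-…`) and the license policy are all placeholders invented for the example.

```python
"""Triage an SBOM against an advisory list and a license policy.

Added example, not part of the original article. The SBOM below is a
constructed CycloneDX-style document; component names, versions and the
ADV-EXAMPLE advisory identifiers are placeholders, not real vulnerabilities.
"""
import json
from dataclasses import dataclass

# Constructed SBOM: three third-party libraries with version and SPDX license.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "components": [
    {"type": "library", "group": "org.example", "name": "log-lib", "version": "2.14.1",
     "purl": "pkg:maven/org.example/log-lib@2.14.1",
     "licenses": [{"license": {"id": "Apache-2.0"}}]},
    {"type": "library", "group": "org.example", "name": "json-parser", "version": "1.8.0",
     "purl": "pkg:maven/org.example/json-parser@1.8.0",
     "licenses": [{"license": {"id": "MIT"}}]},
    {"type": "library", "group": "org.example", "name": "crypto-utils", "version": "0.9.2",
     "purl": "pkg:maven/org.example/crypto-utils@0.9.2",
     "licenses": [{"license": {"id": "GPL-3.0-only"}}]}
  ]
}
"""

# Constructed advisory feed: (group, name) -> [(placeholder advisory id, fixed-in version)].
# A component is affected when its version is below the fixed-in version.
ADVISORIES = {
    ("org.example", "log-lib"): [("ADV-EXAMPLE-0001", "2.17.1")],
    ("org.example", "json-parser"): [("ADV-EXAMPLE-0002", "1.7.0")],  # already patched
}

# Constructed license policy: SPDX identifiers that require legal review before shipping.
RESTRICTED_LICENSES = {"GPL-3.0-only", "AGPL-3.0-only"}


@dataclass(frozen=True)
class Finding:
    component: str  # "group:name@version"
    kind: str       # "vulnerable" or "license"
    detail: str


def parse_version(version):
    """Turn '2.14.1' into (2, 14, 1) for ordered comparison; non-numeric parts count as 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in version.split("."))


def load_components(sbom_text):
    """Parse the SBOM document and return its component list, rejecting unknown formats."""
    bom = json.loads(sbom_text)
    if bom.get("bomFormat") != "CycloneDX":
        raise ValueError("unsupported SBOM format: %r" % bom.get("bomFormat"))
    return bom.get("components", [])


def triage(sbom_text, advisories=ADVISORIES, restricted=RESTRICTED_LICENSES):
    """Return one Finding per unpatched advisory match and per restricted license."""
    findings = []
    for comp in load_components(sbom_text):
        key = (comp.get("group", ""), comp["name"])
        label = "%s:%s@%s" % (key[0], key[1], comp["version"])
        current = parse_version(comp["version"])
        # Patch status: compare the shipped version with each advisory's fixed-in version.
        for adv_id, fixed_in in advisories.get(key, []):
            if current < parse_version(fixed_in):
                findings.append(Finding(label, "vulnerable",
                                        "%s: fixed in %s, upgrade required" % (adv_id, fixed_in)))
        # License risk: any SPDX id on the restricted list needs review.
        for lic in comp.get("licenses", []):
            spdx = lic.get("license", {}).get("id")
            if spdx in restricted:
                findings.append(Finding(label, "license", "%s requires legal review" % spdx))
    return findings


def summarize(findings):
    """Count findings by kind so a report can lead with the totals."""
    return {kind: sum(1 for f in findings if f.kind == kind) for kind in ("vulnerable", "license")}


if __name__ == "__main__":
    results = triage(SBOM_JSON)
    for f in results:
        print("[%s] %s: %s" % (f.kind, f.component, f.detail))
    print(summarize(results))
```

The same loop scales to a real SBOM and a real advisory feed: the inputs change, the check (is the shipped version below the fixed-in version, and is the license acceptable) does not.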

As the new guidelines come into effect, expect to see far more litigation relating to failure to follow coding best practices — failure that will be evident in the newly required documentation. 

It has to do with duty of loyalty, one of the fiduciary duties owed by a company’s directors, which requires them to place the interests of the company and its shareholders before any of their personal interests. Duty of loyalty could well be a premise used in the courts in M-22-18-related cases. Such litigation will reflect how much due diligence you pay to ensure that your code is clean.

Besides avoiding litigation, keeping your code clean and your security practices strong is particularly crucial when it comes to keeping attackers from island-hopping through your partners’ systems and into yours.

Brand protection in the era of island hopping

In its annual risk index, the World Economic Forum stated that cyberattacks posed a severe risk to corporations. 

A recent, growing threat comes from cyber cartels. Their modus operandi is simple: Infiltrate the corporate environment via application attacks or application programming interface (API) attacks, and then use access to the environment to launch attacks against the customer base. 

This is called “island hopping” — a form of attack through which malicious cyber actors infiltrate organizations’ third-party partners, using them as access points from which to worm their way into a primary target’s network. Island hopping enables attackers to circumvent their primary target’s defenses by exploiting the networks of partners that are already trusted enough by the company that they’ve been granted network access. 

Pirates hijack partners & your reputation

There has been a dramatic increase in island hopping: According to VMware’s fifth annual Modern Bank Heists report (PDF), 60% of financial institutions experienced an increase in island hopping in 2021, representing a 38% increase from the previous year. This represents a new era of conspiracy, whereby the ultimate outcome has become hijacking the digital transformation of a financial institution via island hopping to attack its constituents. This poses a tremendous operational and reputational risk.

PricewaterhouseCoopers (PwC) has reported that 87% of consumers are willing to take their money and their business and walk away if, or when, a data breach occurs. Companies run the risk of losing not just customers, but also their best talent, suppliers and investors, as the first two look for companies they can trust, while financial analysts include reputation metrics as part of investment criteria.

How to keep pirates off your island

Serverless environments represent a high-value target for cybercrime cartels. Serverless computing is a cloud-native model that allows developers to write code and deploy applications without needing to manage the servers and other infrastructure running the services.

Though you’re technically still working with servers, a cloud provider manages and provisions the infrastructure on your behalf. This creates significant security challenges. The shared-responsibility model requires a different approach to mitigation. For example, because developers don’t have total control over infrastructure configurations, you can secure your application but still be susceptible to your vendor’s vulnerabilities. As well, serverless has a multitude of independent components that increase the attack surface, further complicating your security strategies.

In addition, application programming interfaces (APIs) represent a high-value attack vector. According to the Modern Bank Heists 5.0 report, 94% of financial institutions suffered attacks against their APIs. 

Cybercriminals are evolving their conspiracies and escalating their intrusions. Mitigating island hopping is paramount to protecting one’s brand. Thwarting island hopping goes beyond perimeter security due to the ephemeral technology environments of corporations.

Research shows that applications are attacked 433 times a day. We must recognize that adversaries will get in and that success is defined by the speed with which we suppress the cybercriminal to prevent the island hop. Application security and security for serverless environments must become a priority in order to combat island hopping and to protect your brand.

This is no longer a question of duty of care but rather a duty of loyalty to the digital safety of your customers. As your organization digitally transforms, it must invest in application security. It must practice cyber vigilance. Doing so will enhance customer loyalty and protect your brand, thus allowing you to ward off island-hopping cybercriminals and regulatory penalties. 

Cybersecurity can no longer be viewed as an expense but rather as a business function, given that cybercrime has a material impact on businesses. CISOs and CMOs must work in concert to protect the organization’s digital brand.

Tom Kellermann, SVP Cyber Strategy, Contrast Security