Achieving strong application security is hard even when AppSec and development teams are overseeing the simplest applications and the most streamlined application portfolios. But "simple" is relative. Most modern software products are complex, often weighing in at over 10GB, with thousands of components in them.
Software's complicated orchestra of dependencies and integrations includes calls to open-source packages, proprietary software, internal systems, and more. And every piece of software today is a work in progress that's constantly growing, getting tweaked, and having new layers of code and dependencies added to the mix.
Andrew Kim, federal services managing director and cyber-strategy lead at Accenture, said that in a complex environment in which many applications are highly interdependent, every workaround or code inefficiency may increase dependencies and create new vulnerabilities.
And there are a lot of cooks producing each piece of software, said Josh Knox, technical evangelist for ReversingLabs.
"For instance, if we're doing a web application, you're going to have a frontend team, a backend team, you're going to have people that are specifically UX, and there's just different teams working on different pieces of an application. It gets very hard for the security team to watch everybody and everything that they're putting into the mix."
—Josh Knox
Software complexity causes a range of challenges. Here are key problem areas to be aware of — and how to overcome the hurdles with a comprehensive software supply chain security approach.
[ See RL's Essential Guide: Software Supply Chain Security for Dummies ]
1. Software complexity expands the attack surface
Pankit Desai, CEO of Sequretek, said the vast amount of code in modern software increases the likelihood of bugs and security vulnerabilities.
"This complexity is compounded by the varied platforms, technologies, and form factors in use, from large server systems to embedded devices."
—Pankit Desai
2. Complexity makes dependencies and integrations harder to understand
Ramanathan Srikumar, chief solutions officer at Mphasis, said that with highly complex systems, the interactions between components are harder to predict and control, increasing the difficulty of implementing consistent security measures.
"This complexity also hampers efficient collaboration and testing, as understanding and maintaining knowledge about the system becomes more challenging. As a result, organizations find themselves constantly firefighting issues rather than strategically managing their security posture, leading to escalating technical debt and security risks."
—Ramanathan Srikumar
3. Complexity increases chances of poor component hygiene
ReversingLabs' Knox said that each development team is bringing in different packages, and contributors often just seek out a library that helps them put their feature together.
"And then when they're done with that feature, they do a pull request, and if the other team members just rubber-stamp it and don't really do a good code review, the next thing you know, that package has made its way into the codebase, and without really much vetting at all."
—Josh Knox
4. Complexity makes it harder to securely maintain software over time
Greg Rivera, vice president of CAST Highlight, said that brand-new software, though complex, may not have issues, but as complexity grows over time, it becomes more challenging to maintain and transform the underlying software code and architecture.
This means that if a security vulnerability is discovered in the future within a highly complex software system, the required remediation steps can take that much longer to complete due to the increased complexity of the software, increasing the organization’s security exposure and likelihood of exploitation.
Complexity is not just something that software engineering organizations or the AppSec teams that work with them have to accept. Much as with broader technical-debt issues, organizations need to upgrade their risk management and code efficiency strategies to consciously streamline their application architecture and their codebase.
"Business leaders must prioritize hygiene activities, such as coding standards and security testing, within project plans to mitigate the risks associated with this complexity and avoid accruing technical debt that will pose challenges in the future," Desai said.
Managing complex software requires comprehensive supply chain security
Comprehensive software supply chain security strategies also play an important role in managing risks accrued by software complexity. Foundational to that is ensuring that code review and testing are conducted across the entire software development lifecycle. For software engineering teams, those checks should start before code commit. Knox said.
"Back when I worked in government contracting, even before you could commit the code, we had what they called pre-commit hooks. That was a fancy way of saying that when I go to commit the code, the code that I'm going to commit gets checked for certain things before it will even be allowed to be added to the codebase."
—Josh Knox
Those hooks would warn developers early on if a package wasn't allowed or a style or other component was not permitted. But code review and testing are not just a matter of shifting left; testing to the center and right of the development timeline is also needed.
"Good code review needs to happen," Knox said. The review might be automated or involve a human looking at the code and asking, "Why do we need that? Why did you pick that one? Why are you adding it?"
"But all of those things add time and add effort that a lot of development teams feel like they don't have because they're under such pressure to get these new features out quickly."
—Josh Knox
A final exam is critical for assessing software risk across your organization
As a final backstop before pushing code live, organizations need visibility into what a piece of software looks like at the end of the road, Knox said. Review through tools that employ complex binary analysis, for example, can offer a final litmus test to the security of the product, no matter how all the moving parts are combined.
One next-level review procedure that's sorely lacking at most organizations and that no one wants to do is a periodic code efficiency review, Knox said.
"To really tackle complexity, there needs to be a review process that's either quarterly or at the end of a full release cycle where someone looks at older code and asks important questions like, 'Does this need to be streamlined? Does that need to be dropped? Does this component need to be updated.'"
—Josh Knox
While this final piece is extremely time-consuming and requires staff and people to carry out, these kind of efficiency reviews are what will really help an organization simplify their software portfolios and improve their AppSec effectiveness in the process.
