Why DevOps pipelines are under attack and how to fight back

NotPetya proved the effectiveness of an attack on the software supply chain, and attackers are targeting it more now. Here's advice to reduce risk to your DevOps processes.

Page 2 of 2

McGladrey expects forward-thinking software vendors to start including these lists with their software because it's something that their customers will want to see. He recommends that software vendors go a step further and provide information on how their software is supposed to act, and how it's not supposed to act. "If software vendors provided a list of normal behaviors for their software, we could say, 'This piece of software is behaving oddly because it's connecting to servers it shouldn't,'" he says.
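As an added illustration of the check McGladrey describes (example code, not from the article, McGladrey, or any vendor): a hypothetical vendor-supplied list of expected network destinations is compared against a constructed egress log, flagging connections the software is not supposed to make. The manifest format, product name, hosts, ports and log lines are all assumptions.

```python
import json
import re
# Hypothetical vendor "normal behaviour" manifest (constructed; the format is an assumption): where the product may connect.
VENDOR_MANIFEST = json.loads("""
{"product": "example-agent",
 "expected_egress": [
   {"host": "updates.example.com", "port": 443},
   {"host": "telemetry.example.com", "port": 443}]}
""")

# Constructed egress log, one connection per line: <process> -> <host>:<port>
SAMPLE_LOG = """\
example-agent -> updates.example.com:443
example-agent -> telemetry.example.com:443
example-agent -> 198.51.100.23:8080
other-tool -> mail.example.com:25
example-agent -> updates.example.com:80
not a log line
"""

LINE_RE = re.compile(r"^(?P<proc>\S+) -> (?P<host>[^:\s]+):(?P<port>\d+)$")

def expected_destinations(manifest):
    """Allow-set of (host, port) pairs the vendor says the product uses."""
    return {(e["host"], int(e["port"])) for e in manifest["expected_egress"]}

def find_deviations(manifest, log_text):
    """Return (host, port, reason) for each connection by the product that
    the manifest does not list; other processes and malformed lines are ignored."""
    product = manifest["product"]
    allowed = expected_destinations(manifest)
    known_hosts = {host for host, _ in allowed}
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m["proc"] != product:
            continue
        host, port = m["host"], int(m["port"])
        if (host, port) in allowed:
            continue
        # Distinguish a wholly unknown destination from a known host on an odd port.
        reason = ("unexpected port for expected host" if host in known_hosts
                  else "host not in vendor manifest")
        findings.append((host, port, reason))
    return findings

if __name__ == "__main__":
    for host, port, reason in find_deviations(VENDOR_MANIFEST, SAMPLE_LOG):
        print(f"{VENDOR_MANIFEST['product']} -> {host}:{port}: {reason}")
```

In practice the same comparison would run over firewall, proxy or EDR connection records rather than a text file, but the allowlist logic is unchanged.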

Whether or not an SBOM becomes mandatory, companies should be scanning their software for known vulnerabilities and other potential security problems. All the major scanning software now looks for vulnerable Log4j packages, says Ray Kelly, fellow at NTT Application Security, a cybersecurity vendor.

It's clear, though, that companies are not using those tools. "Even though the patches have been out for two months, companies are still using old versions of Log4j," Kelly says. "That speaks to how far behind a lot of organizations are when it comes to securing code."

Copyright © 2022 IDG Communications, Inc.
