Following a year of high-profile cyberattacks, developers are understandably concerned their software could be the next to be compromised.
Developer caught up with Boris Cipot, Senior Sales Engineer at Synopsys Software Integrity, to discuss the cybersecurity landscape and how developers can secure their software.
Cipot came to Synopsys following the company’s acquisition of Black Duck Software. Prior to that, Cipot held senior roles at anti-malware giants F-Secure and Avira.
The cybersecurity veteran also specialises in open source. Unfortunately, we know that many vulnerabilities are imported through open-source libraries.
“Open-source should boost our development and give us this competitive edge,” says Cipot. “Many times I see that open-source components are used that are already old or have vulnerabilities that are not hard to fix. However, they are not fixed before – or when – released into the public.”
ENISA (European Union Agency for Cybersecurity) recently published a report predicting a four-fold increase in software supply chain attacks in 2021 compared to 2020.
We’ve all seen the devastation caused by attacks like SolarWinds – linked to Russian state-sponsored hacker group APT29 (AKA ‘Cozy Bear’) – that made international news for its widespread implications.
“The problem is not only the software but also many times the hardware on which this software is delivered,” explains Cipot.
“When looking at the supply chain, we need to look at each and every segment that we bring into our company—starting from development, where we need to check what we are developing into the software that we are then giving to our customers.”
Synopsys’ hardware business recently became one of the first to use AI to design chips. As an AI pioneer, we wanted to know how the company is using the technology for software integrity.
“We are using AI in order to help customers with their tasks,” says Cipot. “In our Black Duck Security product, [it’s used for] identifying open source components. There is also AI in the whole process of gathering open-source information—of putting it together, of finding the right way to identify open source components in projects that customers use.”
While AI is proving a key tool in the fight against security threats, it’s also being increasingly wielded by cybercriminals. We asked Cipot whether he believes the industry at large will be able to keep up with offensive AI threats.
“That’s a good question. So, as always, cybercriminals will be a step ahead of us. They will find a loophole that is there,” explains Cipot. “This is what they are searching for and unfortunately many times they are finding it faster than we are and this is why it’s a threat.”
“I believe that if we use best practices to our advantage then those loopholes will be really small and cyberattacks will not have that large reach as they are having today. Starting with the processes, many times cyberattacks are possible because somebody just forgot to configure the container that was put in production in a safe environment or used wrong security measures.
“Many of the cyberattacks today would not be possible because the attacker would not get his hands on usernames and passwords like admin admin [laughs] and such things. From that perspective, not only AI or new technology is needed in the future—but just basic cyber hygiene.”
Synopsys was recently named the leader in Gartner’s Magic Quadrant for Application Security Testing for the fifth consecutive year. Cipot puts this impressive feat down to the company’s approach of first ensuring the integrity of the chips and then acquiring specialists to ensure the same of the software.
Cipot says this has given Synopsys a strong portfolio. Rather than attempting to create a one-button tool that makes every problem disappear, which ultimately doesn’t work, Synopsys is following “a more DevSecOps way of working and putting the right tool at the right place in order for the right people to find out about vulnerabilities at the right time in order to repair them.”
One of Synopsys’ most interesting new solutions is Intelligent Orchestration, which helps to determine which tools will actually be beneficial.
“You can have a large portfolio of tools but the point is not about buying tools and putting them somewhere, you have to also use them. You have to know when to use what in order to achieve the results that fit you best in the given moment, and this is what Intelligent Orchestration will give you,” explains Cipot.
“Running a pipeline next to your pipeline that will give you results with policies that define gateways and will do real testing at the time when you need it and present you with the results that you need at that time in order to progress from one stage to the other.
“That helps you to make sure that you are not, for example, introducing a simple SQL injection from inception until the launch in one large pipeline—how can it happen that such a small thing can go through every step of your development?
“This is what Intelligent Orchestration should do; getting the noise out of everything, setting up the right policies, right stages, and progressing your software from one stage to the other with the right results.”
An exciting strategic acquisition by Synopsys was that of Code Dx which brings some powerful capabilities to Synopsys’ portfolio for developers.
“Code Dx is a consolidation and triaging tool, if I may simplify the message like this,” says Cipot. “You have many tools that you have to gather results from and decide what you will focus on first. If you have ten thousand problems, you have to focus on the right things in order to get this list done.”
“Code Dx helps you with this so that you can do all the steps in your pipeline, all the testing in your pipeline, and still come to a workable set of problems that you can work on. Code Dx also has its own AI built-in which then selects the vulnerabilities that are most exploitable and can help you to keep your software the safest possible.”
A recent survey of 1,000 DevOps and IT security professionals resulted in 48 percent saying that development teams are responsible for security and 48 percent saying their IT teams are. We hoped Cipot could end the stand-off.
“It’s always somebody else’s fault, but I would say that none of those teams are responsible by themselves—every company has to put teams together to work as one in the end,” comments Cipot. “[If] we teach security people and teach developers how to become security-aware, then they will focus on this.”
“However, you cannot expect that a developer will be able to do this without tools that will tell them: ‘Hey, watch out there, you may have developed a vulnerability in the code even if you did not want it.’ Then the security team can also not do everything by themselves.”
“The IT team just needs to make sure that everything runs and that developers have their tools, security has their tools, and that everything is in production and running. However, now the big problem is to get DevOps into DevSecOps so that really security is implemented in every step of the DevOps loop.”
Cipot has some key advice for making this work.
“The responsibility cannot lie with the development team, security team or anybody else that is just a part of this DevOps, but has to lie high up in the management structure—it has to be a CTO who has the clear vision and view on what he wants to achieve, what products he wants to deliver to the world, and then define stages with those teams.”
Next month, Cipot will be speaking at the Cyber Security & Cloud Expo Global event in London. We asked Cipot what insights he plans to share with attendees.
“You mentioned in the beginning that I am in the malware business,” says Cipot. “I started with this and if you see how malware evolved, what kind of points it went through to get to those attacks that we see today, then you understand what is basically important.
“When you see that a lot of software is today delivered vulnerable, then you question yourself ‘Ok, where is the problem of this whole supply chain attacks?’ I hope that every attendee will get their share of knowledge so that they can improve on their side to make this harder for the cybercriminals.”
Boris Cipot will be sharing his insights during this year’s Cyber Security & Cloud Expo Global, which runs from 6-7 September 2021.