In September 2022, Philippine Airlines lost the personal data of its frequent flyers when its IT provider was hacked, adding yet another example to the supply chain attacks that have bedeviled businesses globally in the past year.
The cyberattack on a third-party IT provider for the airline exposed members’ names, birth dates, nationality, gender and points balance, among other details.
Although it is unclear how the malicious actors got into the provider’s systems, the incident once again reinforces the need to tighten security against supply chain attacks.
For many of today’s IT systems, using third-party software in one form or another is inevitable, such is the interconnectedness of the Internet and the complexity of digital infrastructure.
An estimated 40% to 80% of the lines of code in software come from third parties such as libraries, components and software development kits. Unfortunately, this inherited code is one reason the production code behind digital services is increasingly exposed to vulnerabilities that the organization itself never wrote or reviewed.
By 2025, 45% of organizations worldwide will have experienced attacks on their software supply chains, a three-fold increase from 2021, according to research firm Gartner.
A lack of visibility hampers defense
This is a problem facing any digital economy and the Philippines is no different as it delivers more services over digital channels in the years ahead. The way forward has to involve better detection of such vulnerabilities without impacting performance.
To begin, you can only defend against something if you know what you are up against. Since many organizations do not peer into the nuts and bolts of the many third-party programs they use, they are often working on the hope that the code is free from vulnerabilities.
Even with a vulnerability detection tool in place, many organizations fail to act on a threat, because alerts are often too general or unable to differentiate between production and non-production code. As a result, the work required to clean up an infected or vulnerable system is too broad to be undertaken by already beleaguered security and application teams.
Today, organizations continue to grapple with Log4Shell, a critical vulnerability in a widely used Java-based logging component (Log4j). This loophole enables threat actors to run code on a victim’s system and take control. Because Java is so widely used in modern IT infrastructure, it has impacted countless servers and applications.
Yet, when the threat first emerged last year, few organizations were able to quickly pinpoint where the vulnerable component sat in their IT systems, precisely because Java was used so extensively. The challenge was knowing where to look even when the dashboard lit up with a warning.
More precision needed
What is needed is greater precision, which is only possible with better visibility than existing solutions provide. Application scans in CI/CD, application agents, or application inventories (SBOMs) are valuable approaches as part of a comprehensive security strategy. However, these approaches also have drawbacks, including false positives that waste time through alert fatigue, and a performance impact that adds burden to Java teams and their applications.
Take Azul Vulnerability Detection, a new Software-as-a-Service (SaaS) product that continuously detects known security vulnerabilities that exist in Java applications. By eliminating false positives and with no performance impact, it is ideal for in-production use and addresses the rapidly increasing enterprise risk around software supply chain attacks.
Azul Vulnerability Detection uniquely identifies code run using sophisticated, highly granular techniques inside Azul JVMs (Java virtual machines) and maps against a curated Java-specific database of common vulnerabilities and exposures (CVEs). This produces more accurate results, even for custom code and shaded components, so IT teams can get to a vulnerability and remediate the issue quickly and efficiently.
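As an added illustration, not part of this article and not Azul’s product or code, the Python script below shows why locating a component such as log4j-core is harder than an inventory suggests: it walks an archive, descends into nested fat-jar entries, flags shaded copies whose package prefix was relocated, and reports the Maven version where one is recorded. The sample fat jar and its contents are constructed inline.

```python
"""Locate Log4j 2 core components inside JAR files, including shaded and nested copies.
Constructed illustration only; it does not use Azul APIs or mirror Azul's technique."""
import io
import re
import zipfile

# Tail of the class path that survives shading: relocation rewrites the package prefix
# (e.g. org.apache -> com.vendor.shaded.org.apache) but keeps the trailing class path.
MARKER = re.compile(r"(?:^|/)log4j/core/lookup/JndiLookup\.class$")
CANONICAL = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"


def _version_from_pom(zf):
    """Return the log4j-core version from Maven pom.properties, or None if absent."""
    try:
        props = zf.read(POM_PROPS).decode("utf-8", "replace")
    except KeyError:
        return None
    m = re.search(r"^version=(.+)$", props, re.M)
    return m.group(1).strip() if m else None


def find_log4j_core(data, location="archive.jar"):
    """Return (location, version_or_None, shaded) for every JndiLookup class found,
    descending into nested .jar/.war entries as packaged in fat jars."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        version = _version_from_pom(zf)
        for name in zf.namelist():
            if MARKER.search(name):
                findings.append((f"{location}!{name}", version, name != CANONICAL))
            elif name.endswith((".jar", ".war")):
                findings.extend(find_log4j_core(zf.read(name), f"{location}!{name}"))
    return findings


def _jar(entries):
    """Build an in-memory zip archive from {entry_name: bytes} (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, body in entries.items():
            zf.writestr(name, body)
    return buf.getvalue()


# Constructed sample: a fat jar bundling an unmodified log4j-core 2.14.1 plus a vendor
# SDK that shaded its own copy under a relocated package (no pom.properties present).
SAMPLE_FAT_JAR = _jar({
    "BOOT-INF/lib/log4j-core-2.14.1.jar": _jar({
        CANONICAL: b"\xca\xfe\xba\xbe",
        POM_PROPS: b"version=2.14.1\nartifactId=log4j-core\n"}),
    "BOOT-INF/lib/vendor-sdk-1.0.jar": _jar({
        "com/vendor/shaded/org/apache/logging/log4j/core/lookup/JndiLookup.class": b"\xca\xfe"}),
    "com/example/App.class": b"\xca\xfe\xba\xbe",
})

if __name__ == "__main__":
    for loc, ver, shaded in find_log4j_core(SAMPLE_FAT_JAR, "app.jar"):
        print(f"{loc}  version={ver or 'unknown'}  shaded={shaded}")
```

A finding with no version and a relocated path is exactly the case a manifest or SBOM lookup tends to miss; the script reports it with its full nested location so it can be traced to the bundling library.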
Gaining agility while beefing up security
To be sure, vulnerability detection tools are not new. Unfortunately, some end up providing the added security at the expense of performance. Business agility then suffers, because the security tool is slowing down transactions and requiring more computing resources and cost to run.
Organizations need a way to overcome the software supply chain problem: smarter tools that strengthen security without adding overhead and dragging down performance.
When it comes to security in Java applications, what’s different with Azul Vulnerability Detection is its use of Azul Java virtual machines (JVM), which provide highly accurate runtime-level visibility into what code is actually running and whether it is vulnerable. This enables faster remediation of vulnerabilities with significantly less operational overhead.
Additionally, because the tool is agentless, it avoids the performance penalty commonly associated with other security tools that require teams to install and maintain a separate piece of software. Taken together, Azul Vulnerability Detection makes security a byproduct of simply running Java software.
Fighting a winnable battle
In a connected world, security has to be baked in from the start instead of bolted on as an add-on feature. In other words, it has to be built into a piece of software, or into the technology stack that is then used to build other digital services. Unfortunately, supply chain attacks against trusted vendors and third-party code pose substantial enterprise risk.
The key to winning battles against increasingly sophisticated threats is to be armed with the right tools that deliver a solid defense while retaining the agility that organizations need today. Even as cyber threats evolve, organizations have to be confident they can keep out the bad guys over time and continue delivering trusted digital services and experiences to their users.
The author is the vice president for Asia Pacific at Azul