Vulnerability vortex: Can we break free from the cycle of insecure code?

Every time a shiny new technology rolls out, attackers are right there, ready to pounce on any opportunity to exploit it. They find a gap, we close it, and then it's off to the races again. In this edition of the Code to Cloud Monthly Digest, we're tackling this cycle: why the latest software innovations so often ship with old-school vulnerabilities, and how data protection has changed with the rise of GenAI.

Why is software still vulnerable?

Here's a question we can't stop thinking about: why, despite decades of innovation and advancement, do we still have so many flaws in software? Sean Wright, Head of Application Security at Featurespace, recently talked with Field CISO Andreas Schneider about some of the reasons this problem just won't go away.

How can developers write secure code if they've never been taught how? One glaring issue is the lack of security education in computer science programs at colleges and universities. Many graduates enter the workforce without a basic understanding of common vulnerabilities such as cross-site scripting and SQL injection, and the insecure code they write ends up deployed in production. These institutions need to embed security fundamentals into their curricula so that future developers are aware of these risks from the start.

We're ignoring the long-standing issues. Another challenge is the industry's fixation on cutting-edge technologies, often at the expense of tackling long-standing, critical problems. SQL injection, for example, has been known since the 1990s, yet it remains a significant problem, as recent high-profile breaches show. Innovation is essential, but we must also solve these persistent security problems using the tools and knowledge already available to us.
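To make "the tools and knowledge already available" concrete, here is an added example (not code from the podcast or from Lacework) showing the classic SQL injection login bypass beside the parameterized query that has fixed it for as long as the bug has existed. It uses Python's built-in sqlite3 so it runs offline; the users table, the credentials and the attack payloads are all constructed for illustration.

```python
"""SQL injection: the 1990s bug beside the 1990s fix.

Added example, not code from the page or the podcast. Uses Python's built-in
sqlite3 so it runs offline; the users table and credentials are constructed.
Plaintext passwords are used only to keep the injection visible; real code
stores password hashes.
"""
import sqlite3


def make_db():
    """Constructed sample database with two users (not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password) VALUES (?, ?)",
        [("alice", "correct horse battery"), ("bob", "hunter2")],
    )
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """The classic mistake: user input is pasted into the SQL text, so a single
    quote in the input changes the structure of the statement."""
    query = (
        f"SELECT id FROM users WHERE username = '{username}' "
        f"AND password = '{password}'"
    )
    return conn.execute(query).fetchone() is not None


def login_parameterized(conn, username, password):
    """The fix: the statement is fixed text with placeholders and the driver
    binds the values separately, so input can never be parsed as SQL."""
    query = "SELECT id FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone() is not None


if __name__ == "__main__":
    conn = make_db()
    # "alice' --": the quote closes the string and "--" comments out the
    # password check, so the vulnerable query becomes
    #   ... WHERE username = 'alice' --' AND password = 'wrong'
    print(login_vulnerable(conn, "alice' --", "wrong"))          # True
    # "' OR 1=1 --" matches every row, so any first row logs in.
    print(login_vulnerable(conn, "' OR 1=1 --", "anything"))     # True
    # The same payloads against the parameterized query are just odd usernames.
    print(login_parameterized(conn, "alice' --", "wrong"))       # False
    print(login_parameterized(conn, "' OR 1=1 --", "anything"))  # False
    print(login_parameterized(conn, "alice", "correct horse battery"))  # True
```

One caveat a practitioner will hit quickly: placeholders bind values only. Table and column names cannot be parameterized, so any identifier that comes from user input (a sort column, for instance) must be checked against a fixed allowlist before it goes into the statement text.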

Security needs to be built in by default. Finally, the rapid pace of technological change makes it difficult for developers to keep up with new languages and frameworks while also learning how to use them securely. To mitigate this, security must be built into these technologies by default, so the easy way to use them is also the safe way.

Want to learn more about navigating AppSec in the cloud age? Check out Sean's full episode of the Code to Cloud podcast.


Why security by obscurity doesn't work

As GenAI gains momentum in the enterprise, it exposes the ineffectiveness of security by obscurity. Jeff DeVerter, Chief Technology Evangelist at Rackspace Technology, pointed out that in the early 2000s, when enterprise search products like SharePoint emerged, they quickly revealed the flaws in this approach: sensitive information that had been buried deep within shared drives suddenly became easily discoverable. Fast forward to today, and the rise of GenAI has amplified the problem. As organizations consolidate data to feed AI systems, they also make that data easier for an attacker with a foothold to find and exploit. Relying on the obscurity of data is no longer a viable security strategy; security professionals must adopt a proactive approach instead. "You've got to be a partner with the business on a day-by-day basis now and understand what they're doing to help them be efficient while keeping the company safe," Jeff said.

In the age of GenAI, the focus must shift from hiding data to properly securing it; otherwise, you'll miss out on the benefits that AI has to offer. Listen to Jeff's full episode of the Code to Cloud podcast for details.

Storytelling: A surprising skill for security leaders

You probably already know that effective communication is crucial in building a strong security culture, but did you know storytelling is a powerful tool to help you do so?

Talking to people about security can leave them confused or overwhelmed. Storytelling humanizes cybersecurity, making it more relatable and accessible to non-technical audiences.

"Explain the 'why.' We focus a lot on the 'what' and sometimes forget to share the 'why,'" said Bronwyn B., an experienced CISO and security transformation leader.

By conveying the reasoning behind security practices, leaders can build emotional connections and foster better understanding among stakeholders, which in turn turns those stakeholders into advocates and champions for the cause. Read Bronwyn's full interview to learn more.

K8s: When the stakes are high, you need to move fast

Kubernetes (K8s) has taken the cloud computing world by storm, but its widespread adoption brings significant security risks with it. Internet-exposed clusters are extremely common: the Lacework Labs team has found that nearly 40% of the thousands of K8s clusters monitored by our platform are exposed to the internet. Here are a few tips for securing your Kubernetes clusters:

  • Restrict internet exposure: expose only the services that genuinely need to be reachable from the internet, and put strong authentication and authorization in front of everything you do expose.
  • Implement strong access controls: apply the principle of least privilege and use role-based access control (RBAC) so that users, service accounts and applications can reach only the resources they require.
  • Monitor for suspicious activity: continuously monitor your K8s clusters for anomalous events, such as unusual resource consumption or unauthorized access attempts.
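The second tip is easy to state and hard to verify by eye once a cluster has dozens of roles and bindings. The following added example (not Lacework code and not part of the original digest) audits RBAC objects in the JSON shape that `kubectl get roles,clusterroles,rolebindings,clusterrolebindings -A -o json` returns, flagging wildcard grants, a handful of credential-reading or privilege-escalating verbs, and every non-system subject bound to a flagged role. The SENSITIVE list is an assumed starting point, not an official Kubernetes list, and the sample objects are constructed for illustration rather than taken from a real cluster.

```python
"""Audit Kubernetes RBAC objects for over-broad grants.

Added example, not Lacework code. Input objects have the shape returned by
`kubectl get roles,clusterroles,rolebindings,clusterrolebindings -A -o json`;
the SAMPLE_* objects below are constructed for illustration only.
"""

WILDCARD = "*"

# (resource, verb) pairs that let a subject read credentials or escalate.
# Assumption: a starting point for the reader's own policy, not a complete list.
SENSITIVE = {
    ("secrets", "get"), ("secrets", "list"), ("secrets", "watch"),
    ("pods/exec", "create"), ("pods/attach", "create"),
    ("rolebindings", "create"), ("clusterrolebindings", "create"),
    ("roles", "bind"), ("clusterroles", "bind"),
    ("roles", "escalate"), ("clusterroles", "escalate"),
}


def audit_role(role):
    """Return human-readable findings for one Role or ClusterRole."""
    name = role["metadata"]["name"]
    findings = []
    for rule in role.get("rules", []):
        verbs = set(rule.get("verbs", []))
        resources = set(rule.get("resources", []))
        if not resources:
            continue  # nonResourceURLs rules are out of scope for this check
        if WILDCARD in verbs and WILDCARD in resources:
            findings.append(f"{name}: '*' verbs on '*' resources (cluster-admin equivalent)")
            continue
        if WILDCARD in verbs:
            findings.append(f"{name}: '*' verbs on {sorted(resources)}")
        if WILDCARD in resources:
            findings.append(f"{name}: {sorted(verbs)} on '*' resources")
        for res in sorted(resources):
            for verb in sorted(verbs):
                if (res, verb) in SENSITIVE:
                    findings.append(f"{name}: {verb} {res}")
    return findings


def _role_key(role):
    return (role["kind"], role["metadata"].get("namespace"), role["metadata"]["name"])


def audit_bindings(bindings, roles):
    """Flag every non-system subject bound to a role that audit_role flagged.

    A RoleBinding's roleRef may name a Role (resolved in the binding's own
    namespace) or a ClusterRole (cluster-scoped); the lookup key mirrors that.
    """
    by_key = {_role_key(r): r for r in roles}
    findings = []
    for binding in bindings:
        ref = binding["roleRef"]
        ns = binding["metadata"].get("namespace") if ref["kind"] == "Role" else None
        role = by_key.get((ref["kind"], ns, ref["name"]))
        if role is None or not audit_role(role):
            continue  # dangling refs grant nothing; clean roles need no review
        for subject in binding.get("subjects", []):
            # Kubernetes' own components use system: names; review those separately.
            if subject["name"].startswith("system:"):
                continue
            findings.append(
                f"{binding['metadata']['name']}: {subject['kind']} {subject['name']} "
                f"-> {ref['kind']}/{ref['name']}"
            )
    return findings


# Constructed sample objects (not from a real cluster).
SAMPLE_ROLES = [
    {"kind": "ClusterRole", "metadata": {"name": "cluster-admin"},
     "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]},
               {"nonResourceURLs": ["*"], "verbs": ["*"]}]},
    {"kind": "Role", "metadata": {"name": "pod-reader", "namespace": "dev"},
     "rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list", "watch"]}]},
    {"kind": "Role", "metadata": {"name": "deploy-bot", "namespace": "dev"},
     "rules": [{"apiGroups": [""], "resources": ["secrets"], "verbs": ["get", "list"]},
               {"apiGroups": [""], "resources": ["pods/exec"], "verbs": ["create"]}]},
]
SAMPLE_BINDINGS = [
    {"kind": "ClusterRoleBinding", "metadata": {"name": "cluster-admin"},
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "Group", "name": "system:masters"}]},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "ci-admin"},
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "ServiceAccount", "name": "ci", "namespace": "ci"}]},
    {"kind": "RoleBinding", "metadata": {"name": "pod-readers", "namespace": "dev"},
     "roleRef": {"kind": "Role", "name": "pod-reader"},
     "subjects": [{"kind": "Group", "name": "devs"}]},
    {"kind": "RoleBinding", "metadata": {"name": "deploy-bot", "namespace": "dev"},
     "roleRef": {"kind": "Role", "name": "deploy-bot"},
     "subjects": [{"kind": "ServiceAccount", "name": "deploy-bot", "namespace": "dev"}]},
]

if __name__ == "__main__":
    for line in audit_bindings(SAMPLE_BINDINGS, SAMPLE_ROLES):
        print(line)
```

On the sample data the audit is quiet about `pod-readers` (three read-only verbs on one resource in one namespace is what least privilege looks like) and reports the CI service account holding cluster-admin and the deploy-bot service account that can read secrets and exec into pods. The `system:masters` binding is skipped on purpose: it is created by Kubernetes itself, and the interesting question there is who holds a client certificate in that group, which RBAC objects alone cannot answer.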

Lacework has a threat detection feature called Composite Alerts, which detects malicious activity by automatically tying together low-severity signals that would not warrant attention on their own. Our platform now generates Composite Alerts for the K8s control plane, helping users detect early signs of K8s credential compromise so they can stop it as soon as possible. Learn more about it here.


What would you like to see in the next edition of Code to Cloud? Let us know in the comments.
