Cybersecurity teams are starting to play a much larger role in application security as organizations look to implement a more systematic approach to securing software supply chains on an end-to-end basis.
During its virtual CyberArk Impact Live 2021 conference this week, industry experts noted that rather than relying on developers who often lack security expertise to manage application secrets, more organizations are shifting that responsibility to cybersecurity teams with the backgrounds and technical acumen needed to address fast-evolving threats. These teams are employing platforms designed from the ground up to make those secrets available to applications only when they’re required.
Who Owns Secrets Management, Anyway?
It hasn’t always been that way. In many organizations, “ownership” of secrets management — from requirements to platform selection and operations — was never really defined. Many developers shouldered the task themselves, often managing application secrets directly within their applications in the name of simplicity and speed. But if those applications are compromised, all the secrets stored by the developer are readily available in plain text. Given the current emphasis on CI/CD pipeline vulnerabilities, “Security teams are getting responsibility for the application secret management problem, and that’s new,” said Uzi Ailon, Vice President, DevSecOps Solutions for CyberArk, during an “Insider Story: DevOps Subject Matter Experts Share Their Experiences” session.
Cybersecurity teams are now deploying separate repositories to safeguard application secrets that are then made available to applications on-demand via an application programming interface (API).
Organizations are generally either pursuing a prescriptive approach to managing secrets across their entire software portfolio or, at the very least, providing developers with a self-service platform through which application secrets are tightly managed, Ailon noted.
The New CISO Mandate: No Secrets Left Behind
That shift is at the core of a new mandate that chief information security officers (CISOs) now have in the wake of a series of high-profile breaches of software supply chains, noted James Creamer, Identity Security Strategy and Content Architect at CyberArk, during his “The New CISO Mandate: Securing the Entire App Portfolio” session.
Armed with that mandate, CISOs are pursuing a top-down approach as part of an effort to ensure that every application secret is protected. “No secret will be left behind,” Creamer said.
That shift is occurring at a time when many organizations are trying to implement best DevSecOps practices by shifting more responsibility for application security further left to developers. The challenge is that developers are already hard-pressed to keep up with the current rate at which they are being asked to build applications. And if security isn’t automated and integrated into existing workflows, the probability a developer will make a mistake managing application secrets increases with each new project.
Each organization will need to identify the best approach to managing application secrets themselves. Some are prioritizing their efforts based on the level of risk to the business, while others are focusing on applications built by, for example, DevOps teams that are more open to adopting new processes as part of ongoing efforts to automate application development and deployment.
Regardless of who takes responsibility for application security, it’s clear that when it comes to application secrets management there has never been a greater sense of urgency. Cybercriminals are now regularly launching low-level phishing and impersonation attacks against development teams to gain access to credentials and abuse privileges that enable them to compromise entire application environments. Unless, of course, the secrets within those applications are encrypted and then stored in a digital repository that’s really difficult (and expensive) for attackers to try to crack.
Editor’s note: CyberArk Impact Live 2021 has wrapped, but you can still register to enable playback sessions on demand.