Comments by: Jon Ng, Head, Cloud Security Engineering, APJ, at Check Point Software Technologies
Following the SolarWinds Sunburst attack, this is another supply chain hack that further highlights the security challenges resulting from the rapid-release cycles that are typical of modern application development and deployment, also known as the DevOps movement. Organisations need to be aware that the use of public code repositories and development platforms, while necessary, carries inherent risk. In many cases, applications are developed either without proper security controls in place, or at best with security being bolted on at the end of the development cycle as an afterthought.
As a security best practice, Check Point strongly recommends that our customers extend their DevOps workflow to ensure that security features are automatically integrated into an application from the beginning. This is known as shifting left, and involves not only a mindset change, but also equipping the development team with automated security tools such as code scanning, container image scanning and runtime protection. Shifting left allows security to become a seamless and frictionless part of the development workflow and ensures accurate identification and remediation of any vulnerabilities and threats.
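One concrete form the "automatically integrated" part of shifting left takes is a policy gate in the CI pipeline: the code or image scanner runs on every build, and the build fails when a finding at or above an agreed severity has no documented, unexpired exception. The following is an added illustration, not Check Point's tooling or anything from the commentary above; the report schema, the finding identifiers, and the exception file format are all constructed for the example.

```python
"""Shift-left security gate for a CI pipeline (added example, not vendor code).

Assumed (constructed) scanner output schema:
    {"findings": [{"id": ..., "severity": ..., "package": ..., "fixed_version": ...}]}
Assumed (constructed) exception file: a mapping of finding id -> {"reason", "expires"}.
The gate blocks the build on any finding at or above the threshold severity
unless an exception with a reason exists and has not expired.
"""
import json
import sys
from datetime import date

# Ordering used to compare severities; unknown severities rank below "low".
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}


def evaluate_findings(findings, exceptions, threshold="high", today=None):
    """Return the findings that should block the build.

    A finding blocks when its severity is at or above `threshold` and it has
    no valid exception. Exceptions must carry a non-empty reason and an
    ISO-8601 expiry date that is today or later, so accepted risk is
    documented and time-boxed rather than silently permanent.
    """
    today = today or date.today()
    min_rank = SEVERITY_RANK[threshold]
    blocking = []
    for finding in findings:
        rank = SEVERITY_RANK.get(str(finding.get("severity", "")).lower(), 0)
        if rank < min_rank:
            continue
        exc = exceptions.get(finding["id"])
        if exc and exc.get("reason") and date.fromisoformat(exc["expires"]) >= today:
            continue
        blocking.append(finding)
    return blocking


def gate(report_json, exceptions, threshold="high", today=None):
    """Parse a scanner report and decide whether the pipeline may proceed."""
    report = json.loads(report_json)
    blocking = evaluate_findings(report.get("findings", []), exceptions, threshold, today)
    return {"passed": not blocking, "blocking": blocking}


# Constructed sample scanner output; the identifiers are placeholders, not real advisories.
SAMPLE_REPORT = json.dumps({
    "findings": [
        {"id": "CONSTRUCTED-0001", "severity": "critical", "package": "libfoo", "fixed_version": "1.2.4"},
        {"id": "CONSTRUCTED-0002", "severity": "medium", "package": "libbar", "fixed_version": "2.0.1"},
        {"id": "CONSTRUCTED-0003", "severity": "high", "package": "libbaz", "fixed_version": None},
        {"id": "CONSTRUCTED-0004", "severity": "high", "package": "libqux", "fixed_version": "0.9.9"},
    ]
})

# Constructed exception file: one live exception, one that has already expired.
SAMPLE_EXCEPTIONS = {
    "CONSTRUCTED-0003": {"reason": "no upstream fix; mitigated by network policy", "expires": "2030-01-01"},
    "CONSTRUCTED-0004": {"reason": "upgrade scheduled", "expires": "2020-01-01"},
}


def run_gate_for_ci(report_json=SAMPLE_REPORT, exceptions=SAMPLE_EXCEPTIONS, today=None):
    """CI entry point: print the decision and return the exit code a runner would use."""
    result = gate(report_json, exceptions, today=today)
    for f in result["blocking"]:
        fix = f"upgrade to {f['fixed_version']}" if f.get("fixed_version") else "no fixed version; needs a documented exception"
        print(f"BLOCK {f['id']} [{f['severity']}] in {f['package']}: {fix}")
    print("security gate:", "PASSED" if result["passed"] else "FAILED")
    return 0 if result["passed"] else 1


if __name__ == "__main__":
    sys.exit(run_gate_for_ci(today=date(2024, 1, 1)))
```

Running the block against the constructed report blocks on the critical finding and on the high finding whose exception has lapsed, while the medium finding (below threshold) and the high finding with a live exception pass; the non-zero exit code is what stops the pipeline.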