Intelligent CIO APAC Issue 54 | Page 35

EDITOR'S QUESTION
development is now more frequently a matter of 'gluing together' different pieces of existing code, and these varied components often have complex dependencies themselves – the software supply chain – and so can be very difficult to holistically assess.
Between this increased use of code components, and an increase in the level of vulnerability research, it's perhaps no surprise that we've seen a hike in software common vulnerabilities and exposures (CVEs), surging from 5,000 in 2013 to roughly 30,000 in 2023. Fortunately, known vulnerabilities can be protected against – but that still means the correct monitoring, controls, and secure software supply chain must be in place.
The hike in hacks, exploits, and breaches has been met with a healthy rise in cyber security spending.
Market intelligence firm IDC noted that, in 2024, with the frequency of cyberattacks increasing, Australia contributed over 25% of security spending in the region, alongside India, across all of Asia Pacific, excluding Japan.
Even where software code vulnerabilities aren't the direct vector for attacks, the increasing complexity of distributed cloud-native applications and systems means configuration errors or omissions can introduce paths that can be exploited.
Just in recent memory we've seen some high profile breaches of Australian brands, apparently as a result of this kind of issue, including Optus, Medibank and Ticketmaster, which clearly showed how impactful security incidents can be.
While continued security investment is essential, the vulnerability scanners that form part of that security spend only work against known threats. That exposes organisations to zero-day attacks – think Log4Shell – which target a security vulnerability that has not previously been identified and for which a patch hasn't been issued.
Another potential source of zero-day attacks is a bad actor within an organisation: proper implementation of zero trust means that even code from 'the inside' must be treated with caution.
Although the consensus is that no one is immune to vulnerabilities or breaches, an uptick in cloud-native security solutions that protect applications from zero-day attacks at runtime will ensure threat actors are blocked even if malicious code is present, unauthorised access to sensitive resources is detected, code is executed remotely, or attempts at data exfiltration are made.
As digital landscapes expand, so will the reliance on multi-cloud environments, each with its own nuances as dictated by cloud providers. A combined focus on consistency, developer productivity and zero-trust security stands to strip away the complexity of managing heterogeneity, ultimately making the core objectives of technology investments achievable while mitigating the risk of a storm.