How can Australia safeguard the digital backbone of its critical infrastructure?


In the digital age, software is more than just code—it’s the very fabric that holds together the intricate digital tapestry of our world.

Software powers our banks, our hospitals, our transport, our communications. The recent cyberattack on Energy One, an Australian software provider to critical infrastructure—including energy, environmental and carbon trading markets—underlined an urgent need for heightened software security. The ramifications of a breach are no longer limited to data loss; they can now extend to potentially catastrophic real-world consequences.


Following the attack, we sat down with Phillip Ivancic, head of solutions strategy, APAC at Synopsys Software Integrity Group, to understand the state of application security in Australia and what Australian organisations can do to safeguard their software and business risk alike.

What is the current state of application security in Australia?

Application security is becoming mainstream across all industries, but, in comparison to other parts of Asia Pacific, we still have quite a ways to go. Every large Australian organisation—be it government, financial services or Critical Infrastructure (CI)—has finally realised that it is both enormously expensive and often very difficult to re-engineer new software if major security vulnerabilities are discovered within the late stages of the development cycle. These bottom-line KPIs—time and cost savings—are the main drivers of organisations adopting automated application security.

What challenges are organisations in Australia facing, in particular the critical infrastructure vertical?

We’re in an age where Australian utilities and critical infrastructure (CI) providers are now also software businesses. Not only does this signal a seismic shift from even a decade ago, when CI networks’ industrial control systems, operational technology and their corporate IT infrastructure were isolated from one another, it’s also perhaps the most critical emerging challenge for these industries.

Now, with Application Programming Interfaces (APIs) and real-time, two-way communication with Internet of Things (IoT) devices via cloud service providers and software-defined infrastructure, the modern CI provider is highly interconnected and software-driven.

Unlike the financial services industry, which has already been dealing with increased cloud adoption and application connectivity security threats for over a decade, CI providers are only just now being introduced to this massive paradigm shift and its potential implications.

It is this new interconnectivity, combined with the government’s own threat intelligence, that prompted the passing of the Australian Security of Critical Infrastructure Act 2018 (SOCI Act) to empower CIs with a codified baseline of security controls and governance frameworks. CIs are now software businesses, and the SOCI Act is the baseline framework to help them deal with this fundamental change.

What do you see are the threats ahead? How should businesses keep safe?

The shift in CI providers becoming hugely interconnected software-driven businesses requires a change in how we think about securing them against the threats we know about today, and how we prepare for the threats of tomorrow. Perhaps most importantly, businesses should:

  1. Understand the new threat landscape. Conduct threat modelling exercises as you are planning new projects. Identify potential threats, document the impact and use ‘secure by design’ principles to ensure appropriate security controls are in place. Also, be mindful of your existing assumptions, like the old paradigm assumption of CI “network isolation” — there is a good chance it’s no longer the case.
  2. In the modern threat landscape, organisations can no longer get away with waiting until the annual penetration test to gauge the security posture of the applications they have in live production environments. The first step is to invest in automated application security platforms that provide real-time, continuous security testing and also, for when potential vulnerabilities are discovered, the contextual information that teams need to ensure they are remediated in the early stages of development. An effective, modern application security platform should, at a minimum, include a Software Composition Analysis (SCA) solution that provides up-to-date information on all open source and proprietary software components within an organisation’s software supply chain, as well as Interactive Application Security Testing (IAST) to understand vulnerabilities that come from application behaviour.

Are there any examples that come to mind where software vulnerabilities led to actual disruptions?

Every high-profile data breach that we remember seeing on the news—like Optus or Latitude Financial, or the attack on the Colonial Pipeline in the US a couple of years back—can be linked back to software vulnerabilities and application security failures. None of them occurred because a hacker “breached a firewall” or exploited an infrastructure problem.

This, really, is the point. In the modern world, it is software vulnerabilities that are most likely to lead to mass exfiltration of data or disruption. That is why application security is becoming mainstream and a must-have for interconnected CIs.


What is the future of AppSec, advancements in the pipeline and how does that help the critical infrastructure vertical?

The future of application security is continued automation and helping software and cloud engineers in real time as they are developing projects. Be it “auto-correcting” vulnerable code in real time or providing contextual and gamified training, application security solutions should be intuitive for their users and work seamlessly with their native environments and workflows. For CIs, simplicity and automation will be vital, as they will allow engineers to focus on driving innovation.
