With application-related attacks on the rise, it has never been more critical to ensure that security is baked into the fabric of your software development and operations practices.
Addressing issues early in an application's lifecycle is also far cheaper: commonly cited estimates put the cost of fixing a defect once the application is in operation at up to thirty times the cost of fixing it during design or development.
Given this reality, the best way to develop and deploy a secure and cost-effective application is to shift towards a DevSecOps model, integrating security every step of the way.
What is DevSecOps?
To understand DevSecOps, we first need to look at the evolution of the Software Development Life Cycle (SDLC) methodologies.
Traditionally, the SDLC involved separate development, operations, and security teams that worked in silos, far removed from direct interaction with customers.
Agile gained popularity in the 2000s and brought clients closer to development teams, who would collaborate continually to improve the application based on the client's evolving needs. Automation and the use of Continuous Integration / Continuous Delivery (CI/CD) tools were a key part of the Agile movement. However, operations teams were left out of this model, resulting in delays in the release of applications and new features.
DevOps addressed this by bringing together the operations and development teams as well as their processes, so that building, deploying, and operating an application component happened under a single roof. Security remained an outside process, however, provided as a service by external teams. Releases were delayed by the remediation needed for risks identified late in the game, and many issues identified by security operations were never communicated back to the development teams in time to strengthen the product.
Rather than being a blocker, security should act as an enabler, complementing and enhancing the application lifecycle with minimal impact on the agility of the end-to-end processes. This is where the DevSecOps (Development + Security + Operations) model comes in, bringing Security into DevOps and integrating it at all phases of the application lifecycle.
How To Implement DevSecOps
Time and time again, organizations ask us: “How can DevOps be transformed to achieve DevSecOps?” The answer does not lie in hiring a security team member labeled as “DevSecOps” to perform all security tasks. The solution is to cover security holistically across the following three pillars: people, process, and technology.
People
Developing and operating an app securely always starts with the people behind it. Promoting a security mindset at all stages breaks down silos and creates a culture of accountability. Everyone involved should be enabled to address security at every stage, rather than having a security team act as gatekeeper.
An existing team member should be appointed as the Security Champion within each team to act as the primary point of contact for security tasks. This Champion should support others within the team and address the low-hanging fruit (more on that later). These individuals should receive relevant training and support from a security team, which can be internal or external depending on the size of the organization. While large companies typically have their own application and cloud security teams, small- and medium-sized organizations will find it more cost-effective to work with an outside security services provider.
Process
Incorporating well-defined security policies, requirements, and related processes within DevOps creates a flow that achieves the desired security goals without introducing delays and additional cost. A secure DevOps process should include:
- Incorporating well-defined security requirements, aligned with OWASP’s Application Security Verification Standard (ASVS);
- Integrating security design reviews and threat modeling at different stages of the application lifecycle;
- Determining how issues are addressed without slowing down the development and deployment processes;
- Identifying areas of weakness at all stages and setting up a feedback loop to continually improve the app’s security; and
- Providing regular security training opportunities to the team, such as on the OWASP Top 10. Consider the OWASP Security Knowledge Framework and the OWASP DevSlop project, which contain several modules aimed at teaching DevSecOps to participants.
Technology
Tools can assist your people and support your processes. Agile introduced automation to increase the speed of application delivery. DevOps built on this concept and widened the scope to cover the operational side. The goal now is to improve this model and speed up the release cycle by using tools to automate security testing and reduce dependency on manual methods as much as possible.
However, automated tools are only able to identify the “low-hanging fruit” and cover fewer than half of the verification requirements outlined in ASVS. As a result, manual assessments are still required periodically, particularly for access control and business-logic flaws, which scanners cannot reason about.
If you’re using multiple automated security tools such as SAST, DAST, and SCA, and not correlating the results, then you could be missing some critical vulnerabilities that put your business at risk.
Having a platform that enables you to aggregate issues from automated and manual processes into a single view, normalize the results, and correlate them allows you to better identify actual issues and reduce risk.
When multiple scanners run independently they are not talking to each other, so a low-severity finding from one scan, combined with an issue found by another scanner, may in fact be a pathway to a much more serious threat. By correlating issues together you can look for such patterns and identify threats that would otherwise go unnoticed.
De-duplicating and triaging findings in this way cuts the number of issues your team must look at, saves time, avoids false-positive fatigue, and reduces errors. It also gives you better prioritization and lets you focus your limited development resources where they matter.
At a minimum, the following automated security test activities should take place during the build and deployment phases:
- Verification of code security using Static Application Security Testing (SAST) tools and identification of vulnerable packages using Software Composition Analysis (SCA) tools before accepting code from developers;
- Live testing using Dynamic Application Security Testing (DAST) tools, as well as scanning for TLS and infrastructure-related issues, when the app is deployed to a staging environment.
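The aggregation described above, where SAST, SCA and DAST output is normalized, de-duplicated, correlated and then used to decide whether a pipeline stage passes, as an added example in Python that is not from the original post or any product. The SAST, DAST and SCA records are constructed stand-ins shaped loosely like real tool exports, and ROUTE_MAP and IMPORT_MAP are hypothetical mappings that a real pipeline would derive from the application router and the dependency manifest.

```python
"""Normalize, de-duplicate and correlate scanner findings, then gate a build.

Added example. Sample records and the two mappings below are constructed;
a real pipeline would load tool exports and derive the mappings itself.
"""
from dataclasses import dataclass, field
from urllib.parse import urlsplit

SEVERITY = {"info": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}
LEVEL = {v: k for k, v in SEVERITY.items()}

# Constructed sample output, shaped loosely like what each tool class emits.
SAST = [
    {"rule": "sql-string-concat", "file": "app/search.py", "line": 42,
     "cwe": "CWE-89", "severity": "medium"},
    {"rule": "tainted-sql-sink", "file": "app/search.py", "line": 42,
     "cwe": "CWE-89", "severity": "medium"},  # second rule, same flaw
    {"rule": "debug-enabled", "file": "app/settings.py", "line": 7,
     "cwe": "CWE-489", "severity": "low"},
]
DAST = [
    {"url": "https://staging.example/search?q=x", "cwe": "CWE-89",
     "severity": "low", "evidence": "response delayed for q=x' AND SLEEP(5)--"},
]
SCA = [
    {"package": "oldorm", "version": "1.2.0", "cwe": "CWE-89",
     "severity": "low", "note": "raw query helper does not escape input"},
]
# Hypothetical mappings: URL path -> source file, package -> importing files.
ROUTE_MAP = {"/search": "app/search.py"}
IMPORT_MAP = {"oldorm": ["app/search.py"]}


@dataclass(frozen=True)
class Finding:
    tool: str        # "sast", "dast" or "sca"
    component: str   # source file the finding is attributed to
    cwe: str
    severity: int    # numeric SEVERITY level
    detail: str


@dataclass
class Issue:
    component: str
    cwe: str
    tools: set = field(default_factory=set)
    severity: int = 0
    details: list = field(default_factory=list)


def normalize(sast, dast, sca, route_map, import_map):
    """Map every tool's native record onto the shared Finding schema."""
    out = []
    for f in sast:
        out.append(Finding("sast", f["file"], f["cwe"], SEVERITY[f["severity"]],
                           f"{f['rule']} at line {f['line']}"))
    for f in dast:
        path = urlsplit(f["url"]).path  # attribute the URL to the file serving it
        out.append(Finding("dast", route_map.get(path, path), f["cwe"],
                           SEVERITY[f["severity"]], f["evidence"]))
    for f in sca:
        # A package weakness lands on each file importing it; if nothing
        # imports the package it stays attributed to the package itself.
        for comp in import_map.get(f["package"], [f["package"]]):
            out.append(Finding("sca", comp, f["cwe"], SEVERITY[f["severity"]],
                               f"{f['package']}=={f['version']}: {f['note']}"))
    return out


def dedupe(findings):
    """Collapse one tool's repeated hits on the same component and CWE."""
    best = {}
    for f in findings:
        key = (f.tool, f.component, f.cwe)
        if key not in best or f.severity > best[key].severity:
            best[key] = f
    return list(best.values())


def correlate(findings):
    """Merge findings sharing (component, CWE). Each additional independent
    tool reporting the same weakness raises the issue one level (an assumed
    policy choice, not a standard)."""
    issues = {}
    for f in findings:
        iss = issues.setdefault((f.component, f.cwe), Issue(f.component, f.cwe))
        iss.tools.add(f.tool)
        iss.severity = max(iss.severity, f.severity)
        iss.details.append(f"{f.tool}: {f.detail}")
    for iss in issues.values():
        iss.severity = min(iss.severity + len(iss.tools) - 1, SEVERITY["critical"])
    return sorted(issues.values(), key=lambda i: (-i.severity, i.component))


def gate(issues, fail_at="high"):
    """Issues at or above the threshold block the pipeline stage."""
    return [i for i in issues if i.severity >= SEVERITY[fail_at]]


if __name__ == "__main__":
    issues = correlate(dedupe(normalize(SAST, DAST, SCA, ROUTE_MAP, IMPORT_MAP)))
    for iss in issues:
        print(LEVEL[iss.severity], iss.cwe, iss.component, sorted(iss.tools))
    print("stage blocked:", bool(gate(issues)))
```

Run on its own it prints the merged issues and the gate decision. The point to notice is that none of the four de-duplicated findings rates above medium, so a gate applied to each scanner's output separately would let the build through, whereas the merged issue on app/search.py is reported from three independent directions and blocks the stage. The one-level-per-corroborating-tool rule is a stated policy assumption; tune it to your own risk appetite.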
It is also important to address the security of the app while in operation by incorporating security tools such as:
- Interactive Application Security Testing (IAST)
- Runtime Application Self-Protection (RASP)
- Web Application Firewalls (WAF)
- Security Information and Event Management (SIEM)
You can find a list of free open source security tools that cover the above areas of concern at this OWASP project.
Addressing security by enabling your team, putting well-defined processes in place, and automating as much as possible using technology, along with proper support from a security team, will put you on the path towards an effective DevSecOps model. This investment will help protect your business from cyberattacks, reduce costs, and speed up the release-to-market process.
Thanks to ATC member company Forward Security for submitting this guest blog. If you want to submit a blog, let ATC know.