Open-source technologies and software code repositories are undoubtedly lowering organizations’ ‘entry point’ for innovation and accelerating time to market – Statista forecast in July that global mobile application revenues will reach $935 billion by 2023 – but what of the security risks inherent in this growth?
While interest has focused on organizations adopting open source tools and an innovation culture to gain competitive advantage, there has been less attention on application security issues. Each layer that developers add to an application increases the attack surface and opens new intrusion points while the application code itself often contains many vulnerabilities. The 2021 Hacker Report noted bugs in 20 different vulnerability categories and also found “huge growth in vulnerability submissions across all categories.”
A closely related challenge is getting developers and security colleagues to collaborate more closely and embed security tools, processes and culture within DevOps.
Our research of 4,300 professionals worldwide indicates that organizations still struggle with determining who is in charge of security, with 31 percent of security professionals stating they were fully responsible for it, but almost as many – 28 percent – reporting that everyone was responsible.
Another more recent survey was also split on whether DevOps and security professionals should be responsible for software security. Given such lasting uncertainty, how can software teams more effectively configure and test new applications and components from a plethora of open-source providers?
Research indicates gaps between application releases and organizations’ ability to test them, whether because of confusion over testing responsibilities or developers’ lack of proper testing tools. Some researchers have gone so far as to suggest that 80 percent of devs admit having knowingly released code with problems.
Leading DevOps companies believe that improving applications’ security depends on combining the functionality of a modern DevOps platform with holistic security programs, to enable IT teams to gain effective control and visibility of their growing software supply chains.
These efforts will require a combination of people, processes and tools, along with cross-department collaboration.
Step 1: Assess your security hygiene, considering new attack surfaces
Many attacks may exploit organizations’ lack of focus on basic security hygiene (think patches and passwords) and revisit exploits that have been around for a long time. While this recommendation may not in itself be anything new, the scope of the effort may be.
Organizations need to review their security policies and consider potential attack surfaces such as software development toolchains, containers, orchestrators, and infrastructure as code. Is multi-factor authentication enforced? Is secret detection in place? Companies also need to check their admin settings for visibility and access controls.
Step 2: Automate scanning, policies, and compliance
Many organizations might be surprised at the scope of DevOps tools to do the heavy lifting of testing and compliance.
Does your organization automate security scans within standardized CI pipelines? Most people use SAST and/or dependency scanning. Each type of scan will find different types of vulnerabilities but applying point scanning solutions to entire application portfolios can be prohibitively expensive.
Companies that prioritized bigger developer teams and complex toolchains may not have kept up with recent DevSecOps innovations and the ever-growing range of application security and scanning resources. Modern DevSecOps platforms can be used just as effectively by small startups as by mid-size companies and enterprises. They automate tasks such as code scanning and encourage closer collaboration between senior IT executives, developers and security professionals, because a single platform is simpler to use than multiple point solutions.
As an example, a leading platform for DevOps delivers comprehensive application scanning with SAST, DAST, dependency, container scanning, secrets detection, and fuzz testing which allows developer teams to do three main things:
- Scan all of an organization’s code, including third-party code and code in containers
- Scan every code change: leading DevOps tools run application security scans on every code change using multiple scan methods, and the best CI tools allow even DAST to run inside the CI pipeline against a review app for that branch. Because all of these scans complete before the code is merged into the main branch, fewer vulnerabilities reach shared environments.
- Use fuzz testing to find insecure logic flaws that do not match the signature of a known CVE. Leading DevOps providers' security scanning includes both coverage-guided fuzzing and behavioral testing of web APIs. Fuzz testing integrated into the CI pipeline is easier for teams to adopt than stand-alone fuzzers.
Getting security and efficiency gains from automation depends on applying it in standardized, controlled CI processes. As the CNCF points out, "Automating as much of the software supply chain as possible can significantly reduce the possibility of human error and configuration drift."
Does your organization require a standardized CI template for all projects? Do you automatically apply compliance to an industry-standard? When vulnerabilities are found, who can approve MRs with policy exceptions?
Automating CI/CD is one vehicle to apply common controls that include things like:
- Segregation of incompatible duties
- Identity and access approval controls
- Configuration management and change control
- Access restrictions for changes to configurations and pipelines
- Protected branches and environments
- Licensed code usage
- Security testing.
Automating policy execution through these common controls ensures more consistent compliance while also reducing the audit surface.
The leading products deliver many different compliance capabilities within a single DevOps platform, including a compliance dashboard, compliance management, and audit reports.
Step 3: Protect application infrastructures
Modern applications rely on much more than the code itself. You also have to consider cloud-native infrastructure such as Docker and Kubernetes environments. Apply container scanning and use SAST to scan Helm charts and Kubernetes manifests. Consider container host security together with container network security monitoring and protection. Open-source tools such as Falco and AppArmor, when deployed in the CI environment, can alert on and prevent build servers from doing unexpected things such as modifying scheduled tasks or OS configuration in general.
Dev and security teams also need to check more obscure things like the container registry. Who at your organization has write access to it? Compromising a single person with write access could compromise the registry and, via the pipelines that pull from it, inject vulnerabilities into multiple software projects.
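As an added example of the Falco point above (this is illustrative rules content written for this article, not Falco's shipped ruleset or GitLab's), the following rules file alerts whenever a process on a CI runner host, or inside any container it runs, writes under the cron, systemd or init directories. The allow-list of package managers and the tag names are assumptions; extend them to match your fleet.

```yaml
# Added example, not from the article. Load with: falco -r ci-runner-rules.yaml
# Paths and process names below are assumptions for a Debian/Ubuntu runner host.

- list: scheduler_dirs
  items: [/etc/cron, /var/spool/cron, /etc/systemd/system, /etc/init.d, /etc/rc]

# Processes that legitimately install unit files or cron entries on a runner host.
- list: allowed_scheduler_writers
  items: [dpkg, apt, apt-get, systemd, systemctl, ansible-playbook]

# Any open/creat that can write, where the target sits under one of the scheduler dirs.
- macro: write_to_scheduler_dirs
  condition: >
    (evt.type in (open, openat, openat2, creat) and evt.is_open_write=true and
     (fd.name startswith /etc/cron or
      fd.name startswith /var/spool/cron or
      fd.name startswith /etc/systemd/system or
      fd.name startswith /etc/init.d or
      fd.name startswith /etc/rc))

- rule: Scheduled task modified on CI runner
  desc: >
    A process on the runner host, or in a job container it launched, wrote a
    cron, systemd or init file. Build jobs have no business persisting on the host.
  condition: >
    write_to_scheduler_dirs and not proc.name in (allowed_scheduler_writers)
  output: >
    Scheduled-task file written on CI runner
    (user=%user.name proc=%proc.name cmdline=%proc.cmdline file=%fd.name
     container=%container.name image=%container.image.repository)
  priority: ERROR
  tags: [ci, persistence, host]
```

For host processes Falco reports `container=host`; for job containers the image field tells you which pipeline image misbehaved. Pair the alert with AppArmor or a read-only mount of those directories if you want the write blocked rather than only reported.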
Step 4: Secure the software factory
Modern DevOps platforms are designed to simplify the effort required to secure the software factory itself, with one place for managing access, software factory policies, and repeatable, measurable processes. Best practices include:
- Apply Zero Trust principles: least-privilege access and authentication of every entity in the supply chain environment
- Harden the DevOps instances themselves, then check and verify that hardening regularly
- Sign code and produce attestations for what the pipeline built
- Use up-to-date tools that detect malicious code in dependencies, including transitive dependencies
- Control CI/CD variables, which govern pipeline behavior. Environment-scoped variables limit where a variable is available by naming the environments (production, for instance) that may read it, so a review or test job cannot pick up production credentials
- Use compliant pipelines, where admins control the templates that determine which security scans development projects run
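As an added, concrete illustration of the Step 2 practice (every scanner on every change, DAST against the review app, nothing merged unscanned) and of the environment-scoped variables from Step 4, here is a `.gitlab-ci.yml` written for this article. It is not GitLab's own code or the author's; the `Security/*.gitlab-ci.yml` template paths and the `CS_IMAGE` and `DAST_WEBSITE` variable names are taken from GitLab's documentation at the time of writing and should be checked against your instance, and `deploy-review.sh`, `teardown-review.sh` and `review.example.com` are assumed placeholders.

```yaml
# Added example, not from the article or from GitLab. Assumes a project with a
# Dockerfile, a review-app deploy script, and merge-request pipelines enabled.

workflow:
  rules:
    - if: $CI_PIPELINE_SOURCE == "merge_request_event"   # scan every change
    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH        # and the default branch

stages: [build, test, review, dast]

# GitLab's bundled scanners; each template defines its own job in the test stage
# (dast adds the dast stage). Template paths are an assumption to verify.
include:
  - template: Security/SAST.gitlab-ci.yml
  - template: Security/Dependency-Scanning.gitlab-ci.yml
  - template: Security/Secret-Detection.gitlab-ci.yml
  - template: Security/Container-Scanning.gitlab-ci.yml
  - template: Security/DAST.gitlab-ci.yml

build_image:
  stage: build
  image: docker:24
  services: [docker:24-dind]
  script:
    - docker build -t "$CI_REGISTRY_IMAGE:$CI_COMMIT_SHA" .
    - docker login -u "$CI_REGISTRY_USER" -p "$CI_REGISTRY_PASSWORD" "$CI_REGISTRY"
    - docker push "$CI_REGISTRY_IMAGE:$CI_COMMIT_SHA"

# Point container scanning at the image built for this exact commit, not :latest.
container_scanning:
  variables:
    CS_IMAGE: "$CI_REGISTRY_IMAGE:$CI_COMMIT_SHA"

# Review app for the branch. The environment name is what environment-scoped
# CI/CD variables match on: a secret scoped to "production" is never injected here.
deploy_review:
  stage: review
  script:
    - ./deploy-review.sh "$CI_COMMIT_REF_SLUG"        # assumed helper script
  environment:
    name: review/$CI_COMMIT_REF_SLUG
    url: https://$CI_COMMIT_REF_SLUG.review.example.com
    on_stop: stop_review
  rules:
    - if: $CI_PIPELINE_SOURCE == "merge_request_event"

stop_review:
  stage: review
  script:
    - ./teardown-review.sh "$CI_COMMIT_REF_SLUG"      # assumed helper script
  environment:
    name: review/$CI_COMMIT_REF_SLUG
    action: stop
  rules:
    - if: $CI_PIPELINE_SOURCE == "merge_request_event"
      when: manual
      allow_failure: true

# DAST runs against the review app of this merge request, so a dynamic scan
# happens before the change reaches the main branch.
dast:
  variables:
    DAST_WEBSITE: https://$CI_COMMIT_REF_SLUG.review.example.com
  rules:
    - if: $CI_PIPELINE_SOURCE == "merge_request_event"
```

Two points a practitioner should not miss. First, the scanner jobs report findings; they do not block a merge on their own. Enforcement comes from merge-request approval rules or scan-result policies that require a security reviewer's approval when new critical or high findings appear, which is also where the "who can approve policy exceptions" question from Step 2 gets answered. Second, the variables that hold production credentials should be scoped to the `production` environment (and marked protected and masked) in the project's CI/CD settings, so that jobs deploying to `review/*` environments, which are built from untrusted branch code, can never read them.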
Step 5: Iterate with continuous assessment and improvement
Securing the modern software supply chain will require teams to revisit steps 1-4 above continuously, making it even more challenging to juggle complex toolchains and security integrations. Modern application development processes demand new ways of thinking, tooling the software factory itself for security and controls, rather than inspecting code after it is built.
There can never be guarantees regarding security. A defense-in-depth strategy, combined with the simplicity of a single DevSecOps platform, is nevertheless a powerful enabler that can simplify your security efforts and improve your organization’s visibility and control points.
Cindy Blake, senior product marketing manager and security specialist, GitLab