How AppSec Can Keep up with Increases in Release Frequency
With modern technology stacks, the way software is built has changed drastically. Long gone are the days when considerable time existed between releases; now we see multiple releases per month, week or even day. This change has largely been driven by the need to keep up with customer demand.
As software is “eating the world” and getting increasingly important for the value chain, it is also growing as an attack target for hacks and breaches. Thus, security is crucial to modern software development.
Build Security in
Instead of relying on security as a separate function that can be bolted onto the end of the software development lifecycle (SDLC), security needs to be built into the development process itself. This allows businesses to move at the speed of market demand. Too often, however, security is regarded as a hindrance to the release process, mostly due to an overwhelming number of false positives and irrelevant notifications.
Security teams must change and adopt the principles of DevOps. This requires an organizational transformation in process, mindset and tools to make DevSecOps a reality.
We know from experience that the more integrated security is with development, the more efficient the overall SDLC.
Collaboration between domain experts and software developers, the idea behind Domain-Driven Design and the counterpart of what DevOps does for operations and development teams, produces code that meets business needs and makes individual stakeholders responsible for the strategic and tactical delivery of software, including delivering it securely.
To embed application security (AppSec) across your applications and processes, a holistic strategy is required. Tools alone do not solve the problem, but they can optimize the process and are an important component of any successful strategy.
Important considerations when defining your AppSec strategy include:
- Build a risk profile of all the applications within your organization.
- Provide inbuilt controls within an application and validate them.
- Ensure your security solutions integrate with your processes and technology.
- Consider the amount and types of information a security solution provides your developers — and if it is relevant to them.
- Revisit your strategy often, to determine if it’s working or requires changes to reach a desired maturity level.
Integration of a security solution should be seamless and completely automated, with low false positives, so that developers can remediate findings much earlier in the SDLC without losing sight of their delivery goals. There must also be a retrospective feedback loop that returns intelligence to developers, to determine what worked well and what (if any) changes are required.
Testing and Automation
Separate phases of the SDLC demand separate tools to achieve security, as the software evolves from code to its end state. Testing is a critical phase that requires dedication and patience to uncover bugs in the running code. The process must be repeated from different perspectives to capture different classes of bugs — and to reveal the approaches an attacker might take to exploit a weakness.
Testing tools should be integrated and automated early in the development pipeline, so that teams can run scans for vulnerabilities on every build without affecting velocity. This is a DevSecOps practice that stands in contrast to traditional software security methods. Testing activities can be performed in series or in parallel to other development activities. For example, when an application is packaged, integration tests and software composition analysis (SCA) can execute in parallel.
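As an added illustration, not taken from the original article, the GitLab CI fragment below runs software composition analysis and integration tests side by side in one stage as soon as the application has been packaged; the job names, the `npm run build` and `npm run test:integration` scripts, and the use of `npm audit` as the SCA step are assumptions.

```yaml
# Added example, not from the article. Jobs in the same stage run in
# parallel; `needs` lets both verification jobs start the moment the
# package job has finished rather than waiting for the whole stage.
stages:
  - package
  - verify

package:
  stage: package
  image: node:20
  script:
    - npm ci
    - npm run build                 # assumed build script
  artifacts:
    paths:
      - dist/
      - package-lock.json

integration-tests:
  stage: verify
  image: node:20
  needs: [package]
  script:
    - npm ci
    - npm run test:integration      # assumed integration test script

sca:
  stage: verify
  image: node:20
  needs: [package]
  # Fail the build on high or critical dependency vulnerabilities so the
  # finding reaches the developer on the same commit that introduced it,
  # without blocking the pipeline on low-severity noise.
  script:
    - npm ci
    - npm audit --audit-level=high
  allow_failure: false
```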
Interactive Application Security Testing (IAST)
Finding security tools that are highly automated, developer-friendly and deliver low false positives can be very challenging. A relatively new solution that ticks each of these boxes is interactive application security testing (IAST). It silently checks for security vulnerabilities and bugs while an application is running. Leveraging existing tests, IAST monitors an application during the QA phase and identifies vulnerabilities as those tests execute, which makes it extremely fast.
There are two aspects to addressing any vulnerability: identification and remediation. Being slow in either of these will slow down the overall velocity. IAST helps to expedite both identification and remediation. It provides insights about a vulnerability with not just HTTP context, but also code-level context, so that developers can find it quickly. Seeker by Synopsys also includes active verification, to reduce false positives so that developers can find and fix the vulnerabilities that matter to their organization.
By providing security solutions that are automated and integrate easily into the developer’s pipeline — and that eliminate the noise of false positives and provide context and remediation assistance — the delivery of secure software at speed becomes inevitable.