
Security Testing Must Be Part of Software Development Life Cycle

26 Aug 2021 3:00am, by Chris Medina
Chris has been managing operations and leading engineering teams for more than 27 years with the military and private enterprise. He currently leads the federal vertical as the general manager for the Chef product line at Progress Software. Prior to Progress, Chris served as a Cyber CTA at Proofpoint security, supporting product solutions and integration, and also supported Specialty Engineering for Dell/EMC as a director of customer solution architecture. Chris graduated from Radford University in 1995 with an intensity in neural physics and served in the U.S. Navy and U.S. Navy Reserve for nine years supporting intelligence operations and the Explosive Ordnance Disposal groups out of Stump Neck, Maryland.

The DevOps world is acutely aware of the past struggles to integrate security into the software development life cycle (SDLC). While the pros of uniting these all-too-siloed teams are very clear, the cons remain costly and continue to be a barrier to organizations marrying these functions together for good. Meaning? DevOps makes software deployment faster, but without proper controls developers may also unwittingly release security vulnerabilities more quickly.

Security should be an integral part of the automated testing process, helping to verify compliance requirements. This modern DevOps framework is crucial for developers, because conducting security checks only after the fact increases the likelihood that vulnerabilities slip through. According to a Chef survey, security automation speeds software delivery and improves quality. DevSecOps adopters are three times as likely as non-adopters to see security as something that speeds up software delivery, and most organizations (84%) agree security improves quality as well.

If security gaps are not addressed immediately, they continue to grow as the software moves further along the pipeline. Speed in innovation is nothing without security in the SDLC. In an era of rapidly developing threats and continually evolving compliance frameworks, it is alarming that it can take weeks, and even up to two months, to remediate these violations or vulnerabilities.

So what is the solution? Defining everything as code can help bridge this security gap in the SDLC. Code serves as a single source of truth, a shared common language among teams that can be used to codify infrastructure configuration, security and compliance. Defining “everything as code” — from compliance policies, to infrastructure, to application dependencies — bridges the gap between teams in the software development life cycle because that code can be shared, scaled and automated. From there, unambiguous tests make the result easily readable by all parties involved: security engineers, auditors, systems administrators and others.

Shift-left testing also integrates security earlier in the process and results in fewer errors reaching production. Developers become more ingrained in the workflow, which also creates a sense of ownership. By defining everything as code, teams can easily reference what the security postures are, how their features should comply and how to influence change if necessary.

According to a Gartner study, through 2022, 90% of software development projects will claim to follow DevSecOps practices, up from 40% in 2019. The risks and consequences associated with flawed code and faulty infrastructure configurations are too severe to ignore in the early development stages, especially with the increase of cyberattacks and teams being pushed to produce software on accelerated timelines.

Below are a few best practices for integrating security into the SDLC during the build process. By embracing this DevOps approach, developers can be more agile and efficient.

Define compliance as code to be referenced as one source of truth that is easy to understand and use with teams at scale:

  • Create custom policies — Give staff the capability to quickly get up to speed with writing custom “desired state” policies, or extending existing ones, in high-level and domain-specific languages (DSLs).
  • Infrastructure as code (IaC) — Maintain infrastructure configurations in a format compatible with version control systems (VCS), enabling peer code review, version control, change auditability, automated testing and deployment via CI/CD processes and tooling.

The less human intervention during the review and testing process, the better, because it reduces the amount of error:

  • Rollback/grace period — Where configurations might have been changed directly on the server, e.g. in operational emergencies, the ability to define a grace period within which urgent configuration changes can be undone.

Create a regular cadence for secure coding practices, such as gap analysis, threat modeling and maintaining a checklist of security risks:

  • Workflow/case management tools — Integrate workflow tools (e.g. ServiceNow, Jira, webhooks) for dealing with compliance deviations that may require manual intervention. This supports change and/or request management.
  • Exception management — Enable the integration of workflow tools (e.g. ServiceNow, Jira, webhooks) for exception management, e.g. approval/review of individual deviations from desired-state configuration, two-person rule observations and CI/CD pipeline visibility.

Provide a set of security baselines that can be easily customized such as CIS Compliance Benchmarks and DISA STIGs:

  • Configuration drift — Customers can use Chef to mitigate the configuration drift problem, preventing servers from deviating from a desired (known-good) state. Hosts can self-heal by detecting configuration drift and performing automated remediation.
  • Monitor configuration — Monitor and control the configuration on thousands of different servers (Linux and Windows), ranging from physical to virtual machines, using IT automation software.
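The desired-state pattern behind these practices (a baseline defined as code, drift detection, self-healing remediation), shown in plain Ruby as an added example that is not Chef's or InSpec's code; the SSH settings are illustrative of CIS-style hardening and the drifted config is constructed:

```ruby
# Added example in plain Ruby, not Chef or InSpec code: a desired-state
# policy as code, drift detection and self-healing remediation. Settings are
# illustrative of CIS-style SSH hardening, not copied from any benchmark.
SSHD_BASELINE = {            # single source of truth, reviewed in version control
  "PermitRootLogin"        => "no",
  "PasswordAuthentication" => "no",
  "X11Forwarding"          => "no",
  "MaxAuthTries"           => "4",
}.freeze

# Constructed sshd_config fragment that drifted after an emergency hand edit.
DRIFTED_CONFIG = <<~CONF
  # hand-edited during an incident
  Port 22
  PermitRootLogin yes
  PasswordAuthentication no
  MaxAuthTries 10
CONF

# Parse "Key value" lines into a hash, skipping comments and blank lines.
def parse_sshd_config(text)
  text.each_line.with_object({}) do |line, cfg|
    line = line.strip
    next if line.empty? || line.start_with?("#")
    key, value = line.split(/\s+/, 2)
    cfg[key] = value
  end
end

# Report every baseline key whose current value is missing or differs.
# Returns [[key, expected, actual], ...]; an empty array means compliant.
def detect_drift(current, baseline = SSHD_BASELINE)
  baseline.each_with_object([]) do |(key, expected), drift|
    drift << [key, expected, current[key]] unless current[key] == expected
  end
end

# Rewrite the config so every baseline key holds its known-good value;
# settings outside the baseline (e.g. Port) are left untouched, and any
# baseline key missing from the file is appended.
def remediate(text, baseline = SSHD_BASELINE)
  seen = []
  fixed = text.each_line.map do |line|
    key = line.strip.split(/\s+/, 2).first
    next line unless baseline.key?(key)
    seen << key
    "#{key} #{baseline[key]}\n"
  end
  (fixed + (baseline.keys - seen).map { |k| "#{k} #{baseline[k]}\n" }).join
end
```

Running `detect_drift(parse_sshd_config(DRIFTED_CONFIG))` reports three deviations (root login, the missing X11Forwarding line, MaxAuthTries); feeding `remediate(DRIFTED_CONFIG)` back through the same check returns an empty list, which is the auditable "compliant" result a pipeline gate can assert on.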

