Published Mar 5, 2018 | Updated Apr 09 2020
WRITTEN BY THE KIUWAN TEAM
Experienced developers, cyber-security experts, ALM consultants, DevOps gurus and some other dangerous species.
DevSecOps is becoming more and more important for companies that want to stay afloat. Attempts to break into companies, steal information and cause disruption are constant. Attackers steal for financial gain and for strategic reasons, and they often walk away with highly sensitive information. They use SQL injection, cross-site scripting (XSS), cross-site request forgery (CSRF) and many other techniques. To protect themselves, companies must think creatively and put a wide range of security precautions in place. There are now more methods of protection than ever. Importantly, all of them must be synchronized and integrated across one coherent team. Without that coordination, attackers will eventually find the cracks between departments and get in.
Here are 5 best practices that are particularly good to avoid this fate and improve your DevSecOps implementation.
1. Automate Everything
Automation is the best way to keep human error out of a process. Any step that depends on a person uploading the right file, processing data carefully or remembering to confirm something is subject to mistakes. Automating as much as possible prevents those errors before they happen.
Integration is one area where automation is crucial. Different systems often use different formats, and hand-built bridges between them are error-prone. Instead of one-off integrations between systems, build a continuous integration and continuous deployment (CI/CD) pipeline, so that every build, test and deployment runs the same way each time and leaves a record. The hand-offs between systems then stop being the loosely watched seams that attackers look for.
In particular, security controls and tests need to run automatically. Developers focused on building a product that is intuitive and useful will, understandably, forget to run security tests by hand. Many companies push small updates to their apps as often as 50 times a day, but they do not run security tests anywhere near that often. Wire the tests into the pipeline so they run on every change, not only when somebody remembers.
2. Test Smartly
It is not enough to automate your security tests; you also have to run them smartly. For example, you can schedule a static application security testing (SAST) scan to run every night. Make sure, though, that the results prioritize the errors and holes introduced by that day's programming. A full SAST scan usually returns a long list of issues that have built up over time, many of them yellow flags that do not need to be patched immediately. Buried in all that data, programmers may miss something major that was introduced the day before. For that reason, SAST results must be prioritized by timeliness as well as by threat level. That way no major issue goes unnoticed until it has become far harder to fix.
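To make the point of sections 1 and 2 concrete, here is an added example (not Kiuwan's code or tooling) of a small CI gate in Python: it parses `git diff -U0` output to find the lines changed in the current set of commits, ranks scanner findings so that anything on those lines outranks the backlog regardless of severity, and fails the build when a high or critical finding sits on a changed line. The findings list and the diff text are constructed for the example; a real pipeline would load the scanner's SARIF report and run `git diff -U0 origin/main...HEAD` for the diff.

```python
"""CI gate that ranks SAST findings by recency and severity.

Added example (not Kiuwan's code): the findings list and the `git diff -U0`
output below are constructed; a real pipeline would load a SARIF/JSON report
from the scanner and run `git diff -U0 origin/main...HEAD` for the diff.
"""
import re
from collections import defaultdict

SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1, "info": 0}

# Unified-diff hunk header: "@@ -old[,count] +new[,count] @@"; only the "+" side matters here.
HUNK_RE = re.compile(r"^@@ -\d+(?:,\d+)? \+(\d+)(?:,(\d+))? @@")

# Constructed `git diff -U0` output: two files touched in today's commits.
SAMPLE_DIFF = """\
diff --git a/app/db.py b/app/db.py
--- a/app/db.py
+++ b/app/db.py
@@ -10,0 +11,2 @@ def lookup(user):
+    query = "SELECT * FROM users WHERE name = '" + user + "'"
+    return cursor.execute(query)
diff --git a/app/views.py b/app/views.py
--- a/app/views.py
+++ b/app/views.py
@@ -42 +42 @@ def render_comment(text):
-    return html.escape(text)
+    return text
"""

# Constructed scanner output (simplified SARIF-like records).
FINDINGS = [
    {"rule": "sql-injection",    "severity": "critical", "file": "app/db.py",       "line": 11},
    {"rule": "xss",              "severity": "high",     "file": "app/views.py",    "line": 42},
    {"rule": "weak-hash",        "severity": "medium",   "file": "app/auth.py",     "line": 7},
    {"rule": "debug-enabled",    "severity": "low",      "file": "app/settings.py", "line": 3},
    {"rule": "hardcoded-secret", "severity": "critical", "file": "app/settings.py", "line": 9},
]


def changed_lines_from_diff(diff_text):
    """Map each file in the diff to the set of line numbers added or modified on the new side."""
    changed = defaultdict(set)
    current = None
    for line in diff_text.splitlines():
        if line.startswith("+++ "):
            path = line[4:].strip()
            current = path[2:] if path.startswith("b/") else path
            continue
        m = HUNK_RE.match(line)
        if m and current is not None:
            start = int(m.group(1))
            count = int(m.group(2)) if m.group(2) is not None else 1
            changed[current].update(range(start, start + count))  # pure deletions give count 0
    return dict(changed)


def _touched(finding, changed):
    return finding["line"] in changed.get(finding["file"], set())


def triage(findings, changed):
    """Order findings: ones on lines changed today first, then by severity, then by location.

    A critical finding in the untouched backlog ranks below a high finding that landed
    today; the backlog is tracked separately, today's regression is cheapest to fix now."""
    return sorted(
        findings,
        key=lambda f: (not _touched(f, changed),
                       -SEVERITY_RANK.get(f["severity"], 0),
                       f["file"], f["line"]),
    )


def gate(findings, diff_text, block_at="high"):
    """Return 1 (fail the build) if a finding of severity >= block_at sits on a changed line, else 0."""
    changed = changed_lines_from_diff(diff_text)
    threshold = SEVERITY_RANK[block_at]
    blocking = [f for f in triage(findings, changed)
                if _touched(f, changed) and SEVERITY_RANK.get(f["severity"], 0) >= threshold]
    for f in blocking:
        print(f"BLOCK {f['severity']:8} {f['file']}:{f['line']} {f['rule']}")
    return 1 if blocking else 0


if __name__ == "__main__":
    raise SystemExit(gate(FINDINGS, SAMPLE_DIFF))
```

Run as the last step of the pipeline, the non-zero exit code from `gate` is what stops the merge; the rest of the ordered list is what the nightly report should show first, with the pre-existing backlog below it.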
3. Verify Code Dependencies
A recent study of 1,000 different commercial products found that 96% of them relied on open-source software to some extent, and that 60% of those products contained open-source components with security holes that were already well known. In other words, virtually every company already has something vulnerable somewhere in its value chain, and the move to cloud-hosted software has not changed that. Unfortunately, only 27% of the organizations surveyed had tools to identify the vulnerabilities already within their systems.
Companies need to take this seriously, because a vulnerable dependency is one of the most common ways attackers enter commercial systems. Above all, companies need to update or patch the open-source components they use, so that they are not carrying the same gaping, publicly documented holes as every other firm that ships the same library.
They need to regularly check every library, framework and database their software relies on. Developers do not have time to read up on every new library and every vulnerability disclosed against each open-source project. For that reason, the checks must be automated, covering both open-source and commercial third-party components, and they belong in the same pipeline as the rest of the tests.
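As an added illustration (not Kiuwan's tooling) of what such an automated dependency check does, the Python below parses a pinned requirements file, matches each pin against advisories expressed as OSV-style introduced/fixed version ranges, reports the smallest published fix version, and flags unpinned lines it cannot audit reliably. The package names, versions and advisory identifiers are placeholders constructed for the example; in practice the advisory list comes from a vulnerability feed and the lockfile from the repository.

```python
"""Check pinned dependencies against a list of known-vulnerable version ranges.

Added example (not Kiuwan's tooling): the lockfile text, package names and
advisory records below are constructed placeholders in an OSV-style shape
(introduced/fixed ranges); a real check would pull advisories from a feed and
read the repository's own lockfile.
"""
import re

# "name==1.2.3   # optional comment"; anything else (ranges, VCS URLs, unpinned) is flagged.
PIN_RE = re.compile(r"^([A-Za-z0-9_.-]+)\s*==\s*([0-9][0-9A-Za-z.]*)\s*(?:#.*)?$")

REQUIREMENTS = """\
# constructed lockfile for the example
acme-http==2.19.1
acme-yaml==5.3.1
acme-web==3.2.20
acme-tls>=1.26     # not pinned: the build could pull a different version tomorrow
"""

ADVISORIES = [  # placeholder ids and packages, not real advisories
    {"id": "EXAMPLE-0001", "package": "acme-http",
     "ranges": [{"introduced": "0", "fixed": "2.20.0"}]},
    {"id": "EXAMPLE-0002", "package": "acme-yaml",
     "ranges": [{"introduced": "0", "fixed": "5.4"}]},
    {"id": "EXAMPLE-0003", "package": "acme-web",  # two affected branches, both fixed
     "ranges": [{"introduced": "3.2", "fixed": "3.2.19"},
                {"introduced": "4.0", "fixed": "4.1.2"}]},
]


def parse_version(text):
    """'2.25.1' -> (2, 25, 1); numeric per component, pre-release tags are ignored, padded to 3."""
    parts = []
    for piece in text.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    while len(parts) < 3:  # so that 5.4 compares equal to 5.4.0
        parts.append(0)
    return tuple(parts)


def parse_requirements(text):
    """Split a requirements file into {name: pinned_version} and a list of unpinned specs."""
    pinned, unpinned = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = PIN_RE.match(line)
        if m:
            pinned[m.group(1).lower().replace("_", "-")] = m.group(2)
        else:
            unpinned.append(line.split("#")[0].strip())
    return pinned, unpinned


def is_affected(version, ranges):
    """OSV semantics: affected if some [introduced, fixed) interval contains the version."""
    v = parse_version(version)
    for r in ranges:
        lo = parse_version(r.get("introduced", "0"))
        fixed = r.get("fixed")
        if v >= lo and (fixed is None or v < parse_version(fixed)):
            return True
    return False


def minimal_fix(version, ranges):
    """Smallest 'fixed' version above the installed one, or None if no fix is published."""
    v = parse_version(version)
    fixes = [r["fixed"] for r in ranges if r.get("fixed") and parse_version(r["fixed"]) > v]
    return min(fixes, key=parse_version) if fixes else None


def audit(requirements_text, advisories):
    """Return (hits, unpinned): one hit per advisory that matches a pinned dependency."""
    pinned, unpinned = parse_requirements(requirements_text)
    hits = []
    for adv in advisories:
        name = adv["package"].lower()
        if name in pinned and is_affected(pinned[name], adv["ranges"]):
            hits.append({"package": name, "installed": pinned[name], "id": adv["id"],
                         "fix": minimal_fix(pinned[name], adv["ranges"])})
    return hits, unpinned


if __name__ == "__main__":
    hits, unpinned = audit(REQUIREMENTS, ADVISORIES)
    for h in hits:
        print(f"{h['id']}: {h['package']}=={h['installed']} is vulnerable, upgrade to {h['fix']}")
    for spec in unpinned:
        print(f"unpinned dependency, cannot be audited reliably: {spec}")
```

Two details matter in practice: the unpinned line is reported rather than silently skipped, because an unpinned dependency can change underneath a passing audit, and the version on the third package is past the fix for its branch, which is why range matching rather than a plain "is this package listed" lookup is needed.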
4. Choose Your Tools Wisely
Security tools are constantly changing and upgrading. Having too many of them, however, is overwhelming, and some will end up underused. Choose the tools that fit your specific problems; they should also be feature-rich and effective at protecting all of the company's systems.
These tools must integrate seamlessly into the development pipeline, and they have to make coordination between the development and security teams easy.
Tools need to be both accurate and fast, and there is usually a tradeoff between the two: a quicker scan tends to miss more or to raise more false positives. Look for tools that keep the cost of that tradeoff low.
Lastly, scanning tools are crucial, and so is letting developers start scans on their own. Put the scanners in the hands of developers and give them the right to run as many scans as they like, rather than funnelling every scan through the security team.
5. Conduct Detailed Threat Modeling
Before you even begin, experts recommend a detailed threat modeling exercise. There are several ways to approach it. One approach complements the paper exercise with an active test: release a harmless, traceable test payload (sometimes described as a benign virus) into your network and let it leave data in different silos, so that its trail shows which systems protect themselves and which are easily reached. Companies use that data to model the threats they actually face.
Whether you use such a simulation or traditional threat modeling, the goal is to expose your system to the harsh light of its potential vulnerabilities. In particular, you are looking for where the risks to your assets lie, how sensitive each asset is, and what controls currently protect it.
Threat modeling has a cost. An active simulation consumes network resources, and the analysis takes up the time and energy of engineers who would rather be working on other problems. Even so, threat modeling is a crucial link in protecting your firm, and it is cheapest to do before the design is set.
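As an added example of the analytical side of the exercise (not Kiuwan's method or tooling), the Python below walks a small constructed data-flow model: assets carry a sensitivity, flows are marked as crossing a trust boundary or not, and each flow lists its controls. For every flow it applies STRIDE, subtracts the threat classes the flow's controls address (using an assumed, simplified control-to-STRIDE mapping), scores what remains by the most sensitive asset on the flow and its exposure, and returns the gaps ranked with candidate controls. The model, the mapping and the scoring weights are assumptions made for the example.

```python
"""STRIDE-per-flow threat model over a small data-flow description.

Added example (not Kiuwan's method or tooling): the assets, flows and the
control-to-STRIDE mapping are constructed and simplified; real models use
richer catalogues, but the mechanics (assets with sensitivity, flows across
trust boundaries, controls that mitigate specific threat classes, a ranked
list of what is left uncovered) are the ones the text describes.
"""

STRIDE = {
    "S": "Spoofing", "T": "Tampering", "R": "Repudiation",
    "I": "Information disclosure", "D": "Denial of service", "E": "Elevation of privilege",
}

# Assumed mapping: which STRIDE classes each named control addresses on a flow.
CONTROL_MITIGATES = {
    "tls": {"T", "I"},
    "mutual-tls": {"S", "T", "I"},
    "authn": {"S"},
    "authz": {"E"},
    "audit-log": {"R"},
    "rate-limit": {"D"},
    "input-validation": {"T", "E"},
}

# Constructed model of a small web service.
MODEL = {
    "assets": [
        {"name": "customer PII", "sensitivity": 5},
        {"name": "session token", "sensitivity": 4},
        {"name": "product catalog", "sensitivity": 1},
    ],
    "flows": [
        {"from": "browser", "to": "api", "crosses_boundary": True,
         "assets": ["session token", "customer PII"], "controls": ["tls", "authn", "rate-limit"]},
        {"from": "api", "to": "db", "crosses_boundary": True,
         "assets": ["customer PII"], "controls": ["tls", "authz", "audit-log"]},
        {"from": "api", "to": "cache", "crosses_boundary": False,
         "assets": ["product catalog"], "controls": []},
    ],
}


def suggest_controls(letter):
    """Controls in the catalogue that would mitigate the given STRIDE class."""
    return sorted(c for c, classes in CONTROL_MITIGATES.items() if letter in classes)


def analyze(model):
    """List every STRIDE class no control covers on each flow, ranked by risk.

    risk = sensitivity of the most sensitive asset on the flow x exposure,
    where exposure is 2 for a flow crossing a trust boundary and 1 otherwise
    (assumed weights for the example)."""
    sensitivity = {a["name"]: a["sensitivity"] for a in model["assets"]}
    findings = []
    for flow in model["flows"]:
        mitigated = set()
        for control in flow.get("controls", []):
            mitigated |= CONTROL_MITIGATES.get(control, set())  # unknown control counts for nothing
        exposure = 2 if flow.get("crosses_boundary") else 1
        worst = max(flow["assets"], key=lambda name: sensitivity[name])
        for letter, threat in STRIDE.items():
            if letter in mitigated:
                continue
            findings.append({
                "flow": f"{flow['from']} -> {flow['to']}",
                "threat": threat,
                "asset": worst,
                "risk": sensitivity[worst] * exposure,
                "suggested": suggest_controls(letter),
            })
    findings.sort(key=lambda f: (-f["risk"], f["flow"], f["threat"]))
    return findings


if __name__ == "__main__":
    for f in analyze(MODEL):
        print(f"risk {f['risk']:2}  {f['flow']:16} {f['threat']:24} ({f['asset']})"
              f" -> consider: {', '.join(f['suggested'])}")
```

The output is the list the text asks for: which assets are at risk, on which flow, how sensitive they are, and which controls are missing. Keeping the model in a file next to the code means it can be reviewed and re-run whenever a flow or control changes, which is what makes the exercise affordable to repeat.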
Overall, firms are working closely across teams to integrate their systems into a network that is as hard to penetrate as possible. Constant vigilance is needed: the right tools, threat modeling, scans and sharing across teams. With those strategies in place, among others, the firm's DevSecOps will improve and perform much better, and the company as a whole will benefit.
If you want to learn more about DevSecOps, how to improve your DevSecOps, and any other topics related to cybersecurity in software development, contact our team at Kiuwan! We will be glad to answer all your questions.