DevSecOps Focus: On the Way to Secure Source Code

October 7, 2021


WRITTEN BY David Balaban A computer security researcher with over 17 years of experience in malware analysis and antivirus software evaluation. David runs MacSecurity.net and Privacy-PC.com projects that present expert opinions on contemporary information security matters, including social engineering, malware, penetration testing, threat intelligence, online privacy, and white hat hacking. David has a strong malware troubleshooting background, with a recent focus on ransomware countermeasures.

Developers' concerns should not boil down to digital infrastructure security alone. Source code security is becoming a very important factor these days.

A stand-alone class of tools is in place to test apps for vulnerabilities and bugs during the development process. These tools are now on the rise and quickly improving their performance. The improvements partially result from the regulatory framework getting more stringent.

This article will shed light on IAST, DAST, RASP, and SAST solutions. I will explain how they operate and how they differ from each other. Finally, I will try to predict the future of code scanners.

Code security testing background and developments

Standard methods for protecting the IT infrastructure include patching vulnerabilities in operating systems and other common software. Meanwhile, some applications are designed to operate in a narrow area and are less common. This software can easily become a gateway for malware unless its operators detect and patch vulnerabilities in time.

Tracking all fragments of the source code distributed across your corporate infrastructure is critical. You should also keep track of who wrote each piece. Should any bugs be found in a specific area, the security professionals need to identify all systems that use the faulty piece of code and patch the flaws immediately.

A corporate environment is a system of interrelated layers. The security umbrella shall extend from the ground up, covering every layer of the digital architecture. Specifying the goal that code security scanning is to achieve helps reduce the costs of the analysis. The objectives are to ensure that the applicable legal framework is complied with and to mitigate the cyber threats posed by malware and other attacks.

Harnessing code scanning solutions enables software engineers to avoid the effort and expense involved in fixing code vulnerabilities spotted after the product release. Businesses that ignore code scans will invest resources again and again in fixing the bugs that emerge later.

Securing source code at the development stage goes beyond scanning. However, scanning is the initial measure that lets the developer stay on top of this process. When the cybersecurity team relies on patches alone, the approach is reactive rather than preventive. Moving security scans to the earliest possible stage of the coding workflow (Shift-Left) minimizes the expenditures arising from any issues, both for the software developer and for the software user.

Besides, disregarding legal compliance puts you on thin ice. Business leaders should understand all details of code ownership in the event the business is split into parts, as well as the licensing conditions for the software they use. In such scenarios, code analysis is a valuable contribution to the legal department's work.

Is open-source software really helpful in this niche?

There is no such thing as low-cost cybersecurity. Neither free nor paid solutions ensure code security for good. The discussion revolves around choosing the best solution to address a specific issue. The analyst can combine various scanning engines to scan the software at specific stages of its engineering and use tools tailored to certain development processes.

Open-source scanners can ensure basic security, but odds are that you will need some dedicated suites to fix more sophisticated flaws. Paid software tends to come with in-depth advisory features. That is essential, as merely flagging an issue does not suffice in too many cases. Detailing the follow-up may also be necessary, including every step needed to fix the faulty code automatically.

The vendors of paid security scanners spend a good deal of money and time to integrate handy remediation tips into the scanners they provide. Open-source software developers often do not have such capabilities.

Explaining static, dynamic, and hybrid approaches

Let me define some terms. Time-honored techniques include SAST, DAST, and IAST (static, dynamic, and hybrid application security testing). Besides, there is feedback-based application security testing (FAST). The fifth approach is RASP. This acronym stands for real-time application security testing; a RASP tool acts as an app firewall, detecting and responding to malicious intrusions in real time.

Another tool to review is SCA (software composition analysis). Tools in this category focus on examining third-party components. Basic implementations of such scanners detect non-native libraries embedded into the coding workflow and identify potential flaws in those libraries.
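As an added illustration of the basic SCA behaviour described above (this is example code, not the author's or Kiuwan's), the following script reads a constructed dependency manifest, looks each pinned library up in a constructed advisory list, and reports every version below the fixed release. The package names and advisory IDs are placeholders, not real projects or CVEs.

```python
# Minimal software composition analysis (SCA) check: map pinned third-party
# dependencies to a vulnerability database and report affected versions.
# All data below is constructed for the example; advisory IDs are placeholders.
import re

# Constructed requirements file, as a dependency manifest a scanner would read.
REQUIREMENTS = """\
acme-http==2.19.0
acme-yaml==5.4
acme-web==2.0.1
"""

# Constructed advisory database: package -> list of (advisory id, fixed-in version).
# A release below "fixed-in" is considered affected.
ADVISORIES = {
    "acme-http": [("ADV-EXAMPLE-1", "2.20.0")],
    "acme-yaml": [("ADV-EXAMPLE-2", "5.4")],     # already at the fixed version
    "acme-web": [("ADV-EXAMPLE-3", "0.12.3")],   # pinned far above the fix
}

def parse_version(text):
    """Turn '2.19.0' into a comparable tuple (2, 19, 0); non-numeric parts become 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in text.split("."))

def parse_requirements(text):
    """Return {package: version} for every pinned 'name==version' line."""
    deps = {}
    for line in text.splitlines():
        m = re.match(r"^\s*([A-Za-z0-9_.-]+)\s*==\s*([0-9][0-9A-Za-z.]*)", line)
        if m:
            deps[m.group(1).lower()] = m.group(2)
    return deps

def scan(requirements_text, advisories):
    """Return (package, version, advisory id, fixed version) for each affected pin."""
    findings = []
    for pkg, version in parse_requirements(requirements_text).items():
        for adv_id, fixed_in in advisories.get(pkg, []):
            if parse_version(version) < parse_version(fixed_in):
                findings.append((pkg, version, adv_id, fixed_in))
    return findings

if __name__ == "__main__":
    for pkg, ver, adv, fixed in scan(REQUIREMENTS, ADVISORIES):
        print(f"{pkg}=={ver}: {adv}, upgrade to >= {fixed}")
```

Only the first pin is reported: the second sits exactly at the fixed version and the third is already newer, which is the boundary a real scanner has to get right.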

All these suites come into play at a specific DevSecOps stage. SAST facilitates secure coding output and shapes the design of the software, whereas DAST and IAST are helpful at the build stage. None of these scanners ensures your code is fully secure, whereas combining several scanners enables strong protection. Either way, static testing is a good point to start, with alternative tools added later on.

Keep in mind that SAST and DAST do not compete with each other. Companies should benefit from both approaches reinforcing their security. Certain vulnerabilities can only be detected by static scanning, others only show up at runtime, and some bugs require a combined approach.
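To make the static side of that distinction concrete, here is an added example (not code from the article or from Kiuwan) of what a SAST check does: it walks the syntax tree of a constructed Python module, without executing it, and flags subprocess calls that pass shell=True with a command assembled at runtime, while leaving constant commands and shell-free calls alone.

```python
# Minimal static (SAST-style) check: walk a Python module's syntax tree and flag
# subprocess calls that use shell=True with a command that is not a constant.
# The scanned source below is constructed for the example and is never executed.
import ast

# Constructed sample module: one risky call, two benign ones.
SAMPLE_SOURCE = '''
import subprocess

def ping(host):
    return subprocess.run("ping -c 1 " + host, shell=True)   # command built at runtime

def uptime():
    return subprocess.run("uptime", shell=True)              # constant command

def listing(path):
    return subprocess.run(["ls", path])                      # no shell involved
'''

SUBPROCESS_FUNCS = {"run", "call", "check_call", "check_output", "Popen"}

def _is_subprocess_call(node):
    """True for calls of the form subprocess.<func>(...)."""
    f = node.func
    return (isinstance(f, ast.Attribute) and isinstance(f.value, ast.Name)
            and f.value.id == "subprocess" and f.attr in SUBPROCESS_FUNCS)

def _shell_true(node):
    """True when the call passes the literal keyword argument shell=True."""
    return any(k.arg == "shell" and isinstance(k.value, ast.Constant)
               and k.value.value is True for k in node.keywords)

def find_shell_injection(source):
    """Return (line, function name) for each shell=True call whose command is not a literal."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Call) and _is_subprocess_call(node) and _shell_true(node):
            if node.args and not isinstance(node.args[0], ast.Constant):
                findings.append((node.lineno, node.func.attr))
    return findings

if __name__ == "__main__":
    for line, func in find_shell_injection(SAMPLE_SOURCE):
        print(f"line {line}: subprocess.{func} with shell=True and a non-constant command")
```

The check only sees the shape of the code, so a dynamic tool would still be needed to confirm that host is actually reachable from untrusted input at runtime.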

The selection of the best testing tool depends on the client's rights in the system, that is, whether they are allowed to handle the code or can only run the app.

What restricts the implementation of code scanning solutions?

The complicated nature of cooperation between security professionals and coders restricts the introduction of code testing tools. Developers stick to their own view of how to assess security flaws and of whether detected vulnerabilities should be fixed immediately.

Databases of security vulnerabilities may in some cases provide a mutually acceptable common denominator. However, each program has its distinct threat model, and the impact of a security flaw should be assessed within the particular software development framework. Interactive analysis comes into play when prioritizing the vulnerabilities to be patched. Security requirements should be laid down at the initial stages of software development, while its features and architecture are being shaped.

Security scanners in the future

Code testing is moving to the cloud. Many service providers already get half of their income from code analysis systems operating in the cloud. The regulatory framework is going to impose more stringent requirements on the security of code. The growing popularity of open-source scanners and increasing code sophistication also shape the future of this segment in the upcoming years. These factors are going to boost demand for scanners offering features adequate for analyzing ever more interdependencies and nested layers.

Would you like to know more about implementing secure application development solutions in your company? Get in touch with our Kiuwan team! We love to talk about security.