By taking advantage of an open-source toolchain
The rise of agile methodologies has changed the software development landscape for the better. However, while most teams involved with the process of building software are already taking advantage of those methodologies, software security is still lagging behind.
In this article, we will take a look at DevSecOps, an approach to security targeted at agile teams. We will discuss some challenges organizations might face while implementing it and provide examples of tools that can help in the journey.
Problem: a waterfall model to security
Usually, vulnerability checks are executed at the end of the development process. They generate heavy documentation and can force large sections of code to be rewritten. This approach also creates friction between teams: while developers are trying to release quickly and deliver value, a waterfall approach to security ends up slowing this process down. Tests are mostly manual and can take a long time to finish. Most of the time, developers don’t have the necessary tools to avoid introducing vulnerabilities in the first place.
The benefits of DevOps
When looking at DevOps, we can see solutions to most of these problems. Prior to its emergence, developers used to think about the Operations team as a barrier, slowing down releases and stopping innovation. The Operations team, on the other hand, thought developers didn’t care for costs, security or reliability of the environment.
With a focus on collaboration and heavy use of automation, the DevOps paradigm drastically changes this relationship. Development and Operations teams work together towards a common goal, with close collaboration and constant communication.
Common DevOps practices include unit and integration tests executed on every build, with code sent to the main branches only if the build passes after a commit. Also, DevOps transforms releases into normal and frequent occurrences. In conjunction with test automation, this promotes much shorter feedback cycles: organizations using DevOps have become quicker as a whole.
In some cases, these principles are pushed to the extreme. Code is written, tested and sent to production in a fully automated fashion, multiple times a day. When code is pushed to production at this pace, a waterfall approach to security is not only less effective but not even possible.
Fixing the problems
As we can see, while an automated pipeline promotes new challenges to the classical security approach, it also offers opportunities to teams willing to embrace it. Embedding security checks throughout the pipeline, as well as applying DevOps principles and philosophy to initiatives regarding security is the essence of DevSecOps.
Techniques like ChatOps can be used to provide quick feedback and promote learning. For example, when a vulnerability is detected, a message can be sent to developers including not only an alert about the issue but also tips on how to solve it and avoid this type of problem in the future.
It’s also possible to take advantage of development standards and agile events to increase security: developers can make a Rapid Risk Assessment at the end of each sprint. These should take about 30 minutes and are valuable to detect high-risk components (with access to client data, for example).
The Security toolchain
The sources of vulnerabilities are many and so are the tools used to detect them. SAST tools can be used to find vulnerabilities by scanning the code itself and DAST tools to explore an application during runtime.
SAST and DAST tools can be used at different parts of the development process. SAST solutions like OWASP Find Sec Bugs can be used in an early stage of the pipeline, and even be integrated into the developers’ IDE. DAST tools like Arachni or ZAP can be automatically deployed along with the application.
It’s also possible to:
- Check imported libraries with Software Composition Analysis tools like OWASP Dependency-Check, js, etc.;
- Analyze and harden the infrastructure by using, for example, Inspec, Nmap, or other cloud-based tools;
- Check for secrets out in the open with git-secrets or similar solutions.
- Target specific issues with SQLMap, SSLyze, and others.
Wrappers like OWASP Glue or Gauntlt can help with the implementation of these tools, providing a common interface to many open-source tools, including most of the solutions described above.
That said, a fast build process is essential to the development pipeline and care must be taken to not increase the time it takes to execute the pipeline. It may be better to take a step-by-step approach, fine-tuning the checks and targeting specific, high-risk portions of code. Consider running slower tests during the night or through a parallel, non-blocking build.
While this toolchain is mostly focused on open-source offerings, commercial solutions also exist. At a cost, they usually provide additional features and extensive reports. As an example, BlackDuck and WhiteSource are software composition analysis solutions that are not only capable of verifying vulnerabilities on imported libraries, but also provide information about the licenses of each of them. This knowledge is important and can avoid problems of large proportions in the future.
Dealing with auditors
One challenge that can be faced while automating the Security testing stack is the push-back from auditors. This is a new territory for them, and at first, they might be skeptical about the viability or effectiveness of the DevSecOps approach. It’s important to create a document listing the risks associated with the application and explaining the steps used to minimize them. If possible, include the auditors in the journey, explaining the advantages that automation can bring to security checks.
Conclusion
DevSecOps is a complex topic and its implementation requires cultural change on different teams. Automation and the application of DevOps principles will help the security team to keep-up in an agile environment. A step-by-step implementation plan will prevent big changes to the development pipeline from disrupting the software development lifecycle.
The benefits are clear, executing more security checks more often will increase the security of the product and executing them as early as possible in the pipeline will reduce the cost of fixing security problems.
About Encora
Fast-growing tech companies partner with Encora to outsource product development and drive growth. Contact us to learn more about DevSecOps and how you can implemente it to achieve a enable a secure CI/CD pipeline.
