Phil Richards, vice president and CSO at Ivanti, explains how organizations can design DevOps processes and systems to thwart cyberattacks.
Security should never be an afterthought when developing software and applications. However, as technological advances continue to take hold, the security tools many rely on are changing in real-time, and combatting potential breaches or hacks of your wares before they arise now requires new strategies. To stay one step ahead of bad actors, it’s time to reimagine the application-development process from “DevOps” to “DevSecOps.”
DevOps is an evolution of the agile development lifecycle for software that bridges the gap between development and operations teams. It breaks down silos and increases an organization’s ability to deliver applications and services faster than traditional software-development models. Previously, the traditional “waterfall method” required long cycles upfront and resulted in strenuous and tedious processes – and by the time these solutions were deemed ready for release, the market had likely changed.
Today, agile software teams have release cycles that are a matter of days or hours, which increases the risk of making mistakes and introducing vulnerabilities. So, how can organizations produce more secure code and applications when working at breakneck speeds, and thwart potential cyberattacks when they do not yet know what those attacks look like? To bolster cybersecurity for their products, solutions and partners, a company must shift from a DevOps culture to “DevSecOps” culture.
Start Secure, Stay Secure
DevSecOps puts security at the forefront of the development process as a whole, ensuring that good cyber-hygiene remains top-of-mind for developers and operators from start to finish. This shift in mindset encourages organizations to find the best possible approaches to developing secure code and applications – and there are a variety of resources and strategies to help development teams do exactly that.
Here are some of the most important:
- Security Frameworks: It’s always best to start with a roadmap – and by looking to third-party resources for best practices, organizations can ensure their software is prepared for just about any situation. For example, The Building Security In Maturity Model, a.k.a. BSIMM, is a great resource listing over 120 security best practices (such as security testing automation through static and dynamic analysis), to help development teams keep these measures top of mind when designing their solutions.
- Security Code Training: Developers don’t know what they don’t know – so it’s up to organizations to train them on critical threats and best practices. By implementing ongoing security-awareness trainings, organizations can rest assured that their teams are adequately prepared to detect and correct any vulnerabilities in their code and products.
- Security Gates: In DevOps build processes, security gates can block a release – giving security and engineering teams adequate time to determine what level of severity of these bugs will break the overall build. Implementing security gates will help teams identify precisely what needs to be fixed ahead of release.
- Implementing a Multi-Layered Security Strategy: To ensure security across the board, organizations must make security everyone’s responsibility. For example, this could begin by giving developers tools to detect vulnerabilities as they write code, and then utilizing an internal team to run static and dynamic application security tools regularly. For additional security, organizations can then bring in external testers to perform black-box and gray-box testing; or, they can set up a bug-bounty program and pay security researchers to look for vulnerabilities that are more difficult to find.
Why Third-Party Libraries Are Your Responsibility
Third-party libraries like Apache Struts, Telerik UK (a third-party .NET library) and others are considered both a blessing and a curse for organizations. On the one hand, organizations can leverage work built by others, adapt it and create more rich experiences on top of it, allowing them to bring their expertise without having to make everything from scratch. On the other hand, continued updates and upgrades of the libraries is required to maintain a clean code base. It’s easy to import malicious code from code repositories, too.
Developers will need to update toolkits to ensure third-party materials have their vulnerabilities patched regularly and in real-time, because even the most minor oversights by your team or your partners can result in the most significant breaches. In fact, the Cybersecurity and Infrastructure Security Agency (CISA) recently released a list of the most-exploited software vulnerabilities and Apache Struts was the second-most attacked technology on the list.
Attackers also often exploit vulnerabilities in open-source web services, such as Apache Tomcat, which is bundled in an untold number of products.
The Ongoing Game of Whack-a-Mole
Threats and attack styles that do not exist today will attempt to exploit vulnerabilities in your systems tomorrow. However, by placing security at the forefront and implementing a DevSecOps culture, organizations are better positioned to mitigate threats as they appear – and before they cause any issues or interruptions.
The next wave of threats is coming. Is your organization prepared?
Phil Richards is CSO at Ivanti.
Enjoy additional insights from Threatpost’s InfoSec Insider community by visiting our microsite.