DevSecOps: Protect your business from hackers

Understanding and addressing the cybersecurity risks posed by external or internal actors has never been more important than now as IT departments in modern organizations have more customer-facing applications and websites. The risks are further compounded by a growing number of attacks during the Covid-19 pandemic due to the increase in the number of attack vectors hackers can target (e.g. - remote workers were attacked in hacks involving data theft and malware). As organizations have widely implemented the DevOps (Development + IT Operations) model, they identified existing gaps in its security. DevOps is a set of software development tools and processes that combine software development (Dev) and information-technology operations (Ops) to shorten the systems development life cycle, overlooking the security checks during the application development. Security checks for most applications are not even conducted. If they are, they only take place on major builds/ releases. For the instances where the security checks did take place, they were conducted toward the end of the development cycle which gave hackers room to insert malware into an application during the build process. These types of Security checks act as a brake pedal and slow down the deployment process in order to ensure all checks are complete before the Go-Live, which could take weeks in certain cases. Security was always an afterthought and less prioritized than development which resulted in a reworking of code or applying security patches post-release.

Due to the growing number of cybersecurity attacks where hackers leverage application vulnerabilities in the source code or in the framework the application is built upon, it is important and urgent for organizations to secure their applications using a set of robust principles and frameworks.

DevSecOps (Development + Security + IT Operations) is an augmentation of DevOps (Development + IT Operations) to allow for security practices to be integrated into the DevOps approach. The traditional centralized security team model must adopt a federated model allowing each delivery team the ability to factor in the correct security controls into their DevOps practices.

A federated model allows for better collaboration between the development and security teams. In a federated model, though the policies and guidelines are established under the CISO, the security and development teams for each application have ownership over how they are to be implemented as every application and business line is different.

DevSecOps is a concerted effort in shifting security left in the Secure-Software Development Lifecycle (SDLC) by requiring a cultural change in organizations to encourage “Security as Code” with collaboration between engineers and the security team. DevSecOps enables firms to secure their applications starting from the build process, and without DevSecOps practice malware might not be discovered until the application is distributed to thousands of customers. It also allows organizations to keep up with the rapid pace of development in the DevOps model, to deploy applications securely and at scale.

The DevOps and DevSecOps processes consist of six main high-level stages, however, the focus in this paper will be on the three stages of Build, Test, and Deploy where DevOps and DevSecOps differ:

• The Build stage deals with the development and build of the application.
• The Test stage deals with testing the application against the tests developed by Quality Assurance (QA) in the UAT environment.
• The Deploy stage deals with the release and deployment of the application to production.

Though the high-level stages are the same in DevOps and DevSecOps, the differences arise in the specific steps in each stage. As the pipeline diagrams depict, DevSecOps involves integrating static scanning (SAST) of source code in the build stage, Dynamic application scanning (DAST) in the test stage, and finally Infrastructure & Compliance scan and a Web Application Firewall (WAF) in the Deploy stage.

• SAST analyzes source code to identify vulnerabilities that make an organization susceptible to attacks. It helps developers identify and resolve issues in code (back-doors, poor coding practices, etc.) based on real-time feedback provided by SAST tools without passing the vulnerabilities to production.

• DAST analyzes a web application to find vulnerabilities through simulated attacks. This scanning is important because this is an “Outside-in” approach which simulates how a malicious hacker would try to exploit an application and it provides vulnerabilities that need to be resolved before production. Infrastructure scans focus on the configuration settings (or security hardening) being applied to the underlying system and infrastructure.

• Compliance scans assess the adherence of the system to a specific compliance framework. For example, if your company must comply with HIPAA and/or HITRUST regulations, then your computing systems must be configured in a specific way to meet these regulations. Together, infrastructure and compliance scanning improve the security posture of your systems and infrastructure.

• WAF helps protect web applications from attacks such as cross-site forgery, cross-site-scripting (XSS), file inclusion and SQL injection etc. by filtering and monitoring HTTP traffic between the web application and the internet. A DevOps pipeline’s focus is to take an application from development to production in the fastest time possible with security scans toward the end of the process. A DevSecOps pipeline’s focus is to try to maintain the speed to market that DevOps offers while integrating security controls in every stage to secure the enterprise.

Once an organization’s leadership and their teams understand the benefits of moving from a DevOps to a DevSecOps model, it is important to adapt the necessary processes, tools, and technologies to ensure the culture and execution are on the same page.

Below are some recommended ways for an organization to get started:

• Organizational Transformation:
  • Process:
    • Developing workflows and process documentation agreed upon by all the stakeholders involved in the DevSecOps process.
  • Culture:
    • Introducing an inclusive culture that is flexible and integrated to ensure collaboration between engineering and security teams.
    • The culture should be centered around the key pillars of cross functional collaboration, clear communication, and continuous development.
  • Agile:
    • Transitioning from a waterfall methodology of software development to an agile framework.
    • Integrating security in their SDLC via the DevSecOps model.
  • Change Management:
    • Define the Scope of change and build an organizational chart detailing the roles and responsibilities of each member in the security and development teams.
    • Build a communications plan.
    • Track and report on all actions and tasks.
  • Training & Awareness:
    • Secure Coding Practices are one of the most fundamental and important things an organization can do to move to DevSecOps. Training the engineering and IT teams in OWASP secure coding guidelines is one of the best investments an organization can make to save a lot of time, effort and cost in the long run that can arise from vulnerable code.
    • Deploy training courses on Security as a Shared Responsibility to both security and development teams. This will foster better collaboration and understanding among the teams about the role they play to keep the applications secure.
    • Gamification of training programs (e.g. - Blue team/ Red team exercises).
    • Send staff to specialized Cybersecurity conferences.

• Technology:
  • Adopting Dynamic Application Security Testing (DAST) tools:
    • It is a black-box security testing methodology in which an application is tested from the outside in real-time. An automated or manual tester using DAST examines an application when it is running and simulates an attack like a malicious hacker would.
  • Adopting Static Application Security Testing (SAST) tools:
    • It is a white box testing methodology. An automated or manual tester using SAST examines the application from the inside, scanning its source code for conditions that indicate that a security vulnerability or poor coding practices may be present (scanning for backdoors or poor coding convention which could introduce leaks/vulnerabilities).
  • Adopting Interactive Application Security Testing (IAST) tools:
    • The IAST approach analyzes the application from the inside at runtime and keeps track of code execution in memory, looking for specific events that could lead to a vulnerability. These events are further analyzed to see if they are clean or pose a risk of causing a vulnerability.
  • Adopting Compliance scans tools:
    • It is used to focus on the configuration settings or security hardening. Hardening consists of applying security guidance from various compliance frameworks applicable to your company.
  • Deploying a Web Application Firewall (WAF):
    • It is used to protect web applications by filtering and monitoring HTTP traffic between a web application and the internet. It protects applications from common attacks such as SQL injection, cross-site forgery, cross-site-scripting (XSS) among others.
  • Leveraging automation to perform scanning

Automation can and should be leveraged in DevSecOps to take it to the next level of maturity. The scanning tools mentioned above can be used to manually scan applications or they can be automated. Organizations that have automated all or most of the scans greatly benefit by reducing time to market for the application and having a standardized process.

DevSecOps main benefit is to improve the security posture of the organization which also results in instilling confidence in the customers and increasing your credibility.

By shifting left in the SDLC process, organizations can identify and fix security vulnerabilities much earlier in the life cycle resulting in lower costs to fix them and instilling a culture of security and collaboration in your entire organization. Organizations save anywhere from 2 weeks to 6 months in development efforts to address the code vulnerabilities using a DevSecOps approach instead of the traditional DevOps approach with app scans at the end of the deployment phase or a waterfall development method. DevSecOps is also extremely important for organizations to comply with industry standards and best practices such as National Institute of Standards and Technology (NIST), Application Security and Development (ASD) etc. Specific NIST guidelines to information security testing and assessment.

In summary, with the right people, processes, culture and technology in place, businesses will have a better understanding of how to handle security for their applications. This can reduce the likelihood of a cybersecurity breach caused via exploiting the applications. Along with a strong DevSecOps program in place it is also recommended that organizations still conduct source code reviews periodically to catch for unknown patterns in code that could potentially be exploited but aren’t caught by tools in the DevSecOps process.

Implementing effective DevSecOps measures can be challenging. One of the major challenges’ firms will have to face is dealing with the cultural change that comes with shifting from a DevOps to a DevSecOps approach. Below are a few key questions management teams should consider while evaluating the robustness of their DevSecOps program or shifting to one if it does not exist:

• Talent:
  • How can your hiring teams evaluate development and security candidates to fit in to the security culture of your firm?

• Governance:
  • How can your business ensure your DevSecOps program is reasonably governed or overseen?
  • How are the development and security roles and responsibilities defined?
  • Training and awareness. How can your firm increase application security training and awareness among stakeholders?
  • Training to slowly change the culture of your firm.

• Technology:
  • Are we investing in new technology?
  • Have we identified processes that can be automated?

In consideration of these enhanced cybersecurity challenges posed by third-party vendors and magnified by remote working and virtual communication, Sia Partners is ready to assist our clients with implementing DevSecOps and best practices to keep firms up to date with the latest innovations.

Assisting Clients Transition from DevOps to DevSecOps:

• Assist Information Security stakeholders to write or enhance policies and procedures including performing a gap analysis and updating cybersecurity concerns in the master BCP.
• Assist organizations with hiring the right talent that is in line with the DevSecOps framework to continuously improve the company’s security culture.
• Provide security awareness workshops to information security and development teams.
• Define an incident response plan to help IT staff detect, respond to, and recover from an application security breach.
• Facilitate change management process to implement enhanced procedures.
• Provide robust reporting and metrics to management and IT Security leaders to help them gain insights into the benefits of the DevSecOps program via applications scanned and vulnerabilities resolved.

Assisting Clients with Vendor Selection:

• Assist management and Information Security stakeholders to evaluate and select the appropriate vendors for scanning tools and infrastructure technologies needed to support them.
• Assist clients with choosing the appropriate license contract structure and negotiation.

Governance, Risk & Regulatory Compliance:

• Support the development, design, and enhancement of our client’s cybersecurity programs including defining roles and responsibilities, policy and procedural support, and compliance with regulations such as Payment Card Industry Data Security Standard (PCI DSS) and Health Insurance Portability and Accountability Act (HIPAA) Compliance in combination with industry best practices such as National Institute of Standards and Technology (NIST).
• Provide project management solutions to help the firm implement a robust DevSecOps program.

Automation:

• Automate and optimize security processes using bots.
• Build custom-made AI tools and bots to manage scanning results and reduce the number of false positives. Learn more about our Data Science and AI capabilities here.

Performing Scans for Clients:

• Support clients by integrating scanning tools and technologies into the DevOps pipeline.
• Perform scans, filter false-positive results, and provide actionable results to development and IT Operations teams.