Application security is racing to keep pace with an application development environment fueled by DevOps. As a result, DevSecOps, where security processes are shifted further and further left, has moved toward the beginning of the software development lifecycle.
Brent Jenkins, application security evangelist for CyberRes, a Micro Focus line of business, said the writing was on the wall for app sec.
“With DevOps driving application development faster and faster, we need to figure out how to integrate security into that.”
According to Daniel Kennedy, research director for information security and networking for 451 Research, legacy approaches to application security testing suffer from being point-in-time and based on production testing or large-scale code scanning projects. The issue with that approach: It doesn’t keep pace with the frequency of changes in the development and update of an application, Kennedy said.
“If development is consistently making and releasing new changes, prior tests against production are quickly out of date, and security is perpetually closing vulnerabilities in a game of catch-up, hopefully before those vulnerabilities are discovered by bad actors.”
Moving the entire process to a more proactive basis, and identifying problems during the software development lifecycle before changes ever reach production, means those vulnerabilities are addressed before going live in production, Kennedy said.
“That’s where integrating security into DevOps comes into play, specifically integrating security checks into DevOps processes and tool chains.”
Not only do developers benefit from that shift by reducing friction on their efforts to deliver application releases to market as fast as possible, but their organizations as a whole benefit with reduced development costs.
Ajay Arora, founder of BluBracket, maker of a security tool for code, said the math on vulnerabilities supported shifting left.
“It’s been estimated that it’s 60 times more expensive to fix a vulnerability if it makes it into production than if it were caught earlier in the development cycle. That’s why there’s such a big push to find vulnerabilities as far left as possible.”
With major changes in the application security landscape, key trends have emerged. Here are the ones that matter to your application security team.
1. App sec tooling will continue to be embedded in the DevOps tool chain
Commercial vendors are giving developers static application security testing (SAST) tools that are very convenient to use. That means security teams will have less influence over SAST in the development pipeline. Unfortunately, these vendor tools aren’t as robust as those used by app sec teams.
2. Container security will become a battleground for securing the software supply chain
In the wake of the massive SolarWinds hack, organizations around the world have became acutely aware of the security risks lurking in their software supply chains. During that attack, hackers, believed to be working for Russia, planted malware in SolarWinds production system. The malware was then distributed to the company’s customers through software updates.
SolarWinds customers included private companies, such as the high-profile cybersecurity firm FireEye, and US government agencies, such as the Department of Homeland Security and the Treasury Department. “SolarWinds heightened awareness of software supply chain security in ways that couldn’t even be imagined in the past,” observed Said Ziouani, CEO of Anchore, a container security company.
Gina Smith, a research analyst for DevOps at IDC, said eyes are wide open now.
“Attackers have relied on third-party software for their attacks for a while. The SolarWinds breach drives that home in a way few organizations will be able to ignore or delay.”
Containers are becoming a battleground for securing the supply chain because multiple supply chains converge when building and deploying containerized apps, said Anchore CTO Dan Nurmi.
“Containers give you all sorts of value. They bring in almost a miniature version of an operating system. It’s not just an application. It’s an execution environment. That makes them powerful and portable, but it also creates the potential for security violations.”
Just as code dependencies can threaten the software supply chain, so too can containers. “The ability to bring in containers from repositories like GitHub or other places increases the potential for a security breach,” Anchore’s Ziouani said. “Imagine bringing in a container from a depository or registry from a place that hasn’t been vetted.”
3. Security for infrastructure as code (IaC) will continue to grow
IaC technology is growing in popularity because it allows for rapid provisioning and cloud deployment of environments. Poor security decisions when using IaC, though, can result in the rapid and automated deployment of an insecure production environment, resulting in compliance violations and system breaches.
Integrating static and dynamic testing into the CI/CD pipeline can give organizations a more complete view of IaC risk, but it’s important to set up guardrails to keep developers on a secure path when using the technology.
4. Aggregating vulnerability information will become a must-have
To get a more holistic view of an its vulnerability landscape, an organization needs to aggregate vulnerability information from the tools it uses throughout its parts and display that information in a single view, which can improve prioritization and aid in proving that compliance requirements are met. Demand for tools that do that is creating pressure on app sec tool makers to natively offer that functionality at enterprise scale.
5. SAST and DAST are becoming integrated
Static and dynamic testing complement each other, but because DAST is applied to an application’s functionality, it’s often applied during the production phase of development, 451 Research’s Kennedy said.
“Starting that testing in production means the vulnerabilities it would identify are already part of a deployed application, so catching them earlier by running DAST or IAST [interactive application security testing] in a test or development phase makes a lot more sense.”
One way to move DAST left is to use a scan-central environment, in which those dynamic tests can be orchestrated in the CI/CD pipeline, Micro Focus’ Jenkins explained.
Sandy Carielli, a principal analyst at Forrester Research, said dynamic testing can also be moved left through IAST.
“It allows you to do security testing as you do functional testing of your application. It’s a way to move testing of running code further left.”
A lot of vendors are moving toward IAST, BluBracket’s Arora said. “It’s the best of both worlds. It lets you look at both static and runtime vulnerabilities much earlier in the lifecycle.”
6. Security of cloud-native apps is requires a continuous application security approach
While the cloud model transfers many tasks to a cloud services provider, organizations remain responsible for the security of the data they send to the cloud. Because the cloud is such a dynamic environment, a continuous application security approach is needed. That includes using SAST RulePacks to detect vulnerability categories related to specific cloud service provider’s framework and to cloud-native apps.
In addition, there’s a need to go beyond basic scans of IaC, which cloud-native apps are using more and more to define the cloud infrastructure on which they operate. The most basic form of IaC security is being able to identify misconfigurations and security issues, explained Larry Gordon, CEO and co-founder of xOps, an IT services company.
Scanning IaC enables you to identify all the variables for which the proper settings are either missing or are incorrectly set, Gordon said.
“Scanning IaC involves checking templates, files, and modules and their variables against known policies. Policy violations occur when proper settings are either missing on variables, or the settings are incorrectly set.”
Expanded coverage of IaC should seamlessly detect configuration, structural, control flow, and data flow issues that are beyond the capabilities of basic IaC scanners.
7. APIs will remain a top challenge
APIs are growing in importance because they’re a key part of digital transformation and cloud computing. They’re also a rapidly growing attack surface because they’re not widely understood by developers and application security managers.
When securing APIs, SAST should be incorporated into the DevSecOps pipeline for each independent component. That will allow API security to incorporate DAST scanning at both the component and system-level APIs, where HTTP is utilized, said Michael Rezek, vice president for cybersecurity strategy at Accedian, a networking provider for mobile backhaul, business services, and cloud connectivity.
“As public and private cloud adoption continues to grow, data platforms are becoming more and more interconnected. Platform interoperability requires API integration introducing new attack vectors, underscoring the importance of securing code, applications, APIs, platforms, networks and cloud infrastructures.”
8. FAST will help move DAST left
The desire to move dynamic testing left in the application development lifecycle has given rise to functional application security testing. FAST uses DAST with functional testing to integrate seamless, fully automated dynamic testing into the DevOps pipeline. It allows developers to test critical portions of an application with sub-five-minute scan times without complex setup and configuration.
9. Susceptibility analysis will focus security teams on vulnerabilities that matter
Open source code is a significant part of all applications produced now. In 2020, it’s estimated that open-source software downloads reached 1.5 trillion. Meanwhile, attacks on open-source software rose 430% from 2019 to 2020. In that environment, it’s important to focus on vulnerabilities that matter to an application. Susceptibility analysis quickly identifies vulnerable open-source components that are directly or indirectly invoked by an application so a security team knows they will affect the security of the software.
10. DAST will gain Hacker Level Insight
Over the coming year, expect DAST to evolve from just an instrument of vulnerability detection into more of a risk assessment tool through the addition of Hacker Level Insight. HLI is a technology set that provides developers and app sec teams with the same set of data that a hacker would be looking at to perform reconnaissance and targeting. Seeing what the hacker sees enables defenders to prioritize their resources so they’re directed at the most critical gaps in their security environment.
Continuous app sec takes shape
All these trends have a common connecting thread. They all fit into a modern development framework where security is developer-driven and focused on actionable results that enable digital innovation.