Written By: Anshuman Goswami, Associate Vice President Global Head of Security Practice, Persistent Systems
Background
The last few decades have seen the world being revolutionized by IT. Currently, India is at the forefront of an accelerated transformation, thanks to the widespread digitization of services. Software is becoming intertwined into our lives at a molecular level. This creates a new layer of security concerns regarding our personal information traversing these applications, as threat actors are becoming more sophisticated and creative in their deceptive approaches.
This makes application security extremely relevant. It became evident more than a decade ago that the old “castle and moat” approach to secure applications is no longer effective. Security had to be ingrained at various levels, including the application code itself. There are multitude of tools, technologies, processes, and approaches for securing an application. Let’s have a brief look at the latest challenges and the trends.
What is DevSecOps
To understand this, we must understand the term “DevOps”. Traditionally, all the development tasks (plan, code, build, test) and Operations tasks (release, deploy, operate, monitor) used to work in siloes and run sequentially – called a “Waterfall” model. Once a plan was created, it cannot be modified until the whole process ran its course. No work can happen in parallel. This greatly impacted entire application release timelines.
In the “Agile” model, teams were brought together, merging several of these roles. Hence the term DevOps -(Development + Operations). Another frequently used term is CI/CD (Continuous Integration and Continuous Delivery). To keep it simple, this refers to adding automation to the integrating of new code to existing, testing and deployment in production. In DevOps lingo, this automated integration process is called “CI/CD Pipeline”.
The big question now is- where does Security fit into all of this?
Traditionally, Security checks were performed at two stages – during planning and after testing, right before deployment in pre-production or in staging environments. Any vulnerabilities detected must be analyzed and prioritized based on risk. This gave a very short timeframe to fix it and perform all the quality checks again before actual release.
Often, the codes were deployed with a known vulnerability, accepting the risk, just to keep up the deployment timelines. This introduced serious security risks. With Agile, this risk persisted as security scans were usually performed at the far end of the development process.
This is where DevSecOps enters the picture.
The answer was to introduce security at every stage of the development life cycle, starting right from planning where threat modeling is performed and automated security scans at every stage. With Agile and DevOps, developers can work on smaller chunks of code, test the individual functionality, and merge them with larger application code. Security scanning has been included at this step, bringing security closer to developers. Now, developers get security recommendations for the specific subset of code they are working on.
With this approach, the biggest relief for organizations is that there is no last-minute panic due to a security risk getting uncovered.
Considerations
There have been debates and concerns with this approach. A few major ones include:
- Speed of delivery – With the introduction of an additional task at each layer, will there be a considerable increase in timelines?
- Skillsets – Are developers skilled enough to analyze security vulnerabilities discovered?
- Governance – How will security governance work with this approach?
- Operations – Who maintains the tools, integrations, upgrades, etc.?
- Cost – What are the additional costs associated?
Fortunately, the answers to all these questions are simple. There is a hoard of tools in the market today that integrate with DevOps pipelines to perform automatic security checks as a task. There are tools that integrate with a code repository, meaning every time a developer checks in a new code, security scans are automatically run.
Veracode, BurpSuite, and Checkmarx are some of the market leaders in this space. These tools do not add any considerable delays as most of them run in the background and can produce results quickly. The reports are usually in-depth, and the tools prioritize risks as they are discovered. Usually, the developers can understand the vulnerabilities reported.
Having said that, it’s always recommended to have a security role dedicated to monitor, analyze, and report on vulnerabilities found. The insights from a Security Specialist is absolutely required, which saves time by removing false positives and low-risk vulnerabilities, and results in better prioritization of risks based on understanding of business functionality.
The only downside is cost. The tools are usually pricey, and there are different tools dedicated to different functions – Static Analysis, Dynamic Analysis, Software Composition Analysis, Penetration Testing, etc. Organizations end up buying only one or two of the tools. The skillsets required to manage these tools and the security role also contributes to the cost.
Fortunately, there are companies that provide application security-as-a-service. They provide tools, skillsets, and governance at a lower pricing model, as the tools and resources are shared with multiple customers. Also, there are niche players in the market who provide all or most of these functionalities in one tool (for example, CloudDefense.ai).
Conclusion
As per a recent study, the number of attacks in 2020 increased by 273% compared to 2019. The biggest attack was the SolarWinds SUNBURST attack. The threat of a cyber-attack is real and constant and will remain so for years to come. A strong security foundation is key for any organization, with application security being one of the topmost priorities, not only to protect an organization’s IP but to protect sensitive customer data as well.