In my previous article on the GovDevSecOpsHub, I examined the need for identifying and eliminating application-level cybersecurity vulnerabilities – such as those found in IaC and APIs – and explained why application security is becoming such a difficult challenge for government agencies today.
However, regardless of how complicated and difficult AppSec becomes, it remains critical that all organizations implement and leverage approaches and technologies in the application development process that ensure the applications they’re creating are free of the vulnerabilities that virtually welcome malicious actors to abuse them.
One of the ways agencies can ensure their applications are more secure is to reevaluate the process and approach that they follow to develop them and embrace DevSecOps.
In the past, organizations used the “waterfall approach” to develop applications and software, which entailed discrete steps in a process that resembled successive plateaus in a waterfall and corresponded to an application moving ever forward from one team to the next as it progressed through the software development lifecycle (SDLC). This approach to application development reserved responsibility for the application’s security for the very end of the SDLC. Essentially, security was “tacked on.” The security team became a bottleneck or roadblock to deployment, often slamming the brakes on applications that the development and operations teams thought were ready to be deployed.
Thankfully, many application development teams and organizations are evolving away from the waterfall method of application development and adopting DevSecOps. In the DevSecOps model or method of application development, all the parties – the development team, operations team, and security team – work in unison to develop software. DevSecOps ensures that the infrastructure needed to run the application is defined in advance and configured correctly at the time of deployment. It also shifts security left within the SDLC to happen earlier in the process.
Shifting security left effectively bakes security into all new applications and software as soon as possible during the development process. It also ensures that vulnerabilities are identified earlier in the SDLC, requiring less time and effort to address them. With security testing and vulnerability remediation a continuous process, there are no surprises that keep new applications, services, capabilities, or updates from deploying to the user. However, embracing this approach to application development is just one step toward making applications more secure.
Automating security to protect critical software
In addition to embracing a DevSecOps approach to application development, organizations can shift security left by adopting security automation solutions that scan code for known vulnerabilities. Today’s next generation of application security testing (AST) solutions enables security to become an intrinsic part of development instead of a post-development add-on.
AST allows organizations and their developers to start scanning source code as early as possible in the SDLC: when developers write code. There are multiple types of AST solutions available for application development teams that can work in tandem to ensure the software they’re developing is secure and free of vulnerabilities.
The first solution is static analysis security testing (SAST), which identifies potential security vulnerabilities in custom code. SAST is an essential vulnerability identification and remediation tool for applications that are being custom coded. However, many of today’s applications rely on open source software tied together with custom code.
For identifying and remediating vulnerabilities in third-party code, there are Software Composition Analysis (SCA) solutions. These tools scan software projects to enumerate the open source components and third-party libraries the projects use and identify any known vulnerabilities in that third-party code. SCA is essential because many open source vulnerabilities are known to malicious actors, and known vulnerabilities are among the first to be exploited.
Both SAST and SCA solutions are essential for automating security testing and identifying vulnerabilities early in the SDLC. It’s also important, however, to identify vulnerabilities that arise as the application is running. Interactive Application Security Testing (IAST) fills that role by leveraging existing functional testing activities to automate the detection of vulnerabilities on running applications. And while all three of these solutions can combine to make the applications that development teams are creating secure from the jump, there is still the problem of IaC security to address.
Suppose the cloud infrastructure that has been provisioned and configured for the application is insecure. In that case, it can undercut the work that the development teams have put into building a secure application. However, a new generation of automated security solutions called IaC Scanning solutions can help ensure that all cloud and virtual infrastructures and configurations are secure. Utilizing these IaC Scanning solutions, application, operations, and security teams working together in a DevSecOps environment can scan their IaC to ensure that everything meets their intended security standards.
To ensure that the IaC that’s running next-generation software solutions and applications is secure, some AST solution providers – including Checkmarx – have developed IaC Scanning solutions and make them available at low or no cost to users. The Checkmarx solution, called Keeping Infrastructure as Code Secure (KICS), is an open-source solution for static code analysis of IaC. Checkmarx is committed to keeping both the scanning engine and security queries clear and open for the software development community.
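To make the IaC scanning idea concrete, here is an added example (not KICS code or Checkmarx code) of the kind of check such a scanner runs: it reads a constructed Terraform JSON-syntax document and flags two common weak settings, a security group exposing SSH to the whole internet and a storage bucket with a public ACL, beside the corrected configuration that passes cleanly. The resource names and the two rules are assumptions made up for this illustration.

```python
import json
from ipaddress import ip_network

# Constructed sample in Terraform JSON syntax (resource -> type -> name -> body).
# Not a real project; "admin" and "logs" are invented resource names.
WEAK_IAC = json.dumps({"resource": {
    "aws_security_group": {"admin": {"ingress": [
        {"from_port": 22, "to_port": 22, "protocol": "tcp",
         "cidr_blocks": ["0.0.0.0/0"]}]}},
    "aws_s3_bucket": {"logs": {"acl": "public-read"}}}})

# Same resources with the weak settings corrected: SSH limited to an
# internal range, bucket ACL set to private.
FIXED_IAC = json.dumps({"resource": {
    "aws_security_group": {"admin": {"ingress": [
        {"from_port": 22, "to_port": 22, "protocol": "tcp",
         "cidr_blocks": ["10.0.0.0/8"]}]}},
    "aws_s3_bucket": {"logs": {"acl": "private"}}}})

def open_ssh(name, sg):
    """Flag ingress rules that expose port 22 to any source (prefix length 0)."""
    for rule in sg.get("ingress", []):
        if rule["from_port"] <= 22 <= rule["to_port"]:
            for cidr in rule.get("cidr_blocks", []):
                if ip_network(cidr).prefixlen == 0:
                    return f"aws_security_group.{name}: SSH (22) open to {cidr}"
    return None

def public_bucket(name, bucket):
    """Flag buckets whose canned ACL grants public access."""
    acl = bucket.get("acl", "private")
    if acl.startswith("public"):
        return f"aws_s3_bucket.{name}: ACL '{acl}' exposes objects publicly"
    return None

# Rule table: one check per resource type the scanner understands.
RULES = {"aws_security_group": open_ssh, "aws_s3_bucket": public_bucket}

def scan(iac_json):
    """Return a list of human-readable findings for a Terraform JSON document."""
    doc = json.loads(iac_json)
    findings = []
    for rtype, instances in doc.get("resource", {}).items():
        check = RULES.get(rtype)
        if check is None:
            continue  # resource type not covered by any rule
        for name, body in instances.items():
            finding = check(name, body)
            if finding:
                findings.append(finding)
    return findings
```

Running `scan(WEAK_IAC)` yields two findings, while `scan(FIXED_IAC)` yields none, which is the gate a DevSecOps pipeline would enforce before provisioning.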
These tools can help identify exploitable security vulnerabilities during the SDLC rather than after deployment, essentially eliminating pre- and post-deployment surprises. This security can make all the difference between being compromised and standing firm against potential malicious actors and cybersecurity threats.
Train like you fight
In a DevSecOps environment, with security automation and scanning tools in use throughout the SDLC, the application developer takes on a much more significant role in fighting malicious actors and cyberattacks. Unfortunately, application developers infrequently have sufficient training in cybersecurity and cyber best practices. Keeping up with the constantly evolving and shifting cybersecurity threat landscape is difficult. And surveys of application and software developers show that approximately seven out of ten claim to lack the application security training necessary to adequately secure the software they develop.
If application developers are going to stop committing code with common vulnerabilities, they need training on how hackers attack applications and how to design and develop software without common vulnerabilities. To accomplish this end, organizations must educate their application developers.
Organizations need to instill good cyber hygiene and habits, continue to assess the employees’ skills, and train based on the results of those assessments. Application security education needs to be mandatory and a priority. But it also has to be effective, and that’s where things like gamification can play a role.
Studies show that hands-on, interactive training solutions that fit into developers’ daily routines are more effective than whole-day training sessions about out-of-context security vulnerabilities. Instead, organizations should embrace developer training offered in on-demand sessions that are relevant to the specific challenges developers are facing in their code.
By training the developers responsible for creating the apps and software used within the food and agriculture supply chain, we can prevent them from developing vulnerable, exploitable software.
Embracing cultural changes that prioritize security, scanning and automation tools that can improve application security, and training to turn application developers into cyber warriors can help improve the security of the applications that our government agencies rely on.