Times are changing. The days of rigid and lengthy software development life cycles are nearly gone as we move forward into a world of agile code development and DevOps. This is great from a user perspective, as we deliver more features and improved user experience, but this brings about new challenges for security. It was difficult enough to incorporate security into the software development life cycle (SDLC) when developers were only doing monthly releases, but now that the cycles have been reduced to weekly or even several times a day, what can be done to ensure that our applications stay secure? There are several pieces to this puzzle.
First, ensure security is integrated into the SDLC so code being written is secure by design. Reviewing source code as it is updated will identify known vulnerabilities that are susceptible to exploitation. Static application security testing (SAST) solutions can be leveraged to identify insecure code, and provide more feedback to developers, accomplishing the same function securely.
The second part of this puzzle is having good vulnerability management processes in place that continuously monitor your applications, and the supporting infrastructure, for newly identified vulnerabilities. Vulnerability scanning tools and dynamic application security testing (DAST) solutions contribute to the program, but it should also incorporate a step for manual review and validation of the findings before moving forward with remediation. While helpful, vulnerability scanners and DAST solutions can be prone to false positives, and do not always consider compensating controls that may already be in place to mitigate a vulnerability.
Taking a risk based approach to vulnerability management will result in a more effective program. Newly identified vulnerabilities should be prioritized for remediation based on the overall risk that they present to the organization. In a perfect world, all vulnerabilities would be addressed immediately, but unfortunately in the real world, with limited resources, things must be prioritized to ensure that vulnerabilities presenting the highest risk to the organization are addressed first. Base remediation priorities on the resulting impact the exploitation of said vulnerability would have on the business, instead of solely on a CVE score. Conducting routine risk assessments and tabletop exercises on the environment can measurably improve the ability to efficiently prioritize remediation activities, ensuring minimized potential impact resulting from an exploit.
So how can the gap between vulnerability identification and remediation be closed? Security tools such as Web Application Firewalls (WAF) play a role here. WAFs sit between the user and the applications to identify and prevent attacks that leverage web application security flaws, such as SQL injection, cross-site scripting (XSS), file inclusion, and security misconfigurations. These solutions help to minimize the potential for exploitation of known vulnerabilities that cannot be remediated quickly. Another emerging technology that can help in this area is known as Runtime Application Self-Protection (RASP) which is built-in or linked into an application allowing it to control execution at runtime to detect and prevent attacks in real-time. RASP solutions add an essential layer of visibility and protection that was not previously possible. Since they are built-in to the application, they see all activities occurring throughout the entire application stack giving you greater insight into exactly how applications are being attacked as well as the impact of these activities. These technologies can significantly reduce the application attack surface, provide increased capabilities to identify and respond to successful attacks in real-time, and provide better visibility into the overall effectiveness of existing security controls, all while minimizing the impact to the speed of development activities.
Finally, you should think of this process as a cycle with continuous improvement in mind. Each time you discover a better, faster, more effective way to do something, have a method to securely incorporate this into the process going forward. With speed of development becoming a competitive differentiator, maintaining security with agility is the key to success in a DevOps environment.