The threat landscape is constantly evolving, and today’s DevOps professionals are under more pressure than ever to safeguard the software development lifecycle (SDLC). Protecting just one part of application security isn’t sufficient, because threats can appear at any stage of the process. To be fully effective, security must be integrated and baked into each step of the development process.
To extend the security they require across all their processes, many organizations are adopting a “shift left” approach. Shifting left encourages developers to take more ownership over security and security principles throughout their projects. It states that security should move from the “right” side, or end of the SDLC, to the beginning or “left” of the process.
Although shifting left might seem to place an additional burden on developers, it ultimately saves time and enables a more strategic approach. Incorporating stringent security best practices into the process frees developers from manually troubleshooting and chasing down bugs, so they can focus on innovating and improving their applications. Fortunately, a variety of free and open-source tools are available today to help developers get out in front of their security challenges.
A Broad Approach to Application Security
Application security vulnerabilities can extend across several phases of the development process, so it is important to remember that they may not all be addressed by just one product.
Ideally, an organization should be able to spot potential security gaps as early as possible in the SDLC, because issues discovered at this stage are easier and less expensive to remediate. However, discovering every vulnerability early in the development process is not always possible.
A robust approach to security will be based on a multilayered strategy that spans several different stages of the SDLC. Several free and open-source tools are available for:
-Static Application Security Testing (SAST)
-Dynamic Application Security Testing (DAST)
-Integrated Application Security Testing (IAST)
-Run-time Application Self Protection (RASP)
SAST is a commonly-used approach to automatic application security. SAST is also known as “white box testing,” and happens early in the development cycle. This type of testing scans an application's source code to discover any known vulnerabilities. Unlike DAST, SAST does not require an application to be compiled or running to start spotting vulnerabilities, so it can be implemented very early in the SDLC.
SAST also enforces coding standards and guidelines, without executing the underlying code. Several different SAST tools are available, so choose the solution that best fits your technology stack, and ensure that it is properly supported.
For example, a static, self-hosted code scanner can be integrated with CI/CD pipelines and its Docker ready. It should offer flexibility for use as a web-based, CLI, or Python API tool. A robust offering should scan for remote code injection, open redirect, SQL injection, XSS, and other threats.
Several different automated code review tools are also available. Some feature thousands of Static Code Analysis rules. For additional flexibility, choose a solution with support for dozens of multiple modern and legacy languages, to cover your entire project and its continuous development.
Secrets such as database credentials, API keys, and security certificates are critical for organizations, because they can provide access to highly sensitive and confidential systems. To protect them, secrets detection services scan source code, files, and logs for hidden secrets. The majority of secrets are high entropy strings, which are designed to appear random. However, most high entropy strings are not secrets; which makes secrets extremely difficult to detect. To spot secrets with a high degree of precision and recall, you’ll need to employ a highly specialized service that utilizes advanced classification algorithms.
Like SAST, secrets detection scans through source code. However, where SAST focuses only on the latest version of an application, secrets detection focuses on the entire history of the project. For example, version control systems such as Git keep track and store all changes to a project. If a source code was to contain hard-code secrets that were removed in later development stages, code reviews and SAST tools could miss those secrets. The secrets in turn could end up in a git repository and become compromised.
Some effective secrets detection solutions scan developers’ repositories for evidence of secrets. An optimal solution should cover hundreds of different types of secrets—from keys to database connection strings, usernames, passwords, and SSL certificates. Advanced tools can detect secrets through a combination of algorithms, including innovative pattern matching techniques. Consider a flexible, interoperable solution that’s fast and easy to configure and integrate with your GitHub account. It should also feature APIs to detect secrets in directories, email clients, Slack channels, or other services.
Dependency Scanning lets you discover security vulnerabilities in your dependencies while you are developing and testing your applications. For example, it can be utilized when your application is using an external resource that may be vulnerable, such as an open-source library.
A variety of dependency scanning solutions are available, and many are free or open-source. Consider a tool that will help make security part of the development process from day one. The right solution should enable you to detect vulnerabilities from within your IDE and native Git scanning so you can test projects within the repositories.
To keep new security issues from passing through the build process and a production environment, consider a tool with a security gate. A security gate lets you test your running environment to confirm there is no exposure to existing vulnerabilities. A good dependency scanning tool should support multiple programming languages, and offer constant tracking of open-source vulnerabilities databases, such as the National Vulnerability Database (NVD).
DAST, also called “black box” testing finds vulnerabilities in running applications, rather than discovering source code issues like SAST. Utilizing fault injection techniques on an app, it can identify common security problems such as cross-site scripting and SQL injection. It can also zero in on runtime issues that static analysis can’t. For example, DAST can identify server configuration and authentication issues, along with flaws that are visible only when a known user logs in.
When evaluating DAST tools, consider a solution that includes automated scanning for vulnerabilities, as well as manual features for hands-on, expert testing.
Sometimes called “grey box” testing, IAST brings together elements from both SAST and DAST. Most often, it is deployed as an agent within a test runtime environment, such as a .NET Common Language Runtime (CLR) or Java Virtual Machine (JVM). Once deployed, it observes operations or attacks, and identifies vulnerabilities.
One of the advantages of IAST is that it can dig deeper into vulnerabilities than other SDLC tools. Unlike SAST and DAST tools, it can observe the runtime context of applications such as the controller, data layer, presentation view, application server and logic, as well as user libraries and open-source components.
RASP is configured on a server and starts running when an application runs, to detect attacks in real-time. Once an application is up and running, RASP analyzes its behavior, as well as the context of the behavior, to protect it from malicious input. By using the app to continuously monitor its own behavior, your organization can identify and mitigate attacks immediately and automatically, with no need for human intervention.
The right RASP tool should cover major vulnerabilities identified by organizations such as the Open Web Application Security Project (OWASP), such as SQL injection, Server-Side Request Forgery (SSRF), and Cross Site Scripting (XSS). A strong solution will be able to leverage the execution logic of requests to block attacks with minimal false positives. It should also be flexible and easy to set up, with the ability to adapt to your applications’ specific stack, minimizing configuration tasks within your app.
Security has long been top of mind for developers, and as the pace of new threats accelerates, it’s more important than ever to extend your best practices across your SDLC processes. Although the sheer volume of tools and solutions may seem daunting, taking time to understand how a particular solution will fit into your current workflow will enable you to better minimize risk and innovate faster.
Every application is different, so the tools we’ve discussed should be considered a starting point for applying the level of protection you need. With a bit of research, some due diligence, and the right solution, you can start shifting left immediately, to strengthen security and compliance across your entire development life cycle.