During a recent audit, I saw a problem with AppSec (application security) testing in the client’s software development lifecycle. They were embracing DevOps practices (the integration of software Development and IT Operations), but had so far failed to integrate application security testing into the new process.
Many organizations are moving to support Agile, DevOps, continuous delivery, etc. But all too often traditional security processes are not catching up. Thus application security testing may be ineffective or even overlooked altogether in the DevOps security process.
A Major DevOps Security Risk
The lack of adequate DevOps security is a major problem because application security breaches are known to be even more frequent, dangerous and severe than network security breaches—as this recent study from the Ponemon Institute details. Application attack vectors like injections remain a favorite with hackers despite the fact that we know how to prevent them.
So why is application security testing taking a back seat in DevOps pipelines? The reason is that the pressure to release updates often overrides security concerns. DevOps security is simply a lower priority than rapid innovation for most organizations.
There’s no doubt that vulnerability remediation takes time, especially when it’s tacked on at the end. DevOps security needs to be built into applications from the start. Also, AppSec needs to be fast-moving like other agile development processes. Rapid development cycles can’t screech to a halt while a traditional security model is imposed.
Penetration testing and code analysis still have a very important role to play, but they can’t be the only AppSec testing you do. Instead, those responsible for AppSec need to make it happen continuously. This is the future of AppSec and it is a great opportunity to actually improve application security. But how do we get there?
How to Integrate AppSec into DevOps Practices
It’s clear that the first step in bringing AppSec testing into DevOps is to break down existing barriers between security-focused people and developers. Security people need to be part of the DevOps culture, not brought in as an afterthought. Also, developers need to be better educated about security in the specific ways that will help them in agile environments (e.g., how to appropriately validate input).
We also need new DevOps security processes that can happen fast and within continuous integration pipelines. This includes finding security issues earlier in the dev/test process, which is something tools can help us with. The OWASP AppSec Rugged DevOps Pipeline Project is focused on this.
Some other steps organizations can take to do “AppSec at the speed of DevOps” include:
- Identifying security issues with APIs, frameworks and third-party code before these are used
- Identifying the “security sensitive” parts of the application upfront, like user authentication
- Thinking ahead about how to handle regulations and compliance
- Implementing secure frameworks like Spring Security, Apache Shiro, or the OWASP ESAPI framework
- Building some security testing automation into the build process (and failing builds that don’t pass)
- Submitting production applications to periodic penetration testing, which third-party experts can do quickly and very cost-effectively
- Code review—for security sensitive code, there’s no substitute
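
One way to wire the build-failing step from the list above to the up-front marking of security-sensitive code, as an added example that is not code from the original article. The normalized findings format, the severity scale, the path prefixes and the thresholds are all assumptions made for illustration.

```python
import json
import sys

# Assumed severity scale; real scanners use their own labels.
SEVERITY = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# Hypothetical path prefixes the team has marked "security sensitive".
SENSITIVE_PREFIXES = ("src/auth/", "src/session/", "src/payments/")

# Constructed sample of normalized scanner output (not from a real tool).
SAMPLE_FINDINGS = json.loads("""
[
  {"rule": "sql-injection", "severity": "high", "file": "src/reports/query.py"},
  {"rule": "weak-hash", "severity": "medium", "file": "src/auth/password.py"},
  {"rule": "weak-hash", "severity": "medium", "file": "src/util/cache.py"},
  {"rule": "verbose-error", "severity": "low", "file": "src/auth/login.py"}
]
""")


def is_sensitive(path):
    return path.startswith(SENSITIVE_PREFIXES)


def evaluate(findings, changed_files, default_min="high", sensitive_min="medium"):
    """Return (blocking_findings, changed_files_needing_security_review)."""
    blocking = []
    for f in findings:
        # Unknown severity labels are treated as critical so they cannot slip through.
        level = SEVERITY.get(f.get("severity", "").lower(), SEVERITY["critical"])
        # Security-sensitive code is held to a stricter threshold.
        threshold = sensitive_min if is_sensitive(f["file"]) else default_min
        if level >= SEVERITY[threshold]:
            blocking.append(f)
    review = sorted(p for p in set(changed_files) if is_sensitive(p))
    return blocking, review


def main(argv):
    # Usage: gate.py findings.json changed_file [changed_file ...]
    findings = SAMPLE_FINDINGS
    if len(argv) > 1:
        with open(argv[1]) as fh:
            findings = json.load(fh)
    blocking, review = evaluate(findings, argv[2:])
    for f in blocking:
        print(f"BLOCK {f['severity']:8} {f['rule']} in {f['file']}")
    for path in review:
        print(f"REVIEW required: {path}")
    return 1 if blocking else 0  # non-zero exit fails the CI job


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run as a pipeline step after the scanners, the non-zero exit code fails the build, and the `REVIEW required` lines identify changed security-sensitive files that should go to manual code review.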
Because the number of web applications and their importance to businesses just keeps growing, and DevOps just keeps growing, the problem of building security into DevOps just keeps growing, too. Organizations need to move quickly to evaluate and address this problem in their specific environments.
To bring a fresh security perspective into your application development process, contact Pivot Point Security.
For more information on DevOps security:
- Newly available on the SANS Institute’s InfoSec Reading Room: Continuous Security: Implementing the Critical Controls in a DevOps Environment
- A survey from Prevoty on how DevOps speed pressures are negatively impacting AppSec testing
- White Hat Security’s take on how to get to “secure DevOps”
- A high-level view on “Effective Application Security Testing in DevOps Pipelines”
- An HP white paper on “the true state” of AppSec and DevOps