Source Code Analysis Made Easy

The AppSec How-To: Achieving Security in DevOps
How do you integrate security within a Continuous Deployment (CD) environment where every 5 minutes a feature, an enhancement, or a bug fix needs to be released?
Traditional application security tools, which require lengthy periods of configuration, tuning and application learning, have become irrelevant in these fast-paced environments. Yet falling back only on the secure coding practices of the developer cannot be tolerated.
Secure coding requires a new approach in which security tools become part of the development environment – and eliminate any unnecessary overhead. By collaborating with development teams and understanding their needs and requirements, you can pave the way to a secure deployment in minutes.

What is DevOps all about?
DevOps is a continuous development process in which small features and bug fixes are deployed frequently, within short periods of time. As a development methodology, DevOps is no longer restricted to young start-ups. Numerous large enterprises such as Facebook, Netflix, Etsy, LinkedIn and Twitter have already adopted DevOps. Amazon, which closely follows the DevOps model, is known to have more than 1000 deployments an hour.[1]

Tradition vs. Disruption: Web application controls in a DevOps environment
Can traditional Web application security controls fit in a disruptive DevOps environment? Let’s take a look at the common Web application security toolbox:
• Penetration Testing. A most valuable method of testing security, but with one inherent problem: it takes time. Whether penetration testing is performed internally or by a third party, it takes a few days to test the application and then some time to produce the findings. When findings are at last presented, it takes time to analyze the results, get the affected development groups together and prioritize the tasks. It’s not rare for a big project to produce a 300-page findings report after undergoing a three-week assessment cycle, two days of follow-up analysis, and an additional two weeks just to start incorporating the fixes within the development process.

[1] http://www.slideshare.net/AmazonWebServices/advanced-topics-session-1-continuous-deploymentpracticesonaws
www.checkmarx.com

• Web Application Firewall (WAF). A WAF requires tuning and learning the application it protects. For applications that do not change much, configuring the WAF takes a few hours to a few days. But what happens when applications constantly change? The WAF in this case would require continuous configuration and is simply not a solution for such a dynamic process.
• Code Analysis. This method gained a bad reputation for simply being too slow. Whether it’s the setup time, running time or analysis time – anything that takes more than a few seconds cannot truly be integrated within DevOps.

Required: A new secure Software Development Life Cycle (SDLC) approach
The solution is to incorporate security from the very start of the development process. Consider the project from a security standpoint and make security a default process within the SDLC. The following steps can help you achieve this goal.

Step 1: Plan for Security
Research what technologies and processes you will run into throughout the development and deployment process. Accordingly, consider their security aspects:
1. Security in technology
   a. Identify non-secure components and frameworks. For example, some organizations analyze their entire code base to map all their non-secure patterns, frameworks and libraries.
   b. Choose a programming language which has built-in security patterns. Each new PHP release, for instance, deprecates non-secure patterns from previous versions. Similarly, almost all frameworks have had security breaches and provide the required fixes for them.
2. Security in code development
   a. Map security-sensitive code portions. Not all code is created equal. For example, security in your test library is definitely not as important as a password change mechanism, a user authentication mechanism or a credit-card processing mechanism.
   b. Place extra security care around sensitive code portions. Flag the sensitive code portions so that when changes are applied to those modules they trigger a code review, special testing, and a separate scan specifically for those modules.
3. Security in features
   a. Anticipate regulatory problems and plan for them. Eventually, you’ll hit regulations. Not preparing for them in advance will cost you later due to product changes, add-ons and modifications to already structured code. Design the incorporation of regulatory aspects into the code. Design compliance verification into the process testing.


Step 2: Engage the Developers. And Be Engaged.
DevOps places the developer at the center of the process, and it is the developer who is held to a high code quality standard. How can security teams also communicate the seriousness and importance of security?
Various companies have found the following recommendations helpful in bridging the security-developer gap:
1. Connect developers to security.
   • Position a “security champion” in each development team. Share with the champion security articles on the threat landscape and hacking motivations. Go together to your local OWASP training.
   • Make security training valuable. Instruct developers on effective reading of vulnerability descriptions, communicate the risk of vulnerable patterns in the code, and discuss correct mitigation strategies. Practice through security development exercises which present developers with their common and repeating coding issues.
   • Share attack details. Relate developers to the actuality of security and hacking. Present the logs of hacking attempts to demonstrate how their secure coding practices prevented the attacks from succeeding.
2. Set up an online collaboration platform. For example, generate a discussion on any sharing and collaboration platform, such as Jive or Confluence, by posting a security problem and presenting ways to solve or prevent the issue. Take this one step further and establish a collaboration platform just to share security issues.
3. Have an open door approach. Be there when developers come to ask questions. For example, work with developers on how to fix and prevent the lesser-known coding flaws.

Step 3: Arm the Developers.
Provide the developers with the right tools to help them prevent and mitigate security vulnerabilities.
1. Secure frameworks
   Secure frameworks are your built-in tools for securing the code at its base. Currently, there is a fairly wide range of secure frameworks to choose from. Examples include Spring Security, JAAS, Apache Shiro, Java SE, and Symfony2. Furthermore, Ruby on Rails has a very wide range of security solutions for input validation, authentication and session management. OWASP also provides an open-source security framework for various languages named ESAPI.
2. Use source code analysis tools for security feedback at the pre-commit stage
   Running a source code analysis tool is a seeming contradiction of this article’s preface, which considered it too slow. As mentioned, any delay due to security scanning cannot be tolerated in a DevOps environment which requires delivery every few minutes. But as the development environment has changed, scanners have adapted in order to provide the development team with a rapid response. How can developers take advantage of these new scanning features?

   - Run the scan on small chunks of code. Only scan the change between the last scan and the current scan. In this way, the scanner can scan small code portions without requiring the whole project to be set up and scanned for hours.
   - Access the tool from within the development environment. Developers are responsible for testing their own code within their chosen IDE. This should also include testing the code for security. Developers can do this either through a code review or by using SCA tools. Only when the developers are confident that their code is secure should they commit the code into the source code repository.

Step 4: Automate the Process
The building block of DevOps is automation. The same should go for security. Security should first fit into the standard automated continuous deployment process. As a second step, apply application security testing tools – whether static or dynamic – that are capable of producing results in a very short time.
1. Integrate within your build (Jenkins, Bamboo, TeamCity, etc.) different application security tools such as Static Application Security Testing (SAST) and Dynamic Application Security Testing (DAST).
   When the code is committed, the build – typically through tools such as Jenkins or Bamboo – should trigger the scans of both the dynamic and the static testing tools. The static testing tool performs a comprehensive scan in order to cover the case where several developers commit simultaneously. The dynamic testing tool works as a self-learning environment in which it monitors the positive tests written for the regular testing tools. The tool also runs negative tests to verify that inputs not caught by the positive tests are caught.
2. Fail the build if it does not pass the bar.
   We realize that at first you might be put off by the sound of this notion. But just like a high-priority bug that does not pass the development stage, security should be considered on the same rung of importance.
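The following is an added example, not code from the paper or from Checkmarx, showing how the two gating ideas above combine in a build step: changes to flagged security-sensitive modules (Step 1, item 2b) trigger a review and a separate targeted scan, and scan findings that exceed the bar fail the build (Step 4, item 2). The sensitive-path patterns, the severity policy, the minimal findings JSON format and the sample commit are all constructed for illustration and are not any real scanner's output format.

```python
"""Build gate: flag changes to sensitive modules and fail the build on findings
above the bar. All patterns, policy values and sample data are constructed."""
from dataclasses import dataclass, field
from fnmatch import fnmatch
import json

# Constructed: glob patterns for the code portions the paper singles out
# (authentication, password change, credit-card handling).
SENSITIVE_PATTERNS = {
    "src/auth/*": "user authentication",
    "src/account/password*": "password change",
    "src/payments/*": "credit-card processing",
}


@dataclass
class GatePolicy:
    """Constructed policy: which severities fail the build, and how many
    Medium findings are tolerated in non-sensitive code."""
    fail_on: tuple = ("High", "Critical")
    max_medium: int = 3
    # Sensitive modules get a stricter bar: any Medium finding fails too.
    sensitive_fail_on: tuple = ("High", "Critical", "Medium")


@dataclass
class GateResult:
    passed: bool
    reasons: list = field(default_factory=list)
    review_required: dict = field(default_factory=dict)  # path -> why flagged
    targeted_scan: list = field(default_factory=list)    # paths to rescan separately


def sensitive_reason(path):
    """Return the sensitivity label for a path, or None if it is not flagged."""
    for pattern, reason in SENSITIVE_PATTERNS.items():
        if fnmatch(path, pattern):
            return reason
    return None


def gate_build(changed_files, findings_json, policy=GatePolicy()):
    """Decide whether a commit may proceed.

    changed_files: paths touched since the last scan (e.g. from `git diff --name-only`).
    findings_json: scanner output in a constructed minimal format:
        {"findings": [{"file": ..., "severity": ..., "rule": ...}, ...]}
    """
    result = GateResult(passed=True)

    # Step 1 (2b): a change to a flagged module requires review and its own scan.
    for path in changed_files:
        reason = sensitive_reason(path)
        if reason:
            result.review_required[path] = reason
            result.targeted_scan.append(path)

    # Step 4 (2): apply the bar to the scan results.
    findings = json.loads(findings_json)["findings"]
    medium_count = 0
    for f in findings:
        sev, path = f["severity"], f["file"]
        if sensitive_reason(path) and sev in policy.sensitive_fail_on:
            result.passed = False
            result.reasons.append(f"{sev} finding {f['rule']} in sensitive module {path}")
        elif sev in policy.fail_on:
            result.passed = False
            result.reasons.append(f"{sev} finding {f['rule']} in {path}")
        elif sev == "Medium":
            medium_count += 1
    if medium_count > policy.max_medium:
        result.passed = False
        result.reasons.append(
            f"{medium_count} Medium findings exceed the limit of {policy.max_medium}")
    return result


# Constructed sample: a commit touching the login module and a template.
SAMPLE_CHANGED = ["src/auth/login.py", "src/templates/home.html"]
SAMPLE_FINDINGS = json.dumps({"findings": [
    {"file": "src/auth/login.py", "severity": "Medium", "rule": "hardcoded-credential"},
    {"file": "src/templates/home.html", "severity": "Low", "rule": "missing-escape"},
]})

if __name__ == "__main__":
    r = gate_build(SAMPLE_CHANGED, SAMPLE_FINDINGS)
    print("PASS" if r.passed else "FAIL", r.reasons, r.review_required)
```

In a CI job the script's exit status is what fails the build; the example returns a structured result so the review and targeted-scan triggers can be wired up separately.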

Diagram 1: Security within Continuous Deployment

Step 5: Use Old Tools Wisely
Don’t start throwing away the old tools immediately. These still come in handy – but used in different ways:
• Penetration Testing. Ensure that your systems are military-grade by ordering a penetration test on a periodic basis, say every six months. At this stage, findings will be minor, if not non-existent – but they act as reassurance about your system. Additionally, have your customers perform penetration testing on your systems. First, this might be a requirement, since some customers are required to audit third-party systems to meet compliance. Second, a cloud environment relationship is based on the trust between the provider and customer. Allowing customers to perform penetration testing on your systems will raise this level of confidence. When security is ingrained into your system, you have that assurance of zero findings.
• Web Application Firewall (WAF). Use the WAF as a solution for the more stable parts of the Web app. Maintain the WAF by fine-tuning it every once in a while to ensure that it still guards the main functions that do not change too often.
• Code Review. Perform a code review for security-sensitive code portions. Use a code review, for example, to ensure the security of authentication modules and credit-card handling modules.

DevOps is Happening. Right Now. Last Word of Advice
Security can and should be an integral part of a continuous deployment process. But start small to avoid being overwhelmed and making the process too hard to implement. Start with those features that are more accessible and less critical, and build up the security process from one deployment to the next. Eventually, you’ll achieve small successes, as shown by the reduced amount of vulnerability feedback for those security-enhanced features. Take these results to management and get their support to start integrating security into each and every part of your development life cycle.

