Automation: 5 Reasons to Developers Early Adopt in Application Security

By Douglas Bernardini

 

Moving to a DevSecOps model doesn’t happen overnight. Rather, it’s both a strategic and continual improvement process aimed at delivering:

  • Continuous security: Embracing a “secure by design” principle, leveraging automated code scanning and automated application security
    testing throughout the development lifecycle and at a granular level (e.g., in the integrated development environment (IDE), on code submit
    to the repository, during code build, test-driven security).
  • Increased efficiency and product quality: Security vulnerabilities are detected and remediated as early as possible in the pipeline, when
    the cost to fix them is lower. This increases the speed at which quality code can be delivered.
  • Enhanced compliance: Security auditing, monitoring, and notification systems are automated, and outputs are fed back into the pipeline,providing continuous, demonstrable compliance.
  • Increased collaboration: By integrating development, security, and operations, DevSecOps fosters a culture of openness andtransparency from the earliest stages of productdevelopment.

douglas-bernardini-automation-security

1.Development-based security controls

Traditional models use “tollgates” and “checkpoints” to test for vulnerabilities after development is complete. This stops the forward flow momentum by sending the product back to development for rework and remediation; however, in the  DevSecOps world where speed and quality is paramount, this does not work.
Instead, by using a ‘shift-left’ approach, the objective is to secure the product in the design stage and create as many secure services that developers can take advantage of in the CI/CD pipeline.

The following table highlights the fact that many security services can be leveraged before and after the product development lifecycle, reducing workload and impact to the actual code development pipeline.

douglas-bernardini-automation-security-table

2. Operations-based security controls

  • Due to the ephemeral nature of IT assets in the cloud, traditional methods of tracking assets and monitoring activity have become obsolete. Rather, dynamic attribution methods such as tagging should be built into the DevSecOps environment so that assets created and deployed
    through automation can be instantly visible and traceable.
  • Additionally, if a misconfigured or unauthorized publicly-accessible service is stood up, an automated configuration correction/deletion using AWS Lambda can be applied within minutes, keeping the organization safer from accidental or intentional vulnerability exploits.

douglas-bernardini-automation-security-process

3.Development-based security controls

  • Integrate code analysis tools early into the development process, even within the developer’s IDE.
  • Automatically discover and apply patches to vulnerable open-source software prior to deployment.
  • Perform automated dynamic application security testing against pre-production code.
  • Perform regular vulnerability assessments to identify and remediate potential application weaknesses.

4.Operations-based security controls

  • Use proactive, automated monitoring of log health and relevant security events.
  • Implement automated configuration monitoring, patch management, privilege access controls, and user management controls.
  • Monitor the production environment for deviations from expected behavior and/or exploitation of known/unknown vulnerabilities.

5.The DevSecOps team

DevSecOps emphasizes the culture change, one that results in a world where developers, operations, and security teams can collaborate more efficiently. Security teams working more closely with the application developers and operations team can better understand daily habits and workflows and devise ways to effectively integrate security into the software development lifecycle (SDLC), infrastructure as a code (IaaC), etc.

douglas-bernardini-automation-security-diagram

• Hardened security practices: An approach that was developed over many years of implementing cloud and application security for our
prestigious client.

• Improved time to market: Automated checks built into the cloud deployment pipeline look for regularly occurring failures and autocorrect them without human intervention.

• Increased compliance: Ability to reduce compliance findings and decrease time from audit request to evidence delivery.

Some references users in this article:

https://www2.deloitte.com/content/dam/Deloitte/us/Documents/risk/us-integrating-and-automating-security-into-a-devsecops-model.pdf

Some reading recommended:

douglas-bernardini-cisco-application-security
douglas-bernardini-deloitte-application-security