Security is of paramount importance to every DevOps team today. You can deliver excellent applications in lesser time due to agile development methodologies like DevOps and CI/CD pipelines. However, if your application is not extremely secure, there’s an imminent threat of attacks. Today, hackers are more proficient than ever, which means your applications need a security strategy that makes them impenetrable and keeps you one step ahead of hackers. Traditional application development approaches put security at the bottom of the priority list. The application development lifecycle was divided into several parts with security falling somewhere at the end. Security teams were separate from development teams and they implemented security based on some predefined standards. Now, the problem with that approach is that security teams had to look at the entire application and implement security which slowed down the speed of delivery. And, since the security teams were separate, they didn’t quite comprehend where the code was picked up from and what libraries were being used. With DevOps, the speed of delivery increased substantially, but security still remains an afterthought. However, there is a new strategy that doesn’t append security to the application, rather, it weaves security into the fabric of the application from the very beginning of the development cycle. It’s called DevSecOps.
Weaving security into your applications with DevSecOps
does for security what DevOps did for operations. It brings all the three, previously siloed, processes together. When developers are aware of security best practices, they implement security from the beginning which puts security in the forefront. Security teams can collaborate with development teams, assisting them to follow best practices in order to avoid security lapses and vulnerability in their builds. Identifying issues early on in the development process is also cost effective. With the help of effective tools, developers can identify vulnerabilities and remedy them. DevSecOps organizations regularly capture feedback from security tools to keep up-to-date with all the new threats.
Open source - opens gates for attacks
While building an application, developers rely on various open source tools and components that can be found in various communities all over the Internet. These components help with faster delivery and that makes them very popular in the development community. However, there’s a completely different fanbase for these open source tools as well. In recent years open source components have been exploited by hackers to infiltrate applications. The biggest example of this is the infamous Equifax breach in which data of over 145 million US consumers were exposed. That came as a wake-up call for every enterprise that didn’t focus on the security of its open source components. Equifax tried to shift the blame on Apache’s open source framework for its vulnerability CVE-2017-5638. However, two months before the breach, Apache disclosed this vulnerability and released a fix the same day. This one example showcases developers’ reliance on open source code for building their applications. However, open source code can’t be avoided. Using open source code is important in this age of faster and continuous releases. So, how can organizations ensure their open source components don’t expose their applications to attacks? Let’s looks at things software delivery teams should keep in mind while applying DevSecOps to their open source components.
1. Evaluate the quality of your open source components
Open source code and tools are developed in a collaborative environment. This means that a component can be made by a number of developers and not all of them would have had security on their mind. So, it’s totally up to the development teams using these components to understand how these components measure in quality. The problem is that there are no agreed-upon standards that measure the quality of open source code. Development teams looking to use open source code need to adopt Software Composition Analysis (SCA) tools that can help them with this. These tools gather information from various security tools and are able to assess an open source component on the basis of the number of successful commits among other perimeters.
2. Do not use open source code as is
Copying open source code and pasting it in a development environment is a common practice, but it’s not recommended. When you copy a snippet and paste it into your application, you also bring the bugs it contains to your application, leaving the app vulnerable. Copying and pasting multiple lines of code can make it hard to track those individual snippets down in case you need to apply a patch or update the component.Forking or cloning the code or libraries can go a long way in this regard. When you fork the code, you are able to modify your code based on your requirements which can later help in case the requirements change. This also helps you from eliminating seemingly suspicious parts of the open source components.
Source:
3. Keep updating the open source code
Open source code and unknown third party libraries may contain serious bugs that can bring unseen vulnerabilities to your applications. The best strategy to deal with this is the constant updating of open source components and libraries. Vulnerabilities aren’t rare at all. Most open source components are regularly updated and their patches don’t take long to be released. However, it’s crucial that security teams are on a constant lookout for these updates. Although, this is quite impractical as security teams can’t go through various vulnerability databases to look for patches. This is time-consuming and, for the most part, impossible. Developers should rely on frontline tools that constantly look for updates and alert admins when a new update is available so that security is at the forefront and attackers can’t find loopholes to exploit possible vulnerabilities.
4. Start with security
Patches are quite easy to apply as they don’t necessarily require updating libraries or components. However, these patches may end up being incompatible to the rest of the application. Users can try to update the source file, but that might be useless if the application is already exposed. Updating the entire component may render it incompatible with the application. Users should always look for functions that pose any sort of risk and choose to remove them or configure security keeping these vulnerabilities in mind. However, with the help of DevSecOps, you can incorporate automated tools throughout the development life cycle so that applying security doesn’t end up becoming tedious and manual. Developers should automate their security through SCAs (Software Composition Analysis). These SCAs can spot vulnerabilities, look for fixes, and provide the best solution when multiple patches are available. This helps users save time and cost while developing their applications. The DevSecOps approach is crucial for modern applications. As the need for security grows, developers need tools that can help them simplify the continuous process of finding vulnerabilities and fixing them in order to deliver an application that doesn’t just have a weak fence around it, but has security built into it.