The digitalisation of business processes is increasingly bringing applications to the centre of the company’s activities. At the sametime, customers expect utmost ease of use and up-to-date functions. Applications must therefore always be updated as soon as possible. This leads to several release cycles per day. This speed, however, can also cause security policies to be violated. To prevent this, application security must be integrated via infrastructure as code in the CI/CD system.
Traditional businesses today need to increase their agility to withstand the
competitive pressures of faster, cloud-based start-ups. Increased speed
and efficiency of application development through DevOps processes must
not, however, come at the expense of security.
Conscious security breaches
There have already been several documented cases this year where
companies disclosed sensitive data as a result of deliberately
misconfigured S3 buckets or cloud databases. In a recent study,
researchers from F5 Labs analysed cases that have come to light since
2017, in which companies exposed cloud resources due to conscious
security issues. The growth rate increased by an alarming 200 percent
between 2017 and 2018.
Why would anyone consciously endanger the security of applications?
According to the results, the reasons are rarely found on the operational
side: database administrators, network, system, and security engineers
typically pay close attention to compliance with security guidelines. It may
happen, however, that product developers fail to integrate existing
security features. This is often done to save time in development and so as
not to cause or discover other errors.
This may result in developers creating applications with poorly configured
security features. This is not necessarily done with the intention of
harming the company or the users. Rather, they may not realise or
understand the potential consequences, or they may assume that a
security breach is unlikely to occur.
Involve all IT teams
As a result, companies must use the DevSecOps approach to implement
proven security measures when creating applications. All IT teams have tobe
involved – from development through to testing and security as well as operation,
network and infrastructure. These teams need to transform
their previously silo-based culture, including processes and tools, in line
with the cross-departmental approach. This is the only way they can
ensure that they deliver high-security code while meeting development
speed and efficiency requirements.
Developers must be in the position to trigger tests automatically. This
helps in identifying code quality trends, sharing test results, creating
repeatable tests and enforcing test policies. In addition, they prevent
development being decelerated by manual unit tests. With automatic unit
tests, developers can ensure not only higher speed and efficiency, but also
the necessary quality. As they detect errors at an early stage, the errors
are not dragged along in the software development lifecycle, where they
become increasingly difficult and expensive to fix.
Five simple steps
The seamless integration of SecOps, DevOps, and NetOps using a
declarative approach, combined with the inclusion of Role Based Access
Control (RBAC) – a multi-user access control process – is considered the
principle discipline in the rapid development of secure applications.
Fortunately, there are a variety of simple measures that companies can
implement in advance to improve security without compromising speed.
Companies should pay particular attention to the following five steps if
they do not want to become part of a negative headline as a result of a
security incident.
1. Operate components internally
Today, 80 to 90 percent of company applications comprise third-party
components. This has been shown by various studies. Very often, these
components are loaded with requests from external locations. To reduce
latency and increase performance, they are excluded from existing source
code analysis scans. Companies mistakenly assume that the external
components are automatically secured and trusted. However, one of the
ways to exploit vulnerabilities is to infiltrate a software container with
malware, which is subsequently downloaded without further testing and
used in an application.
The same applies to UX components loaded by third-parties. Therefore,
whenever possible, companies should host third-party components on
their own website to reduce the risk of tampering. Anyone who thinks this
is not really necessary should read this article about compromised
ESLint packages discovered in 2018.
2. Scan components
In principle, all third-party components may have vulnerabilities. If they
are part of the application, they should also be considered in the
implemented security processes.
After following step one, these components can be easily incorporated into
the testing processes within the context of the CI/CD pipeline. When
checking components for vulnerabilities, it should always be remembered
that the entire code – no matter where it is executed – must be checked
for potential risks.
3. Lock the door
The third step consists of a simple but effective means of preventing
attackers from gaining control of the environment. Whether it’s a web,
application, database, middleware server, or a container orchestration
environment: personal access credentials must always be required to
access administrative consoles.
This not only applies to containers, but also to all public storage locations
and cloud applications in use. In fact, many security incidents result from
failures to secure cloud consoles and storage devices.
4. Hide the key
When you lock a door, you don’t put the key on the doormat where it’s
visible to anyone. Security management requires a certain amount of work
to be done properly. However, it is also extremely important to protect
applications and processes from unauthorised access.
Businesses should not store credentials and other classified information
such as keys and certificates in files stored in publicly accessible locations.
These locations should also not be used for key management. The
consequences of not handling private data correctly can be seen in the
Uber incident
.
5. Secure APIs
APIs receive user input and forward it on to applications. This information
should fall under the highest security level as, in principle, user input can
never be trusted.
Businesses should therefore ensure that they do not use APIs to easily
transfer data to internal applications or microservices. You must examine
and secure APIs with the same care as your own applications. An overview
of significant API violations is provided by this
Forbes article
Conclusion
These five simple steps are a crucial foundation for companies to increase
their security and supplement their existing procedures with additional
measures. These include, for example, the integration of IT teams into a
comprehensive, holistic approach to security, automated unit tests and
Role Based Access Control. This ensures that companies can quickly
develop secure applications.
