Continuous Application Security in DevSecOps

Shailender Choudhary
5 min read · Oct 8, 2020

Digitization is pushing businesses to adopt modern approaches in their IT infrastructure. This is why everyone talks about speed, agility and time to market, while security remains the least discussed and least focused-on part of the infrastructure.

DevSecOps takes care of continuous security along with continuous integration and deployment. There are different types of security in DevSecOps: infrastructure security (where the workload is running), pipeline security (the DevOps pipeline) and application security (the least discussed).

In this article, I will discuss application security and its different types.

Application security starts when the developer is writing the application code and continues until the application is up and running.

Linter (Static Code Analysis)
Linters are static analysis tools that analyze source code and report problems. They are IDE extensions that help you detect and fix quality issues as you code and make code more consistent, understandable, and maintainable. Almost 50% of the issues are fixed at this stage. Some of the Linter tools also detect basic vulnerabilities in the code along with its dependencies and libraries. Some of these tools provide threat modeling for the OWASP Top 10 threats too. This helps in securing the code during development itself.

Some of the famous Linter tools are SonarLint, Veracode Greenlight, etc.

Repository Scan
Nowadays, most of the famous source code repositories come with their own security and vulnerability scans. If any secrets, access keys or passwords are committed to the repository, they are immediately flagged and the pipeline stops right there. Vulnerability scanners also scan the code based on famous security frameworks like OWASP and SANS.

Famous Repository scanners are Git secrets, Gitlab scanner, etc.
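As an added example (not code from the original article or from any of the tools it names), a minimal version of the pre-commit secret check such a repository scan performs: it inspects only the lines a commit adds, matches known credential formats, flags long high-entropy tokens, and returns a go/no-go verdict for the pipeline. The rule set, the diff and the token values are constructed for illustration.

```python
import math
import re
from collections import Counter

# Rules for well-known credential formats (a constructed subset; real scanners ship far more).
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "hardcoded_password": re.compile(r"(?i)(?:password|passwd|pwd)\s*[=:]\s*['\"][^'\"\s]{8,}['\"]"),
}
# Long base64/hex-looking tokens are checked by entropy to catch keys that have no known prefix.
ENTROPY_CANDIDATE = re.compile(r"[A-Za-z0-9+/=_-]{32,}")
ENTROPY_THRESHOLD = 4.5   # bits per character; identifiers and prose score well below this

def shannon_entropy(token: str) -> float:
    counts = Counter(token)
    n = len(token)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def scan_diff(diff_text: str) -> list:
    """Check only the lines a commit adds; returns (diff line number, rule) pairs."""
    findings = []
    for lineno, line in enumerate(diff_text.splitlines(), 1):
        if not line.startswith("+") or line.startswith("+++"):
            continue              # context, removed lines and file headers are not new secrets
        content = line[1:]
        for rule, pattern in SECRET_PATTERNS.items():
            if pattern.search(content):
                findings.append((lineno, rule))
        for token in ENTROPY_CANDIDATE.findall(content):
            if shannon_entropy(token) >= ENTROPY_THRESHOLD:
                findings.append((lineno, "high_entropy_string"))
    return findings

def pipeline_gate(diff_text: str) -> bool:
    """True when the commit may proceed; a CI job would exit non-zero otherwise."""
    return not scan_diff(diff_text)

# Constructed diff of a commit that leaks credentials. The AWS value is the
# well-known documentation example key, not a live credential.
SAMPLE_DIFF = """\
--- a/config.py
+++ b/config.py
+AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
+DB_PASSWORD = "hunter2hunter2"
+SESSION_SECRET = "kF9xQ2mZ7pW4vB1nR8tL3sY6cH0jG5dA"
+LOG_LEVEL = "info"
"""
```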

Static Application Security Testing (SAST)
SAST is also known as white-box testing. It ensures that best coding practices and guidelines are followed while writing the code. It is one of the many checks in an application security assurance program designed to identify and mitigate security vulnerabilities early in the DevSecOps pipeline. SAST tool scans are tuned according to the requirements to reduce false positives.

SAST tools cover bugs, vulnerabilities, code smells, code coverage, code size and duplications. Some of the enterprise tools demonstrate compliance with famous standards like NIST, PCI, OWASP, HIPAA, GDPR, NYDFS, etc.

Famous SAST tools are SonarQube, CheckMarx, Veracode, etc.

Software Composition Analysis (SCA)
SCA enables the identification of third-party and open source components that have been integrated into the application. SCA checks whether open-source frameworks have open vulnerabilities (CVEs) and whether newer versions are available. SCA tools identify which open source components a company uses in its source code, then match those components against community databases, advisories, and issue trackers to detect vulnerabilities.

Famous SCA tools are Veracode, CAST Highlight, Checkmarx, etc.
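An added example, not code from the article or from any SCA product, of the core SCA check described above: read each pinned dependency from a requirements file, match it against an advisory feed, and flag outdated and unpinned packages. The package names, advisory identifiers and version numbers are constructed placeholders; the same comparison logic applies to a real advisory feed.

```python
from typing import NamedTuple

class Advisory(NamedTuple):
    package: str
    fixed_in: str      # first version containing the fix; every earlier version is affected
    advisory_id: str

# Constructed advisory feed and release index. A real SCA tool pulls these from
# public vulnerability databases, vendor advisories and the package index.
ADVISORIES = [
    Advisory("examplelib", "2.4.1", "EXAMPLE-ADV-001"),
    Advisory("examplelib", "1.9.0", "EXAMPLE-ADV-002"),   # already fixed in 2.x, must not fire
    Advisory("otherpkg", "0.8.0", "EXAMPLE-ADV-003"),     # boundary: 0.8.0 itself is fixed
]
LATEST = {"examplelib": "2.5.0", "otherpkg": "0.8.0", "safepkg": "1.0.0"}

def parse_version(version: str) -> tuple:
    """Numeric tuple so that 2.10.0 sorts after 2.9.0; pre-release suffixes are out of scope here."""
    return tuple(int(part) for part in version.split("."))

def parse_requirements(text: str) -> dict:
    """Map package name to its pinned version; unpinned entries map to None."""
    deps = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()        # drop comments and blank lines
        if not line:
            continue
        name, pinned, version = line.partition("==")
        deps[name.strip().lower()] = version.strip() if pinned else None
    return deps

def analyze(requirements: str) -> list:
    """One entry per dependency: open advisories, whether a newer release exists, pin status."""
    report = []
    for name, version in parse_requirements(requirements).items():
        if version is None:                          # cannot assess an unpinned dependency
            report.append({"package": name, "version": None, "advisories": [], "outdated": None})
            continue
        current = parse_version(version)
        open_advisories = sorted(a.advisory_id for a in ADVISORIES
                                 if a.package == name and current < parse_version(a.fixed_in))
        latest = LATEST.get(name)
        outdated = latest is not None and current < parse_version(latest)
        report.append({"package": name, "version": version,
                       "advisories": open_advisories, "outdated": outdated})
    return report

def should_block(report: list) -> bool:
    """Pipeline gate: fail the build on any open advisory or unpinned dependency."""
    return any(r["advisories"] or r["version"] is None for r in report)

# Constructed requirements.txt of the application under scan.
SAMPLE_REQUIREMENTS = "examplelib==2.3.0  # web framework\notherpkg==0.8.0\nsafepkg==1.0.0\n"
```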

Image Scanner
An image scanner scans the container image created for deploying the application. It scans for known vulnerabilities, embedded secrets, OSS licensing issues, hidden malware, and configuration issues present in the image.

It provides real-time, actionable information on vulnerability and configuration remediation, preventing unapproved images and functions from being deployed in your environment and, based on your policies, preempting operational errors, image sprawl, and rogue deployments.

One of the famous Image scanners is TwistLock.

Dynamic Application Security Testing (DAST)

DAST is also known as black-box testing. It is integrated into the pipeline after the application is deployed. It analyzes and finds vulnerabilities/threats in a running web application based on the request and response model, e.g. SQL Injection and XSS (Cross-Site Scripting). DAST tries to detect patterns that indicate a security vulnerability in a running application. When running DAST for a mobile application, consider an additional aspect of vulnerabilities: the one related to the device on which the mobile app is executed. DAST does not have access to your code; it tests for vulnerabilities in the application flow and is great for End-to-End (E2E) testing and pen-testing, finding about 20% of issues.

Benefits of DAST:

Determine different security vulnerabilities
No need to access the code
Perform the actions/scenarios of an actual attacker
Find vulnerabilities that exist outside the source code and in third-party applications
Crawl the whole web application before scanning

Famous DAST tools are Veracode, OWASP ZAP, Arachni, etc.

Interactive Application Security Testing (IAST)

IAST is a modern class of security detection tools that help teams find vulnerabilities in applications before they are exploited. Interactive AST combines static and dynamic techniques: source code visibility through the bytecode and runtime request visibility. IAST is also known as grey-box testing. IAST tools are designed to address the shortcomings of SAST and DAST. IAST places agents within an application and performs real-time analysis. The agent, which is integrated with the application’s runtime engine (for example, the JVM), has insight into the application’s logic flow, data flow, and configuration; it monitors the test attacks triggered by the DAST scan and then reports possible weak points.

Benefits of IAST:

Higher accuracy
Share security awareness
Real-time detection of vulnerabilities
Actionable feedback
Find vulnerabilities in third-party components
Improves time-to-market without compromising security

Famous IAST tools are Veracode, CheckMarx, Acunetix, etc.

Run-time Application Security Protection (RASP)
RASP works inside the application, but it is less a testing tool and more a security tool. It is plugged into an application or its runtime environment and can control application execution. That allows RASP to protect the app even if the network’s perimeter defenses are breached and the app contains security vulnerabilities missed by the development team. RASP lets an app run continuous security checks on itself and respond to live attacks by terminating an attacker’s session and alerting defenders to the attack.

RASP intercepts all calls from the app to the system, making sure they are secure, and validates data requests directly inside the app. Both web and non-web apps can be protected by RASP. The technology does not affect the design of the app because RASP’s detection and protection features operate on the server the app is running on.

Famous RASP tools are Veracode, Fortify, etc.
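An added example, not code from the article or from any RASP product, of the "validates data requests directly inside the app" behaviour: a wrapper around a sqlite3 connection inspects every statement and blocks any that embeds the current request's untrusted values in the SQL text, since such values should only ever arrive as bind parameters. The two handlers, the in-memory database and the begin_request helper that stands in for the agent's framework hook are all constructed for this example.

```python
import contextvars
import logging
import sqlite3

# Untrusted values of the request being handled. A real RASP agent fills this from its
# framework hook; begin_request() stands in for that hook (constructed for this example).
_request_values = contextvars.ContextVar("request_values", default=())

class RaspBlocked(Exception):
    """Raised to abort the current request; the framework turns it into an error response."""

def begin_request(*untrusted_values: str) -> None:
    _request_values.set(tuple(v for v in untrusted_values if v))

class GuardedConnection:
    """Wraps a sqlite3 connection and inspects every statement before it reaches the database."""
    def __init__(self, conn: sqlite3.Connection):
        self._conn = conn
    def execute(self, sql: str, params=()):
        # Policy: untrusted data reaches the database only through bind parameters. A request
        # value appearing verbatim in the SQL text means the app concatenated it into the query
        # (the coding pattern behind SQL injection), so the statement is blocked and an alert raised.
        for value in _request_values.get():
            if value in sql:
                logging.warning("RASP blocked statement built from request data: %r", sql)
                raise RaspBlocked(f"untrusted value {value!r} embedded in SQL text")
        return self._conn.execute(sql, params)

def lookup_user(db: GuardedConnection, username: str) -> list:
    """Safe handler: the request value travels as a bind parameter."""
    begin_request(username)
    return db.execute("SELECT id FROM users WHERE name = ?", (username,)).fetchall()

def lookup_user_unsafe(db: GuardedConnection, username: str) -> list:
    """Vulnerable handler: string formatting puts request data into the SQL text."""
    begin_request(username)
    return db.execute(f"SELECT id FROM users WHERE name = '{username}'").fetchall()

def handle(handler, db: GuardedConnection, username: str) -> tuple:
    """Simulates the framework boundary: a RASP block becomes a 403 response, not a crash."""
    try:
        return ("200", handler(db, username))
    except RaspBlocked as exc:
        return ("403", str(exc))

def make_db() -> GuardedConnection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.execute("INSERT INTO users (name) VALUES ('alice')")
    return GuardedConnection(conn)
```

Because the check is a plain substring match, a request value that happens to equal a table or column name is flagged as well; production agents compare the parsed statement structure instead of raw text.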

Conclusion:

In an ideal world, you would use all of these application security testing types in your pipeline to make your application completely secure, but this is rarely the case. There is a trade-off between deployment time and security: the two are inversely proportional, and a balance has to be maintained between them. So it depends entirely on the business requirements which level of security will be used.

Shailender Choudhary

Lead Cloud and DevSecOps Consultant at SoftwareONE Australia