Micro Focus’s 2018 Application Security Risk Report clearly showed the breadth of the threats facing those working with applications in DevOps. According to the report, 90 per cent of applications have at least one issue outside of the Open Web Application Security Project (OWASP) Top 10, OWASP’s list of the ten most critical web application security risks at any given time.
Furthermore, 49 per cent of applications contained a high-severity weakness that wasn’t part of the OWASP Top 10. What this shows is that it’s impossible to simply lock down an environment by determining the biggest threats and addressing them. Instead, DevOps security needs to protect against everything, including emergent and unknown threats.
When DevOps goes wrong
The need to get this right is pressing, as the risk profile around DevOps is substantial. In 2018, hackers used Tesla’s Amazon Web Services (AWS) account to mine cryptocurrency after the login credentials were left on an unsecured IT administrative console that lacked password protection. This was an expensive breach (cryptocurrency mining is notoriously resource-hungry), but an even more serious breach happened to Uber in 2016, when hackers targeted the company’s GitHub repository and found the login credentials for its AWS account. Rather than simply using the AWS account as free compute, the hackers walked away with more than 57 million customer and driver data records.
With the heightened focus on security via regulation (such as the GDPR in Europe), and the escalating penalties for consumer data loss, the experience of Uber shows that DevOps has the potential to be a highly vulnerable and costly point for an organisation.
DevOps risk can be attributed to several factors that are largely unique to DevOps within the business environment:
- DevOps tends to focus on speed: The value of DevOps to an organisation is centred on its ability to work rapidly. For example, predictions are that, by 2020, each application will need to be released 30 times per year to keep up with the demand from customers and partners. This sheer speed can leave the security professionals flat-footed and working reactively.
- DevOps works in the cloud: It’s impossible to close off a DevOps environment or take it offline, but at the same time it’s difficult to work in the cloud securely when the typical DevOps environment also involves new, open source, or immature tools. Many of these tools have security flaws inherent in their design, as well as inconsistent standards, making them difficult to manage from a security perspective.
- DevOps teams tend to be dispersed: Because DevOps works in the cloud, organisations tend to leverage the expertise of numerous teams working across different locations, and using different sets of dev, QA and monitoring tools.
- DevOps has access to it all: Hackers love environments such as GitHub, as DevOps programmers need access to the entire network environment in order to do their work. This makes them the ideal target.
The solution to these security challenges is seamless application security.
The five steps to seamless application security
For a DevOps team to succeed, it needs to adopt a DevSecOps approach to its work and make security core to what it does. That means adopting a seamless application security methodology, and a five-step approach to integrating security with DevOps work:
- Develop with security in mind. The typical organisation will have many more developers than security specialists, so it’s important that the organisation look for ways to empower developers to take responsibility for the security of their own code. This involves more than simply education; it’s important to provide tools such as Fortify Security Assistant that give real-time security feedback.
- Test early, often and fast. Adopting static application security testing is a sound first step, as it will identify the root causes of security issues right from the outset of the coding process. Meanwhile, having tools that provide real-time feedback as security issues are created helps to keep the DevOps team in a continual process of testing.
- Renew focus on security as part of lifecycle management. Dealing with the dispersed nature of DevOps within an organisation requires strong lifecycle management tools, which will perform security scans as part of a build, to immediately expose vulnerabilities and provide teams with the information needed to track and fix them.
- Introduce automated security tools. To free up the limited security resources the typical organisation has, automating security tests in the same way that you automate unit or integration tests is critical. Through automation, tests can be run more frequently, which not only maximises security by getting vulnerabilities fixed more quickly, but is also cheaper, as those vulnerabilities can be fixed before they become too embedded in the code.
- Monitor once released. A final security tool organisations should leverage is runtime application self-protection (RASP). It focuses on existing applications in production, protecting the environment from risk profile changes and zero-day vulnerabilities.
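As an added example (not code from the original article or from Micro Focus), here is a build-time check in the spirit of steps three and four above and of the committed-credential incidents described earlier: it scans a checkout for AWS credentials that should never reach a repository and fails the build the way a failing unit test would. The AWS access key ID format (AKIA plus 16 uppercase alphanumerics) is the real one; the secret-key and private-key patterns, the file names and the file contents are constructed for this example.

```python
import re
from dataclasses import dataclass

# Credential patterns. The access key ID format is AWS's documented one; the
# other two are assumptions chosen for this example, not an exhaustive list.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "aws_secret_access_key": re.compile(
        r"(?i)aws_secret_access_key\s*[=:]\s*['\"]?([A-Za-z0-9/+=]{40})"),
    "private_key_block": re.compile(
        r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}

@dataclass(frozen=True)
class Finding:
    path: str
    line_no: int
    kind: str

def scan_text(path, text):
    # Check every line of one file against every pattern.
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS.items():
            if pattern.search(line):
                findings.append(Finding(path, line_no, kind))
    return findings

def build_gate(files):
    # files: mapping of path -> contents; in CI these come from the checkout.
    # Returns (exit_code, findings); a non-zero code fails the build.
    findings = []
    for path, text in files.items():
        findings.extend(scan_text(path, text))
    return (1 if findings else 0), findings

# Constructed sample checkout (the key pair is AWS's published example, not a
# live credential): one config file that leaks keys, one clean source file.
SAMPLE_FILES = {
    "config/settings.py": (
        "DEBUG = False\n"
        "AWS_ACCESS_KEY_ID = 'AKIAEXAMPLEEXAMPLE01'\n"
        "AWS_SECRET_ACCESS_KEY = 'wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY'\n"
    ),
    "app/main.py": "def handler(event):\n    return {'ok': True}\n",
}

if __name__ == "__main__":
    code, found = build_gate(SAMPLE_FILES)
    for f in found:
        print(f"{f.path}:{f.line_no}: {f.kind}")
    raise SystemExit(code)
```

Run as a step before the build; the non-zero exit stops the pipeline so the offending commit never reaches a shared branch or a deployment.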
Integrating a tool such as Micro Focus Fortify, which provides solutions to each of the above steps to deliver seamless application security, will provide your organisation and DevOps team with the security best practices necessary to protect the environment from the ever-expanding range of potential threats.