It’s clear the exponential growth in the utilization of in-house software development: applications, plugins, scripts, and APIs, among others. Increasingly, companies need to internalize their customizations to achieve results more targeted toward their goals and needs.
Why worry about security in development?
A research conducted by SERPRO (Federal Data Processing Service of Brazil) indicates that the majority of vulnerabilities are related to the application layer and can compromise even the system access permissions of users. Nowadays, it is common sense to assume that the amount of vulnerabilities in applications surpasses those found in operating systems.
This shows that systems haven’t been built following a secure development process and programming best practices. Therefore, it is important that programmers care about this topic and think about security measures from the plan/design phase. By doing this, it is possible to mitigate the most common security risks in a much more efficient and inexpensive manner.
Preventive actions tend to be cheaper and more efficient than corrective actions.
A few years ago, the attackers used to focus on infrastructure components. It was very often to see attacks carried out on Apache, IIS, operating systems, and other infrastructure platforms and perimeter segments. Because of that, the maturity of security controls regarding infrastructure has risen organically and so have the security solutions related.
Over the years, things like agile methodologies have become increasingly relevant and empowered teams that develop software. To become more agile, teams began to assume a series of responsibilities and became fully responsible for what they built, including disciplines such as quality, infrastructure, security, and others. However, most teams do not have knowledge or maturity on how to develop safely. Consequently, attackers have shifted their attention and invested more time and effort in exploiting vulnerabilities at the application layer.
Another important factor to emphasize is the ease of finding ready-made attack methods (exploits) on the internet. With just a simple Google search, you can find a menu with a large variety of exploits, scripts, malware, tools, forums, etc and it is no longer necessary to have extensive knowledge to exploit some vulnerabilities out there.
Implementing security… What is needed?
A secure development process is based on three components – people, process and technology – and they are ordered by their importance.
The first component is people and they are represented not only by developers, but also by product owners, project managers, clients, and everyone else involved in the project. People are used to prioritizing tasks in order to deliver new features, but they tend to ignore security findings or postpone remediation. They often do this because they are neither aware of the security risks nor properly oriented. The best way to change this scenario is to invest in security awareness and training
The second component is the process and it is necessary to consider a set of security controls and practices in an end-to-end manner. In the beginning, it’s wise to start smoothly by implementing the most seamless controls as soon as possible in order to avoid any friction with the people involved in the project.
The third component is the technology and there are several kinds of solutions that address different security issues at each stage of the process. The most popular solutions are the AST (application security testing) family:
- SAST (Static Application Security Testing): it analyzes the source code to identify security vulnerabilities and ensure compliance with internal coding guidelines. It plays a crucial role in early vulnerability detection during the software development life cycle (SDLC) by scanning code before deployment. Developers can seamlessly integrate SAST into their development tools, allowing them to address issues such as hardcoded secrets, buffer overflows, code injections, misconfigurations, vulnerable dependencies, and so on.
- DAST (Dynamic Application Security Testing): it analyzes running applications by simulating attacks and assessing how the application responds. DAST is particularly useful for addressing misconfiguration and web application common vulnerabilities like cross-site scripting, SQL injection, IDOR, path traversal, local/remote file inclusion, and many others.
- IAST (Interactive Application Security Testing): an innovative approach that combines the strengths of both SAST and DAST. It runs from within the application server, evaluating code as it interacts with real-world data.
DevSecOps: what is it?
DevSecOps stands for development (Dev), security (Sec) and operations (Ops). It is a collaborative framework that extends the DevOps practice by adding security elements to the continuous integration and continuous deployment processes.
How do I add the “Sec” to the “DevOps”?
Implementing security practices in the CI/CD pipeline is not a one-size-fits-all approach. Each company must tailor their security measures to their specific context, needs, and constraints.
The most common practice is to include a cycle that involves scanning, analyzing, and remedying potential vulnerabilities at every phase of DevOps, adapting to a process of continuous improvement, monitoring, and managing the threats and vulnerabilities found.
Best practices for your code
Here are some tips that can help with secure development:
1. Secure development tools
If you have the possibility of using secure development tools, it will be a significant advancement to ensure your code is created with the best security practices. Nowadays, it is possible to find software that analyzes code in real time while you are programming.
2. Source code management
Source code management is very important for organizing and collaborating with other developers. Additionally, it helps ensure the integrity and versioning of your code.
3. Testing
Conducting tests on small pieces of code simplifies and aids in evaluating the final outcome.
4. Documentation
Creating clear and detailed documentation of your code and the architecture used not only improves the quality of your software but also facilitates the correction of bugs and security vulnerabilities.
5. Creating checklists
During key actions and reviews of your application, create checklists that include security items to always analyze these issues.
Learn to develop in a more secure way: final thoughts
Ensuring the security of your company, your home, your data, or any place that uses technology is not an easy task and cannot be assigned to just one person or team. Security depends on everyone, from the programmer to the user.
We know that software development is an area of constant evolution and study. However, security cannot be neglected. Implementing security controls into development makes you a more responsible and collaborative developer. I am sure that this habit will only bring benefits to your career and your company.
