
Empowering Software with Shift-Left Security

Bridging the security gap between developers and operations

Welcome back to another insight from the DevOps Insights!

Thanks again for being here!

Let’s talk about security vulnerabilities.

Look, I’m not a security expert. If you’re currently working as a developer, it’s OK to not be an expert in this field. However, you do need to be aware of what vulnerabilities exist and how to scan for them.

Here are the basics…

You can scan applications in many different ways. You can scan dependencies, the code itself, the code in its runtime, the built binaries, and more. Let’s dive into a few popular methods of security scanning.

SCA - Software Composition Analysis

SCA, or Software Composition Analysis, is an indispensable application security methodology tailored to handle open source components. With SCA, our development teams can efficiently trace and assess any open-source component integrated into our projects. These tools have the remarkable ability to uncover interconnected components, their supporting libraries, as well as direct and indirect dependencies.

Additionally, SCA tools excel at detecting software licenses, deprecated dependencies, and identifying vulnerabilities and potential exploits. By conducting a comprehensive scanning process, we generate a detailed software bill of materials (SBOM) that serves as a complete inventory of our project's valuable software assets.

SAST - Static Application Security Testing

Static Application Security Testing (SAST) is a method focused on analyzing an application's source code, bytecode, or application binaries before the code is executed. SAST peers into the code itself, looking for patterns or errors that could lead to vulnerabilities. It's a preventative measure, catching problems early in the development process. This type of scanning can be done before the code is compiled.

SAST is a more in-depth look compared to other testing methods, examining how the code is structured and how different parts interact. SAST’s thorough approach offers a detailed understanding of an application's potential security weaknesses, catching vulnerabilities that might otherwise go unnoticed until later in the development cycle.

DAST - Dynamic Application Security Testing

Dynamic Application Security Testing (DAST) is a method that checks applications as they're running, identifying vulnerabilities from the outside. DAST acts like an external attacker, probing for weak spots that could be exploited. This approach allows engineers to see how their applications might hold up against real-world attacks. It doesn't get into the nitty-gritty of the code but focuses on how the application behaves.

DAST is known for its speed and ability to test large areas quickly, making it a go-to solution for many engineers wanting a broader view of potential security risks. From common issues like authentication failures to more complex concerns, DAST offers a real-time look into an application's security landscape.

IAST - Interactive Application Security Testing

Interactive Application Security Testing (IAST) works inside an application, analyzing code in real time to catch vulnerabilities as the application runs. By using agents placed directly in the application’s environment, it spots issues that traditional testing might miss. IAST combines elements of both Static and Dynamic Application Security Testing, making it a versatile tool. It finds problems quickly, points out exactly where they are in the code, and helps DevOps engineers understand how an application responds to different security threats. Whether it's SQL injections or cross-site scripting, IAST provides a fast and straightforward way to keep an application safe.

This is not an exhaustive list of scanning types. I wanted to give at least a brief overview of what is available out there and where to start. If you want to dive in deeper, I recommend checking out the knowledge base that Veracode provides. https://www.veracode.com/security

Real Life Applications of Above

Okay, story time.

A client of mine decided that they wanted to implement security into their pipeline. They were spending ~$20k every 3 months to pen-test their app. The pen-test handled the IAST and DAST, but there was a clear gap.

I did my diligence. The main use cases they wanted to cover were:

  • SCA

  • Docker image vulnerability scans

  • Infrastructure as code scanning

  • License scanning

At the time, I found Snyk to be a sufficient option. They offered a solution for all of the above. Developers can even run scans in their IDE with their IDE plugins. That’s what I call shift-left security!

I am not affiliated with Snyk, but I do like their products. The implementation was a breeze. Pop a token into your CI environment, run the CLI commands, and you get results.

Cool, it’s implemented. What value did we get out of this?

Reporting

The client could now produce reports of how many vulnerabilities existed for any given build. This was helpful for tracking releases and understanding what vulnerabilities were there.

They could track vulnerabilities and import them into a ticketing system. The average time to remediate a security vulnerability is ~90 days. If there’s nothing tracking your vulnerabilities, how would you know?
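As an added example (not code from this post or from Snyk), here is the kind of per-build report and pipeline gate you can build on top of `snyk test --json` output: it counts findings by severity, collapses repeated dependency paths into one ticket-shaped record per unique issue, and fails the build above a chosen severity. The field names are modelled on the shape of Snyk's JSON output as an assumption, and the sample scan is constructed; adjust the keys if your scanner's output differs.

```python
from collections import Counter

SEVERITY_ORDER = ["low", "medium", "high", "critical"]

# Constructed sample modelled on the shape of `snyk test --json` output (a top-level
# "vulnerabilities" list); not real scan data, and the IDs are placeholders.
SAMPLE_SCAN = {"vulnerabilities": [
    {"id": "SNYK-EXAMPLE-0001", "severity": "high", "packageName": "pad-left",
     "version": "1.0.0", "isUpgradable": True, "from": ["svc@1.2.3", "pad-left@1.0.0"]},
    # Same issue reached via a second dependency path: one ticket, two paths.
    {"id": "SNYK-EXAMPLE-0001", "severity": "high", "packageName": "pad-left",
     "version": "1.0.0", "isUpgradable": True,
     "from": ["svc@1.2.3", "other-lib@2.0.0", "pad-left@1.0.0"]},
    {"id": "SNYK-EXAMPLE-0002", "severity": "medium", "packageName": "other-lib",
     "version": "2.0.0", "isUpgradable": False, "from": ["svc@1.2.3", "other-lib@2.0.0"]},
    {"id": "SNYK-EXAMPLE-0003", "severity": "critical", "packageName": "yaml-ish",
     "version": "0.9.1", "isUpgradable": True, "from": ["svc@1.2.3", "yaml-ish@0.9.1"]},
]}


def build_report(scan: dict, build_id: str) -> dict:
    """Summarise one build: counts by severity plus one ticket per unique issue."""
    vulns = scan.get("vulnerabilities", [])
    counts = Counter(v["severity"] for v in vulns)
    tickets = {}
    for v in vulns:
        # Dedupe on (issue id, package, version): one ticket per unique issue,
        # however many dependency paths reach it.
        key = (v["id"], v["packageName"], v["version"])
        t = tickets.setdefault(key, {
            "key": f"{v['id']}@{v['packageName']}:{v['version']}",
            "severity": v["severity"],
            "fix_available": bool(v.get("isUpgradable") or v.get("isPatchable")),
            "paths": [],
            "first_seen_build": build_id,  # lets a later run measure time to remediate
        })
        t["paths"].append(" > ".join(v.get("from", [])))
    return {
        "build_id": build_id,
        "counts": {s: counts.get(s, 0) for s in SEVERITY_ORDER},
        "tickets": sorted(tickets.values(),
                          key=lambda t: -SEVERITY_ORDER.index(t["severity"])),
    }


def gate(report: dict, threshold: str = "high") -> bool:
    """True when the build may ship: no unique issue at or above the threshold."""
    floor = SEVERITY_ORDER.index(threshold)
    return not any(SEVERITY_ORDER.index(t["severity"]) >= floor
                   for t in report["tickets"])
```

In CI you would redirect `snyk test --json` to a file, load it with `json.load`, feed it to `build_report`, push the `tickets` list to your ticketing system, and exit non-zero when `gate` returns `False`.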

Client Relationships

This client did not run a SaaS. Their customers run the software in their own cloud environments, so those customers were running security scans of their own. The client could assure its customers that, if a customer's scan turned up a vulnerability, the client was already aware of it and could escalate specific issues. This looks really professional.

New Business

This particular client targets customers in the government sector. One typical trait of government clients: they tend to like security. One such customer loved the product and was willing to pay over $1M/yr for the software. The caveat: there were a few vulnerabilities that needed to be fixed. Since these vulnerabilities were already tracked and being worked on, the client was able to remediate them in about 90 days and sign the customer.

Conclusion

Software security scanning is important for any company serious about building enterprise software. As DevOps engineers, it’s important to understand the basics. Also, learn what matters most to your client/company when it comes to security scanning. We are all working with limited resources, so prioritizing what matters most will help you decide which tool works best for you and your team.

I hope you enjoyed learning more about software security scanning!

Here are two books I’d recommend on learning security if you are interested.

If you found this newsletter to be useful, please share it with anyone else in your network that may be interested in this content.

I am working on a DevOps fundamentals course in the background. The release date will be some time this autumn. I hope to see you there!