Secure software development in all phases: DevSecOps anchors IT security in development cycles
The importance of modern software development, with its short release cycles and flexibility, has increased significantly with the digitization of society. Security, however, must not be neglected along the way.
By raising the awareness of the developers, security can be significantly improved with little additional effort.
A few years ago, many companies still developed software in the traditional waterfall model. In the meantime, however, customers expect a regular stream of new products and updates that run quickly and smoothly, even on the latest smartphones.
In order to be able to continue to exist on the market, companies are required to accelerate their development processes. DevOps, as an approach to improve collaboration across the entire product lifecycle, is already widespread.
DevSecOps goes one step further and places a strong focus on IT security, which makes sense in view of the increasing importance of digital products. GitLab’s DevSecOps Report 2021 shows that the majority of companies have already been the target of attacks:
- about 70% of companies have already lost critical data due to cyber attacks
- about two thirds have experienced operational disruptions
- more than 60% have found a negative impact on their brand
Since the importance of data is not expected to decrease again, attempted attacks are likely to keep increasing, and with them the importance of security.
In theory, moving away from traditional, downstream security testing through a “shift left” improves security and shortens release cycles at the same time. Many DevSecOps teams already follow this approach. The challenge, however, is to transfer the necessary knowledge from existing AppSec teams into the development teams. Developers need more technical knowledge of the topics themselves, but they also need an awareness of security in order to actually apply that knowledge.
Attackers don’t reinvent the wheel
The good news is that most attacks exploit known vulnerabilities. The “State of Cybersecurity 2021” report by ISACA shows that, besides attempts to exploit people as a vulnerability through social engineering, the following types of attacks are very common:
- incorrectly configured security systems
- broken authentication and authorization
- lack of logging and monitoring
All of these can be found in the Top 10 of the Open Web Application Security Project (OWASP), a list of widespread types of attacks on web applications that also provides details on attack scenarios. By covering the OWASP Top 10, many potential attacks can already be thwarted.
Security ambassadors raise awareness of security
The shift-left approach is already used in many DevSecOps teams, or is in the process of implementation. The big challenge is to close the knowledge gaps of the developers. An important success factor is to establish security specialists as ambassadors in development teams.
For a high level of acceptance, these ambassadors should come directly from the teams: developers who already care about security become ambassadors. If the company previously had an AppSec team, these specialists can also be integrated into the teams in order to extend the cross-functional DevOps teams with the security aspect. Both approaches have their advantages and disadvantages:
- Security ambassadors: those developed from within an existing team are very likely to enjoy high acceptance in the team from the outset. However, they often have to undergo further professional and methodological training.
- AppSec specialists: those integrated into teams from outside already have very good knowledge, but will probably have to work harder to be accepted by the team. In the traditional approach, the relationship between development and AppSec teams is often strained, since the latter report defects and developers may feel their professional pride is hurt.
A combination of both approaches is also very suitable: AppSec specialists can be integrated into the teams while ambassadors from within the teams are developed further at the same time. The combination has the advantage that there are several points of contact for security in each team, so the tasks can be shared and a “bottleneck” avoided.
However, this is only an interim solution. The goal must be to spread the knowledge holistically throughout the teams via the ambassadors and to integrate learning content directly into the development processes. Security must become an integral part of developers' everyday work. This can also be achieved, for example, by appropriate extensions of the DoR (Definition of Ready) or DoD (Definition of Done).
Essential training of the team
In order to integrate security knowledge into everyday work, learning content can be embedded directly into development processes according to the principle of micro-learning. As a result, the knowledge is tied to the situation at hand and provided in small bites.
There are already solutions that integrate learning content, in the form of videos and exercises for all common programming languages and the OWASP Top 10, into development processes. The security specialists can then point their team members to potential security gaps through reviews or task descriptions. In this way, developers can acquire and apply the necessary knowledge directly during development.
Another option is to use automated real-time coaching. With this approach, developers receive feedback on potential security vulnerabilities directly when writing the code. For this coaching, there are extensions for IDEs that check the code in real time and give suggestions for implementation based on best practices.
However, these extensions do not yet recognize all potential vulnerabilities and depend on the teams extending the best practices themselves. Precisely because they can be extended individually, though, they offer a lot of potential for product-specific security issues.
Gamification as a learning incentive
In addition to integrating learning content into development processes, how the content is conveyed is also crucial. An important success factor is the fun of learning, which can be increased by gamification, especially for developers. Rankings or badges can spur the natural urge to play and compare.
Solutions such as the integration of learning content into code reviews offer opportunities for developers to earn badges and points. It is also conceivable to support the expansion of security best practices by awarding rewards.
The learning-content services often already include rankings and awards, which can serve as a starting point. The company's own awards for bugs found or fixed, for suggestions that improve security, or for sharing knowledge can increase gamification even further.
Open competitions go one step further: participants can compare themselves with other experts. The advantage is that competitions do not only test existing knowledge. The participants also face new challenges that they have to solve under time pressure, so existing knowledge is re-linked in a new context. Such competitions can be held in a wide variety of formats, e.g. very compactly in just a few hours or spread over a longer period of time.
Conclusion: Security is an important aspect of software that often only receives serious attention once damage has occurred, and is therefore frequently neglected in everyday software development. If an attack does happen, the damage is immense.
Daniel Huchthausen (Picture: Jan v. Diechen / www.JanDeichen.com)
By raising the awareness of developers, security with regard to everyday attacks can be significantly improved with little additional effort, since attack vectors from the OWASP Top 10 can be well secured. This change of consciousness is worthwhile – but it also takes time, as security ambassadors must first be established and processes must be adapted.
* Daniel Huchthausen uses his many years of experience as an IT consultant to convey the complex issues surrounding modern software development in an understandable way. Cloudogu GmbH has set itself the goal of mapping the entire product lifecycle of software development through an easy-to-use toolset that helps to develop software even more efficiently through standardization and automation.