Continuous Security. Improve Web Application Security by using Continuous Security Scans

Transcription

1 Continuous Security Improve Web Application Security by using Continuous Security Scans 1

2 The world of software development has changed. Nowadays around 65% of software projects use agile development 1. Through Continuous Integration (CI) and Continuous Deployment (CD), companies can react faster to market trends and publish new versions of their software much more frequently than before. These developments also lead to new challenges in the area of software security testing, as the security tests also have to adopt to the shorter development lifecycles and become more agile. 65% of software developers use agile development techniques Agile software development needs agile security testing Continuous security guarantees secure software in each sprint New ways of development also need a new way of testing. The days in which a software project took one year from initiation to deployment with a manual security check at the end before deployment are over. With development cycles shortened to weekly deployments, manual security tests cannot keep up the pace anymore. Hence tests need to be automated and integrated into the daily workflow of developers. The Open Web Application Security Project (OWASP) calls these form of tests continuous security (testing) 2. Quality management and quality problems have been thoroughly researched. The rule of ten3 states, that an error detected in a certain stage of product development costs ten times the money to resolve it than if the error was found one stage earlier. Compared to an error found in the planning stage, an error found in the production phase can cause costs that are up to 1000 times higher. These numbers are similar for security errors (i.e. vulnerabilities) in software products. In agile software development where a twoweek development sprint contains all the phases ranging from planning and development till customer presentation, the value of testing radically increases. Continuous security guarantees that all software versions are already tested in the development phase. Contrary to manual security tests which are often only conducted for major releases, this allows for testing all versions that will be published. This way of testing enables early error detection in the development lifecycle, leading to time and costs savings while increasing the level of security of the developed product. 1. Security Challenges of Agile Software Development In todays business world, there are several security challenges companies face when switching to or using agile software development. In the following chapter the main challenges will be outlined. Importance of time to market Broad range of security tools Lack of security expertise Reliance solely on frameworks 1.1 Functionality & time to market more important than security One of the main reasons for implementing Continuous Integration / Continuous Deployment is to become more responsive to customers needs, shorten software development cycles and hence create more value. This speed however comes at a cost. Usually the increased pressure of developing more and more features leads to negligence in the area of security testing. Our research 4 shows that security is often not seen as a business-critical topic. Security tests are only conducted if a customer explicitly requests them or the potential risk when releasing the next major versions of a software seems to require one. Meaning that V1.0 must undergo a (manual) penetration test (pentest) and the next version being tested for vulnerabilities is V2.0. All minor releases in between these two versions, do not undergo an additional pentest and their level of security is solely based on the skills of the software engineers. This is due to two reasons: (1) security testing and remediation 2

3 of results takes time; (2) security testing, especially manual tests are very expensive. In order to meet business targets and stay in budget, the focus of developers lies on creating features and not making the software more secure. 1.2 Broad range of security tools only covering single vulnerabilities A second challenge for todays software engineers is the sheer amount of different tools that are available on the market. For almost every security vulnerability, there is a specialized test that is superb and very deep, but only covers one vulnerability. For example SQLMap is a great tool to find SQLinjection vulnerabilities, but that is only one of the attack vectors, hackers use. If a developer is using several of these scanners he faces another problem. Each scanner must be configured individually and adjusted to the needs of the company. The scanners rely on different programming languages and often bring further prerequisites such as system libraries, so it takes the developer a lot of time to set up the internal security scans. When there are several different security tools, the engineers need to decide which one to use. As they often have no specific education in security, evaluating the tools is complicated. In addition, output formats differ from tool to tool, so that a vulnerability management solution also comes into play and needs to be configured and set up. If the developer wants to conduct a security scan, he must then start each scanner individually and consolidate & standardize the findings by hand. Additionally he has to ensure that each scanner is always up to date to detect the newest vulnerabilities. 1.3 Expertise in security is not easy to get for smaller companies Another issue mainly the management faces, is the shortage of skilled software developers. Especially for small and medium sized companies, it is very hard to attract the needed experts in the field of security, which is another reason why security testing often is not performed to the required extend. Even when developers see the desperate need for security products, they lack the skills to operate the broad range of security tools and interpret the results. These skills need to be learned, which often fails with regards to the available time. 1.4 Manager rely on programmers to write secure code. Programmers rely on frameworks to produce secure code. The last challenge results from the above indicated. Managers do not have the time and expertise to check and evaluate the security of the developed software, so they must rely on their software engineers to write a secure application. The developers however face the managements pressure to deliver feature after feature, while relying on their used frameworks to write secure code. This creates the illusion of a secure software, while there is no reliable process that continuously checks the security state of the software. 2. Examples of Usable Security It can be deduced that security needs to be embedded into existing systems and structures such that the users are not obstructed by the security layer. A real-world example for this is the revolving door, which only allows one person at a time to pass through. Therefore the building security personal can get a clear picture of this aspect of building security, while the doors are not being perceived as a security measures by their users. It is one of the prerequisites for security measures to be successfully implemented in modern development practices, to conduct tests unnoticed, without making it visible, hence making security usable. When WhatsApp introduced end-to-end chat encryption5 over night without the users realizing, the security of millions of peoples communication increased. As a widely accepted way of communication, there was no delay or no additional installations needed to enable the security feature, so that users could go on with their daily business. Implementing usable security like this in the software development allows to keep deadlines (software releases are not delayed due to security issues), enhances interdepartmental relations as conflicts between the software development department and 3

4 security department can be brought to more constructive levels and empowers software developers. 3. Implementing Security into the Continuous Integration process competency is not security engineering are not hindered by the need to integrate several tools or interpret command line outputs of security scans. A way to tackle the above-mentioned problems is to integrate security testing into the CI/CD process (See Figure 1). In order to successfully incorporate such scans into the daily routines, a number of aspects have to be considered: Security tests complement other forms of testing Integration into CI/CD process is essential for continuous security The security tests must integrate seamlessly into the current development environment, such that the software engineers do not have to leave their trusted environment. A normal CI/CD process includes a build server that triggers certain functionality tests when specified actions occur (e.g. the software is deployed). This can mean that on each push to a repository certain unittests are run. When a pull request is created or merged, some additional tests such as integration tests may run. The results are normally gathered and presented in the build servers user interface and can be pushed to additional communication media such as a slack channel. Having usable security tests means that the security tests are automatically triggered by the build server based on the developers configuration. Automated tests can additionally be triggered in certain time intervals 6, to ensure continuous security. One way of implementation is that all nightly builds are scanned by the automated security scanner. The same way that unit and integration test have become standard tools for modern software engineers, security tests need to be fully integrated into their daily workflow. The security scanner needs to bundle the security scans for the developer and present identified vulnerabilities in a meaningful way. This ensures that developers whose core Figure 1: Security in the Agile Development Environment 4. Automated Security Scans empowering Developers Instead of being an obstacle for developers, properly integrated security scans empower them. They provide immediate feedback. For example after a pull request is created and the code deployed to a testing or staging environment. Therefore, they still know which code they have worked on in the hours or days before and do not need to redive into previous work. Proper tests do not only give feedback on existing vulnerabilities but provide links to resources or guides on how to resolve an issue. This layer of quality control gives developers the security sovereignty of their code back. Instead of creating manual security tests, they can focus on their revenue-generating work such as developing new features. In addition, these tests can free cognitive resources that are bound by pressure coming from superiors. As a software engineers job is only seen as a featureproducer, (non-tech) superiors often see it as a waste of time, if too much work is spent on things like code quality or security. However, in case of a security emergency, 4

5 the immediate responsibility to fix it lies upon the developer who implemented the code, which contains the vulnerabilities. An automated security scan gives the developer a great tool to continuously check the security status of the software, whilst still focusing on their core assignments. Once some kind of automated security is integrated into daily workflows, developers can self-confidently state that their code has passed a security scan on every product version released. A solution that always includes the latest security checks such as a SaaS security scanner makes sure that all newly uncovered vulnerabilities (so called zero-day attacks) are also included in the scan. Continuous Security goes in line with Usable Security Developers can focus on their main tasks without ignoring security issues 6. Conclusion By hooking into the development process similarly to what developers are used to, continuous security suites provide security for software enabling programmers to enhance software with regards to security as early as possible. This lets software developers ship better software to their customers. The time they save by targeting security problems as soon as they arise (and not after weeks or months of productive usage) lets them focus on developing new features. Main points to remember: Agile software development generated the need of continuous security. Continuous Security needs to be Usable Security. The use of continuous security testing frameworks free developers resources to focus on their key assignments. 5. Crashtest Security Suite offering continuous security We, Crashtest Security, discover security vulnerabilities of web applications in real time. Therefore, we developed a cloud based security scanner offered as a SaaS model. We ensure that developers can fully focus on their revenue-generating work while we will discover the vulnerabilities. As software developers ourselves, we know how hard it can be, to deliver software with great user experience, all needed features and all of this in a secure way. Therefore, we are writing a toolchain of security scanners that can be triggered by a web-hook. The reporting is done in a way that enables developers to focus on resolving any security issues and executives to monitor the software security state. Integrations for existing communication channels, such as slack inform the people in charge when needed. If a vulnerability is found, the developer gets notified immediately (See Figure 2 for an detailed explanation of the process). 5

6 Figure 2: How the Crashtest Security Suite provides Continuous Security 6

7 About Crashtest Security Crashtest Security is a Munich, Germany based start-up that redefines web application vulnerability scans. As an innovator within cyber security for web applications, Crashtest Security develops automated vulnerability assessment solutions enhanced with artificial intelligence developed for the needs of the agile developer or DevSecOps. The clear vulnerability insights provide transparency and actionable insights to enable efficient risk mitigation and particularly reducing the risk of getting hacked. Find out more at Continuous_Security_Testing.pdf of-ten/ Survey conducted by the founders at the ICOM 2016, Internet World 2017, CeBIT E.g. daily or weekly 7

8 Crashtest Security GmbH Wilhelm-Hertz-Str.14a Munich +49 (0)