Continuous Security. Improve Web Application Security by using Continuous Security Scans

Similar documents
PEACHTECH PEACH API SECURITY AUTOMATING API SECURITY TESTING. Peach.tech

THE IMPACT OF SECURITY ON APPLICATION DEVELOPMENT. August prevoty.com. August 2015

Agile Accessibility. Presenters: Ensuring accessibility throughout the Agile development process

Azure DevOps. Randy Pagels Intelligent Cloud Technical Specialist Great Lakes Region

Toward an Automated Future

How to Secure Your Cloud with...a Cloud?

Why Converged Infrastructure?

Weaving Security into Every Application

Integrated Access Management Solutions. Access Televentures

COMPLIANCE AUTOMATION BRIDGING THE GAP BETWEEN DEVELOPMENT AND INFORMATION SECURITY

A Strategic Approach to Web Application Security

Resolving Security s Biggest Productivity Killer

Vulnerability Management

The SD-WAN security guide

WITH ACTIVEWATCH EXPERT BACKED, DETECTION AND THREAT RESPONSE BENEFITS HOW THREAT MANAGER WORKS SOLUTION OVERVIEW:

What is database continuous integration?

AppScan Deployment APPLICATION SECURITY SERVICES. Colin Bell. Applications Security Senior Practice Manager

Get more out of technology starting day one. ProDeploy Enterprise Suite

A Practical Guide to Efficient Security Response

Using Threat Analytics to Protect Privileged Access and Prevent Breaches

THE REAL ROOT CAUSES OF BREACHES. Security and IT Pros at Odds Over AppSec

Device Discovery for Vulnerability Assessment: Automating the Handoff

SDI, Containers and DevOps - Cloud Adoption Trends Driving IT Transformation

Express Monitoring 2019

Why Enterprises Need to Optimize Their Data Centers

Tripwire State of Container Security Report

RED HAT ENTERPRISE LINUX. STANDARDIZE & SAVE.

Security-as-a-Service: The Future of Security Management

2018 Report The State of Securing Cloud Workloads

Trustwave Managed Security Testing

8 Must Have. Features for Risk-Based Vulnerability Management and More

Tips for Effective Patch Management. A Wanstor Guide

Test Automation Strategies in Continuous Delivery. Nandan Shinde Test Automation Architect (Tech CoE) Cognizant Technology Solutions

The New Normal. Unique Challenges When Monitoring Hybrid Cloud Environments

WHITE PAPER AUTHENTICATION YOUR WAY SECURING ACCESS IN A CHANGING WORLD

Suman Sourav Director DevSecOps, Vantage Point Security. OWASP Indonesia Day 2017

AUTOMATE THE DEPLOYMENT OF SECURE DEVELOPER VPCs

THALES DATA THREAT REPORT

Transformation in Technology Barbara Duck Chief Information Officer. Investor Day 2018

Endpoint Security Can Be Much More Effective and Less Costly. Here s How

Optimisation drives digital transformation

CLOUD WORKLOAD SECURITY

A SEISMIC SHIFT IN APPLICATION SECURITY HOW TO INTEGRATE AND AUTOMATE SECURITY IN THE DEVOPS LIFECYCLE

Evolution For Enterprises In A Cloud World

Automated, Real-Time Risk Analysis & Remediation

THE FOUR PILLARS OF MODERN VULNERABILITY MANAGEMENT

Best Practices in Securing a Multicloud World

AWS Reference Design Document

White Paper. Incorporating Usability Experts with Your Software Development Lifecycle: Benefits and ROI Situated Research All Rights Reserved

Why Converged Infrastructure?

A Methodology to Build Lasting, Intelligent Cybersecurity Programs

VMware Cloud Operations Management Technology Consulting Services

BEST PRACTICES FOR SELECTING A WEB APPLICATION SCANNING (WAS) SOLUTION

SECURING DOCKER: What You Need to Know

Marc Hornbeek DevOps-the-Gray Principal DevOps Consultant, Trace3 Author, DevOps Test Engineering Course The DevOps Institute

THE CRITICAL COMMUNICATIONS COMPANY CYBER SECURITY AS A SERVICE

Six Weeks to Security Operations The AMP Story. Mike Byrne Cyber Security AMP

Brochure. Security. Fortify on Demand Dynamic Application Security Testing

Sample Exam. Advanced Test Automation - Engineer

Meeting PCI DSS 3.2 Compliance with RiskSense Solutions

BUYER S GUIDE APPLICATION SECURITY BUYER S GUIDE:

Vulnerability Management. June Risk Advisory

GDPR: Get Prepared! A Checklist for Implementing a Security and Event Management Tool. Contact. Ashley House, Ashley Road London N17 9LZ

CYBERSECURITY RESILIENCE

McAfee Product Security Practices

DevOps Anti-Patterns. Have the Ops team deal with it. Time to fire the Ops team! Let s hire a DevOps unit! COPYRIGHT 2019 MANICODE SECURITY

Cybersecurity. Securely enabling transformation and change

The security challenge in a mobile world

Survey Results: Virtual Insecurity

deep (i) the most advanced solution for managed security services

Asset Management conference 2016

Secure Agile How to make secure applications using Agile Methods Thomas Stiehm, CTO

TECHNICAL WHITE PAPER. Secure messaging in Office 365: Four key considerations

THE CONTRAST ASSESS COST ADVANTAGE

SOLUTION BRIEF RSA NETWITNESS EVOLVED SIEM

Customer Success with Windows as a Service. John Cable Windows Servicing and Delivery

SailPoint IdentityIQ Integration with the BeyondInsight Platform. Providing Complete Visibility and Auditing of Identities

Professional Services for Cloud Management Solutions

Bring Your Own Device (BYOD)

Scanning-Less Scanning. Installation Guide

RED HAT INSIGHTS. Security & Proactive Response with Insights

Importance of User Deprovisioning from Services

A company built on security

An Introduction to the Waratek Application Security Platform

Healthcare IT Optimization: 6 Mistakes to Avoid Along the Way

HP BladeSystem Matrix

Accelerating the Business Value of Virtualization

Preparing your network for the next wave of innovation

FROM VSTS TO AZURE DEVOPS

Cisco ONE for Access Wireless

USE CASE. Collect CLOSED CASE FEEDBACK. Salesforce Workflow. Clicktools Deployment TWO DEPLOYMENT APPROACHES. The basic activity flow goes like this:

Innovate or die!? Modern IT Workplace Security. Alex Verboon Cyber Security Consultant

EXPERT SERVICES FOR IoT CYBERSECURITY AND RISK MANAGEMENT. An Insight Cyber White Paper. Copyright Insight Cyber All rights reserved.

Cloud is the 'Only' Way Forward in Information Security. Leveraging Scale to Make the Unknown Known, in Dev, Sec & Ops.

RSA Solution Brief. The RSA Solution for Cloud Security and Compliance

AN APPLICATION-CENTRIC APPROACH TO DATA CENTER MIGRATION

Instructor-led Training Course Catalog

RiskSense Attack Surface Validation for IoT Systems

Information Infrastructure and Security. The value of smart manufacturing begins with a secure and reliable infrastructure

Staffing Services UnderDefense your source of experienced professionals to solve security staffing challenges today

Transcription:

Continuous Security Improve Web Application Security by using Continuous Security Scans 1

The world of software development has changed. Nowadays around 65% of software projects use agile development 1. Through Continuous Integration (CI) and Continuous Deployment (CD), companies can react faster to market trends and publish new versions of their software much more frequently than before. These developments also lead to new challenges in the area of software security testing, as the security tests also have to adopt to the shorter development lifecycles and become more agile. 65% of software developers use agile development techniques Agile software development needs agile security testing Continuous security guarantees secure software in each sprint New ways of development also need a new way of testing. The days in which a software project took one year from initiation to deployment with a manual security check at the end before deployment are over. With development cycles shortened to weekly deployments, manual security tests cannot keep up the pace anymore. Hence tests need to be automated and integrated into the daily workflow of developers. The Open Web Application Security Project (OWASP) calls these form of tests continuous security (testing) 2. Quality management and quality problems have been thoroughly researched. The rule of ten3 states, that an error detected in a certain stage of product development costs ten times the money to resolve it than if the error was found one stage earlier. Compared to an error found in the planning stage, an error found in the production phase can cause costs that are up to 1000 times higher. These numbers are similar for security errors (i.e. vulnerabilities) in software products. In agile software development where a twoweek development sprint contains all the phases ranging from planning and development till customer presentation, the value of testing radically increases. Continuous security guarantees that all software versions are already tested in the development phase. Contrary to manual security tests which are often only conducted for major releases, this allows for testing all versions that will be published. This way of testing enables early error detection in the development lifecycle, leading to time and costs savings while increasing the level of security of the developed product. 1. Security Challenges of Agile Software Development In todays business world, there are several security challenges companies face when switching to or using agile software development. In the following chapter the main challenges will be outlined. Importance of time to market Broad range of security tools Lack of security expertise Reliance solely on frameworks 1.1 Functionality & time to market more important than security One of the main reasons for implementing Continuous Integration / Continuous Deployment is to become more responsive to customers needs, shorten software development cycles and hence create more value. This speed however comes at a cost. Usually the increased pressure of developing more and more features leads to negligence in the area of security testing. Our research 4 shows that security is often not seen as a business-critical topic. Security tests are only conducted if a customer explicitly requests them or the potential risk when releasing the next major versions of a software seems to require one. Meaning that V1.0 must undergo a (manual) penetration test (pentest) and the next version being tested for vulnerabilities is V2.0. All minor releases in between these two versions, do not undergo an additional pentest and their level of security is solely based on the skills of the software engineers. This is due to two reasons: (1) security testing and remediation 2

of results takes time; (2) security testing, especially manual tests are very expensive. In order to meet business targets and stay in budget, the focus of developers lies on creating features and not making the software more secure. 1.2 Broad range of security tools only covering single vulnerabilities A second challenge for todays software engineers is the sheer amount of different tools that are available on the market. For almost every security vulnerability, there is a specialized test that is superb and very deep, but only covers one vulnerability. For example SQLMap is a great tool to find SQLinjection vulnerabilities, but that is only one of the attack vectors, hackers use. If a developer is using several of these scanners he faces another problem. Each scanner must be configured individually and adjusted to the needs of the company. The scanners rely on different programming languages and often bring further prerequisites such as system libraries, so it takes the developer a lot of time to set up the internal security scans. When there are several different security tools, the engineers need to decide which one to use. As they often have no specific education in security, evaluating the tools is complicated. In addition, output formats differ from tool to tool, so that a vulnerability management solution also comes into play and needs to be configured and set up. If the developer wants to conduct a security scan, he must then start each scanner individually and consolidate & standardize the findings by hand. Additionally he has to ensure that each scanner is always up to date to detect the newest vulnerabilities. 1.3 Expertise in security is not easy to get for smaller companies Another issue mainly the management faces, is the shortage of skilled software developers. Especially for small and medium sized companies, it is very hard to attract the needed experts in the field of security, which is another reason why security testing often is not performed to the required extend. Even when developers see the desperate need for security products, they lack the skills to operate the broad range of security tools and interpret the results. These skills need to be learned, which often fails with regards to the available time. 1.4 Manager rely on programmers to write secure code. Programmers rely on frameworks to produce secure code. The last challenge results from the above indicated. Managers do not have the time and expertise to check and evaluate the security of the developed software, so they must rely on their software engineers to write a secure application. The developers however face the managements pressure to deliver feature after feature, while relying on their used frameworks to write secure code. This creates the illusion of a secure software, while there is no reliable process that continuously checks the security state of the software. 2. Examples of Usable Security It can be deduced that security needs to be embedded into existing systems and structures such that the users are not obstructed by the security layer. A real-world example for this is the revolving door, which only allows one person at a time to pass through. Therefore the building security personal can get a clear picture of this aspect of building security, while the doors are not being perceived as a security measures by their users. It is one of the prerequisites for security measures to be successfully implemented in modern development practices, to conduct tests unnoticed, without making it visible, hence making security usable. When WhatsApp introduced end-to-end chat encryption5 over night without the users realizing, the security of millions of peoples communication increased. As a widely accepted way of communication, there was no delay or no additional installations needed to enable the security feature, so that users could go on with their daily business. Implementing usable security like this in the software development allows to keep deadlines (software releases are not delayed due to security issues), enhances interdepartmental relations as conflicts between the software development department and 3

security department can be brought to more constructive levels and empowers software developers. 3. Implementing Security into the Continuous Integration process competency is not security engineering are not hindered by the need to integrate several tools or interpret command line outputs of security scans. A way to tackle the above-mentioned problems is to integrate security testing into the CI/CD process (See Figure 1). In order to successfully incorporate such scans into the daily routines, a number of aspects have to be considered: Security tests complement other forms of testing Integration into CI/CD process is essential for continuous security The security tests must integrate seamlessly into the current development environment, such that the software engineers do not have to leave their trusted environment. A normal CI/CD process includes a build server that triggers certain functionality tests when specified actions occur (e.g. the software is deployed). This can mean that on each push to a repository certain unittests are run. When a pull request is created or merged, some additional tests such as integration tests may run. The results are normally gathered and presented in the build servers user interface and can be pushed to additional communication media such as a slack channel. Having usable security tests means that the security tests are automatically triggered by the build server based on the developers configuration. Automated tests can additionally be triggered in certain time intervals 6, to ensure continuous security. One way of implementation is that all nightly builds are scanned by the automated security scanner. The same way that unit and integration test have become standard tools for modern software engineers, security tests need to be fully integrated into their daily workflow. The security scanner needs to bundle the security scans for the developer and present identified vulnerabilities in a meaningful way. This ensures that developers whose core Figure 1: Security in the Agile Development Environment 4. Automated Security Scans empowering Developers Instead of being an obstacle for developers, properly integrated security scans empower them. They provide immediate feedback. For example after a pull request is created and the code deployed to a testing or staging environment. Therefore, they still know which code they have worked on in the hours or days before and do not need to redive into previous work. Proper tests do not only give feedback on existing vulnerabilities but provide links to resources or guides on how to resolve an issue. This layer of quality control gives developers the security sovereignty of their code back. Instead of creating manual security tests, they can focus on their revenue-generating work such as developing new features. In addition, these tests can free cognitive resources that are bound by pressure coming from superiors. As a software engineers job is only seen as a featureproducer, (non-tech) superiors often see it as a waste of time, if too much work is spent on things like code quality or security. However, in case of a security emergency, 4

the immediate responsibility to fix it lies upon the developer who implemented the code, which contains the vulnerabilities. An automated security scan gives the developer a great tool to continuously check the security status of the software, whilst still focusing on their core assignments. Once some kind of automated security is integrated into daily workflows, developers can self-confidently state that their code has passed a security scan on every product version released. A solution that always includes the latest security checks such as a SaaS security scanner makes sure that all newly uncovered vulnerabilities (so called zero-day attacks) are also included in the scan. Continuous Security goes in line with Usable Security Developers can focus on their main tasks without ignoring security issues 6. Conclusion By hooking into the development process similarly to what developers are used to, continuous security suites provide security for software enabling programmers to enhance software with regards to security as early as possible. This lets software developers ship better software to their customers. The time they save by targeting security problems as soon as they arise (and not after weeks or months of productive usage) lets them focus on developing new features. Main points to remember: Agile software development generated the need of continuous security. Continuous Security needs to be Usable Security. The use of continuous security testing frameworks free developers resources to focus on their key assignments. 5. Crashtest Security Suite offering continuous security We, Crashtest Security, discover security vulnerabilities of web applications in real time. Therefore, we developed a cloud based security scanner offered as a SaaS model. We ensure that developers can fully focus on their revenue-generating work while we will discover the vulnerabilities. As software developers ourselves, we know how hard it can be, to deliver software with great user experience, all needed features and all of this in a secure way. Therefore, we are writing a toolchain of security scanners that can be triggered by a web-hook. The reporting is done in a way that enables developers to focus on resolving any security issues and executives to monitor the software security state. Integrations for existing communication channels, such as slack inform the people in charge when needed. If a vulnerability is found, the developer gets notified immediately (See Figure 2 for an detailed explanation of the process). 5

Figure 2: How the Crashtest Security Suite provides Continuous Security 6

About Crashtest Security Crashtest Security is a Munich, Germany based start-up that redefines web application vulnerability scans. As an innovator within cyber security for web applications, Crashtest Security develops automated vulnerability assessment solutions enhanced with artificial intelligence developed for the needs of the agile developer or DevSecOps. The clear vulnerability insights provide transparency and actionable insights to enable efficient risk mitigation and particularly reducing the risk of getting hacked. Find out more at www.crashtest-security.com. 1 2 3 4 5 6 https://stackoverflow.com/insights/survey/2017 https://www.owasp.org/images/e/e1/owasp- Continuous_Security_Testing.pdf https://www.sixsigmablackbelt.de/fehlerkosten-10er-regel-zehnerregel-rule- of-ten/ Survey conducted by the founders at the ICOM 2016, Internet World 2017, CeBIT 2017 www.whatsapp.com E.g. daily or weekly 7

Crashtest Security GmbH Wilhelm-Hertz-Str.14a 80805 Munich +49 (0)89 215 41 665 www.crashtest-security.com 9

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback