3 methods to provide security while scaling AppDev

Satyavathi Divadari Chief Cyber Security Architect, CyberRes
Sujatha Yakasiri Sr Computer Scientist - Information Security, EdgeVerve

Cloud technology continues to be embraced by companies of all types and sizes, but it remains essential to consider security. In the past couple of years, 79% of companies have experienced at least one cloud data breach, according to IDC. Even more alarmingly, it says, 43% have reported 10 or more breaches in that time.

Here are three methods that help improve security while scaling application development at hyperscale: DevSecOps for cloud, API security, and securing the software supply chain.

Implement DevSecOps for cloud

While 75% of organizations deliver changes more than once per month, according to a Micro Focus survey—an increase of 14% over the past five years—security testing lags behind. In the everything-as-code era, security testing must be continuous and automated to improve quality and performance.

The goal is to accelerate security testing to match the pace of DevOps, with flexible, secure, and developer-friendly security automation. And here, there are several things you can do.

Aim for flexible, cloud-native security integration

DevSecOps focuses heavily on automating application deployment and infrastructure operations to produce hardened, more secure, and more resilient applications. It is important to choose security tools that integrate easily into the native CI/CD pipelines of the major cloud services, such as Amazon Web Services' CodeStar, Microsoft Azure DevOps, and Google Cloud Platform DevOps. This lets organizations find security vulnerabilities early in the software lifecycle while keeping pace with high-velocity delivery.

Automate to reduce risks and improve compliance 

A wide variety of security testing can be integrated into the CI/CD pipeline as automation. This includes SAST (static application security testing), IAST (interactive application security testing), DAST (dynamic application security testing), SCA (software composition analysis), infrastructure configuration scanning, and monitoring. Manual testing can be added as needed to supplement.

Test infrastructure-as-code templates

Golden images for virtual machines and containers, together with infrastructure-as-code (IaC) templates for whole stacks, allow automated deployments and immutable infrastructure. Scanning those images and templates for insecure configuration before they are deployed finds gaps and weaknesses prior to production, which saves cost and reduces risk; a misconfiguration caught in a pull request is far cheaper than one caught in an incident.

Work on developer convenience and training

To speed up security testing and give developers immediate feedback, IDE security plug-ins and pre-commit hooks work very well: the finding appears while the developer still has the context, rather than hours later in a pipeline report. Security training for developers also raises the quality of the code they produce.
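The following is an added example, not tooling from the article's authors or from Micro Focus/CyberRes: a small pre-commit style scanner that covers both points above, testing an IaC template for insecure configuration and running at commit time so the developer sees the finding immediately. It reads CloudFormation JSON (chosen because the standard library can parse it) and applies three checks: an administrative port (SSH or RDP) open to the whole internet, a public S3 bucket ACL, and an EBS volume without encryption at rest. The template embedded in the block is constructed for illustration, and the check identifiers are this example's own.

```python
"""Pre-commit style scanner for CloudFormation JSON templates.

Added example for this article, not Micro Focus/CyberRes tooling. The template
below is constructed; the three checks are examples of configuration gaps that
should be caught before production, not an exhaustive policy.
"""
import ipaddress
import json
import sys

# Constructed sample template: one finding per check, plus a compliant bucket
# and a compliant ingress rule so the scanner has something to leave alone.
SAMPLE_TEMPLATE = json.dumps({
    "Resources": {
        "AdminSg": {
            "Type": "AWS::EC2::SecurityGroup",
            "Properties": {
                "GroupDescription": "admin access",
                "SecurityGroupIngress": [
                    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIp": "0.0.0.0/0"},
                    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "CidrIp": "10.0.0.0/8"},
                ],
            },
        },
        "PublicBucket": {"Type": "AWS::S3::Bucket", "Properties": {"AccessControl": "PublicRead"}},
        "PrivateBucket": {"Type": "AWS::S3::Bucket", "Properties": {"AccessControl": "Private"}},
        "DataVolume": {
            "Type": "AWS::EC2::Volume",
            "Properties": {"Size": 100, "AvailabilityZone": "us-east-1a"},
        },
    }
})

ADMIN_PORTS = {22, 3389}
PUBLIC_ACLS = {"PublicRead", "PublicReadWrite", "AuthenticatedRead"}


def is_world_open(cidr):
    """True if the CIDR admits every address (0.0.0.0/0 or ::/0)."""
    try:
        return ipaddress.ip_network(cidr, strict=False).prefixlen == 0
    except ValueError:
        return False


def port_range_hits(rule, ports):
    """True if the rule's FromPort..ToPort range includes any of the given ports."""
    if rule.get("IpProtocol") == "-1":  # all protocols, all ports
        return True
    lo, hi = int(rule.get("FromPort", 0)), int(rule.get("ToPort", 65535))
    return any(lo <= p <= hi for p in ports)


def scan_template(template):
    """Return a list of (logical_id, check_id, message) findings for one template."""
    findings = []
    for name, res in template.get("Resources", {}).items():
        rtype, props = res.get("Type"), res.get("Properties", {})
        if rtype == "AWS::EC2::SecurityGroup":
            for rule in props.get("SecurityGroupIngress", []):
                cidr = rule.get("CidrIp") or rule.get("CidrIpv6", "")
                if is_world_open(cidr) and port_range_hits(rule, ADMIN_PORTS):
                    findings.append((name, "SG_ADMIN_OPEN",
                                     f"admin port open to {cidr} "
                                     f"({rule.get('FromPort')}-{rule.get('ToPort')})"))
        elif rtype == "AWS::S3::Bucket":
            if props.get("AccessControl") in PUBLIC_ACLS:
                findings.append((name, "S3_PUBLIC_ACL", f"bucket ACL is {props['AccessControl']}"))
        elif rtype == "AWS::EC2::Volume":
            if props.get("Encrypted") not in (True, "true"):
                findings.append((name, "EBS_UNENCRYPTED", "volume is not encrypted at rest"))
    return findings


def sample_findings():
    """Scan the constructed sample template."""
    return scan_template(json.loads(SAMPLE_TEMPLATE))


def load_templates(paths):
    """Load the given template files; with no paths, fall back to the sample."""
    if not paths:
        return [json.loads(SAMPLE_TEMPLATE)]
    templates = []
    for path in paths:
        with open(path) as fh:
            templates.append(json.load(fh))
    return templates


def main(argv):
    """Pre-commit entry point: print every finding and exit 1 if there are any."""
    total = 0
    for tpl in load_templates(argv[1:]):
        for logical_id, check, msg in scan_template(tpl):
            print(f"[{check}] {logical_id}: {msg}")
            total += 1
    return 1 if total else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Wired into a pre-commit hook as `python scan_iac.py <changed .json templates>`, a non-zero exit blocks the commit; the same function can run again in the pipeline as a second gate. The world-open test uses the prefix length rather than string comparison so `::/0` and sloppy spellings such as `0.0.0.0/0` written as a host network are caught alike.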

Focus on API security

APIs are increasingly used to improve business processes by sharing and analyzing data across applications with speed, agility, and consistency.

But APIs also pose risks. According to the 2019 Application Security Risk Report by Micro Focus Fortify, API abuses have roughly doubled over the past four years. Some 35% of web applications analyzed and 52% of mobile applications were found to have API security problems.

Every API is an additional entry point into the application, and practitioners must secure these entry points to address the increased exposure. Here are some things to beware of, and some actions to take.

Don't make your API documentation too public

Attackers target the weakest link in distributed architectures and supplier integrations. An API can serve as the first attack vector, from which the attacker pivots to other networks, servers, workloads, applications, and APIs. When each API ships with detailed public documentation, attackers can use it to map every data source and service connected to the business applications behind mobile, SaaS, or web platforms. Limiting that exposure is worthwhile, but it is not a substitute for control: an undocumented endpoint is still discoverable from client code and traffic, so authentication and authorization must be enforced on every endpoint regardless of whether it is documented.

Watch for automated attacks on your custom APIs 

Attackers often create automated API attacks to abuse the unique business logic that organizations build into their APIs. Attackers collect data at scale and in large volumes by using the same data analytics tools that practitioners use to aggregate and correlate data to extract meaningful patterns.

Attackers can use your data to perpetrate fraud, socially engineer individuals, target users with phishing attacks, or perform brute-force attacks. Two automated attack patterns that every industry faces are credential stuffing (replaying leaked username and password pairs against a login endpoint) and scraping (bulk retrieval of records through an endpoint that exposes enumerable identifiers).
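As an added example (not code from the article or from Micro Focus/CyberRes), the following detection logic runs over API access logs and flags the two automated patterns just described. The log format, the entries, and the thresholds are all constructed for illustration: credential stuffing is modelled as one source address producing many failed logins across many distinct accounts inside a short window, which separates it from a brute-force attempt against a single account, and scraping as one source address fetching many distinct object identifiers from the same collection inside the window. The source addresses come from the RFC 5737 documentation ranges.

```python
"""Credential-stuffing and scraping detection over constructed API access logs.

Added example for this article, not Micro Focus/CyberRes code. Log format,
entries and thresholds are constructed; tune the thresholds to real traffic.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re

TS_FMT = "%Y-%m-%dT%H:%M:%SZ"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) method=(?P<method>\S+) path=(?P<path>\S+) "
    r"status=(?P<status>\d+)(?: user=(?P<user>\S+))?$"
)


def build_sample_log():
    """Constructed log: a normal user, a credential-stuffing burst and a scraper."""
    t0 = datetime(2024, 5, 1, 10, 0, 0)
    stamp = lambda s: (t0 + timedelta(seconds=s)).strftime(TS_FMT)
    lines = [
        # benign: one typo, then a successful login and a single product view
        f"{stamp(0)} ip=198.51.100.5 method=POST path=/api/login status=401 user=alice",
        f"{stamp(8)} ip=198.51.100.5 method=POST path=/api/login status=200 user=alice",
        f"{stamp(9)} ip=198.51.100.5 method=GET path=/api/products/17 status=200 user=alice",
    ]
    # 12 failed logins against 12 different accounts in 22 seconds from one source
    for i in range(12):
        lines.append(f"{stamp(2 * i)} ip=203.0.113.7 method=POST path=/api/login status=401 user=user{i:02d}")
    # 25 distinct product records pulled in 24 seconds from another source (no session)
    for i in range(25):
        lines.append(f"{stamp(i)} ip=203.0.113.9 method=GET path=/api/products/{1000 + i} status=200")
    return "\n".join(lines)


def parse_log(text):
    """Parse lines in the constructed format into event dicts; skip lines that do not match."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # a production parser would count and alert on unparseable lines
        d = m.groupdict()
        events.append({"ts": datetime.strptime(d["ts"], TS_FMT), "ip": d["ip"],
                       "method": d["method"], "path": d["path"],
                       "status": int(d["status"]), "user": d["user"]})
    return events


def burst(evs, window, min_count, keyfn, min_distinct):
    """True if some sliding window holds >= min_count events over >= min_distinct distinct keys.

    evs must be sorted by timestamp; the window is advanced with two indices so each
    event is examined once.
    """
    start = 0
    for end in range(len(evs)):
        while evs[end]["ts"] - evs[start]["ts"] > window:
            start += 1
        chunk = evs[start:end + 1]
        if len(chunk) >= min_count and len({keyfn(e) for e in chunk}) >= min_distinct:
            return True
    return False


def detect(events, window=timedelta(seconds=60), min_failures=10, min_users=8, min_objects=20):
    """Return {'credential_stuffing': set(ips), 'scraping': set(ips)} for the events."""
    by_ip = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_ip[e["ip"]].append(e)
    alerts = {"credential_stuffing": set(), "scraping": set()}
    for ip, evs in by_ip.items():
        # stuffing: many failed logins spread over many accounts from one source
        fails = [e for e in evs if e["path"] == "/api/login" and e["status"] in (401, 403)]
        if burst(fails, window, min_failures, lambda e: e["user"], min_users):
            alerts["credential_stuffing"].add(ip)
        # scraping: many distinct object ids read from one collection by one source
        reads = [e for e in evs if e["method"] == "GET"
                 and e["path"].startswith("/api/products/") and e["status"] == 200]
        if burst(reads, window, min_objects, lambda e: e["path"], min_objects):
            alerts["scraping"].add(ip)
    return alerts


if __name__ == "__main__":
    for kind, ips in detect(parse_log(build_sample_log())).items():
        print(f"{kind}: {sorted(ips) or 'none'}")
```

Keying the stuffing rule on distinct usernames is what keeps a single user's repeated typos, or an attacker hammering one account, out of this alert (the latter belongs to a separate brute-force rule). In production the source key should also consider the client fingerprint or token, since credential-stuffing tools rotate addresses through proxy pools to stay under per-IP thresholds.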

Integrate API testing into your CI/CD pipeline

A specific focus within shift-left API security practices is securing the build pipeline with a range of security-testing tools: dependency analyzers, static analyzers, dynamic analyzers, schema validators, fuzzers, and vulnerability scanners. The tooling needed varies with the artifacts moving through the pipeline, what must be built from them, and where the result must be delivered.

Perform deep testing with authentication or authorization

SAST and DAST can uncover weaknesses and exploitable conditions in your custom API code. But your business logic rarely follows well-defined patterns, so SAST and DAST signatures cannot be written for it in advance. That is why it is important to go deep when testing authentication and authorization, beyond cursory checks such as flagging weak schemes like basic and digest access authentication, which only tell you how credentials are input, passed, or stored. The deeper questions are whether every endpoint requires a valid identity, and whether each identity can reach only the objects and functions it is entitled to; those checks are specific to your API and have to be written as tests against it.
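The following is an added example (not code from the article or from Micro Focus/CyberRes or Fortify) of the kind of authorization test that can be written for a custom API and run in the CI/CD pipeline, covering both of the preceding points. It models a minimal `GET /api/orders/<id>` endpoint in two variants: a vulnerable handler that looks the order up by id alone, so any authenticated user can read any order (broken object-level authorization), and a hardened handler that enforces ownership. The test matrix runs the cursory check (is basic authentication refused?) alongside the deep ones (can one user read another's object?). The order store, the session tokens, and the handler names are constructed for the example.

```python
"""Object-level authorization tests for a custom API endpoint.

Added example for this article, not Micro Focus/CyberRes or Fortify code. The
data store, the bearer tokens and both handler variants are constructed.
"""
import base64

# Constructed data: two customers with one order each; fixed tokens stand in for sessions.
ORDERS = {101: {"owner": "alice", "total": 42.00}, 202: {"owner": "bob", "total": 17.50}}
SESSIONS = {"tok-alice": "alice", "tok-bob": "bob"}


def authenticate(headers):
    """Return the user for a valid Bearer token, else None. Basic and Digest are refused."""
    scheme, _, credential = headers.get("Authorization", "").partition(" ")
    if scheme.lower() == "bearer":
        return SESSIONS.get(credential)
    return None


def get_order_vulnerable(user, order_id):
    """Looks the order up by id only: any authenticated user can read any order."""
    order = ORDERS.get(order_id)
    return (200, order) if order else (404, None)


def get_order_hardened(user, order_id):
    """Enforces ownership; a foreign id gets 404 so the object's existence is not leaked."""
    order = ORDERS.get(order_id)
    if order is None or order["owner"] != user:
        return 404, None
    return 200, order


def handle(handler, method, path, headers):
    """Minimal router: authenticate, then dispatch GET /api/orders/<id> to the handler."""
    user = authenticate(headers)
    if user is None:
        return 401, None
    parts = path.strip("/").split("/")
    if method == "GET" and len(parts) == 3 and parts[:2] == ["api", "orders"] and parts[2].isdigit():
        return handler(user, int(parts[2]))
    return 404, None


def authz_test_matrix(handler):
    """Run cursory and deep authorization cases against a handler; return failing case names."""
    basic = "Basic " + base64.b64encode(b"alice:password").decode()
    cases = [
        # cursory: weak authentication schemes and anonymous access must be refused
        ("basic auth rejected", "/api/orders/101", {"Authorization": basic}, {401}),
        ("anonymous rejected", "/api/orders/101", {}, {401}),
        # functional: a user can read their own object
        ("own order readable", "/api/orders/101", {"Authorization": "Bearer tok-alice"}, {200}),
        # deep: horizontal access across object ids must be denied in both directions
        ("other user's order denied", "/api/orders/202", {"Authorization": "Bearer tok-alice"}, {403, 404}),
        ("other user's order denied (reverse)", "/api/orders/101", {"Authorization": "Bearer tok-bob"}, {403, 404}),
        # deep: unknown ids must not behave differently from foreign ids
        ("unknown order", "/api/orders/999", {"Authorization": "Bearer tok-alice"}, {404}),
    ]
    failures = []
    for name, path, headers, expected in cases:
        status, body = handle(handler, "GET", path, headers)
        caller = authenticate(headers)
        # the status must be allowed, and any object returned must belong to the caller
        if status not in expected or (body is not None and body["owner"] != caller):
            failures.append(name)
    return failures


if __name__ == "__main__":
    for label, handler in (("vulnerable", get_order_vulnerable), ("hardened", get_order_hardened)):
        failures = authz_test_matrix(handler)
        print(f"{label}: {'PASS' if not failures else 'FAIL ' + ', '.join(failures)}")
```

Against a real service the `handle` call becomes an HTTP request with the same headers, and the matrix is generated from the application's own roles and object ids rather than hand-written; the shape of the test, every identity against every object class in both directions, is what a generic scanner cannot derive on its own.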

Mind your software supply chain

Supply chain–related attacks grew significantly in 2021. There was a 650% increase in software supply chain attacks, aimed at exploiting weaknesses in upstream open source ecosystems, according to Sonatype's 2021 State of the Software Supply Chain report.

From the massive Equifax breach, which came through an unpatched open-source component, to the SolarWinds Orion compromise and the Apache Log4j vulnerability known as Log4Shell, these incidents are real wake-up calls to mind your supply chain security risks.

Proactively find dependencies and open-source vulnerabilities

Developers rely on open-source software to meet aggressive business demands. Enterprises should use security tools that offer transparency into the composition of their software and supply a 360-degree risk assessment of its components and libraries, reducing the unintentional insider threat that comes from developers pulling in unsafe open-source packages.

Proactively identifying and mitigating software risks before they become widely known ensures a more resilient software supply chain. Build software assessments and risk mitigation processes that include software composition analysis, SAST, and DAST.

Continuously check and respond rapidly to incidents

Threat actors will continue to seek attack vectors into software supply chains. Rapid response to a newly disclosed vulnerability in an open-source component limits exposure and preserves customer trust, and greater transparency into what the software contains is what lets consumers of that software respond faster.

Track the composition of your software artifacts throughout the supply chain by generating a software bill of materials (SBOM) that inventories every component and its version. That visibility into dependencies is what makes identification fast when a component is found vulnerable: you can answer "are we affected, and where?" from the inventory rather than by searching every build, which shortens risk evaluation and mitigation time.
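As an added example serving both the software composition analysis point above and the SBOM point here (not code from the article, Micro Focus/CyberRes, or Sonatype), the block below parses a pinned dependency lockfile, emits a minimal CycloneDX 1.4 JSON document with package URLs, and matches each component against an advisory list to report which components fall in an affected version range. The lockfile, the package names, and the advisory records are all constructed; the advisories are illustrative and do not describe real vulnerabilities. A production pipeline would pull advisories from a vulnerability database and use a full version-comparison library instead of the simplified numeric comparison used here.

```python
"""Build a CycloneDX-style SBOM from a pinned lockfile and match it against advisories.

Added example for this article, not Micro Focus/CyberRes or Sonatype tooling.
Lockfile, package names and advisories are constructed and not real.
"""
import json

# Constructed lockfile in pinned requirements form.
SAMPLE_LOCKFILE = """\
# generated by an imaginary resolver
acme-parser==1.4.2
acme-http==3.0.1
acme-crypto==0.9.0
"""

# Constructed advisories: a component is affected if introduced <= version < fixed.
SAMPLE_ADVISORIES = [
    {"id": "EXAMPLE-2021-0001", "package": "acme-parser", "introduced": "1.0.0", "fixed": "1.5.0",
     "summary": "deserialization of untrusted input (illustrative)"},
    {"id": "EXAMPLE-2021-0002", "package": "acme-http", "introduced": "2.0.0", "fixed": "3.0.0",
     "summary": "request smuggling (illustrative)"},
]


def parse_version(version):
    """Turn '1.4.2' into (1, 4, 2); non-numeric parts count as 0 so comparison stays total."""
    return tuple(int(p) if p.isdigit() else 0 for p in version.split("."))


def parse_lockfile(text):
    """Return [(name, version)] from pinned 'name==version' lines, ignoring comments."""
    pins = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "==" in line:
            name, version = (s.strip() for s in line.split("==", 1))
            pins.append((name.lower(), version))
    return pins


def build_sbom(pins, app_name="example-service", app_version="1.0.0"):
    """Build a minimal CycloneDX 1.4 document (as a dict) with a purl per component."""
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.4",
        "version": 1,
        "metadata": {"component": {"type": "application", "name": app_name, "version": app_version}},
        "components": [
            {"type": "library", "name": name, "version": ver, "purl": f"pkg:pypi/{name}@{ver}"}
            for name, ver in pins
        ],
    }


def match_advisories(sbom, advisories):
    """Return [(purl, advisory_id, fixed_version)] for each component in an affected range."""
    hits = []
    for comp in sbom["components"]:
        ver = parse_version(comp["version"])
        for adv in advisories:
            if adv["package"] != comp["name"]:
                continue
            if parse_version(adv["introduced"]) <= ver < parse_version(adv["fixed"]):
                hits.append((comp["purl"], adv["id"], adv["fixed"]))
    return hits


def sample_report():
    """Run the pipeline over the constructed lockfile and advisories."""
    sbom = build_sbom(parse_lockfile(SAMPLE_LOCKFILE))
    return sbom, match_advisories(sbom, SAMPLE_ADVISORIES)


if __name__ == "__main__":
    sbom, hits = sample_report()
    print(json.dumps(sbom, indent=2))
    for purl, adv_id, fixed in hits:
        print(f"{purl}: affected by {adv_id}, upgrade to >= {fixed}")
```

In the sample, `acme-parser 1.4.2` is reported while `acme-http 3.0.1` is not, because the half-open range `[introduced, fixed)` excludes the fixed release; getting that boundary right is the difference between a clean report and a false positive on every patched build. Emitting the SBOM as a build artifact alongside the binary is what lets the same matching be re-run later, when an advisory appears for a component that was clean at build time.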

Don't wait to be hacked

Application security continues to evolve, from shifting left to shifting everywhere, as we move further into the cloud era. Enterprises can provide business acceleration and hyper-scale transformation securely and seamlessly by integrating security into CI/CD platforms, testing API exposure through shift-left methods, and ensuring transparent visibility of the software in your supply chain.

Listen to a panel of experts talk more about this issue at the Cloud Security Alliance's on-demand webinar "Critical App Sec Capabilities that Accelerate Cloud Transformation." The panelists are Suvabrata Sinha, global CISO at NXP Technologies; Martin Knobloch, global AppSec strategist at CyberRes and a board director at the Open Web Application Security Project (OWASP); and Sujatha Yakasiri, director of research at CSA Bangalore and senior computer scientist for information security at EdgeVerve. 
