Mar 9, 2021

Putting the Sec in DevSecOps

By Meaghan McBee

Whether a seasoned professional or a fresh computer science grad, every developer has his or her stressful moments of trying to dig through scanning results to mitigate or remediate a vulnerability. Since you work at the speed of “I need this yesterday,” it’s a hassle to slow down and fix flaws or even stop to rewrite code entirely.

Effective application security (AppSec) today is about running the essential security tests as you write code. When AppSec is embedded in the development process, you can assess security on every code commit and get fast, actionable results that make your job of writing more secure code much easier.

DevSecOps meets security

With a cyberattack happening every 39 seconds, and 76 percent of applications having at least one security flaw on first scan, AppSec is now a must-have for every organization building the apps that power the world. This is even more critical as organizations undergo technology shifts and must expand their digital footprint to keep up with the competition.

Security testing early in development makes you more efficient as a developer because it improves the quality of your code from the start, meaning you’re not bogged down by bugs and dangerous vulnerabilities later on. It cuts down on risk, saving valuable time that you can then use to create more innovative applications.

With security testing built into your existing workflows, you take on the critical role of improving the security and quality of your code as you develop apps. Once you integrate security into your coding process to find and fix flaws faster, your team is on the path to an effective DevSecOps engine that produces higher quality code.

Securing the future: Integrating security into development

If security is now an essential element of your job as a developer, then security testing needs to be automated and integrated for maximum efficiency, and you need the right tools to keep up with the ever-evolving threat landscape. It isn’t enough to simply check boxes once scans are complete. If you want to be set up for success in the future, you and your team need:

  • Good developer training tools like Veracode Security Labs, which offers real-world education you can use while coding. When security training is decentralized and you’re empowered to make decisions that affect the health of your code, your know-how needs to be top-notch. By studying common vulnerabilities with hands-on learning and understanding which flaws are more prevalent in certain languages, you’re better prepared when you sit down to write software. For example, we know from State of Software Security v11 (SOSS) that information leakage, CRLF injection, cryptographic bugs, and code quality issues are the most common flaws found, and they affect popular languages like .NET, Java, PHP, and Python. Learn which flaws cause problems in the languages you use and you’ll be better prepared to write code that prevents them.
  • Efficient communication and collaboration with security through training on existing DevOps processes, by learning workflows of security team members, and by ensuring that both teams are operating with the same goals in mind. You should also consider starting or joining a Security Champions program at your organization and become the go-to developer or developer manager for bridging the gap between security and development. In turn, these efforts will help others on your team internalize just how critical security measures are and will even accelerate the delivery of secure code.
  • Coverage for the entire codebase, including third-party code that developers rely on to speed up the coding process. While open source code is often vital to improving the speed of production, neglecting it leaves a big chunk of your codebase exposed to threat actors. We know that 70 percent of applications have a security flaw in an open source library on first scan, and dangerous cross-site scripting is the most common as it’s found in 30 percent of libraries. Interconnected dependencies are often the problem; 47 percent of flawed libraries are transitive, meaning they’re simply along for the ride. By staying on top of your open source code with scanning tools like Software Composition Analysis and reviewing library version updates, you’ll have an easier time discovering, tracking, and remediating flaws in open source code.
  • Automation wherever possible to speed up the development process with integrated, fast scanning and clear feedback. In a recent ESG survey, nearly half (40 percent) of respondents said they believe development managers or individual developers are responsible for AppSec testing. Automation is critical: it not only helps scale security efforts, but also makes security policies repeatable and lets you set benchmarks to gauge progress in flaw remediation. Integrations from Veracode plug into your existing development pipeline, security, and risk-tracking systems, so your workflow isn’t disrupted when it’s time to run a scan. Solutions that scan right in the IDE and pipeline, looking for flaws while you’re coding and highlighting them with clear feedback, help you learn as you work. That means you’re sharpening skills in real time and applying them directly to your code for a greater impact on your organization’s security.
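The point about transitive libraries in the third item above ("simply along for the ride") is easier to see on a dependency graph. The following is an added example, not code from the original post or from Veracode: it walks a small constructed lockfile graph, separates direct from transitive dependencies, and reports which path pulls in a library whose pinned version appears on a constructed advisory list. All package names, versions and advisory entries are made-up placeholders, and the graph-walk is a plain breadth-first search rather than any particular SCA tool's logic.

```python
"""Added example (not from the original post): classify lockfile dependencies
as direct or transitive and show which path pulls in a flagged version.
All package names, versions and advisories below are constructed sample data."""

from collections import deque

# Constructed sample dependency graph: package -> packages it depends on.
# The application's own top-level requirements are the edges out of "app".
SAMPLE_GRAPH = {
    "app": ["webframework", "httpclient"],
    "webframework": ["templating", "utils"],
    "httpclient": ["utils", "tlswrapper"],
    "templating": ["markup-lib"],
    "utils": [],
    "tlswrapper": [],
    "markup-lib": [],
}

# Constructed sample pins, as a lockfile would record them.
SAMPLE_VERSIONS = {
    "webframework": "2.4.1",
    "httpclient": "1.0.3",
    "templating": "3.1.0",
    "utils": "1.2.0",
    "tlswrapper": "0.5.2",
    "markup-lib": "0.9.0",
}

# Constructed sample advisory list: (package, affected version).
# Placeholder entries only; they do not refer to real packages or CVEs.
SAMPLE_ADVISORIES = {("markup-lib", "0.9.0"), ("utils", "1.2.0")}


def classify(graph, root="app"):
    """Breadth-first walk from the root requirement set.

    Returns (direct, transitive, paths): direct dependencies are the root's
    own edges, transitive ones are everything else reachable, and paths maps
    each package to the shortest requirement chain that pulls it in.
    """
    direct = set(graph.get(root, []))
    paths = {root: [root]}
    queue = deque([root])
    while queue:
        node = queue.popleft()
        for dep in graph.get(node, []):
            if dep not in paths:          # first (shortest) path wins in BFS
                paths[dep] = paths[node] + [dep]
                queue.append(dep)
    transitive = set(paths) - direct - {root}
    return direct, transitive, paths


def flagged(graph, versions, advisories, root="app"):
    """Match pinned versions against the advisory list and annotate each hit
    with whether it is direct or transitive and the chain that introduced it."""
    direct, _transitive, paths = classify(graph, root)
    hits = []
    for pkg, ver in versions.items():
        if (pkg, ver) in advisories and pkg in paths:
            hits.append({
                "package": pkg,
                "version": ver,
                "kind": "direct" if pkg in direct else "transitive",
                "path": " -> ".join(paths[pkg]),
            })
    return sorted(hits, key=lambda h: h["package"])


def missed_by_direct_only_scan(graph, versions, advisories, root="app"):
    """Hits a scan limited to top-level requirements would never see."""
    return [h for h in flagged(graph, versions, advisories, root)
            if h["kind"] == "transitive"]


if __name__ == "__main__":
    for hit in flagged(SAMPLE_GRAPH, SAMPLE_VERSIONS, SAMPLE_ADVISORIES):
        print(f"{hit['package']} {hit['version']} ({hit['kind']}): {hit['path']}")
    missed = missed_by_direct_only_scan(SAMPLE_GRAPH, SAMPLE_VERSIONS, SAMPLE_ADVISORIES)
    print(f"{len(missed)} flagged libraries are transitive only")
```

In the sample, both flagged pins are reachable only through other libraries, so a check that looks at top-level requirements alone reports nothing; the requirement chain in each hit is what tells you which direct dependency to upgrade or replace to drop the affected version.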

With these efforts and solutions working in tandem to meet the security needs of your software development process, AppSec is working for you—not against you.

Putting DevSecOps to work

To learn more about common application risks, read the full SOSS v11 report here.

Meaghan McBee is a Senior Content Marketing Manager at Veracode, responsible for creating content around best practices in application security and the current state of DevSecOps.