Secure software development or DevSecOps
With my most recent assignment, I have had the opportunity to work on various application security-related topics during the past few weeks. If you wish to work in application security, have a look at these tips.
What is the need for a company to have an application security engineering team? I have been working with many startup companies, delivering products as fast as possible. Therefore, I believe:
It's a known fact that creating a software product is a difficult task. In startup culture, developers have to create and change apps quickly to keep up with changing markets and delivery schedules. Priority is therefore given to delivering business-critical functions with good quality and user experience, while security measures are left behind. Because of this, applications end up with a growing pile of security issues that need to be addressed later.
As companies grow, they move away from the startup culture and establish dedicated functions for smooth product delivery. Forming an application security team at that point gives developers someone to work with on implementing automated application security platforms and provides guidance to development teams. This helps secure the business quickly, gives your team a better workflow for security measures, and keeps the business compliant with security regulations.
There are two kinds of companies, well-structured and start-up, so the approach to secure development may differ.
Secure Software Development:
Outline security requirements at the beginning of the project, review the design to check that the requirements have been incorporated, and perform security testing before go-live. This is mainly followed through the secure software development life cycle.
If you were working in the industry more than 8–10 years ago, this should be familiar, because many companies managed their projects using the waterfall method, where predefined “security gates” have to be cleared before the initiative can move forward. At certain checkpoints, the decision can be made not to proceed further, accepting the sunk costs.
Secure software development is a set of practices and processes that are followed during the software development life cycle (SDLC) to ensure that the software is secure. These practices include secure coding practices, code reviews, security testing, and vulnerability management.
DevSecOps:
Embedding security into agile development is well established now, and there is more than one way of doing it. When discussing security in start-ups and other companies that adopt agile approaches, a lot of the focus is on automating security tests, educating developers on secure software development, and integrating security practices into the development and operations (DevOps) process.
Although these initiatives have their merits, it’s not the whole story. Security specialists need to have the bigger picture in mind and work with product teams to not only prevent vulnerabilities in code, but influence the overall product strategy, striving toward security.
DevSecOps, on the other hand, is a methodology that integrates security practices into the development and operations (DevOps) process. It aims to shift security left, so that security is considered at every stage of the SDLC, rather than being an afterthought. This includes integrating security tools and practices into the CI/CD pipeline, automating security testing, and involving security teams in the development process.
In summary, secure software development focuses on ensuring the security of the software during the development process, while DevSecOps aims to integrate security into the entire development and operations process.
Here are some best practices for securing the software development life cycle (SDLC):
- Implement secure coding practices: Train developers on secure coding practices and provide them with resources and tools to help them write secure code.
- Conduct code reviews: Regularly review code for vulnerabilities and security issues. This can be done through manual code reviews, static code analysis, or both.
- Perform security testing: Regularly test the security of the software, including testing for vulnerabilities such as cross-site scripting (XSS) and SQL injection.
- Implement a vulnerability management process: Establish a process for managing and mitigating vulnerabilities that are discovered in the software.
- Use secure development environments: Set up secure development environments that are isolated from production environments to prevent the accidental exposure of sensitive data.
- Use version control: Use version control to track changes to the codebase and to make it easier to roll back to a previous version if needed.
- Implement continuous integration and continuous delivery: Use continuous integration and continuous delivery (CI/CD) practices to automate the build, test, and deployment process, and to reduce the risk of human error.
By following these best practices, you can improve the security of the software development life cycle and reduce the risk of vulnerabilities in your software. It is also important to regularly review and update these practices to ensure that they are effective.
Here are some best practices for implementing DevSecOps:
- Integrate security into the CI/CD pipeline: Automate security testing and integrate security tools into the CI/CD pipeline to catch vulnerabilities early in the development process.
- Use automation: Automate security tasks, such as vulnerability scanning and penetration testing, to reduce the risk of human error and to speed up the testing process.
- Use containerization and orchestration: Use containerization and orchestration technologies, such as Docker and Kubernetes, to manage and deploy applications in a consistent and secure manner.
- Implement security testing at all stages: Perform security testing at all stages of the development process, including testing for vulnerabilities such as cross-site scripting (XSS) and SQL injection.
- Use secure coding practices: Train developers on secure coding practices and provide them with resources and tools to help them write secure code.
- Involve security teams early: Involve security teams early in the development process to ensure that security is considered at every stage.
- Use security tools: Use security tools, such as static code analysis and runtime application self-protection (RASP), to help identify and mitigate vulnerabilities.
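As an added illustration of the pipeline integration and vulnerability management items above (not code from the original post), the following gate reads a scanner report and decides whether the build should fail. It assumes the scanner emits SARIF 2.1.0; the tool name, rule IDs, file paths and the waiver table are constructed for the example.

```python
import json
from datetime import date

# Constructed SARIF 2.1.0 report standing in for a static-analysis tool's output.
SAMPLE_SARIF = json.dumps({"version": "2.1.0", "runs": [{
    "tool": {"driver": {"name": "example-sast"}},
    "results": [
        {"ruleId": "sql-injection", "level": "error",
         "locations": [{"physicalLocation": {
             "artifactLocation": {"uri": "app/db.py"}, "region": {"startLine": 42}}}]},
        {"ruleId": "reflected-xss", "level": "error",
         "locations": [{"physicalLocation": {
             "artifactLocation": {"uri": "app/views.py"}, "region": {"startLine": 17}}}]},
        {"ruleId": "todo-comment", "level": "note",
         "locations": [{"physicalLocation": {
             "artifactLocation": {"uri": "app/util.py"}, "region": {"startLine": 3}}}]},
    ]}]})

RANK = {"none": 0, "note": 1, "warning": 2, "error": 3}

def blocking_findings(sarif_text, waivers, fail_at="error", today=None):
    """Return (tool, rule, file, line) for findings that should fail the build.
    waivers maps (ruleId, file) to an expiry date; expired waivers stop applying."""
    today = today or date.today()
    blocked = []
    for run in json.loads(sarif_text).get("runs", []):
        tool = run.get("tool", {}).get("driver", {}).get("name", "unknown")
        for res in run.get("results", []):
            # Simplification: a result with no level is treated as "warning";
            # an unrecognised level ranks as "error" so the gate fails closed.
            if RANK.get(res.get("level", "warning"), 3) < RANK[fail_at]:
                continue
            phys = (res.get("locations") or [{}])[0].get("physicalLocation", {})
            uri = phys.get("artifactLocation", {}).get("uri", "?")
            line = phys.get("region", {}).get("startLine", 0)
            rule = res.get("ruleId", "?")
            expiry = waivers.get((rule, uri))
            if expiry is not None and expiry >= today:
                continue  # accepted risk, waiver still valid
            blocked.append((tool, rule, uri, line))
    return blocked

if __name__ == "__main__":
    waivers = {("reflected-xss", "app/views.py"): date(2099, 1, 1)}
    found = blocking_findings(SAMPLE_SARIF, waivers)
    for finding in found:
        print("BLOCKING %s: %s at %s:%d" % finding)
    raise SystemExit(1 if found else 0)  # non-zero exit fails the CI job
```

Giving every waiver an expiry date means an accepted risk returns to the blocking list on its own, so the vulnerability backlog gets re-reviewed instead of growing silently.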
The diagram below illustrates a simplified software development lifecycle to show where security-enhancing practices, input and tests are useful.
Conclusion:
In this new digital world, every company is now a tech company, because most legacy companies are moving toward digitalization. Whether it's off-the-shelf software or custom-made, companies use applications to increase the efficiency of their processes. Because of this, investing in tech-related initiatives is a crucial step in a business's success. It therefore does not matter whether you use an SSDLC or a DevSecOps approach; what matters is how secure you are. You need to make a wise decision that keeps your business secure and compliant with security standards while managing your budget as well (some companies need military-level security while others need only basic-level security).
To discuss the interview process and its outcome a little further: I am not going to expose the areas that we focused on with candidates, but most of the candidates focused on limited areas of application security, such as penetration testing and the post-deployment process, and not on the application design phase or its life cycle iterations, which is where most applicants failed.
As an application security engineer, you need to focus on the following areas:
- Threat modeling: Identifying and mitigating potential threats to the application. This includes identifying vulnerabilities and understanding how attackers might exploit them.
- Vulnerability management: Managing and mitigating vulnerabilities in the application. This includes identifying, prioritizing, and fixing vulnerabilities.
- Secure coding practices: Ensuring that the application is developed using secure coding practices. This includes training developers on secure coding practices and providing them with resources and tools to help them write secure code.
- Security testing: Testing the application for vulnerabilities, such as cross-site scripting (XSS) and SQL injection. This includes both manual testing and the use of automated tools.
- Compliance: Ensuring that the application meets relevant security standards and regulations, such as PDPA, PCI DSS and HIPAA.
- Incident response: Developing and implementing a plan to respond to security incidents, such as data breaches and cyber attacks.
Application security engineers may also be responsible for implementing security controls and safeguards, such as firewalls and access controls, to protect the application and the data it handles.
Fun fact: nothing is secure on the Internet; we are just trying to mitigate the threat to a greater extent than before.