
Shift Left to Reduce Vulnerabilities

Written By: Scott Fanning, Senior Director, Product Management Cloud Security at CrowdStrike

Even amid the economic downturn, the spectre of cyber attacks and threats keeps growing, and attacks have been on the rise globally. Asia was the most targeted region in 2021, with 1 in 4 attacks directed at it and 60% of cybersecurity incidents borne by the financial services and manufacturing sectors. Critically, server access attacks and ransomware were the top two forms of attack last year, accounting for 20% and 11%, respectively, of all incidents.

Naturally, organisations have attributed this to Asian organisations’ ability to identify such attacks quickly before they escalate into more critical forms of attack, which brings us to the current state of defensive cyber measures. Nowadays there is a host of cyber defences which, piled on top of one another, can actually impair and slow down an organisation’s overall defences, but this can be avoided. Simple hygiene factors and a shift in paradigm could be the simple solution everyone, especially in Asia, is looking for. Enter DevOps.

Speedy delivery of applications is not the enemy of security, although it can seem that way. As businesses continue to adopt cloud services and infrastructure, forgetting to keep security top of mind is not an option — especially since the continuous integration/continuous delivery (CI/CD) pipeline represents an attractive target for threat actors.

It is not enough to only scan applications for security flaws after they are live. A shift-left approach to security should start at the exact moment that DevOps teams begin developing the application and provisioning infrastructure so that vulnerabilities can be addressed before they become bigger and more expensive to fix. This is the core tenet of DevSecOps.

By shifting security left, organizations can identify misconfigurations and other security risks before they impact users. Given the role that cloud computing plays in enabling DevOps, protecting cloud environments and workloads will only take on a larger role in defending the CI/CD pipeline, your applications and, ultimately, your customers.

So, how may DevOps teams shift left efficiently and effectively?

1. Get the security team and developers on the same page: Shift left is a cultural change. In addition to putting the proper processes and tools in place, organizations must rethink the way they operate to bring software-testing processes, tools and expertise earlier into the CI/CD pipeline. DevSecOps isn’t simply about pushing security responsibilities onto developers, but about changing roles and expectations, combined with the right tools, to achieve a balance in secure development. While this collaboration is taking place, explore opportunities for skills transfer such as security training. Developers aren’t security experts, but they have a critical role in the production of secure applications and should know the basics of secure coding and testing. As the demand for software grows, developers should consider security training tailored to their specific role and needs. Proper training and support can give you the background needed to produce code that is both functional and secure. Security should be a priority from the start — not an afterthought tacked on to the end of the software development life cycle (SDLC).

2. Automated testing for continuous delivery: Shifting left requires testing early and often. With automated code testing, developers are alerted to security issues as they are working so they can correct issues long before software goes to production. Automated tools that scan for vulnerabilities reduce the chances of human error that may occur in a manual test and expand coverage to check more of the software. The code is scanned incrementally so testers aren’t left with a lot to review at the end of the SDLC.

A shift-left strategy will involve bringing one or more tools into the CI/CD pipeline to look for known vulnerabilities and identify other issues. There are many tools to choose from — commonly used categories include Static Application Security Testing (SAST), Dynamic Application Security Testing (DAST), Interactive Application Security Testing (IAST), Secret Detection and Software Composition Analysis (SCA). You should first assess the tools you already have before deciding which new tools to bring into your processes.

3. Bring penetration testing (pentesting) into the process: While automated testing is a must-have in DevSecOps, automation alone may still leave potential issues undetected. A manual security evaluation, such as a penetration test, checks the security of an application by simulating cyberattacks against it. This additional testing minimizes the risk and may catch issues that an automated test wouldn’t. Before you commit to production, bring in a security engineer to review the software and conduct a penetration test to ensure all potential issues are mitigated. It’s better to cover all your bases and do the extra testing than learn about a vulnerability after an attacker exploits it.

4. Keep software up to date: Working with up-to-date software is a core tenet of cybersecurity. Developers must be careful to keep all their software — operating system, application framework and third-party libraries — updated to the latest versions to ensure all security patches are current. Whether they come from a vendor or the open source community, downloading software updates is among the most important steps you can take toward stronger application security.
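As an added example (not code from the article or from CrowdStrike), here is a minimal pipeline gate of the kind points 2 and 4 describe: a secret-detection pass over only the lines a change adds, plus an SCA-style check of pinned dependency versions against an advisory list, so a developer is alerted at commit time rather than after release. The diff, package names, credential strings and advisory range are all constructed for illustration.

```python
import re

# Patterns for two common credential shapes (constructed for this example, not a vendor ruleset).
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "credential_assignment": re.compile(
        r"(?i)\b(password|secret|api[_-]?key)\s*[:=]\s*['\"][^'\"]{8,}['\"]"),
}

def find_secrets(diff_text):
    """Scan only the lines a change adds; return (line_no, pattern_name) per hit."""
    hits = []
    for n, line in enumerate(diff_text.splitlines(), 1):
        if not line.startswith("+") or line.startswith("+++"):
            continue  # skip removed/context lines and the '+++ file' header
        for name, pat in SECRET_PATTERNS.items():
            if pat.search(line):
                hits.append((n, name))
    return hits

def parse_version(v):
    """'1.4.2' -> (1, 4, 2) so versions compare numerically, not as strings."""
    return tuple(int(p) for p in v.split("."))

def find_vulnerable(lockfile_text, advisories):
    """SCA check over 'name==x.y.z' pins; advisories maps name -> (first_affected, fixed_in)."""
    findings = []
    for line in lockfile_text.splitlines():
        m = re.match(r"^\s*([A-Za-z0-9_.-]+)==(\d+(?:\.\d+)*)\s*$", line)
        if not m or m.group(1).lower() not in advisories:
            continue
        name, ver = m.group(1).lower(), m.group(2)
        first_affected, fixed_in = advisories[name]
        if parse_version(first_affected) <= parse_version(ver) < parse_version(fixed_in):
            findings.append((name, ver, fixed_in))
    return findings

def gate(diff_text, lockfile_text, advisories):
    """Pipeline gate: True means the change may proceed, False means block and alert."""
    return not find_secrets(diff_text) and not find_vulnerable(lockfile_text, advisories)

# Constructed sample inputs: fake credentials, fake package names, fake advisory range.
SAMPLE_DIFF = """\
+++ b/app/config.py
+DB_URL = "postgres://app@db/app"
+api_key = "sk_test_0123456789abcdef"
+AWS_KEY = "AKIAABCDEFGHIJKLMNOP"
"""
SAMPLE_LOCK = "examplelib==1.4.2\notherlib==3.1.0\n"
SAMPLE_ADVISORIES = {"examplelib": ("1.0.0", "1.5.0")}
```

Running `gate(SAMPLE_DIFF, SAMPLE_LOCK, SAMPLE_ADVISORIES)` returns False because two added lines match credential patterns and `examplelib` is pinned inside the affected range; bumping the pin to 1.5.0 and removing the hard-coded keys lets the change through.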

When it comes to software security, there is no silver bullet to ensure your code is secure and stays secure. By adopting these practices, you can increase the likelihood that software flaws are found and patched before code is deployed.

CSA Editorial

Launched in Jan 2018, in partnership with Cyber Security Malaysia (an agency under MOSTI). CSA is a news and content platform focusing on key issues in cybersecurity in the region. CSA is targeted to serve the needs of cybersecurity professionals, IT professionals, Risk professionals and C-Levels who have an obligation to understand the impact of cyber threats.
