A Practical Approach to Shifting Security Left
February 23, 2021

Walter Capitani
GrammaTech

There are two important considerations when adding security to an existing DevOps pipeline. The first is security in code, which means, when code is developed, the security of the code itself should be continuously reviewed and assessed. The second is security as code, in other words, security requirements need to be part of the process from the beginning. Let's look at both of these concepts in a bit more detail.

Security in Code

Many teams start their path to security off by adopting coding guidelines or standards such as MISRA, OWASP, or the CERT guidelines, which is a great start, it improves code security from the get-go. However, just following a coding standard by itself does not necessarily avoid complex security vulnerabilities. According to a recent study by Microsoft, 70% of today's security vulnerabilities are caused by memory access errors.

Memory vulnerabilities here could be caused by a simple miscalculation, which led to a buffer-overrun-write, or a more complex path where a variable is tainted through input from the outside that is used without being sanitized. To find these problems in the code, more sophisticated analysis is needed such as dataflow analysis and abstract execution provided by advanced static application security testing (SAST) tools.

Equally important is understanding the security implications of the software components your products depend on such as open source, internal reused code and commercial software. Without this, your best efforts will be for naught if vulnerabilities exist in third-party code included in your application.

Software composition analysis (SCA) tools provide a continuous software bill of materials (SBOM) that itemizes all the software libraries in your dependencies and associated known vulnerabilities. This SBOM is established early on in development and is updated continuously as dependencies evolve both from updates and newly discovered vulnerabilities.

Security as Code

An interesting approach that has come out of DevSecOps practice is the concept of treating security in the same ways as code is; guided by requirements, which leads to implementation of security controls, then to validation through testing, and of course, documentation. It's one of the key ways to integrate security into DevOps and a good way to build security into the development culture and have software teams communicate using a familiar language.

Certainly, security implementations that end up as actual code with associated tests can be automated in the same fashion as other code. Automation tools apply here as would any tool that works with requirements, tests, documentation, etc.

Each iteration through a continuous process requires a review which includes the backlog of security issues but also important data on changes needed to security controls and requirements. This feedback into the process is a key and important part of making DevSecOps success — repeat, review and refine.

Integrating SAST and SCA to Shift Left Security

Automation is one of the main tenets of DevOps. Nothing should be dependent on manual steps as they can be easily overlooked, either by accident or by malicious intent. SCA tools can be used immediately to establish a baseline SBOM for the application. Without first understanding the vulnerabilities and risks associated with your software stack, other measures will be in vain.

It's equally important to keep this SBOM up-to-date with each iteration since the threat landscape can change over time as does the composition of the dependencies. Tools that can analyze third-party binaries even if source isn't available, can limit exposures.

SAST is used as soon as code is available in a project and automates the coding compliance and automatic detection of defects and vulnerabilities. In fact, as soon as it's been typed in by a developer — the sooner the better. SAST tools that integrate with popular IDEs can provide immediate feedback in the developer's environment, before it gets committed to the source repository.

SAST comes in all types of shapes and sizes, some focus on coding standards, some, more advanced tools, step beyond the coding standards and explore data flow, control flow and abstract execution techniques to find defects in the source code that arise from programming or logic mistakes. The latter help achieve security in code and assist in creating security as code — by covering coding standards, security control enforcement and vulnerability detection.

Continuous integration and deployment processes rely on automation to realize their promised benefits. Without efficient progress through the cycle, the continuous nature of the processes amplifies inefficiencies. All new code has vulnerabilities, the challenge teams face is to remove these as early as possible with as little effort as possible. SCA ensures the software stack is secure while SAST improves custom code security and quality early in the process and helps developers do this as easily as possible, ideally, integrated into their development environment.

Summary

SAST and SCA tools are an important part of shifting security left because they are used immediately at the early stages of a project. They are also instrumental in helping enforce security controls and coding standards required for the application meanwhile detecting new, possibly complex, security vulnerabilities as they arise. SCA tools ensure the software stack is accounted for with a software bill of materials that show both contents and existing security vulnerabilities in your software dependencies. Over time, these tools are part of the regular part of the team's workflow providing better code but critical data on general progress.

The move to integrating security into an existing DevOps pipeline starts with introducing best practices early in the development lifecycle. SCA and SAST tools are ideal for facilitating this transition. In addition, the feedback to developers and management is crucial in both improving security, and improving the DevOps process in general.

Walter Capitani is Director of Technical Product Management for GrammaTech
Share this

Industry News

December 06, 2022

The Cloud Native Computing Foundation® (CNCF®), which builds sustainable ecosystems for cloud native software, announced the graduation of Argo, which will join other graduated projects such as Kubernetes, Prometheus, and Envoy.

December 06, 2022

Wib announced API PenTesting-as-a-Service (PTaaS) designed to help organizations proactively cover the latest PCI-DSS 4.0 mandates for testing application security, APIs, and vulnerabilities in Business Logic.

December 05, 2022

Harness announced Harness Cluster Orchestrator to allow customers to optimize their Kubernetes cloud workload costs and realize up to 90% cloud cost savings with Amazon Elastic Compute Cloud (Amazon EC2) Spot instances from Amazon Web Services (AWS).

December 01, 2022

Salesforce introduced a new Automation Everywhere Bundle to accelerate end-to-end workflow orchestration, automate across any system, and embed data and AI-driven workflows anywhere.

December 01, 2022

Weaveworks announced that Flux, the original GitOps project, has graduated in the Cloud Native Computing Foundation (CNCF®).

December 01, 2022

Tigera announced enhancements to its cluster mesh capabilities for managing multi-cluster environments with Calico.

December 01, 2022

CloudBees achieved the Amazon Web Service (AWS) Service Ready Program for Amazon Elastic Compute Cloud (Amazon EC2) Spot Instances.

November 30, 2022

GitLab announced the limited availability of GitLab Dedicated, a new way to use GitLab - as a single-tenant software as a service (SaaS) solution.

November 30, 2022

Red Hat announced an expansion of its open solutions publicly available in AWS Marketplace.

November 30, 2022

Sisense announced the availability of the Sisense CI/CD Git integration module.

November 29, 2022

Codenotary announced TrueSBOM for Serverless, a self-updating Software Bill of Materials (SBOM) for applications running on AWS Lamda, Google Cloud Functions and Microsoft Azure Functions that is made possible by simply adding one line to the application source code.

November 29, 2022

Code Intelligence announced its open-source Command-Line Interface (CLI) tool, CI Fuzz CLI, now allows Java developers to easily incorporate fuzz testing into their existing JUnit setup in order to find functional bugs and security vulnerabilities at scale.

November 29, 2022

Parasoft announced the 2022.2 release of Parasoft C/C++test with support for MISRA C:2012 Amendment 3 and a draft version of MISRA C++ 202x.

November 28, 2022

Kasm Technologies announced the release of Kasm Workspaces v1.12, providing major enhancements to its portfolio of digital workspaces delivering Desktop as a Service (DaaS), Virtualized Desktop Infrastructure (VDI), Remote Browser Isolation (RBI), Open-Source Intelligence Collection (OSINT), Training/Sandboxes, and Containerized Application Streaming (CAS).

November 28, 2022

Cloud4C has achieved Amazon Web Services (AWS) DevOps Competency status.