CNN recently estimated that in the first six months of 2018, the cryptocurrency market lost approximately $731 million to hackers and theft. One of the most famous software breaches—which caused major panic in the market—involved Cointhumb, a cryptocurrency exchange with more than 1 million users. In this breach, hackers stole around $32 million from customers’ wallets. In their official statement, Cointhumb explained that a vulnerability in the wallet application, created by new code introduced only a couple of weeks prior to the hack, granted easy access to sensitive information such as customers’ tokens and keys. The attackers used this to access cryptocurrency addresses and transfer the money out of them.
Another big hack, which led to a $20 million theft, was caused by a missing firewall configuration. In this case, several cryptocurrency vendors generated a “local” instance of the Ethereum blockchain using geth and forgot to block outside access to the node, allowing hackers to simply connect to it and transfer the coins out.
Cryptocurrency is one of today’s hottest buzzwords, but it’s not the only software industry exposed to hackers, theft, and security weaknesses. Almost every website and application—mobile and desktop—is in danger. Cyber theft, ethical hacking, ransomware, and denial of service software are only some of the threats software needs to protect against. During the last ten years, security awareness has risen—and many different agendas, methodologies, and tools have been created to tighten security for the software world. One of these methodologies is DevSecOps.
DevSecOps: The New Hero in Town
For many years, security wasn’t part of the development and release process. In the early 2000s, neither small nor enterprise organizations executed any protection validation, as they didn’t understand the added value or the potential risk. Over the years, however, as valuable information became more computerized—and protecting it became both more crucial and more difficult—the security agenda was positioned at the center of the software development and production process. In some cases, however, security still does not get the appropriate attention.
Today, many security activities are executed outside the development lifecycle, sometimes only once before a version release. Raising security awareness, feature security review, security testing, and other security activities do not hold enough weight in the release-to-production approval process. This often results in late code and infrastructure adjustments which lead to changes in schedule, postponing release dates, and failing to meet organization goals. The DevSecOps methodology can solve these problems and more. As explained in CSO, “DevSecOps is about introducing security earlier in the life cycle of application development, thus minimizing vulnerabilities and bringing security closer to IT and business objectives.”
Integrating security into the agile lifecycle by running static code analysis on every commit, executing automatic security tests as part of the CI/CD process, and various other methods, helps R&D teams improve multiple aspects of their applications. For example, code is more secure as it’s being written, the application is continuously validated for common security threats, and possible breach points are detected as part of the application deployment.
Production monitoring is also part of the DevSecOps agenda. Monitoring plans and methods are constantly built, executed, tested, and refined on test environments, allowing early detection of network misconfigurations and the updating of security principles and metrics to fit new hazards and risks.
With DevSecOps, security officers are constantly aware of application protection and can calmly and confidently approve a specific build for release. Most importantly, the security awareness of the organization as a whole increases, and more attention and budget are directed toward the goal of achieving a secure production environment.
Top DevSecOps Tools
Fusing security into the R&D lifecycle might sound simple, but it requires integrating with many tools in the development ecosystem, involving new personas in the CI and CD processes, and creating visibility for new types of information, metrics, and KPIs. Still, there are numerous products that can help make integration and visibility easier, improving the efficiency of the DevSecOps process. The seven tools listed below are the top in the market right now, based on ability to integrate with R&D and DevOps workflows, added value to the DevOps process, and popularity among users.
Continuum Security helps manage and test the security of products. It consists of two modules: IriusRisk and BDD Security. IriusRisk allows R&D teams to create a threat model, break it down into security requirements, and manage the security risks throughout the SDLC. BDD Security addresses security quality needs, providing an open-source test framework solution that allows users to test functional and non-functional security scenarios written in BDD language. It also offers out-of-the-box reporting and easy embedding into the continuous integration process. Continuum Security offers three pricing models: community, SaaS-hosted, and on-premises.
ThreatModeler is a standalone tool with a rich API that provides two-way integrations to almost all tools in the CI/CD toolchain. This means that all of the ThreatModeler modules can benefit from the information created by all stakeholders. ThreatModeler also supplies a set of dashboards which allow everyone to influence application security. ThreatModeler’s Intelligent Threat Engine utilizes functional information from an application’s components to automatically identify each component’s security threats. It does this while gathering associated security requirements, test cases, and code review guidelines—and it identifies problematic code to provide the information needed to build a protection plan. The Automated Threat Intelligence Framework helps keep users up-to-date on the latest real-life security threats with an automatically generated threat tree that provides a hierarchical view of all threats and their relation to the underlying attributes of the application. ThreatModeler offers a 10-day free trial and specific pricing options for every module and company size.
Checkmarx is a large organization offering solutions for developers and DevOps engineers that incorporate security code analysis and testing into the development process. The company’s AppSec Accelerator, the first tool used in the development process, is an application security managed service that helps development teams work with a more secure SDLC process. It combines SAST and DAST to achieve high security coverage of the code; automatically identifies the application’s security requirements, policies, and compliance; and conducts a full installation and service setup. In a few simple steps, developers can use AppSec Accelerator to enable code security scans and get results as part of the development process. CxIAST is the second part of the solution, filling the security gap created in continuous development. CxIAST monitors the application’s behavior and detects vulnerabilities that can only be found in a running application. It can be easily integrated with any CI/CD tool or environment, and can extend almost every testing framework to supply security insights on top of specific test results.
IMMUNIO is a tool that operates a bit differently. Rather than continuously scanning the application code and testing the application with a black-box approach, it deploys an agent inside the application and focuses on possible exploitations. IMMUNIO reports only exploitable vulnerabilities, reducing friction in the development lifecycle. Using the same agent, it hooks into the application framework at key points and automatically prevents attacks, protecting the application at runtime. It also monitors the application, providing real-time views of actual attacks and the attackers performing them, as well as detailed diagnostics about the attack types and sources, attempted exploits, and targeted vulnerabilities. IMMUNIO breaks down its pricing into protection and analysis packages, allowing organizations of different sizes to choose the package they want to use.
Aqua Security is a security platform that specializes in containerized applications and their infrastructure. While other tools focus on the application code and testing the application, Aqua Security secures the application’s images, network, access, and orchestrators. It scans Docker images for vulnerabilities, secrets, and malware, and ensures deployed images are protected at runtime. Other features include integrating with Kubernetes, securing the cluster from the lowest network level, visualizing network connections, mapping legitimate connections, and automatically creating firewall rules based on the Kubernetes clusters and deployments. Further, Aqua Security controls scaling rules and prevents running unapproved images based on predefined policies. It also helps secure the network by discovering and visualizing the containers’ topology, which is constantly updated based on actual activity. This allows users to group containers into services and establish communication rules within and between these services. Lastly, Aqua Security supplies a firewall to determine whether images were compromised and to block unauthorized network connections to the containers.
Gauntlt is an open-source command-line testing framework that combines several security tools, allowing users to create tests and suites that can be easily added to the deploy and testing processes. It enables users to create and execute tests from different tools (curl, sslyze, heartbleed, and more) to attack and penetrate the application. It also uses BDD syntax to make tests readable and structured, which helps improve collaboration between the teams building the application.
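To show what such a BDD-style check looks like in a pipeline, here is an added example of a Gauntlt attack file that wraps curl to assert a deployed instance sends the security headers the team expects; it is not code from the original article or from the Gauntlt project, and the URL https://app.example.com/ is a placeholder.

```gherkin
# Added example, not part of the original article or the Gauntlt project.
# Fails the deploy stage if a deployed instance is missing the expected
# HTTP security headers. The URL in the profile is a placeholder.
Feature: Verify security headers on the deployed application

  Background:
    Given "curl" is installed
    And the following profile:
      | name | value                    |
      | url  | https://app.example.com/ |

  Scenario: Responses carry HSTS and clickjacking protection
    # -D - writes response headers to stdout; -o /dev/null discards the body
    When I launch a "curl" attack with:
      """
      curl -sS -D - -o /dev/null <url>
      """
    Then the output should match /(?i)strict-transport-security:\s*max-age=\d+/
    And the output should match /(?i)x-frame-options:\s*(DENY|SAMEORIGIN)/
    And the output should not contain "HTTP/1.1 500"

  Scenario: Server header does not leak a software version
    When I launch a "curl" attack with:
      """
      curl -sS -D - -o /dev/null <url>
      """
    Then the output should not match /(?i)^server:.*\d+\.\d+/
```

Run it with `gauntlt security-headers.attack` from the CI job that follows the deployment step; a non-zero exit code blocks promotion of the build.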
CA Veracode is one of the most extensive security tools built specifically to serve the DevSecOps community, allowing users to build and deliver secure applications. CA Veracode has five modules that cover most needs of security officers and application developers:
- Static Analysis: studies the code during the build and forms a list of potential security risks, with remediation advice per risk
- Greenlight: checks the code for possible security flaws
- Software Composition Analysis: helps developers build an inventory of the open-source components in use and identifies the known vulnerabilities in that open-source code
- Dynamic Analysis Security Testing: scans and assesses the binaries of third-party providers
- Web Application Scanning: executes a dynamic security analysis to find and fix flaws in a deployed instance of the application
Improving the Bottom Line
Security is, and should be, one of the main concerns of any software organization in the years to come. DevSecOps helps all stakeholders stay on top of an application’s security and protection status, as well as confidently approve or deny a new release for production. There are different tools that can assist with implementing security in the continuous development process, but the right attitude and culture change (if necessary) must come from the teams themselves. Also, management must budget for and legitimize security activities. Once implemented correctly, DevSecOps can significantly improve the efficiency, quality, and of course, security of the software as a whole, allowing organizations to release new content to production quickly and efficiently.