No Second Chances: App Shielding and the Emerging Need for DevSecOps
Published on October 9, 2018 by Alexander Goodwin
App development now happens at breakneck speeds as companies recognize the need for first-to-market applications that exceed consumer expectations for usability and performance. The root of this rapid release cycle? DevOps — the combination of development and operations teams to deliver best-in-class applications ASAP.
But more apps on the market more quickly means more chances for security issues — as noted by Bank Info Security, 60 percent of all breaches over the last two years started with known software vulnerabilities. Bottom line? DevOps is getting apps out of development, but lack of security is putting them in harm’s way. There are no second chances when it comes to first impressions; users won’t come back if applications expose personal data or become malware distribution drones.
The solution? DevSecOps: Security as a fundamental aspect of application development. Here’s what you need to know.
End of a Post-Security Era
DevOps’ biggest advantage? Speed. Its biggest drawback? Security. Consider: Recent data pegs the number of Android apps released worldwide each day at just over 6000. The result? It’s the end of the post-security era: App security can’t occur after development because there’s no lull, no opportunity for IT teams to thoroughly assess the risk of new code and make necessary changes — organizations in a mobile-first world need to push one app out the door and make room for the next.
DevSecOps emerged as a response to this shift; given the incredibly short window of time new apps must make a good impression on users and stakeholders alike, security-by-design is now imperative in app evolution. Put simply? You don’t get a second chance at a first impression.
What is DevSecOps?
While DevOps has been part of IT culture for the better part of a decade, DevSecOps is relatively new. Still, it’s gaining ground — 96 percent of organizations surveyed say producing secure code is “desirable” or “highly desirable.”
Put simply, DevSecOps is the combination of development, security and operations in the app development lifecycle. Instead of security being “tacked on” just before applications go live, DevSecOps puts it front and center with development and operations. Ideally, the addition of security to the initial stages of application design helps identify and eliminate code flaws or vulnerabilities that might otherwise be discovered by malicious actors before being fixed. While this means more time investment at the beginning of the development cycle, it reduces the risk of zero-day or open-source vulnerabilities that could force the creation of immediate hotfixes or the removal and redesign of applications from the ground up.
As noted above, the vast majority of organizations want to adopt a DevSecOps model, but just eight percent have developed best practices that enable this digital transformation. What’s the disconnect? It starts with culture. Developers and security teams may not see eye-to-eye on certain aspects of app development, and continually-evolving stakeholder expectations can make it difficult to effectively implement DevSecOps.
Start with the understanding that there’s no “finish line” here — all apps could be more secure, and no app is ever perfect. DevSecOps reduces the total number of vulnerabilities in addition to time spent identifying and eliminating these vulnerabilities after applications go live. Next, ensure that communication is front-and-center: If devs, infosec and operations pros can’t speak freely about the projects they’re working on and what they need to be successful, DevSecOps will stall out in the first few months.
Also critical? Security processes adapted to existing developer processes wherever possible. While there’s a need for developers to compromise as well, infosec leaning into the Dev side of the equation can help reduce friction and improve time-to-market. Last but not least? Implement strong monitoring controls. Just like any new initiative, metrics are key to success: You need to know where processes are working, where they need improvement and where they’ve come off the rails.
You’ve shifted focus and created a DevSecOps team. You’re prepared for the culture shift. So what does DevSecOps look like in practice?
From a basic security perspective, it’s continuous testing for zero-day, open source and known code vulnerabilities (both statically and dynamically) with each iteration of your application. Instead of attempting to round up and mitigate multiple security issues just before deployment, adopting DevSecOps provides the ability to iterate security in tandem with app function and performance evolution.
If your application will eventually run in a low trust or untrusted environment such as on a mobile device, application shielding can be incorporated into your DevSecOps process to harden apps against unwanted inspection, tampering, or reverse-engineering. If your application has unique intellectual property (IP) or accesses sensitive information, you may be at risk of being targeted by hackers — regardless of your basic security profile. By incorporating app shielding into your DevSecOps pipeline, it’s possible to harden and protect high value application that run in untrusted environments.
DevSecOps: Second Position, First Priority
Security is a late addition to DevSecOps but don’t let its position in the term fool you — security-by-design is the first priority of any DevSecOps deployment. By the linking creative, functional and defensive aspects of your app development to create a continuously-iterating and reinforcing process it’s possible to embrace the speed of app deployment without sacrificing security.