No Second Chances: App Shielding and the Emerging Need for DevSecOps

October 9, 2018 2408 Views Gabriel Torok

App development now happens at breakneck speeds as companies recognize the need for first-to-market applications that exceed consumer expectations for usability and performance. The root of this rapid release cycle? DevOps — the combination of development and operations teams to deliver best-in-class applications ASAP.

But more apps on the market more quickly means more chances for security issues — as noted by Bank Info Security, 60 percent of all breaches over the last two years started with known software vulnerabilities. Bottom line? DevOps is getting apps out of development, but lack of security is putting them in harm’s way. There are no second chances when it comes to first impressions; users won’t come back if applications expose personal data or become malware distribution drones.

The solution? DevSecOps: Security as a fundamental aspect of application development. Here’s what you need to know.

End of a Post-Security Era

DevOps’ biggest advantage? Speed. Its biggest drawback? Security. Consider: Recent data pegs the number of Android apps released worldwide each day at just over 6000. The result? It’s the end of the post-security era: App security can’t occur after development because there’s no lull, no opportunity for IT teams to thoroughly assess the risk of new code and make necessary changes — organizations in a mobile-first world need to push one app out the door and make room for the next.

DevSecOps emerged as a response to this shift; given the incredibly short window of time new apps must make a good impression on users and stakeholders alike, security-by-design is now imperative in app evolution. Put simply? You don’t get a second chance at a first impression.

What is DevSecOps?

While DevOps has been part of IT culture for the better part of a decade, DevSecOps is relatively new. Still, it’s gaining ground — 96 percent of organizations surveyed say producing secure code is “desirable” or “highly desirable.”

Put simply, DevSecOps is the combination of development, security and operations in the app development lifecycle. Instead of security being “tacked on” just before applications go live, DevSecOps puts it front and center with development and operations. Ideally, the addition of security to the initial stages of application design helps identify and eliminate code flaws or vulnerabilities that might otherwise be discovered by malicious actors before being fixed. While this means more time investment at the beginning of the development cycle, it reduces the risk of zero-day or open-source vulnerabilities that could force the creation of immediate hotfixes or the removal and redesign of applications from the ground up.

Culture Shift

As noted above, the vast majority of organizations want to adopt a DevSecOps model, but just eight percent have developed best practices that enable this digital transformation. What’s the disconnect? It starts with culture. Developers and security teams may not see eye-to-eye on certain aspects of app development, and continually-evolving stakeholder expectations can make it difficult to effectively implement DevSecOps.

Start with the understanding that there’s no “finish line” here — all apps could be more secure, and no app is ever perfect. DevSecOps reduces the total number of vulnerabilities in addition to time spent identifying and eliminating these vulnerabilities after applications go live. Next, ensure that communication is front-and-center: If devs, infosec and operations pros can’t speak freely about the projects they’re working on and what they need to be successful, DevSecOps will stall out in the first few months.

Also critical? Security processes adapted to existing developer processes wherever possible. While there’s a need for developers to compromise as well, infosec leaning into the Dev side of the equation can help reduce friction and improve time-to-market. Last but not least? Implement strong monitoring controls. Just like any new initiative, metrics are key to success: You need to know where processes are working, where they need improvement and where they’ve come off the rails.

Effective Implementation

You’ve shifted focus and created a DevSecOps team. You’re prepared for the culture shift. So what does DevSecOps look like in practice?

From a basic security perspective, it’s continuous testing for zero-day, open source and known code vulnerabilities (both statically and dynamically) with each iteration of your application. Instead of attempting to round up and mitigate multiple security issues just before deployment, adopting DevSecOps provides the ability to iterate security in tandem with app function and performance evolution.

If your application will eventually run in a low trust or untrusted environment such as on a mobile device, application shielding can be incorporated into your DevSecOps process to harden apps against unwanted inspection, tampering, or reverse-engineering. If your application has unique intellectual property (IP) or accesses sensitive information, you may be at risk of being targeted by hackers — regardless of your basic security profile. By incorporating app shielding into your DevSecOps pipeline, it’s possible to harden and protect high value application that run in untrusted environments.

DevSecOps: Second Position, First Priority

Security is a late addition to DevSecOps but don’t let its position in the term fool you — security-by-design is the first priority of any DevSecOps deployment. By the linking creative, functional and defensive aspects of your app development to create a continuously-iterating and reinforcing process it’s possible to embrace the speed of app deployment without sacrificing security.

Latest Blog Posts

Protecting Utilities and Infrastructure with PreEmptive's .NET Solution, Dotfuscator

Protecting Industrial Internet Applications

Bayshore Network Case Study

Today’s utilities, factories and other infrastructure are exposed to high risk. The software that controls many of these entities is not protected. In the last 20 years, the way industrial environments operate has completely changed. Many industrial systems were designed with permissive set-ups that assume only the “right people” in the “right place” would ever give instructions. Past systems were not built with exposure to the internet in mind, and as a result they relied on this “air gap” to limit access to only authorized personnel within the organization. The rate of innovation within technology and wireless systems has outpaced the rate of development in security features. Control centers have gotten better - high tech displays and more capability, but this has led to an exposure to untrusted environments… and in many cases this threat has not been addressed.

Application security can often be viewed by development teams as a time-consuming barrier to finishing a project. In a world where "time equals money", the rush to ship functional applications can overshadow the need to ensure those applications are secure. It is true --- features are what sell software and fixing bugs retains customers and loyalty. Both actions can be directly linked to revenue and profitability. So, what effect does an investment in application security have on a company's bottom line?

The coronavirus crisis is changing human behavior. From the persistent need for social distancing to the potentially permanent adoption of work-from-home mandates, the “new normal” is uncharted territory.

But the growing priority of public health also has knock-on effects in other fields, such as credit and debit payments. While the United Stated has historically lagged behind other countries such as Canada, the United Kingdom and Australia when it comes to the adoption of contactless card transactions, the demand for physical distance now trumps the functional familiarity of swipe-and-signature or chip-and-PIN interactions.

Facilitating “no contact normalcy”, the PCI Security Standards Council (PCI SSC) includes guidance for both commercial deployments and software applications to help solve potential payment security gaps. Here’s what you need to know.

Localization is often a key ingredient when building Xamarin Forms applications with a global audience. There are different ways to approach app localization, but most of these leverage the built-in tools provided by the .NET Framework. These include RESX files to configure localized strings and an auto-generated resource class which provides strongly-typed access to the string translation at runtime. This mechanism has been available since .NET 1.1, and is used for localization of WinForm, WPF, ASP.NET, and Xamarin applications.

In the months since we released the Dotfuscator 6 beta, we’ve been hard at work finishing the feature set, fixing issues, and putting on the final touches in preparation for the full release. Now, we are happy to announce the full availability of Dotfuscator 6!

No Second Chances: App Shielding and the Emerging Need for DevSecOps

End of a Post-Security Era

What is DevSecOps?

Culture Shift

Effective Implementation

DevSecOps: Second Position, First Priority

Protecting Utilities and Infrastructure with PreEmptive's .NET Solution, Dotfuscator

Mobile Application Protection Increases Profits

No Contact Normal: Solving the Payment Security Gap

Protecting Localized Xamarin Forms Applications

Dotfuscator 6: The Next Era of Dotfuscator

Latest Blog Posts

Protecting Utilities and Infrastructure with PreEmptive's .NET Solution, Dotfuscator

Mobile Application Protection Increases Profits

No Contact Normal: Solving the Payment Security Gap

Protecting JavaScript Code: The Making of JSDefender

Protecting Localized Xamarin Forms Applications

Twitter