No Second Chances: App Shielding and the Emerging Need for DevSecOps

October 9, 2018 2852 Views Gabriel Torok

App development now happens at breakneck speeds as companies recognize the need for first-to-market applications that exceed consumer expectations for usability and performance. The root of this rapid release cycle? DevOps — the combination of development and operations teams to deliver best-in-class applications ASAP.

But more apps on the market more quickly means more chances for security issues — as noted by Bank Info Security, 60 percent of all breaches over the last two years started with known software vulnerabilities. Bottom line? DevOps is getting apps out of development, but lack of security is putting them in harm’s way. There are no second chances when it comes to first impressions; users won’t come back if applications expose personal data or become malware distribution drones.

The solution? DevSecOps: Security as a fundamental aspect of application development. Here’s what you need to know.

End of a Post-Security Era

DevOps’ biggest advantage? Speed. Its biggest drawback? Security. Consider: Recent data pegs the number of Android apps released worldwide each day at just over 6000. The result? It’s the end of the post-security era: App security can’t occur after development because there’s no lull, no opportunity for IT teams to thoroughly assess the risk of new code and make necessary changes — organizations in a mobile-first world need to push one app out the door and make room for the next.

DevSecOps emerged as a response to this shift; given the incredibly short window of time new apps must make a good impression on users and stakeholders alike, security-by-design is now imperative in app evolution. Put simply? You don’t get a second chance at a first impression.

What is DevSecOps?

While DevOps has been part of IT culture for the better part of a decade, DevSecOps is relatively new. Still, it’s gaining ground — 96 percent of organizations surveyed say producing secure code is “desirable” or “highly desirable.”

Put simply, DevSecOps is the combination of development, security and operations in the app development lifecycle. Instead of security being “tacked on” just before applications go live, DevSecOps puts it front and center with development and operations. Ideally, the addition of security to the initial stages of application design helps identify and eliminate code flaws or vulnerabilities that might otherwise be discovered by malicious actors before being fixed. While this means more time investment at the beginning of the development cycle, it reduces the risk of zero-day or open-source vulnerabilities that could force the creation of immediate hotfixes or the removal and redesign of applications from the ground up.

Culture Shift

As noted above, the vast majority of organizations want to adopt a DevSecOps model, but just eight percent have developed best practices that enable this digital transformation. What’s the disconnect? It starts with culture. Developers and security teams may not see eye-to-eye on certain aspects of app development, and continually-evolving stakeholder expectations can make it difficult to effectively implement DevSecOps.

Start with the understanding that there’s no “finish line” here — all apps could be more secure, and no app is ever perfect. DevSecOps reduces the total number of vulnerabilities in addition to time spent identifying and eliminating these vulnerabilities after applications go live. Next, ensure that communication is front-and-center: If devs, infosec and operations pros can’t speak freely about the projects they’re working on and what they need to be successful, DevSecOps will stall out in the first few months.

Also critical? Security processes adapted to existing developer processes wherever possible. While there’s a need for developers to compromise as well, infosec leaning into the Dev side of the equation can help reduce friction and improve time-to-market. Last but not least? Implement strong monitoring controls. Just like any new initiative, metrics are key to success: You need to know where processes are working, where they need improvement and where they’ve come off the rails.

Effective Implementation

You’ve shifted focus and created a DevSecOps team. You’re prepared for the culture shift. So what does DevSecOps look like in practice?

From a basic security perspective, it’s continuous testing for zero-day, open source and known code vulnerabilities (both statically and dynamically) with each iteration of your application. Instead of attempting to round up and mitigate multiple security issues just before deployment, adopting DevSecOps provides the ability to iterate security in tandem with app function and performance evolution.

If your application will eventually run in a low trust or untrusted environment such as on a mobile device, application shielding can be incorporated into your DevSecOps process to harden apps against unwanted inspection, tampering, or reverse-engineering. If your application has unique intellectual property (IP) or accesses sensitive information, you may be at risk of being targeted by hackers — regardless of your basic security profile. By incorporating app shielding into your DevSecOps pipeline, it’s possible to harden and protect high value application that run in untrusted environments.

DevSecOps: Second Position, First Priority

Security is a late addition to DevSecOps but don’t let its position in the term fool you — security-by-design is the first priority of any DevSecOps deployment. By the linking creative, functional and defensive aspects of your app development to create a continuously-iterating and reinforcing process it’s possible to embrace the speed of app deployment without sacrificing security.

Latest Blog Posts

Protecting Java applications that use Jackson for JSON

JSON is a standard format for sharing objects and data within an application. When working in Java, there is no built-in support for JSON processing. There are, however, several widely-used libraries and options to choose from. In this article, we will focus on Jackson, which is one of the most popular.

AutoMapper is an object-to-object mapping system used by many of our customers. It aims to simplify and organize code responsible for sharing instance values from an object of one type to an object of a different type.

Inventa, a Wireless Technology Company, Protects their Android Application with DashO

The Beginnings of Inventa

Having worked in the wireless mobile technology domain in the US, Anand Virani, became intrigued by the growing tech and wireless trends and wanted to explore the field more for himself. He noticed a boom in the Internet of Things (IoT) and that smartphones were becoming more central to how people interacted with each other at home, in the office, and in public places. What if there was a way phones could connect with each other without the need for Internet or cloud access? Smartphones were the future and Virani was determined to make a profitable business model based on this new trend.

Surgical Theater Protects their Medical Applications with Dotfuscator

How It All Started

How is flying a fighter plane similar to performing neurosurgery? They have more in common than you’d think. In 2005, Monty Avisar and Alon Geri, two Israeli fighter pilots were assigned to work with Lockheed Martin to build a $50 million F-16 Flight Simulator program for the Israeli Air Force to improve hand-eye coordination skills for their pilots during combat. Avisar took on the role of project manager and Geri served as senior engineer; the project was a success.

Four years later in 2009, the two finished their military service in Israel and moved to Cleveland, Ohio. Their experience working in virtual reality applications inspired them to wonder where this technology could also be applied. With several connections to surgeons, the two came to understand the ins and outs of operation procedures; in a similar way, surgeons were also working on a battlefield. What if surgeons could also train like fighter pilots and preview their surgical procedure, much like a fighter pilot could pre-fly their mission? The surgeons could pre-plan the operation from every angle and every approach to increase their situational awareness. And a year later, Surgical Theater was born.

Maven is perhaps the most widely-used project management tool for Java. Based on the Project Object Model (POM), it is used not only for compilation of source code, but also dependency management, documentation, running tests, packaging, deployment, and more. We are frequently asked if we have a Maven plugin for running DashO. Though we do not offer a specific Maven plugin, adding DashO to your Maven-based project is surprisingly easy by leveraging Ant.

No Second Chances: App Shielding and the Emerging Need for DevSecOps

End of a Post-Security Era

What is DevSecOps?

Culture Shift

Effective Implementation

DevSecOps: Second Position, First Priority

Protecting Java applications that use Jackson for JSON

Protecting C# applications that use AutoMapper

Inventa, Wireless Technology Company, Protects their Android Application with DashO

Surgical Theater Protects their Medical Applications with Dotfuscator

Integrating DashO into a Maven Build

Latest Blog Posts

Protecting Java applications that use Jackson for JSON

Protecting C# applications that use AutoMapper

Inventa, Wireless Technology Company, Protects their Android Application with DashO

Surgical Theater Protects their Medical Applications with Dotfuscator

GlobalMed Finds Success by Switching to JSDefender

Twitter