Principles of secure testing and how to do it
Security testing is no longer under sole ownership of the security team. New tools have made it easy to bring testing into the DevOps model, where developers can review and test code as they build out the app or software. However, developers aren’t always on board with conducting security tests themselves: Nearly half of security professionals surveyed in GitLab’s 2019 Global Developer Report (49%) said they struggle to get developers to make remediation of vulnerabilities a priority. Like the developers and operations professionals, 50% of security teams surveyed also believe testing is what most slows down development. AppDev leaders can improve their teams' security practices by building team buy-in and adopting tools that make it easy for developers to follow the five principles outlined below.
Security should be with you every step of the way
We’ve reached a day and age where security can’t be an afterthought or bolt-on activity: Everyone is responsible for ensuring their work does not put the customer or business at risk. Security isn't just a box to check either, it’s a way of operating that should stay with you through development, deployment, and updates. Developers can adopt security as their own by following these five principles:
1. Evangelize your security efforts
While developers are taking more responsibility for security, an overall question of ownership still remains. Everyone should be responsible for security, but all too often that “everyone” comes to mean “no one”. Dev team leaders should advocate for security and the proper time to address it. Without the proper advocacy, resources won't be allocated and security can become high- risk technical debt. By shifting security left in the software development process, developers can allocate resources early on while they are still plentiful. Make it easy for your developers to adopt strong security practices by creating team-wide guidelines, educating developers on best practices and common challenges, and standardizing your expectations through both team and individual security metrics.
2. Test early, test often
DevSecOps is an important next step in your DevOps initiatives. Security teams are three times as likely to discover bugs before code is merged, so test as you code and begin fixing vulnerabilities as early as possible. By incorporating tools that help with dependency scanning, dynamic application security testing (DAST), and static application security testing (SAST), developers can get feedback as code is written and committed. These tools can give developers information about the security of their code early in the development process, making it faster and cheaper to remediate compared to making fixes later on. In a mature DevOps model, teams are 90% more likely to test between 91% and 100% of all code than organizations with early-stage DevOps. Testing should continue throughout the DevOps lifecycle, so that developers are able to change code before it’s integrated into the broader codebase. Frequent testing will ultimately take less time and fewer resources, speed time to deployment, and reduce friction between IT and security.
3. Always verify your changes with a second set of eyes
Writing and updating code should always be a joint effort. A second set of eyes will spot potential issues that the author wasn’t able to see, and will reduce the risk of deploying code that still has vulnerabilities. A randomized buddy system comes in handy here, to ensure that code reviews aren’t being handed to the same person time after time, and allows different team members to look at work that may be different from their own activities. Don't be afraid to use tooling to help implement code reveiws and approvals. Configure your tooling to require approvers within your merge request process. Culture is an important element when it comes to code review: Your team of developers must care about the integrity of the product or project as a whole, and not just the speed or quality of their own code development.
4. Keep a master log of every code deployment, dependency, and update
Transparency is key to ensuring quality code. Creating a complete history of your code will be helpful in reviews and incident response, and allows the security team or developers to identify exactly when and where a vulnerability occurred. Teams should also minimize any manual build or deployment processes to ensure that their applications have full traceability and logging. With a majority of application code being open source, dependencies have become a major attack surface. What’s more, bugs in open source code generally fly under the radar (no pun intended), undetected by developers until it’s too late. Understanding, patching, and updating dependencies is critical, as catastrophic breaches (such as WannaCry) can and have occurred due to a missed update or patch. Security scans using updated vulnerability databases should be run on a regular basis to maintain app security – even on code that has previously been scanned.
5. Diversify your security portfolio
Employ many different types of testing to cover your bases. A single type of testing, like SAST, DAST, pre-release scanning, pen testing, or dependency scanning is helpful, but won’t provide a complete view of your application environment. Forrester's annual application security report notes that security teams are adjusting their practices to help developers respond to vulnerabilities at the speed of development. Some teams now conduct software composition analysis ahead of production, and have moved static application security testing (SAST) to early development (something your team can achieve with GitLab). Others are using bug bounty programs to crowdsource vulnerability discovery, which is particularly helpful for uncovering problems that don’t fall into known security flaw patterns.
Work to achieve a DevSecOps model
Nearly 70% of developers are expected to write secure code, but only 25% of developers believe they have “good” security practices. DevOps is a great place to start: It’s clear from our data that a more mature DevOps model encourages innovation and collaboration, and enables teams to test more code faster. As more teams continue to shift their security practices left, DevSecOps will become an advantageous reality for developers and security professionals alike.
Cover photo by Patrick Tomasso on Unsplash