How to secure software in a DevOps world

Source:-helpnetsecurity.com

The COVID-19 pandemic and its impact on the world has made a growing number of people realize how many of our everyday activities depend on software.

We increasingly work, educate ourselves, play, communicate with others, consume entertainment, go shopping and do many other things in the digital world, and we depend on software and online services/apps to make that possible. Software is now everywhere and embedded within just about everything we touch.

The pandemic has also significantly accelerated companies’ digital transformation efforts and the proliferation of new software, and has stressed two undeniable facts:

Software security is more necessary than ever before
Automated application testing solutions that support developer workflows are the only way to achieve software security at such an intense pace and scale
Problems to solve when aiming for sofware security
When we talk about software security, we talk about proactively making an effort to create software that is nearly impenetrable to cyberattacks. We talk about working with that goal in mind during each phase of the software development lifecycle (SDLC) and finding and fixing security vulnerabilities before they have a chance of becoming a problem.

At a surface level, it sounds like a no-brainer, but there are a number of challenges organizations face when it comes to putting the idea in practice in the form of a true DevSecOps program.

Many traditional software security approaches are also falling short, either due to a lack of SDLC and developer workflow integration, a failure to cover all stages of the SDLC holistically, a disregard of developer needs, or a lack of testing automation.

Embedding security into DevOps

Slowly but surely, DevOps has become the software delivery methodology of choice for many organizations.

By aligning all the people/departments involved in software development and delivery and empowering them to work in tandem, organizations that choose the DevOps culture and implement it well are able to deliver high quality software faster. And those that choose to embed security into DevOps (DevSecOps), make the whole proposition less risky for everybody involved, including the customer.

But how to do it so that everybody involved is enthusiastically on board and satisfied? The answer is: make security testing intrinsic with the software development and delivery processes by integrating it into existing pipelines, make it automated, and embed AppSec training and awareness on top of all developer operations to ensure continuous education.

With its Software Security Platform, which merges static application security testing (SAST), software composition analysis (SCA), interactive application security testing (IAST) and in-context developer awareness and training (aka “Codebashing”), Checkmarx has all those requirements covered.

secure software DevOps

In fact, the company’s platform has recently been named by Gartner as the “best fit” for DevOps, and the company as a 2020 Gartner Magic Quadrant Leader for Application Security Testing for the third year in a row.

To them, that’s no surprise, as they are constantly working to be on the bleeding edge of software security by constantly innovating their fleet of AST solutions.

Matt Rose, Checkmarx’s Global Director of Application Security Strategy, says that they’ve seen a lot of changes in the industry throughout the years, but that their product was really designed ahead of its time and fits “unbelievably well” with the modern DevOps processes.

Not one of the aforementioned facts has gone unnoticed by private-equity firm Hellman & Friedman, which, in the midst of the COVID-19 pandemic, finalized a $1.15 billion acquisition of Checkmarx – the largest AppSec vendor acquisition to date.

The acquisition cements the company’s place in the industry as somebody that is not going away, Rose noted, and the investment will allow them to continue the forward momentum and prepare for the future in terms of providing the best application security testing platform in the world.

Developer-focused security and automation
There are a few recent additions to Checkmarx’s Software Security Platform that solve industry challenges:

How to identify vulnerable open source components in applications and quickly remediate vulnerabilities, and
How to simplify the automation of application security testing to reduce the friction and latency between developer and security teams.
The former comes in the form of a new SaaS-based software composition analysis (SCA) solution (CxSCA) that can be used as part of the platform or independently of it. Featuring a unique “exploitable path” capability, CxSCA leverages Checkmarx’s leading source analysis technologies to identify vulnerable open source components that are in the execution path of the vulnerability, allowing AppSec teams and developers to focus their remediation efforts on the greatest risks. This dramatically reduces time spent from the point of vulnerability detection to triage and increases developers’ productivity.

The latter is solved by Checkmarx’s unique automation capabilities via an orchestration module (CxFlow) for the platform. With this, Checkmarx enables automated scanning earlier in the code management process by integrating directly into source code management systems (think GitHub, GitLab, BitBucket, Azure DevOps), as well as providing extensive integrations with leading CI/CD tools. With developer and AppSec teams being asked to build and deploy software – that is secure – faster than ever before, the ability to automate testing within developers’ work environment is critical.

“A common way of thinking is that CI orchestration is the best place to automate application security testing capabilities. However, multiple implementation barriers – ranging from lengthy set up times to inflexible CI processes – usually accompany this approach,” Rose noted.

“With Checkmarx, we can automate the testing of the software earlier by focusing on the source code management systems. In doing so, when a developer pushes code into the source code management system when they’re done, we listen when that push or pull request is made and then automate the scanning all the way through tickets being created. Developers really benefit from this as it simplifies AST automation within DevOps, without interrupting their workflow.”

Looking ahead, Checkmarx continues to advance its offering to address the needed security for software and development trends like cloud native, microservices and containers. “DevOps is still evolving, a lot of the tooling is still evolving, and our capabilities will evolve with them,” Rose said.

Securing the application prior to release
There’s no doubt about it (and customers demand it): application security testing technologies must be automated to be effective in the modern software development arena, and Checkmarx is setting the standard. Their customers back this claim, with reviews on Gartner Peer Insights including:

“The Checkmarx products are invaluable to our organization. They are a key element of our AppSec strategy and implementation.”
“If your company’s developer workforce is not used to incorporating security standards into their builds, the Checkmarx stack of tools will do wonders for you in terms of integrating into your existing pipelines and providing the education via Codebashing that your developers will need.”
Other important requirements for effective AppSec testing tools include the ability to be fitted into developers’ toolchains, to cover all phases of SDLC (from coding through check-in and CI), to provide rapid feedback, and to be flexible, i.e., to allow for many different ways of implementing the technology based on the way an organization is developing software and to offer different deployment options.

Checkmarx offers all that to help organizations achieve the ultimate goal: flagging potential security vulnerabilities and risk early on, when remediation is considerably easier.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.