Managing Cybersecurity: DevSecOps
HWM Singapore | February 2021
Don’t get overwhelmed with trivial defects.

Contributed By

Taylor Armerding, Software Security Expert, Synopsys Software Integrity Group

“If tools aren’t used correctly, at the right time, and in the right way, they can flag an overwhelming number of potential vulnerabilities, many of them insignificant or irrelevant to a particular project. And that can frustrate development teams to the point that they could start ignoring the warnings or even disabling the tools, undermining the security those tools are meant to enhance.”

That, according to Meera Rao, is one of the biggest challenges of embedding security into DevOps and yielding effective DevSecOps.

Rao, senior director for product management (DevOps solutions) at Synopsys, notes the reality that “at every stage in the pipeline or even in your SDLC, you have many security activities to perform, and each and every one of them gives you vulnerabilities. That can lead to defect overload.”

By now, that list of DevSecOps testing tools and other security tasks is fairly standard. At the start, security teams should conduct threat modeling and risk analysis based on what an application is expected to do and what kind of input, if any, it will handle. Obviously, a page on a website that accepts user input including personal and financial data needs more rigorous security than one that simply provides information, such as the locations of company offices.

During the coding and building phases, automated tools like static, dynamic, and interactive analysis can flag bugs and other defects that could be exploited. Fuzz testing can check how the software responds to random, malformed input. Software composition analysis (SCA) can help find open source components that may have security defects and/or licensing conflicts.

And at the end, penetration testing is designed to attack an application the way hackers might, to find any remaining critical weaknesses before that application goes into production.

CONFIGURE DEVSECOPS SECURITY TOOLS

All those tools and techniques are crucial to building security into an application during its development. But if those tools aren’t configured to flag only defects that are relevant and significant to a specific project, they can end up creating friction that slows development — which is the last thing a development team wants in a DevOps world where speed is a top priority.

STATIC ANALYSIS SECURITY TESTING (SAST) FINDS CERTAIN THINGS, DYNAMIC ANALYSIS SECURITY TESTING (DAST) FINDS DIFFERENT THINGS, AND SCA FINDS DIFFERENT THINGS.

The solution? Vulnerability management. But the frequently conflicting priorities of speed and security present multiple challenges to doing that effectively.
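As an added illustration of what "configuring tools to flag only relevant and significant defects" looks like in a pipeline, here is a small triage policy written for this article (it is not code from the article, from Synopsys, or from any scanner vendor). It takes scanner findings, shaped loosely like SAST/SCA output, and sorts them into findings that gate the build, findings that are merely reported, and findings that are dropped because they are out of scope or already triaged. The findings, file paths, rule names, the component name `examplelib`, and the `Policy` fields are all constructed for the example; the one idea taken from the article is that code handling personal or financial data gets a stricter bar than an informational page such as office locations.

```python
"""Added example (not from the article or Synopsys): a policy filter that
reduces 'defect overload' by deciding which scanner findings should gate a
pipeline. Findings, paths, rules and the policy are constructed for illustration."""
from dataclasses import dataclass

# Constructed sample findings, loosely modelled on SAST/SCA scanner output.
SAMPLE_FINDINGS = [
    {"id": "F1", "tool": "sast", "rule": "sql-injection", "severity": "high",
     "path": "src/payments/checkout.py", "line": 88},
    {"id": "F2", "tool": "sast", "rule": "unused-import", "severity": "low",
     "path": "src/payments/checkout.py", "line": 3},
    {"id": "F3", "tool": "sast", "rule": "hardcoded-secret", "severity": "high",
     "path": "tests/fixtures/fake_creds.py", "line": 12},
    {"id": "F4", "tool": "sca", "rule": "vuln-component", "severity": "critical",
     "path": "requirements.txt", "line": 7, "component": "examplelib"},
    {"id": "F5", "tool": "sast", "rule": "weak-hash", "severity": "medium",
     "path": "src/office_locations/view.py", "line": 40},
]

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass(frozen=True)
class Policy:
    """Project-specific tuning, ideally derived from the threat model."""
    gate_severities: frozenset      # severities that fail the build anywhere
    ignored_path_prefixes: tuple    # out-of-scope code, e.g. test fixtures
    suppressed: frozenset           # (rule, path) pairs already triaged
    high_risk_prefixes: tuple       # components handling sensitive input
    high_risk_min_severity: str     # gating bar inside high-risk components


# Hypothetical policy for a project whose payments code handles card data.
EXAMPLE_POLICY = Policy(
    gate_severities=frozenset({"high", "critical"}),
    ignored_path_prefixes=("tests/",),
    suppressed=frozenset({("weak-hash", "src/office_locations/view.py")}),
    high_risk_prefixes=("src/payments/",),
    high_risk_min_severity="medium",
)


def triage(findings, policy):
    """Split findings into 'gate' (block the pipeline), 'report' (surface but
    do not block) and 'drop' (out of scope or suppressed after triage)."""
    result = {"gate": [], "report": [], "drop": []}
    for finding in findings:
        path = finding["path"]
        if path.startswith(policy.ignored_path_prefixes):
            result["drop"].append(finding)
            continue
        if (finding["rule"], path) in policy.suppressed:
            result["drop"].append(finding)
            continue
        rank = SEVERITY_RANK[finding["severity"]]
        in_high_risk = path.startswith(policy.high_risk_prefixes)
        # A stricter bar applies inside components that handle sensitive data.
        bar_met = in_high_risk and rank >= SEVERITY_RANK[policy.high_risk_min_severity]
        if finding["severity"] in policy.gate_severities or bar_met:
            result["gate"].append(finding)
        else:
            result["report"].append(finding)
    return result


def gate_ids(findings, policy):
    """IDs of findings that should fail the build, for easy inspection."""
    return [f["id"] for f in triage(findings, policy)["gate"]]


def pipeline_exit_code(findings, policy):
    """Non-zero only when a gating finding exists; reported ones never block."""
    return 1 if triage(findings, policy)["gate"] else 0


if __name__ == "__main__":
    outcome = triage(SAMPLE_FINDINGS, EXAMPLE_POLICY)
    for bucket, items in outcome.items():
        print(bucket, [f["id"] for f in items])
    print("exit code:", pipeline_exit_code(SAMPLE_FINDINGS, EXAMPLE_POLICY))
```

The point of keeping the suppression list keyed on (rule, path) rather than on rule alone is that a finding triaged as a false positive in one file stays live everywhere else; that is the difference between tuning a tool and silencing it.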
