Taylor Armerding, Software Security Expert, Synopsys Software Integrity Group
“If tools aren’t used correctly, at the right time, and in the right way, they can flag an overwhelming number of potential vulnerabilities, many of them insignificant or irrelevant to a particular project. And that can frustrate development teams to the point that they could start ignoring the warnings or even disabling the tools, undermining the security those tools are meant to enhance.”
That, according to Meera Rao, is one of the biggest challenges of embedding security into DevOps and yielding effective DevSecOps.
Rao, senior director for product management (DevOps solutions) at Synopsys, notes the reality that “at every stage in the pipeline or even in your SDLC, you have many security activities to perform, and each and every one of them gives you vulnerabilities. That can lead to defect overload.”
By now, that list of DevSecOps testing tools and other security tasks is fairly standard. At the start, security teams should conduct threat modeling and risk analysis based on what an application is expected to do and what kind of input, if any, it will handle. Obviously, a page on a website that accepts user input including personal and financial data needs more rigorous security than one that simply provides information, such as the locations of company offices.
During the coding and building phases, automated tools like static, dynamic, and interactive analysis can flag bugs and other defects that could be exploited. Fuzz testing can check how the software responds to random, malformed input. Software composition analysis (SCA) can help find open source components that may have security defects and/or licensing conflicts.
And at the end, penetration testing is designed to attack an application the way hackers might, to find any remaining critical weaknesses before that application goes into production.
CONFIGURE DEVSECOPS SECURITY TOOLS
All those tools and techniques are crucial to building security into an application during its development. But if those tools aren’t configured to flag only defects that are relevant and significant to a specific project, they can end up creating friction that slows development — which is the last thing a development team wants in a DevOps world where speed is a top priority.
STATIC ANALYSIS SECURITY TESTING (SAST) FINDS CERTAIN THINGS, DYNAMIC ANALYSIS SECURITY TESTING (DAST) FINDS DIFFERENT THINGS, AND SCA FINDS DIFFERENT THINGS.
The solution? Vulnerability management. But the frequently conflicting priorities of speed and security present multiple challenges to doing that effectively.
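One way to make the “flag only what is relevant and significant” idea concrete, as an added example that is not from the article or from Synopsys: a small triage policy applied to constructed scanner findings (the rule ids, file paths and severity scale are assumptions), with a stricter threshold for code that handles user input, in line with the threat-modeling point above, and with every suppression recorded so the filter itself stays auditable.

```python
from dataclasses import dataclass

# Ordered severity scale used by the constructed findings below.
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

@dataclass(frozen=True)
class Finding:
    rule: str            # tool rule id (constructed, not a real scanner's id)
    severity: str        # one of SEVERITY_RANK
    path: str            # file the finding points at
    handles_input: bool  # True if this code path accepts external/user data

@dataclass(frozen=True)
class Policy:
    min_severity: str            # floor for code that takes no external input
    min_severity_input: str      # stricter floor for input-handling code
    suppressed_rules: frozenset  # rules the project has judged irrelevant
    ignored_prefixes: tuple      # paths the team does not own (vendored, tests)

def triage(findings, policy):
    """Split findings into (actionable, suppressed, reason_counts).

    Every suppression records a reason, so the filter itself can be audited:
    an over-eager filter recreates the blind spot of a disabled tool.
    """
    actionable, suppressed, reasons = [], [], {}
    for f in findings:
        floor = policy.min_severity_input if f.handles_input else policy.min_severity
        if f.path.startswith(policy.ignored_prefixes):
            reason = "ignored_path"
        elif f.rule in policy.suppressed_rules:
            reason = "suppressed_rule"
        elif SEVERITY_RANK[f.severity] < SEVERITY_RANK[floor]:
            reason = "below_severity_floor"
        else:
            actionable.append(f)
            continue
        suppressed.append((f, reason))
        reasons[reason] = reasons.get(reason, 0) + 1
    return actionable, suppressed, reasons

# Constructed sample findings and project policy (not real scanner output).
SAMPLE = [
    Finding("SQLI-001", "high", "src/checkout/payment.py", True),
    Finding("XSS-002", "medium", "src/checkout/form.py", True),
    Finding("INFO-LEAK-003", "medium", "src/pages/offices.py", False),
    Finding("SQLI-001", "critical", "vendor/lib/db.py", False),
    Finding("DEBUG-LOG-005", "high", "src/checkout/payment.py", True),
]
POLICY = Policy("high", "medium", frozenset({"DEBUG-LOG-005"}), ("vendor/", "tests/"))
```

Running `triage(SAMPLE, POLICY)` keeps the two findings in input-handling checkout code and suppresses the other three, each with a recorded reason, so the reviewed subset stays small without the suppressions disappearing from view.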