The advent of new digital technologies has transformed software development methodology over the past few years. A greater focus on delivering customer-centric solutions has accelerated the adoption of new technologies and services. In this landscape, traditional application security practices have become outdated, and enterprises need an application security program that integrates with modern technologies and keeps pace with development. The number of CVEs reported is increasing year on year: 6,447 CVEs were reported in 2016, 14,714 in 2017 and 15,400 in 2018. As enterprises adopt modern technologies and frameworks for software development, the attack surface widens and the risk of leaving an application vulnerable rises. Implementing a modern application security program requires robust governance, early detection of vulnerabilities, timely remediation, and continuous monitoring and prevention. Below are a few key market trends in product software development and their security implications:
1. Assembly of modern applications implies a greater attack surface to secure
Application architectures have evolved from a single monolithic entity to service-oriented applications and now to API-centric, microservice-based applications (for example single-page applications backed by APIs), where small independent services can be developed on different platforms and technologies and integrated into the product application incrementally. This has been advantageous for enterprises: development teams can focus on independent functionality and release features quickly, without having to release the complete application in one shot. This is perhaps the most pivotal trend, having led to an explosion of new technologies, services and processes, and with it the need to understand the associated security implications. Securing each individual service as well as the integration as a whole is a challenging task that requires careful orchestration from all stakeholders: identity federation, access delegation and standardization of security practices across teams.
In addition, adoption of open source frameworks, libraries and dependencies has increased exponentially. Identifying vulnerable open source software and third-party components is an area application teams tend to overlook; software updates containing security patches are ignored, and the application is left exposed to known attacks. At the same time, attack vectors such as insecure direct object reference (IDOR), server-side request forgery (SSRF), cross-site request forgery (CSRF) against AJAX endpoints, insecure CORS configurations, insecure deserialization and exposure of sensitive data such as secrets and PII make it necessary to take a granular look at application development practices and to ensure secure practices are embedded in the development lifecycle.
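To make one of the attack vectors above concrete, the following added example (written for this page; it is not code from the original article or from TCS) shows an insecure CORS origin check beside a hardened one. The allowlist, the origins and the helper names are assumptions for illustration. The weak version trusts any Origin whose string ends in the company domain and also reflects the literal "null" origin, so an attacker page on a look-alike domain, or a sandboxed iframe, can read authenticated responses; the hardened version only ever returns an origin that exactly matches a configured allowlist.

```python
from typing import Callable, Dict, Optional
from urllib.parse import urlsplit

# Constructed allowlist for illustration; in a real service this is configuration.
ALLOWED_ORIGINS = frozenset({
    "https://app.example.com",
    "https://admin.example.com",
})


def insecure_cors_origin(request_origin: Optional[str]) -> Optional[str]:
    """Weak pattern: suffix-match the company domain and reflect what was sent.

    'https://evilexample.com' ends with 'example.com', and 'null' is what
    sandboxed iframes and file:// pages send, so both get reflected back.
    Combined with Access-Control-Allow-Credentials: true this lets an
    attacker page read the victim's authenticated responses.
    """
    if request_origin is None:
        return None
    if request_origin.endswith("example.com") or request_origin == "null":
        return request_origin
    return None


def secure_cors_origin(request_origin: Optional[str]) -> Optional[str]:
    """Hardened pattern: normalise scheme://host[:port] and require an exact
    allowlist match. Anything with a path, query, userinfo or a non-https
    scheme is rejected outright rather than guessed at."""
    if request_origin is None:
        return None
    parts = urlsplit(request_origin)
    if parts.scheme != "https" or not parts.netloc:
        return None
    if parts.path or parts.query or parts.fragment or parts.username:
        return None
    candidate = f"{parts.scheme}://{parts.netloc.lower()}"
    return candidate if candidate in ALLOWED_ORIGINS else None


def cors_headers(decide: Callable[[Optional[str]], Optional[str]],
                 request_origin: Optional[str]) -> Dict[str, str]:
    """Build the response headers for a credentialed API given a decision function.

    'Vary: Origin' is always set so caches do not serve one origin's
    Access-Control-Allow-Origin value to another.
    """
    headers = {"Vary": "Origin"}
    allowed = decide(request_origin)
    if allowed is not None:
        headers["Access-Control-Allow-Origin"] = allowed
        headers["Access-Control-Allow-Credentials"] = "true"
    return headers


if __name__ == "__main__":
    # Constructed Origin header values as a browser would send them.
    for origin in ("https://app.example.com", "https://evilexample.com",
                   "null", "https://app.example.com/evil", "http://app.example.com"):
        print(f"{origin!r:40} insecure={insecure_cors_origin(origin)!r:30} "
              f"secure={secure_cors_origin(origin)!r}")
```

The same exact-match rule applies to frameworks that take a list of origins as configuration: a regular expression or a wildcard with credentials enabled reintroduces the suffix problem shown in the weak version.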
2. Scaled infrastructure implies the need to secure infrastructure and the software supply chain
The infrastructure that powers and supports the product application has also changed significantly in recent years. Servers have moved from on-premises physical machines to virtualized public, private and hybrid cloud servers, which has reduced operating costs and increased the scalability and availability of services. Container technology (Docker) with orchestrators such as Kubernetes and Mesos, development-environment tooling such as Vagrant, and serverless deployments (Function-as-a-Service, such as AWS Lambda) have gained traction and changed the way organizations look at their infrastructure and software supply chain. As controls such as next-generation firewalls and hardening of traditional networks have raised the cost of attacking the perimeter directly, attackers have turned to the software supply chain as a way into the organization's infrastructure.
Securing the software supply chain requires security embedded at each stage of the chain: build, ship and deploy. Configuration management and infrastructure-as-code frameworks such as Ansible, Chef, Puppet and Terraform make it possible to provision, and re-provision, infrastructure quickly in the event of suspicious activity. From an incident response point of view, however, these technologies pose a significant challenge: container-based deployments treat infrastructure as immutable, so a compromised instance is typically destroyed and redeployed at the first sign of modification, and the artifacts an investigator needs are gone before the investigation begins. Logs, images and forensic snapshots therefore have to be shipped off the host before teardown.
3. Mandatory compliance with regulations and security standards implies the need for compliance-driven development
Enterprises face constant pressure from regulators and compliance standards such as HIPAA, NIST, FIPS, EU GDPR and PCI DSS to implement an accepted level of security controls in the software development lifecycle and to ensure the privacy of the data collected or processed. Development teams today commonly follow Behaviour Driven Development (BDD) or Acceptance Test Driven Development (ATDD). The need of the hour, however, is Compliance Driven Development (CDD). CDD demands that data privacy be embedded as an element right from the design phase of application development. Based on the classification of the application and the standards that apply to it, security controls should be mapped to the application's features and functionality. This ensures the applicable sections of each standard are considered at the planning phase and that specific test cases are verified before features are rolled out, which in turn fast-tracks the audits required during application verification or as part of incident response investigations.
4. Agile transformation implies the need for automating security practices
Application development has evolved from the classical waterfall model to agile and DevOps-based development, leading to frequent delivery of features: the release cadence has moved from a few releases per year to multiple releases per day. This demands frequent, continuous security evaluation of the software, yet traditional appsec assessments take days of effort to complete, leaving daily releases unassessed and exposed. Security practices need to be adopted early in the development lifecycle (shift left) instead of treating security as the last phase before release. To match the speed of agile, security teams need to work in step with developers and operations, which is the collaborative practice known as DevSecOps.
Automating security checks in the CI/CD pipeline is essential if security is to keep pace with feature releases. Threat modelling, the most neglected step, should be performed alongside each feature plan, and the specific security test cases it produces should be added to the QA test cases or run as part of regression testing, so that security assessments are targeted. Integrating SAST scans with version control helps ensure that no vulnerable code is committed to the branch. With microservice-based development, classical DAST tools struggle to find vulnerabilities because they cannot discover API endpoints and parameter formats by crawling; a modern approach is to drive the DAST tool from the QA test cases, which gives it the context and valid parameters it needs to fuzz. Dependency checks should also be part of the CI process so that no vulnerable third-party component sneaks in. Several of the manual pentest checks, such as Nmap scans, TLS/SSL scans, and directory and password brute-forcing, can be automated to find low-hanging vulnerabilities, leaving the pentester free to focus on the major ones.
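The dependency check described above is the easiest of these automations to build in-house, and the following added example (written for this page; it is not code from the original article or from TCS) shows the shape of one as a CI step: it parses a pinned requirements file, compares each pin against an advisory feed, flags anything unpinned, and exits non-zero so the pipeline fails. The requirements file, the package names and the advisory feed are constructed for illustration and describe no real vulnerabilities; a real pipeline would pull the feed from a source such as OSV or the NVD and use a PEP 440 version parser instead of the simple numeric comparison used here.

```python
import re
import sys
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed requirements file as CI would read it from the repository.
REQUIREMENTS_TXT = """\
# constructed sample manifest, not a real project
webclient==2.19.1
yamlkit==3.13
ormcore==2.2.10
tinyserver==1.1.2
extras>=1.0
"""

# Constructed advisory feed: package -> (first fixed version, advisory id).
# Every advisory here means "all versions below fixed_in are affected".
ADVISORIES: Dict[str, Tuple[str, str]] = {
    "webclient": ("2.20.0", "CONSTRUCTED-0001"),
    "yamlkit": ("5.1", "CONSTRUCTED-0002"),
    "ormcore": ("2.2.10", "CONSTRUCTED-0003"),
}

# Only exact '==' pins with purely numeric versions are accepted as pinned.
PIN_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)==(\d+(?:\.\d+)*)$")


@dataclass(frozen=True)
class Finding:
    package: str
    version: str
    reason: str


def parse_version(version: str) -> Tuple[int, ...]:
    """Numeric dotted version to a comparable tuple: '2.19.1' -> (2, 19, 1).
    Pre-release suffixes (PEP 440) are out of scope for this example."""
    return tuple(int(part) for part in version.split("."))


def parse_pinned(text: str) -> Tuple[List[Tuple[str, str]], List[str]]:
    """Split a requirements file into exact pins and everything else."""
    pins: List[Tuple[str, str]] = []
    unpinned: List[str] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        match = PIN_RE.match(line)
        if match:
            pins.append((match.group(1).lower(), match.group(2)))
        else:
            unpinned.append(line)
    return pins, unpinned


def audit(text: str, advisories: Dict[str, Tuple[str, str]]) -> List[Finding]:
    """Return one Finding per vulnerable pin and per unpinned requirement."""
    findings: List[Finding] = []
    pins, unpinned = parse_pinned(text)
    for name, version in pins:
        if name in advisories:
            fixed_in, advisory_id = advisories[name]
            if parse_version(version) < parse_version(fixed_in):
                findings.append(Finding(name, version,
                                        f"{advisory_id}: fixed in {fixed_in}"))
    for line in unpinned:
        # An unpinned dependency can silently change between builds, so the
        # build cannot be reproduced or audited; treat it as a failure too.
        findings.append(Finding(line, "", "not pinned to an exact version"))
    return findings


def ci_exit_code(findings: List[Finding]) -> int:
    """Non-zero exit fails the pipeline stage."""
    return 1 if findings else 0


if __name__ == "__main__":
    results = audit(REQUIREMENTS_TXT, ADVISORIES)
    for finding in results:
        print(f"FAIL {finding.package} {finding.version} : {finding.reason}")
    sys.exit(ci_exit_code(results))
```

Wired in as a pipeline step (for example `python dependency_audit.py` before the build job), the non-zero exit blocks the merge until the pin is bumped, which is the behaviour the paragraph above asks for.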
To conclude, the technology powering software development is constantly evolving and quietly opening new attack surfaces for enterprises to secure. Organizations need to embrace this change and continually modernize their application security practices across the complete ecosystem: source code, infrastructure such as servers, databases and cloud, and the software supply chain.
Authored By - Rohit Goel
TCS Cyber Security Practice