Sunday, July 21, 2024

Securing Software Development  – Communications of the ACM

Computer scienceSecuring Software Development  – Communications of the ACM

Safe development is a critical necessity for any company that creates software, whether for its own use or others. DevSecOps principles focus on automating information security processes and introducing security measures early in software development. DevSecOps is extremely important these days as, according to recent surveys, more than 99% of tech professionals report that, on average, applications in production contain more than four vulnerabilities.

A study conducted by the Ponemon Institute and Rezilion reveals that 78% of those surveyed take over three weeks to address high-risk vulnerabilities in their systems. Furthermore, 30% say managing these vulnerabilities effectively takes them more than five weeks. Application vulnerabilities are now a major entry point for ransomware attacks, and 76% of CIOs reported experiencing at least one ransomware attack in the past 24 months.

But where do these vulnerabilities originate from? Firstly, they often arise from development practices, such as using unsafe programming structures or third-party components, frequently open-source frameworks and libraries. Developers might also insert shortcuts to accelerate the development process. Secondly, time constraints can lead to cursory code reviews that focus more on functionality than on thorough, safety-inclusive quality analysis. Lastly, the widespread use of outdated (legacy) software, known for its vulnerabilities and often difficult or impossible to update, contributes to this issue.

Main Stages of Secure Software Development

Using DevSecOps helps ensure the right level of security throughout both the development phase and the entire lifespan of the software. This method also concentrates on identifying and managing risks. By implementing safe development processes, there is typically an 80% reduction in vulnerabilities. Let’s explore the most important stages of this process, illustrated through the Security Development Lifecycle (SDL) approach, widely adopted by many large corporations globally.

Everyone involved in software development, including all employees, contractors, and other relevant personnel, receives training in cybersecurity basics and undergoes regular instruction in secure development practices and the application of AI in software testing.

The development of each software product starts with clearly defining its security and privacy requirements. These requirements are shaped by various factors such as the type of data the product will process, known security threats, established best practices, regulatory and industry standards, and lessons learned from past incidents. Since software development is an ongoing process, the security and privacy requirements evolve throughout the product’s lifecycle, adapting to changes in functionality and the ever-shifting threat landscape.

At this stage, threat models are developed to help identify and categorize threats based on existing and potential risks. This process begins by outlining the different components of a product and how they interact in different functional scenarios, such as authentication. Data flow diagrams are used to visually represent the interactions of data flows, data types, protocols, etc. It is important to keep threat models up-to-date throughout the product’s lifecycle, adapting them as the software evolves.

Implementation starts with developers coding according to the plan established in earlier phases. It is good to equip developers with secure development tools to incorporate all privacy, security, and functionality requirements into their software. Such tools may include secure development environments, compilers, and integrated security checks.

Before the code is released, it undergoes thorough checks and approvals. Manual reviews are done by individuals separate from the code developers, ensuring a vital separation of duties to prevent any single person from both writing and releasing code. The step also includes a series of automated checks within the commit pipeline, covering aspects like static and dynamic code analysis, binary analysis, credential and secret scanning, encryption scanning, configuration validation, and open-source software compliance.

Prior to launching software into products, a thorough review is conducted to verify if the security features implemented align with the initial specifications set during the design phase. Additionally, a contingency plan is developed to address potential security system breaches. Rather than deploying builds to all users simultaneously, they are incrementally rolled out to progressively larger groups.

Following their release, all software and services undergo comprehensive logging and monitoring to pinpoint potential security issues.

Main DevSecOps Tools

Let’s explore the tools essential for DevSecOps, integrating security principles into every stage of the software development process.

  • Static Application Security Testing (SAST)

Static analysis is performed in a “white box” setting, enabling the detection of vulnerabilities without the need to run the actual code. This approach is most effective in the early phases of development, as it scrutinizes the source code directly, offering the chance to integrate the analyzer into the development pipeline for incremental scanning. However, it is not without its drawbacks, such as a high rate of false positives.

Implementing a static code analyzer aligns well with the Shift Left concept, which emphasizes introducing checks as early as possible in the product development lifecycle rather than towards the end. This early integration significantly impacts the cost of fixing detected defects. For example, while fixing vulnerabilities identified during the development phase might cost X dollars, addressing these issues at the project release stage could escalate to 10X dollars, and fixing them once the system is fully operational could soar to 100X dollars.

  • Dynamic Application Security Testing (DAST)

Dynamic code analysis operates in a “black box” scenario, where the tool does not have access to the source code and conducts tests while the program is running. DAST can mimic external attacks using common methods to find vulnerabilities in the application. DAST tools are not limited by programming languages and typically result in fewer false positives. However, their drawbacks include the potential to overlook vulnerabilities and miss certain functionalities because DAST does not fully cover the analyzed code.

  • Interactive Application Security Testing (IAST)

IAST combines elements of both SAST and DAST to offer a more integrated and interactive way of detecting vulnerabilities.

Both IAST and DAST analyze live applications to find vulnerabilities. DAST tests the application’s interfaces like an attacker (from an external viewpoint), identifying vulnerabilities through response analysis. However, IAST also operates from within, blending insights from the application’s internal code and data flows with observations of its dynamic behavior during execution. This unique position allows IAST to uncover a wider array of issues, merging the depth of code analysis (similar to SAST) with the practical examination of running applications (similar to DAST). Consequently, IAST achieves greater accuracy and fewer false positives, pinpointing vulnerabilities that emerge only through the application’s operational context.

  • Software Composition Analysis (SCA)

SCA scrutinizes open-source components and libraries within a software project. SCA identifies known vulnerabilities, licensing issues, and outdated dependencies by examining the codebase against comprehensive databases of known security threats and compliance data. By integrating SCA into the DevSecOps pipeline, teams ensure that both proprietary and open-source code adhere to security standards and compliance requirements.

Other Tools and Technologies

The tools mentioned above constitute the minimum set required to ensure the release of secure apps. To maximize your security efforts, it is also good to use additional technologies and tools that can support and enhance the secure development process. Here are some of them:

  • Infrastructure-as-Code (IaC) Scanning

With the rise of cloud computing and Infrastructure as Code, scanning these configurations for compliance and security issues becomes critical during the development process.

  • Container Security Scanning

Analyzing container images for vulnerabilities and configuration issues.

Ensuring that secrets, such as passwords, tokens, and keys, are securely managed and accessed is vital to protect access to applications, databases, and services during development.

  • Access and Identity Management (IAM)

Though not exclusive to the development phase, setting up proper IAM controls ensures that only authorized individuals can access development environments and resources. It can be supplemented with Privileged Access Management (PAM) solutions.

Actually, there are many more strategies for ensuring the release of safe apps. For example, using a Web Application Firewall (WAF) helps protect web applications by filtering and monitoring traffic between the web application and the internet. Network Detection and Response (NDR) tools can detect and respond to network threats, while Virtual Private Networks (VPNs) create secure Internet connections. It is impossible to list all the options in this brief article. Choosing the right security measures depends on your available resources, including budget, expertise, and technical capabilities.

Tool Integration and Workflow Optimization

One of the main goals of DevSecOps is to make security a seamless part of the development process, ensuring that security measures do not hinder but enhance development efficiency. Here are some expert tips for achieving this:

DevSecOps is as much about cultural transformation as it is about tools and processes. Before diving into technical integrations, ensure your team’s mindset aligns with DevSecOps principles. Underestimating the cultural aspects, such as resistance to change, fear of increased workload, or misunderstanding the value of security, can impede adoption. You can address these challenges by highlighting the benefits of DevSecOps, celebrating successes, and promoting a culture of learning and continuous improvement.

Developers should be familiar with the nuances of the security tools in use and how to interpret their outputs. Regular training and resources should be provided, empowering developers with the knowledge to address security issues, thereby fostering a proactive security culture.

DevSecOps hinges on breaking down silos between development, operations, and security teams. Encourage regular meetings, joint projects, and shared goals to build cohesive teams focused on secure development practices.

Choose security tools that align with your needs and integrate smoothly with existing development and operations infrastructure. Favor those offering robust APIs, CLI support, and compatibility with your CI/CD pipeline, as these features are crucial for seamless integration. 

While the array of available security tools is vast, avoid deploying them simultaneously. This approach can lead to an overwhelming number of alerts and many false positives, cluttering your workflow. Instead, start with a strategic selection of high-impact tools and adjust settings to minimize unnecessary noise.

Prioritize automation in your security strategy: automate the execution of security scans like SAST, DAST, and IAST within your CI/CD pipeline. This automation ensures consistent security checks at every code development and deployment stage, significantly reducing manual intervention and accelerating the development cycle.

Continuous DevSecOps Improvement

DevSecOps is a journey, not a destination. Regularly review the effectiveness of your tool integrations and workflows. Gather feedback from all stakeholders and define metrics to measure the effectiveness of your DevSecOps practices, such as the number of vulnerabilities identified and remediated, the time taken to fix critical issues, and the frequency of Zero-Day attacks and other security incidents. Use these metrics to demonstrate the value of DevSecOps and be prepared to adjust tools, processes, and training for improvement.


The statistics are alarming: most applications have vulnerabilities, and fixing them can take weeks or even months, clearly showing that traditional methods are inadequate. Facing the ever-changing threat landscape, implementing DevSecOps practices is essential, not just recommended. Adopting the right mix of tools, practices, and a shift-left mindset can significantly lower vulnerability risks.

Alex Vakulov is a cybersecurity researcher with more than 20 years of experience in malware analysis and strong malware removal skills.

Check out our other content

Check out other tags:

Most Popular Articles