It's time to shift cybersecurity left

There are too many sophisticated threats and threat actors in the world today for cybersecurity to remain the purview of IT.

As the complexity of IT operations continues to increase, the need to move cybersecurity into the development and CI/CD pipeline is quickly becoming a priority for many IT organizations.

Of course, the idea of shifting security to the left is not new. It was first introduced as early as the 1970s (long before the first line of malware code was written). It's also what gave rise to the idea of DevSecOps and the earlier concept of security by design. But this approach to software development is still relatively new and has only been adopted by about a third of development organizations today.

While security by design primarily focuses on ensuring secure code, with DevSecOps a predetermined set of security services is implemented when an application or workload is deployed. This includes things like network security, multi-factor authentication, access rights, and so on.

To ensure that production applications are as secure as possible in the future, both approaches will likely have to be adopted en masse by developers and IT organizations.

Adoption is slow for several reasons

Developers have traditionally relied on security and IT operations teams to protect the code they create. But there are a lot of things going on today that make that difficult. Sophisticated, hyper-targeted cyberattacks, hybrid and containerized computing environments, and a porous, hard-to-define network edge make it impossible to treat cybersecurity as an afterthought.

The rapid adoption of microservices architectures and serverless computing in the cloud has created an environment where understanding network architectures and application dependencies becomes exponentially more difficult every year. The pressure on developers to produce code, generate updates, and create new features and functionality also increases every year as organizations turn to digital technologies.

High expectations, coupled with widespread adoption of Agile and DevOps, mean developers are relying on platform and infrastructure-as-a-service providers and infrastructure-as-code deployment to move more code into production faster than ever before. Developers also rely on more complex toolsets to do their work.

Adding more fuel to the fire is a lack of cybersecurity knowledge among many developers and a critical shortage of qualified cybersecurity professionals on the IT side. The worrying rise of ransomware as the most used malware in the 2020s means that cyberattacks are becoming more expensive, both in terms of economics and reputation.

IT needs greater visibility

From an IT perspective, a lack of visibility into how code is developed and where it is being deployed (including in development environments far from production servers) creates blind spots that can make it difficult to know where to start when recovering from a cyberattack.

While there are runbooks specifically designed to help incident response teams figure out what's going on, the speed at which new features and functionality are introduced into production means that documentation isn't always up to date or even available.

Another good reason to start shifting cybersecurity to the left is that developer environments are increasingly seen as good targets for cybercriminals to infiltrate the organization. Developers use a lot of open source code and complex, automated toolchains that, when misconfigured or misused, can open the door for attackers to gain a foothold within the organization.

Developers can also forget about test environments and leave them running long after they have served their purpose. The 2020 SolarWinds supply chain hack is a good example of what can happen when hackers obtain source code before launch.

Once the development environment is compromised, it will be much easier for attackers to do things like embed ransomware into the organization's backups. When IT tries to recover from a ransomware attack, it discovers that necessary data has been corrupted or restarts the attack from malware stored in backups.

3 steps to shift left

Many organizations still perform security testing shortly before software is released into production. Continuous vulnerability testing introduced earlier in the SDLC results in software with fewer bugs and security holes. By moving this process into the CI/CD pipeline, two things happen: there is greater assurance that the organization's security standards will be followed, and developers are engaged earlier in the SDLC.

The first step is to perform automated static application security testing every time the code is compiled. Most organizations that perform CI/CD will already have the tools and frameworks in place to make this happen. Ensure that scan results are loaded into a database of vulnerable components, made available through a CI engine dashboard in a form that is traceable back to the original build. This will help with compliance, reporting and research purposes, while also giving you an ongoing assessment of your application.

Next, be sure to perform software composition analysis studies to understand all application and third-party dependencies at build time.

Finally, it is a best practice to do dynamic application security testing.
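The first two steps above (SAST on every build, SCA at build time, with results stored in a form traceable back to the build) can be wired together as a small pipeline gate. The following is an added example, not code from the original post or from any particular scanner: it parses a constructed SARIF-like SAST report and a constructed SCA report, records every finding in a SQLite table keyed by build id and commit, and fails the build when any finding reaches a configurable severity. The report shapes, the severity names, the `EXAMPLE-VULN-*` identifiers and the build/commit values are all assumptions made for the example. DAST is left out because it runs against a deployed application rather than at build time.

```python
import json
import sqlite3
from dataclasses import dataclass

# Severity ordering used by the gate; the names are an assumption, not a standard.
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}
# SARIF reports "error"/"warning"/"note" levels; map them onto the ranking above.
SARIF_LEVEL_TO_SEVERITY = {"error": "high", "warning": "medium", "note": "low"}

# Constructed SAST output in a SARIF-like shape (not real scanner output).
SAST_RESULTS = json.dumps({"runs": [{"tool": {"driver": {"name": "example-sast"}}, "results": [
    {"ruleId": "hardcoded-secret", "level": "error", "locations": [{"physicalLocation": {
        "artifactLocation": {"uri": "app/config.py"}, "region": {"startLine": 12}}}]},
    {"ruleId": "weak-hash", "level": "warning", "locations": [{"physicalLocation": {
        "artifactLocation": {"uri": "app/auth.py"}, "region": {"startLine": 40}}}]},
]}]})

# Constructed SCA output: third-party components and their known issues.
# The vulnerability ids are placeholders, not real advisories.
SCA_RESULTS = json.dumps({"components": [
    {"name": "example-http-lib", "version": "2.1.0",
     "vulnerabilities": [{"id": "EXAMPLE-VULN-001", "severity": "critical"}]},
    {"name": "example-yaml-lib", "version": "0.9.4",
     "vulnerabilities": [{"id": "EXAMPLE-VULN-002", "severity": "low"}]},
    {"name": "example-log-lib", "version": "3.0.0", "vulnerabilities": []},
]})


@dataclass(frozen=True)
class Finding:
    source: str      # "sast" or "sca"
    identifier: str  # rule id for SAST, advisory id for SCA
    severity: str    # a key of SEVERITY_RANK
    location: str    # file:line for SAST, package@version for SCA


def parse_sast(raw):
    """Flatten SARIF-like SAST output into Finding records."""
    findings = []
    for run in json.loads(raw)["runs"]:
        for res in run["results"]:
            loc = res["locations"][0]["physicalLocation"]
            where = f'{loc["artifactLocation"]["uri"]}:{loc["region"]["startLine"]}'
            severity = SARIF_LEVEL_TO_SEVERITY.get(res["level"], "low")
            findings.append(Finding("sast", res["ruleId"], severity, where))
    return findings


def parse_sca(raw):
    """Flatten SCA output into one Finding per (component, vulnerability) pair."""
    findings = []
    for comp in json.loads(raw)["components"]:
        where = f'{comp["name"]}@{comp["version"]}'
        for vuln in comp["vulnerabilities"]:
            findings.append(Finding("sca", vuln["id"], vuln["severity"], where))
    return findings


def init_db(conn):
    """Findings table; every row carries the build id and commit that produced it."""
    conn.execute("""CREATE TABLE IF NOT EXISTS findings (
        build_id TEXT NOT NULL, commit_sha TEXT NOT NULL, source TEXT NOT NULL,
        identifier TEXT NOT NULL, severity TEXT NOT NULL, location TEXT NOT NULL)""")
    conn.commit()


def record_findings(conn, build_id, commit_sha, findings):
    """Persist findings so they stay traceable to the build; returns the row count."""
    conn.executemany("INSERT INTO findings VALUES (?, ?, ?, ?, ?, ?)",
                     [(build_id, commit_sha, f.source, f.identifier, f.severity, f.location)
                      for f in findings])
    conn.commit()
    return len(findings)


def findings_for_build(conn, build_id):
    """Look up what a given build reported, e.g. during incident response."""
    rows = conn.execute("SELECT source, identifier, severity, location FROM findings "
                        "WHERE build_id = ?", (build_id,)).fetchall()
    return [Finding(*row) for row in rows]


def run_gate(conn, build_id, commit_sha, sast_raw, sca_raw, block_at="high"):
    """Ingest both scans, store them, and fail the build at or above block_at."""
    findings = parse_sast(sast_raw) + parse_sca(sca_raw)
    stored = record_findings(conn, build_id, commit_sha, findings)
    threshold = SEVERITY_RANK[block_at]
    blocking = [f for f in findings if SEVERITY_RANK[f.severity] >= threshold]
    return {"passed": not blocking, "stored": stored,
            "blocking": sorted((f.source, f.identifier) for f in blocking)}


def demo():
    """Run the gate over the constructed scans against an in-memory database."""
    conn = sqlite3.connect(":memory:")
    init_db(conn)
    # Build id and commit sha are constructed placeholders.
    return run_gate(conn, "build-1042", "0" * 40, SAST_RESULTS, SCA_RESULTS), conn


if __name__ == "__main__":
    result, _ = demo()
    print("build passed" if result["passed"] else f"build blocked by {result['blocking']}")
```

In a real pipeline the two JSON inputs would be the files your SAST and SCA tools write, the SQLite file would be replaced by whatever store backs your CI dashboard, and the gate's return value would decide the exit code of the job. Keeping the build id and commit on every row is what makes the later question "what did this release ship with?" answerable without re-running the scans.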

If you are not already following these practices, it can be expensive to start. But they will keep your organization out of the headlines. This is worth every penny.

Source: BairesDev
