Ensuring application security in a Continuous Delivery world
Security is a funny thing: It’s something on which you spend a lot of time and effort in the hopes that no one will ever think twice about it. In fact, it’s one of the most important elements of your application because no matter how great a product you have, no one will use it if it’s not secure.
So what exactly does it take to ensure application security in a Continuous Delivery world? Here’s a look at three key areas on which you need to focus, plus some of the top tools to make your efforts a success.
Operational security
What it is: Operational security is all about how you run your application, including how your DevOps team keeps track of data and locks down any access points. Ultimately, it’s not just about having certain security elements in place, but also making sure they work and get used correctly. Think of it like this: If you have a bank and you never lock the doors, it’s not going to be secure. The act of locking those doors is operational security.
How to handle it: The most common practices for operational security include introducing best practices for handling certain operational protocols, performing regular audits and tests and running periodic scans to make sure everything is configured appropriately and not vulnerable to any sort of attack.
Additionally, several compliance standards exist to govern operational security, such as SOC 2 for trust services, HIPAA for health information and PCI for processing credit card information. Ensuring compliance with these standards is an important part of maintaining operational security.
Tools to use:
There are a variety of tools for scanning Kubernetes configurations to make sure everything is set up properly and to help easily identify any vulnerabilities that might exist. These tools include:
- Kubeaudit: Audits Kubernetes clusters against common security controls
- Kube-bench: Confirms whether Kubernetes is deployed according to security best practices
- Kubesec: Offers a security risk analysis for Kubernetes resources
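As an added illustration (not part of the original article, and not code from Kubeaudit, Kube-bench or Kubesec), the Python below shows the kind of configuration check such scanners automate: it walks a workload manifest and reports risky security settings per container. The manifest, image names and finding messages are constructed for the example.

```python
import json

# Constructed sample manifest (kubectl accepts JSON as well as YAML).
MANIFEST = json.loads("""
{"kind": "Deployment", "metadata": {"name": "web"},
 "spec": {"template": {"spec": {
   "hostNetwork": true,
   "containers": [
     {"name": "app", "image": "example/app:1.4.2",
      "securityContext": {"runAsNonRoot": true, "allowPrivilegeEscalation": false,
                          "readOnlyRootFilesystem": true,
                          "capabilities": {"drop": ["ALL"]}}},
     {"name": "sidecar", "image": "example/sidecar:latest",
      "securityContext": {"privileged": true}}]}}}}
""")

def pod_spec(manifest):
    """Return the pod spec of a Pod, or of a workload that embeds a pod template."""
    spec = manifest.get("spec", {})
    if manifest.get("kind") == "Pod":
        return spec
    return spec.get("template", {}).get("spec", {})

def audit(manifest):
    """Return sorted (container, finding) pairs; "<pod>" marks pod-level findings."""
    spec, findings = pod_spec(manifest), []
    for field in ("hostNetwork", "hostPID", "hostIPC"):
        if spec.get(field):
            findings.append(("<pod>", f"{field} enabled"))
    pod_sc = spec.get("securityContext", {})
    for c in spec.get("initContainers", []) + spec.get("containers", []):
        sc = c.get("securityContext", {})
        checks = {
            "privileged container": sc.get("privileged", False),
            # Unset means escalation is allowed, so only an explicit false passes.
            "privilege escalation allowed": sc.get("allowPrivilegeEscalation", True),
            # The container-level setting overrides the pod-level one.
            "may run as root": not sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot", False)),
            "writable root filesystem": not sc.get("readOnlyRootFilesystem", False),
            "capabilities not dropped": "ALL" not in sc.get("capabilities", {}).get("drop", []),
            "image uses :latest tag": c.get("image", "").endswith(":latest"),
        }
        findings += [(c["name"], msg) for msg, failed in checks.items() if failed]
    return sorted(findings)

if __name__ == "__main__":
    for container, finding in audit(MANIFEST):
        print(f"{container}: {finding}")
```

Run in a delivery pipeline, a check like this can fail the build when the findings list is not empty, which is how a configuration audit becomes a gate rather than a periodic report.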
Application security
What it is: Application security comes down to how you write your application. Specifically, it involves making sure that developers write code in a secure way that avoids introducing bugs or creating points of vulnerability. Going back to the bank example, a question of application security would be if your builders even put in locks to begin with.
How to handle it: The central question around application security is whether or not developers write code in a secure manner, including how they introduce areas of defense against known vulnerabilities. For example, if you know that cross-site scripting (XSS) is a common security problem, how can you write code that’s resilient to those attacks?
Overall, how to handle application security is difficult to nail down with any specificity because there are so many differences across organizations based on factors like the style of application and the specific development language and framework used to build that application.
Tools to use:
One of the best places to start for introducing application security is the Open Web Application Security Project (OWASP), which is an online community that produces articles, methodologies, documentation and tools to help with a variety of application security needs.
GitHub also offers a code scanning tool to help identify security issues as developers write new code.
Brakeman is one of many language-specific scanning tools. While Brakeman is specifically built for Ruby, there are others such as Node’s npm audit or Python’s Bandit that work with a variety of different languages and frameworks.
Dependency security
The last area of security centers around solutions on which your application depends in order to run. We can break this down further into direct application dependencies and operating environment dependencies.
Direct application dependencies
What it is: No one writes software in isolation or from scratch. Rather, it’s very common to have dependencies on other software to outsource some work within the application framework, such as a tool for setting up a web server to receive requests. This area of dependency security deals with code that your team didn’t write and doesn’t operate directly, but that’s critical to getting your application online.
How to handle it: Every development language has some type of package manager that manages the different versions of any applications on which your own software depends. Dependency scanners should regularly check the dependent applications for any known security vulnerabilities and alert you if any updates are available (these can be general updates or specific security patches).
Tools to use:
GitHub Dependabot is a top scanning tool that can identify known issues with dependent applications, or even whether or not the version you have installed is out of date, and then guide you through updates to the latest, most secure version of that application.
Snyk offers dependency scanning as a service with a tool that not only scans for vulnerabilities in dependent applications, but also offers a severity estimate for the issue based on how you use each application. For instance, if it finds a vulnerability in a dependent application but you only run that application on developer laptops and it never touches what’s in production, Snyk might rate that vulnerability as low on the severity scale. However, if it finds a security issue in an application that sits in the core of your product and lives in front of customers, it will likely rate that issue as high severity. Beyond these severity ratings, Snyk also offers a breakdown of the impact and suggestions for fixing the issue.
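To make the mechanism concrete, here is an added example (not from the original article, and not Dependabot's or Snyk's actual logic) that matches pinned dependency versions against advisory version ranges and lowers the priority of findings in development-only dependencies. The package names, advisory IDs, version ranges and the one-level downgrade rule are all constructed assumptions.

```python
import re

# Constructed inputs: package names, versions and advisory IDs are placeholders.
REQUIREMENTS = {
    "prod": "webfw==2.0.1\ntemplater==3.1.0  # pinned\nhttpclient==1.26.4\n",
    "dev": "testkit==7.0.0\nlinttool==0.9.2\n",
}
ADVISORIES = [  # a version is affected when introduced <= version < fixed
    {"id": "EXAMPLE-0001", "package": "webfw", "introduced": "1.0.0", "fixed": "2.0.3", "severity": "high"},
    {"id": "EXAMPLE-0002", "package": "httpclient", "introduced": "1.0.0", "fixed": "1.26.0", "severity": "high"},
    {"id": "EXAMPLE-0003", "package": "testkit", "introduced": "6.2.0", "fixed": "7.1.0", "severity": "high"},
]
LEVELS = ["low", "medium", "high"]

def version_key(version):
    """Turn '1.26.4' into (1, 26, 4) so that 1.10.0 sorts after 1.9.0."""
    return tuple(int(part) for part in version.split("."))

def parse_pins(text):
    """Yield (name, version) for each 'name==version' line; skip everything else."""
    for line in text.splitlines():
        match = re.match(r"\s*([A-Za-z0-9_.-]+)==([0-9]+(?:\.[0-9]+)*)", line)
        if match:
            yield match.group(1).lower(), match.group(2)

def scan(requirements, advisories):
    """Return findings for affected pins, most urgent first."""
    findings = []
    for scope, text in requirements.items():
        for name, version in parse_pins(text):
            for adv in advisories:
                if adv["package"] != name:
                    continue
                if not version_key(adv["introduced"]) <= version_key(version) < version_key(adv["fixed"]):
                    continue
                level = LEVELS.index(adv["severity"])
                if scope == "dev":  # assumption: dev-only tools never reach production
                    level = max(level - 1, 0)
                findings.append({"id": adv["id"], "package": name, "installed": version,
                                 "upgrade_to": adv["fixed"], "scope": scope,
                                 "priority": LEVELS[level]})
    return sorted(findings, key=lambda f: (-LEVELS.index(f["priority"]), f["package"]))

if __name__ == "__main__":
    for f in scan(REQUIREMENTS, ADVISORIES):
        print(f"{f['priority']:6} {f['package']} {f['installed']} -> {f['upgrade_to']} ({f['id']}, {f['scope']})")
```

Note that `httpclient` is not reported: its pinned version is already past the fixed release, which is why comparing versions numerically rather than as strings matters.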
Operating environment dependencies
What it is: Every application also has dependencies beyond the code of the application itself, for example a dependency on the operating system on which the application runs. At the very least, every application is dependent on the development language used to build it. Beyond that, most applications also have a dependency on the container base image that serves as the foundation for the application.
How to handle it: Unfortunately, operating environment dependencies are usually an afterthought. Most organizations running their applications in a container choose a major provider like Ubuntu, but don’t regularly check for updates to the specific container image in use. However, that image underpins the entire application, so if it’s out of date or insecure, it can cause enormous issues. Overall, this area of security is a huge blind spot that has caused widespread security issues in the past.
As with the other types of security outlined here, the best way to handle operating environment dependencies and avoid that type of issue is to regularly monitor for (and then implement) updates to those dependent environments.
Tools to use:
Snyk also offers container scanning as part of its dependency scanning as a service, looking at all parts of the container image on which your application runs. It will return any issues as part of the severity report described above and outline steps you can take to resolve those issues.
Spaceship offers the next iteration of security in this area, not just scanning operating dependencies for any issues, but also automatically updating them as new updates come through. Importantly, all of this is completely automated, meaning the scanning and updates occur in the background without any user intervention, which is a huge game changer in an area that has traditionally proven to be a major blind spot for organizations of all kinds. Spaceship’s auto-updates provide a zero-hassle solution to this common vulnerability and ensure that your application always runs on the most secure operating system available. (Note: Currently this is the default configuration in Spaceship, but we are also building the option to approve updates for organizations that have more restricted development environments.)
How secure is your application?
Security can make or break your organization, and while you never want your customers to have to think twice about it, it’s something your own team should obsess over. From operational security to application security to dependency security, there’s a lot to consider. Is your team prepared to manage every layer?
Contact us today to learn how Spaceship can help ease the burden for your team and provide peace of mind through always-up-to-date security measures.