Top 3 Ways to Manage Security Vulnerabilities for Efficient DevSecOps

DevSecOps, Vulnerability Correlation, Tooling, Vulnerability Management
Puru Naidu | August 03, 2020
find early, fix early

Since moving away from the waterfall method, engineering teams now have a mandate to treat security as an intrinsic part of the software itself. A vulnerable application is an incomplete application, which makes security as important as functionality, performance and other parameters.

When you give your developers the right tools and strategies, you are making your DevOps pipeline both more secure and more efficient.

Here are 3 major ways to empower engineering teams with better methods to manage and address security vulnerabilities.

Leverage Continuous Integration (CI)

As the product release date gets closer, the amount of time, money and effort spent remediating vulnerabilities steadily climbs. It gets even worse once the software is in production. According to Barry Boehm's Software Defect Reduction Top 10 List, finding and fixing a bug after delivery is 100 times more expensive than during the design phase.

To minimise this impact, one solution is to shift some aspects of security testing to the left (upstream, towards development). Engineering teams with the right skills and tools will be able to include certain security checks as part of their business-as-usual jobs.

One of the most practical and scalable ways to do this is through your continuous integration service, such as Jenkins or TravisCI. For example, most engineering teams use static application security testing (SAST) platforms to check code for security defects. Running SAST as a scheduled CI job is very valuable for unearthing potential vulnerabilities while the code is still in development. The same approach extends to dynamic application security testing (DAST) platforms that test the running application.

Tests like these can be run using specific scan policies that focus on critical or segmented parts of the application. For example, lightweight scan policies (smoke/sanity) can be configured to run on nightly builds, while more aggressive scan policies can be scheduled for weekly builds.

Use Security 'Exploits as Code'

According to the WhiteHat Application Security Statistics Report, it takes an average of 174 days to fix DAST vulnerabilities, and 113 days to fix SAST vulnerabilities. During security remediation, a significant amount of a developer’s time is spent on recreating security exploits. 

Critical exploits found via manual pen-testing are usually forwarded to the engineering team as PDF reports for remediation, with limited information that covers the "whats" rather than the "hows". When such exploits are written as "exploit automation scripts" (using frameworks like Selenium), engineering teams can recreate the scenario and gain a better understanding of the mechanics of the vulnerability.

These scripts can also be used to validate fixes, creating a regression suite of sorts for security test cases. You can even run them against every build to validate remediations and stop previously fixed vulnerabilities from resurfacing. This not only makes fixing critical bugs much more efficient but also minimises the back-and-forth between teams.

Automate Vulnerability Logging

Automating the vulnerability logging process is critical to sending the right information at the right time. The time it takes for a critical vulnerability to reach the developer through automation—as opposed to manual means—makes an enormous difference, especially in agile environments. By automatically routing security bugs into the defect-tracking system, you can drastically reduce unnecessary back-and-forth between teams.

This process also helps give security bugs the same visibility and seriousness as functional bugs. In addition, integrating tickets into bug-tracking platforms gives the product management team higher visibility of the security landscape.

When you implement this, engineers have the information they need to fix bugs effectively, without the noise that usually comes with it. Necessary information includes details such as where and how the bug was found, but should exclude the redundant metadata that DAST/SAST platforms usually emit.

By eliminating the need for engineers to dig through data to find the right information, you save both time and effort and increase efficiency.
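As an added example (not code from the original post or from Orchestron), the script below shows the filtering described above: it takes a constructed, SARIF-style SAST report, keeps only where and how each bug was found, drops scanner metadata, and fingerprints each finding so a rerun of the scan does not file duplicate tickets. The input shape and the ticket fields are assumptions, not any scanner's or tracker's real format.

```python
# Added example (not code from the post or from Orchestron): turn raw SAST
# findings into lean tickets and skip ones already filed. The input shape is
# a constructed, SARIF-style record; the ticket fields are assumptions.
import hashlib

# Constructed sample of one scan run, including metadata a ticket should not carry.
SAMPLE_REPORT = {"tool": "example-sast", "results": [
    {"ruleId": "sql-injection", "level": "error",
     "message": {"text": "Unsanitised input reaches a SQL query"},
     "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/db.py"},
                                         "region": {"startLine": 42}}}],
     "properties": {"scanId": "9f1a", "engineVersion": "7.3.1", "durationMs": 812}},
    {"ruleId": "debug-enabled", "level": "note",
     "message": {"text": "Debug mode left on"},
     "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/settings.py"},
                                         "region": {"startLine": 7}}}],
     "properties": {"scanId": "9f1a", "engineVersion": "7.3.1"}},
]}
SEVERITY = {"error": "critical", "warning": "high", "note": "low"}
RANK = ["low", "high", "critical"]


def _where(result):
    loc = result["locations"][0]["physicalLocation"]
    return loc["artifactLocation"]["uri"], loc["region"]["startLine"]

def fingerprint(tool, result):
    """Stable id: same rule at the same place is the same ticket. Scan id,
    engine version and timing are ignored so a rerun does not file duplicates."""
    path, line = _where(result)
    key = f"{tool}|{result['ruleId']}|{path}|{line}"
    return hashlib.sha256(key.encode()).hexdigest()[:16]

def to_ticket(tool, result):
    """Keep only what an engineer needs: where, what, how severe, which tool."""
    path, line = _where(result)
    return {"id": fingerprint(tool, result),
            "severity": SEVERITY[result["level"]],
            "where": f"{path}:{line}",
            "how": result["message"]["text"],
            "source": tool}

def new_tickets(report, already_filed, min_severity="high"):
    """Tickets to open: at or above the severity floor and not yet filed."""
    tickets = (to_ticket(report["tool"], r) for r in report["results"])
    return [t for t in tickets
            if RANK.index(t["severity"]) >= RANK.index(min_severity)
            and t["id"] not in already_filed]
```

In a pipeline, `already_filed` would be loaded from the tracker's existing ticket ids so each CI run only opens tickets for genuinely new findings.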

If you want to know how Orchestron can help you manage your vulnerabilities, see how one of our clients fixed a major development problem and reduced their vulnerabilities by 97%.