DevSecOps Buyer's Guide 2022


DevSecOps A GUIDE FOR BUYERS


SD Times, February 2022, www.sdtimes.com

What perimeter? Defending your connected devices in traditional ways ‘makes no sense’
By Jenna Sargent

For a long time, security teams have been able to mostly rely on the safety of a security perimeter, but with things like IoT, embedded development, and now remote and hybrid work, this notion of a defensible perimeter is totally gone. Having all of these connected devices that don’t live under one network expands the attack surface that security teams need to worry about. This is especially true when you’re talking about remote or hybrid work, explained Ev Kontsevoy, CEO of Teleport, a company that provides tooling that enables users to remotely access computing resources.

Kontsevoy explained that the perimeters, in terms of internet and application security, are breaking apart completely, in two major ways. One is the type of perimeter that exists around your data center, where your equipment like servers or computers actually lives, and the second type of perimeter is the office itself, which is where all the employees who work there sit and need access to data and applications. This is where technology like firewalls comes in, Kontsevoy explained.

“That’s the traditional approach that now makes no sense whatsoever,” said Kontsevoy. “And the reason why it doesn’t make sense is because computers themselves are not in the same data center anymore. So we’re now doing computing globally.”

Kontsevoy used the example of Tesla. What is Tesla’s perimeter? Tesla deploys code to each of its charging stations, data centers, and cars. “Tesla deploys into planet Earth … Most organizations, they’re moving into the same direction. So computing itself is now becoming more and more global. So the notion of a perimeter makes no sense in a data center,” said Kontsevoy.

Conversely, no one is sitting in an office anymore. “Now, we have engineers, contractors, auditors, and interns, all sitting in different parts of the world, using computers that might not necessarily be company computers,” said Kontsevoy. “They can borrow an iPad from their partner to do a production deployment, for example. For that reason, traditional security and access solutions are just no longer applicable.”

According to Jeff Williams, chief technology officer at application security company Contrast Security, this idea of a perimeter had been dismantled long before COVID. In fact, he says people had a misguided sense of security in a perimeter that didn’t actually exist. “Once any one computer inside the perimeter gets compromised then there’s what’s called the soft, chewy center where there’s nothing inside to prevent an attacker from moving around and doing whatever they want,” said Williams. “So the best strategy for a long time — since way before COVID — has been to really sort of consider your internal infrastructure as the same as your external infrastructure and lock it down.”

According to Williams, development machines are traditionally not very locked down and developers generally have the privileges to download any tools they need. “They’re running, honestly, thousands of pieces of software that come from anywhere on their machines, all the libraries that they use run locally, all the tools that they use run locally, typically with privilege, and any of that code could potentially compromise the security of that company’s applications. So it’s something that DevSecOps programs really need to focus on,” said Williams.

Williams also believes the current speed at which DevOps teams want to move isn’t really compatible with the old way of doing security. For example, scanning tools, which have been around for over a decade, aren’t very accurate, don’t run very quickly, and don’t really work well with modern applications because they don’t work on things like APIs or serverless. In order to move fast, companies will need to abandon these older tools and move on to the new ones, if they haven’t already. Interactive Application Security Testing (IAST) and Runtime Application Self-Protection (RASP) are two newer technologies that work fast and are part of developers’ normal pipelines. “As the developers write their code, they can get instant accurate feedback on what they’re writing,” said Williams. “And that allows them to make those fixes very quickly and inexpensively, so that the software that comes at the end of the pipeline is secure, even if they’re moving at very high speed.”

Lack of automation and integration becomes even more problematic

The act of actually working remotely doesn’t seem to make it harder for DevSecOps teams to work together. According to software supply chain security company Sonatype’s CTO Brian Fox, companies certainly need to get tools that will make collaboration easier in a distributed setting, but he believes the core of DevSecOps remains the same. However, when a company goes remote, one of the first things that happens is that the touch points that could cover up a lack of automation no longer exist, Sandy Carielli, principal analyst at Forrester, explained. “You don’t have those situations where you can walk to the next cube over and get a sign off from someone on the security or legal team … So as you started to have more people forced to go remote, the importance of having better integration of security tools into the CI/CD pipeline had better automation and better handoffs so that everything was integrated, and you could have sign offs in tool stage gates, all of that becomes a lot more important,” she said. According to Carielli, implementing tools that enable automation and integration between different security tools is a high priority.

Asynchronous DevSecOps

A new thing that has sprung up for remote teams is the notion of asynchronous communication, where individuals are not necessarily communicating in real time with their coworkers. They might send someone a message and then have to wait a little bit for a response. DevSecOps is also becoming a bit asynchronous, according to Guy Eisenkot, VP of product and co-founder of Bridgecrew by Prisma Cloud, which provides security automation. “I think three years ago, we may have not even had the tooling, but now we can just ping each other on Slack,” said Eisenkot. “You know, ask the developer, ‘Hey, did you intentionally commit this password? Or this access key into your code repository? Was that intentional?’ And the response can come in in a conversational manner and come in at any hour of the day. So I think the position for security has changed pretty drastically with how well connected we are and how we’re much better at async communication.” Now there’s a much stronger emphasis on when you should be available and when you’re expected to be responsive.

Remote-first mindset tooling helps developers think about security

The tooling that companies have had to invest in to stay successful when remote has also had benefits for security, according to Eisenkot. Employers and managers have been much more deliberate about the type of tooling they put on developers’ machines, allowing for more control of the linting and security tooling they have locally, Eisenkot explained. “Not only are we kind of protecting them with remote endpoint detection, but we can also now force them to use or enforce the usage of security tooling directly on the employees’ endpoint, which is something that I think was expedited by the fact that we’re no longer in the office and everybody had to now apply to the same type of corporate policy on their work computers,” said Eisenkot.

Embedding security into development tooling is now easier than ever

In addition to the fact that remote tooling is making it easier to enforce security, there’s also something to be said about the fact that it’s getting easier and easier to embed controls into the development pipeline. As an example, Eisenkot explained that both source control management and shipping pipelines are more accessible than they used to be and are controlled remotely using publicly accessible APIs. He believes development organizations should now find it much easier to incorporate things like secret scanning, open source package scanning, image scanning, and code scanning directly into the developer’s initial commit review process. “Some of these in the past were just not accessible. So the fact that this tooling was much cheaper, most of it is actually open source, but much more accessible through those public APIs. I think that’s where I would start by scanning either directly on developers’ individual workstations, that would be through extensions and IDEs, and then implement stronger and stricter controls on source control management,” said Eisenkot.

The fact that it’s easier than ever to place security controls on developers’ machines is extra important these days, since supply chain attacks are becoming more and more common. According to Sonatype’s Fox, attackers no longer want to get their malware into a shipped product; they want to get it into part of the development infrastructure. “And once you understand that, you can’t look at perimeter defense in terms of application security the same way anymore because it moves all the way left into development,” said Fox.
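The commit-time secret scanning Eisenkot describes, as an added example (not code from the article or from any vendor it names): the check walks only the lines a unified diff adds, flags credential-shaped values, reports obvious placeholder values at low confidence to limit the false positives Williams warns about, and honours an assumed inline `secret-scan:allow` marker so a developer can record that a test fixture was committed on purpose, which is exactly what a reviewer would otherwise have to ask. The sample diff, the marker and the generic assignment pattern are constructed for this example; only the AWS access key ID shape is a documented format.

```python
import re
from dataclasses import dataclass
from typing import List

# Detection rules. The AWS access key ID shape (AKIA followed by 16 upper-case
# alphanumerics) is a documented format; the assignment rule is an assumed,
# illustrative pattern for credential literals in source.
RULES = [
    ("aws-access-key-id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("credential-assignment", re.compile(
        r"(?i)(password|passwd|pwd|secret|api[_-]?key|token)\s*[:=]\s*"
        r"['\"]([^'\"]{6,})['\"]")),
]
# Values that are obviously stand-ins rather than live credentials; reported at
# low confidence so reviewers are not buried in false positives.
PLACEHOLDERS = {"changeme", "password", "example", "<redacted>", "xxxxxx", "todo"}
# Assumed inline marker a developer adds to record an intentional commit
# (for example a unit-test fixture). The reviewer still sees it, as "allowed".
ALLOW_MARKER = "secret-scan:allow"
HUNK_RE = re.compile(r"^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@")


@dataclass
class Finding:
    path: str
    line: int        # line number in the new version of the file
    rule: str
    confidence: str  # "high", "low" (placeholder value) or "allowed"
    excerpt: str     # redacted, so the report itself does not leak the secret


def _redact(value: str) -> str:
    return value[:4] + "*" * (len(value) - 4)


def _scan_line(path: str, line: int, content: str) -> List[Finding]:
    found = []
    for rule, pattern in RULES:
        m = pattern.search(content)
        if not m:
            continue
        value = m.group(m.lastindex) if m.lastindex else m.group(0)
        if ALLOW_MARKER in content:
            confidence = "allowed"
        elif value.strip().lower() in PLACEHOLDERS:
            confidence = "low"
        else:
            confidence = "high"
        found.append(Finding(path, line, rule, confidence, _redact(value)))
    return found


def scan_diff(diff_text: str) -> List[Finding]:
    """Scan only added lines: removed lines never enter the tree under review."""
    findings: List[Finding] = []
    path, new_line = "<unknown>", 0
    for raw in diff_text.splitlines():
        if raw.startswith("+++ "):
            target = raw[4:].strip()
            path = target[2:] if target.startswith("b/") else target
        elif raw.startswith("--- "):
            pass
        elif (m := HUNK_RE.match(raw)):
            new_line = int(m.group(1))      # first line number of the new side
        elif raw.startswith("+"):
            findings.extend(_scan_line(path, new_line, raw[1:]))
            new_line += 1
        elif raw.startswith(" ") or raw == "":
            new_line += 1                   # unchanged context line
        # "-" lines and "diff --git" headers are skipped without counting
    return findings


def needs_review(findings: List[Finding]) -> List[Finding]:
    """The findings a reviewer should ask the developer about."""
    return [f for f in findings if f.confidence == "high"]


# Constructed sample diff; the key ID is AWS's published example value.
SAMPLE_DIFF = """\
diff --git a/config/settings.py b/config/settings.py
--- a/config/settings.py
+++ b/config/settings.py
@@ -10,3 +10,6 @@
 DEBUG = False
-DB_PASSWORD = "old-value-not-in-new-tree"
+DB_PASSWORD = "s3cr3t-Pa55w0rd"
+AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
+ADMIN_PASSWORD = "changeme"
+TEST_TOKEN = "fixture-token-0001"  # secret-scan:allow (unit-test fixture)
 LOG_LEVEL = "info"
"""

if __name__ == "__main__":
    for f in scan_diff(SAMPLE_DIFF):
        print(f"{f.path}:{f.line} [{f.confidence}] {f.rule}: {f.excerpt}")
```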

Security as coaches to developers rather than ultimate authority

Another interesting thing that’s been happening in DevSecOps is that the role of security is changing. In the past security was more like a bottleneck, something that stood in the way of developers writing and pushing out code fast, but now they’re more like coaches that are empowering the developers to build code and do security themselves, said Contrast Security’s Williams. It used to be that the Sec part of DevSecOps was like the central authority, or the judge. If they determined code wasn’t secure, it got sent back to the development team to fix. “DevSecOps, when you do it right, is bringing development and security together so that they can have a common goal. They can work and they can sort of agree on what the definition of done is. And then they can work together on achieving that goal together,” said Williams.

When DevSecOps is done wrong, it’s more like trying to fit a square peg into a round hole, Williams said. Companies try to take their existing tools, like scanners that take a long time to run, and put them into their already existing DevOps pipelines, and it just doesn’t work. “Usually, it doesn’t produce very good results. It’s trying to take your existing scanners that take a long time to run and don’t have very good results, and just kind of wedge them in or maybe automate them a little bit. But it’s not really DevSecOps; it’s really just trying to shove traditional security into a deficit DevOps pipeline,” said Williams.

Executive Order on improving Cybersecurity in the U.S.

Last spring, President Biden signed an executive order related to improving cybersecurity. As part of this order, the government will solicit input from the private sector, academia, and others to “develop new standards, tools, best practices, and other guidelines to enhance software supply chain security,” according to the National Institute of Standards and Technology (NIST). These guidelines will include criteria for evaluating software security, criteria for evaluating security practices of developers and software suppliers, and tools and methods for demonstrating that products are following secure practices. “They’ve demanded that organizations be more transparent,” said Contrast Security’s Williams. “They put out minimum testing guidelines, and NIST is implementing these standards. They’re even investigating the idea of having software labels, so that when you go to your bank, or you buy software from somewhere, you’ll see a label that says, hey, here’s the details about security that you need to know. Kind of like everything else in this world has labels, like Energy Star and your car and your drugs and your Cheerios box has a label and your movies and your records. Everything has labels because they work. They fix economic problems in the market. And that’s going to happen to software over the next few years, which I think is exciting. It’ll make it much better for consumers to know that the software they’re using is trustworthy.”

According to Williams, there are three key processes that companies need to have in place in order to have a successful DevSecOps organization. First, they need a process around code hygiene to make sure that the code the developers are writing is actually secure. Second, they need a process around the software supply chain in order to make sure that the libraries and frameworks that are being used are secure. Third, they need a process to detect and respond to attacks in production. “If development and security can come together on those three processes and say ‘hey, let’s figure out how we can work together on those things. Let’s get some tools that are a little more compatible with the way that we build software,’ that will help get them moving quickly in development,” said Williams. “And then in the production environment get some monitoring, that’s a little more up to date than just something like a WAF, which is a kind of firewall that you have to keep tailoring and tuning all the time.”

Traditional challenges to DevSecOps remain

According to Sonatype’s Fox, the main challenge companies are facing when it comes to DevSecOps is understanding the components in their software. Log4j is a great example of this, since if you look at the download statistics from Maven Central, around 40% of the downloads are still of the vulnerable version. “And that can’t be explained,” said Fox. “A lot of times, you can explain why people are not upgrading or doing things because well, the vulnerability doesn’t apply to them. Maybe they have mitigation controls in place, maybe they didn’t know about it otherwise, and so they didn’t know they needed to upgrade. For the most part, none of those things apply to the Log4j situation. And yet, we still see companies continuing to consume the vulnerable versions. The only explanation for that is they don’t even know they’re using it.” This proves that many companies are still struggling with the basics of understanding what components are in their software. According to Fox, automation is important in providing this understanding. “You need a set of tools, a platform that can help you precisely understand what’s inside your software and can pro-
continued on page 10 >


How does your solution help organizations to do DevSecOps?

Guy Eisenkot, VP of product and co-founder of Bridgecrew by Prisma Cloud
As hybrid work environments and cloud infrastructure environments become the norm, organizations’ attack surfaces are only getting larger and more complex. With less cohesive visibility into the multitude of tools and frameworks used across software supply chains, it’s hard for organizations to keep up with security risks and best practices. To mitigate those risks brought about by cloud complexity and remote work, many organizations are embracing DevSecOps. For engineering, Bridgecrew makes it easier to prevent infrastructure misconfigurations and vulnerabilities from progressing into build pipelines and production environments by surfacing feedback in developer tools. Via command lines and integrated development environments (IDE), Bridgecrew provides fixes as code so developers can adhere to secure coding practices. For DevOps, Bridgecrew enables speed and agility by automating security guardrails throughout the development lifecycle. Bridgecrew also comes equipped with the tools DevOps need to keep their software supply chain secure — from the individual components to the version control systems (VCS) and continuous integration (CI) pipelines that deliver them. Lastly, for security and compliance, Bridgecrew provides unified visibility into the security posture of all cloud resources and real-time notifications and ticketing to enable cross-functional collaboration.

Jeff Williams, chief technology officer at Contrast Security
Contrast is a platform of products that tries to enable teams to do their own security. So in a remote kind of environment, it’s really important to empower the developers to have the ability to test their software locally, as part of every time they change the code, they’ll get instant results. And our philosophy is sort of, they shouldn’t have to change anything about the way that they build, or test or deploy their code, they should just do their normal process. And the security tooling should be the thing that does the work, and then alerts them if there’s ever a problem. But we don’t want the developers to have to take extra steps. Because what ends up happening is they get frustrated with those extra steps. If there’s false positives, they have to go do extra work for no reason to investigate those things. So we want to just empower them to just deal with the things that actually matter, make those changes themselves and check in clean code. And we want to do that really early in the development process. So that’s the role that Contrast plays — we’re just in the background doing our job. And if anything goes outside the guardrails a little bit, we help steer the developers back on track. Now, the security team can participate. They serve as managing the policy, they watch the metrics, they can go help projects that aren’t doing very well. But by monitoring all of their applications continuously, it gives you a very different viewpoint than if you’re just running tools, running scanners, kind of serially, one by one through your entire application portfolio.

Ev Kontsevoy, CEO of Teleport
Hybrid is the new normal. Hybrid work arrangements have put pressure on the corporate network, and employees at different levels of seniority need to be able to connect to corporate infrastructure from anywhere. Additionally, that infrastructure is increasingly complex. A typical customer environment is itself hybrid with Linux and Windows servers, Kubernetes clusters, databases, and internal applications like CI/CD systems and version control systems like GitLab. In this environment, protecting modern applications requires the consolidation of all aspects of infrastructure access into a platform built for a hybrid world. That platform is the Teleport Access Plane, the easiest, most secure way to access all an organization’s infrastructure. The open-source Teleport Access Plane consolidates the four essential infrastructure access capabilities every security-conscious organization needs: connectivity, authentication, authorization, and audit. By consolidating all aspects of infrastructure access into a single platform, Teleport reduces attack surface area, cuts operational overhead, easily enforces compliance, and improves productivity. The Teleport Access Plane replaces VPNs, shared credentials, and legacy privileged access management technologies, improving security and engineering productivity. With Teleport, organizations can easily shift to remote work and increase their use of hybrid cloud environments without impacting security or productivity. Teleport enables teams to securely connect to your global infrastructure regardless of network boundaries and provides identity-based access for humans, machines, and services, including fine-grained access controls.



A guide to DevSecOps tools

FEATURED PROVIDERS

• Bridgecrew by Prisma Cloud automates security from code to cloud. By embedding earlier in the DevOps lifecycle, Bridgecrew enables developers to write secure code without slowing them down. In addition to its DevSecOps tools and integrations, Bridgecrew’s platform gives security teams instant visibility into their security posture across their entire software supply chain. Join Brex, Databricks, and Robinhood in bridging the gap between security and engineering by trying Bridgecrew's all-in-one DevSecOps platform for free.

• Contrast Security secures the code that global business relies on. It is the industry's most modern and comprehensive Code Security Platform, removing security roadblock inefficiencies and empowering enterprise developers to write and release secure application code faster. The Contrast platform automatically detects vulnerabilities while developers write code, eliminates false positives, and provides how-to-fix guidance for easy and fast vulnerability remediation. Security and development teams can then collaborate and innovate faster while accelerating digital transformation initiatives.

• Sonatype: Sonatype’s software supply chain platform allows engineering teams to manage software quality and governance using a single control plane. It solves the problem of how to balance speed, quality, intelligence, and security at scale, equipping engineering teams with the tools they need to continually code smarter, fix faster, and be secure. By using Sonatype, developers can discover and fix security vulnerabilities and code quality issues at the most convenient time during software creation.

• Teleport is the easiest, most secure way to access all your infrastructure. The open-source Teleport Access Plane consolidates connectivity, authentication, authorization, and audit into a single platform. By consolidating all aspects of infrastructure access, Teleport reduces attack surface area, cuts operational overhead, easily enforces compliance and improves engineering productivity. Get started at goteleport.com.

• Aqua Security secures the entire software development lifecycle, including image scanning for known vulnerabilities during the build process, image assurance to enforce policies for production code as it is deployed, and run-time controls for visibility into application activity, allowing organizations to mitigate threats and block attacks in real time.

• Checkmarx provides application security at the speed of DevOps, enabling organizations to deliver secure software faster. It easily integrates with developers’ existing work environments, allowing them to stay in their comfort zone while still addressing secure coding practices.

• Chef Automate is a continuous delivery platform that allows developers, operations, and security engineers to collaborate effortlessly on delivering application and infrastructure changes at the speed of business. Chef Automate provides actionable insights into the state of your compliance and configurations, with an auditable history of every change that’s been applied to your environments.

• CloudPassage has been a leading innovator in cloud security automation and compliance monitoring for high-performance application development and deployment environments. Its on-demand security solution, Halo, is a workload security automation platform that provides visibility and protection in any combination of data centers, private/public clouds, and containers.

• CodeAI is a smart automated secure coding application for DevOps that fixes security vulnerabilities in computer source code to prevent hacking. Its unique user-centric interface provides developers with a list of solutions to review instead of a list of problems to resolve. Teams that use CodeAI will experience a 30-50% increase in overall development velocity.

• CyberArk Conjur is a secrets management solution that secures and manages secrets used by machine identities (including applications, microservices, CI/CD tools and APIs) and users throughout the DevOps pipeline to mitigate risk without impacting velocity. Conjur is the only platform-independent secrets management solution specifically architected for containerized environments.

• IBM provides a set of industry-leading solutions that work with your existing environment. Change is delivered from dev to production with the IBM UrbanCode continuous delivery suite. Changes are tested with Rational Test Workbench, and security tested with IBM AppScan or Application Security on Cloud. IBM helps you build your production safety net with application management, Netcool Operations Insight and IBM QRadar for security intelligence and events.

• Imperva WAF protects against the most critical web application security risks: SQL injection, cross-site scripting, illegal resource access, remote file inclusion, and other OWASP Top 10 and Automated Top 20 threats. Imperva security researchers continually monitor the threat landscape and update Imperva WAF with the latest threat data.

• JFrog Xray is a continuous security and universal artifact analysis tool, providing multilayer analysis of containers and software artifacts for vulnerabilities, license compliance, and quality assurance. Deep recursive scanning provides insight into your components graph and shows the impact that any issue has on all your software artifacts.

• Liquibase is a database company that allows organizations to deliver error-free application experiences faster. The company’s solutions make database code deployment as simple as application release automation, while still eliminating risks that cause application downtime and data security vulnerabilities.

• NoSprawl is security for DevOps. As DevOps matures and finds broader adoption in enterprises, the scope of DevOps
continued on page 10 >


< continued from page 5

vide policy controls over that, because what is good in one piece of software might be terrible in another piece of software,” said Fox. “If you think about license implications, something that’s distributed can trigger copyright clauses and certain types of licenses. Similar things happen with security vulnerabilities. Something run in a bunker doesn’t have the same connectivity as a consumer app, so policy controls to then have an opinion about whether the components that have been discovered are okay in their given context is important. Being able to provide visibility and feedback to the developer so they can make the right choices up front is even more important.”

According to Bridgecrew by Prisma Cloud’s Eisenkot, if you look back on the big supply chain-related security incidents over the last six to eight months, it’s apparent that companies have not properly configured the correct code ownership or code review process in their source control management. He explained that those two things would make any source code much more secure, even in small development organizations.
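Fox's two points, knowing precisely which components are in the software (the Log4j example earlier) and applying a policy that depends on the component's context, as an added example that is not Sonatype's or any other vendor's code: it reads a constructed CycloneDX-style SBOM and evaluates an assumed policy in which a remotely exploitable advisory blocks an internet-facing service but only warns for an air-gapped "bunker" workload, and a copyleft license blocks only software that is distributed. The advisory identifier, the fixed version and the sample component versions are placeholders; the finding carries the up-front advice the developer should see.

```python
import json
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed CycloneDX-style SBOM fragment (not a real scan result).
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "components": [
        {"group": "org.apache.logging.log4j", "name": "log4j-core", "version": "1.2.3",
         "licenses": [{"license": {"id": "Apache-2.0"}}]},
        {"group": "com.example", "name": "report-lib", "version": "4.0.0",
         "licenses": [{"license": {"id": "GPL-3.0-only"}}]},
        {"group": "com.example", "name": "json-util", "version": "2.1.0",
         "licenses": [{"license": {"id": "MIT"}}]},
    ],
})

# Constructed advisory data. The identifier and the fixed version are
# PLACEHOLDERS; a real platform takes them from its vulnerability feed.
ADVISORIES: Dict[str, dict] = {
    "org.apache.logging.log4j:log4j-core": {
        "id": "ADV-PLACEHOLDER-0001", "fixed_in": "1.2.4", "remote": True},
}
# Assumed policy input: licenses whose obligations are triggered by distribution.
COPYLEFT = {"GPL-2.0-only", "GPL-3.0-only", "AGPL-3.0-only"}


@dataclass
class Context:
    name: str
    distributed: bool      # shipped to third parties, so license clauses apply
    internet_facing: bool  # False for the "bunker" workload


@dataclass
class Finding:
    component: str
    version: str
    severity: str  # "block", "warn" or "info"
    reason: str
    advice: str    # the up-front feedback the developer gets


def parse_version(v: str) -> Tuple[int, ...]:
    # Numeric dotted versions only; other parts compare as 0 (assumption).
    return tuple(int(p) if p.isdigit() else 0 for p in v.split("."))


def load_components(sbom_json: str) -> List[Tuple[str, str, List[str]]]:
    """Return (coordinate, version, license ids) for every SBOM component."""
    out = []
    for c in json.loads(sbom_json).get("components", []):
        coord = f"{c['group']}:{c['name']}" if c.get("group") else c["name"]
        ids = [l["license"]["id"] for l in c.get("licenses", [])
               if "id" in l.get("license", {})]
        out.append((coord, c["version"], ids))
    return out


def evaluate(sbom_json: str, ctx: Context) -> List[Finding]:
    findings: List[Finding] = []
    for coord, version, licenses in load_components(sbom_json):
        adv = ADVISORIES.get(coord)
        if adv and parse_version(version) < parse_version(adv["fixed_in"]):
            # A remotely exploitable flaw blocks an internet-facing service; an
            # air-gapped deployment still hears about it, but only as a warning.
            sev = "block" if ctx.internet_facing and adv["remote"] else "warn"
            findings.append(Finding(
                coord, version, sev,
                f"{adv['id']} affects versions below {adv['fixed_in']}",
                f"upgrade to {adv['fixed_in']} or later"))
        for lic in licenses:
            if lic in COPYLEFT:
                # Distribution triggers the license clauses; internal use does not.
                sev = "block" if ctx.distributed else "info"
                findings.append(Finding(
                    coord, version, sev, f"copyleft license {lic}",
                    "confirm distribution obligations or pick a permissive alternative"))
    return findings


def gate_passes(findings: List[Finding]) -> bool:
    return not any(f.severity == "block" for f in findings)


CONSUMER_APP = Context("consumer-api", distributed=True, internet_facing=True)
BUNKER_TOOL = Context("air-gapped-internal-tool", distributed=False, internet_facing=False)

if __name__ == "__main__":
    for ctx in (CONSUMER_APP, BUNKER_TOOL):
        for f in evaluate(SAMPLE_SBOM, ctx):
            print(f"{ctx.name}: {f.component}@{f.version} [{f.severity}] {f.reason}; {f.advice}")
```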

Developer education is key

Eisenkot emphasized that developer education and outreach is still one of the most crucial points of DevSecOps at the end of the day. Yes, it’s important to implement controls and checkpoints in the tooling, but he also believes the tooling should be thought-provoking in a way that it will empower developers to go out and educate themselves on security best practices. “Eventually, lots of tooling can point to a vulnerable package or a potentially exploitable query parameter,” said Eisenkot. “But not every tool will be able to provide actionable advice, whether that’s a documentation page or an automatically generated piece of code that will save the developer the time needed to now learn the basic fundamentals of SQL injection as an example.”

A guide to DevSecOps tools < continued from page 9

must be expanded to include all the teams and stakeholders that contribute to application delivery, including security. NoSprawl integrates with software development platforms to check for security vulnerabilities throughout the entire software development lifecycle to deliver verified secure software before it gets into production.

• Parasoft: Harden your software with a comprehensive security testing solution, with support for important standards like CERT-C, CWE, and MISRA. To help you understand and prioritize risk, Parasoft’s static analysis violation metadata includes likelihood of exploit, difficulty to exploit/remediate, and inherent risk, so you can focus on what’s most important in your C and C++ code.

• Qualys is a leading provider of information security and compliance cloud solutions, with over 10,300 customers globally. It provides enterprises with greater agility, better business outcomes, and substantial cost savings for digital transformation efforts. The Qualys Cloud Platform and apps integrated with it help businesses simplify security operations and automate the auditing, compliance, and protection of IT systems and web applications.

• Redgate SQL Provision supports database DevSecOps, keeping compliance central to the process. It enables multiple clones of masked databases to be created in seconds, allowing them to be used safely within the development and test process. Each clone takes up just a few MB of storage and sensitive data can be pseudonymized or replaced with realistic data, ensuring protection and compliance.

• Perforce helps thousands of global enterprise customers tackle the hardest and most complex issues in building, connecting, and securing applications. Our Klocwork static code analysis tool helps DevSecOps professionals, from developers to test automation engineers to compliance leaders, create more secure code with on-the-fly security analysis at the desktop and integrated into large-scale continuous integration workflows.

• Signal Sciences secures the most important applications, APIs, and microservices of the world’s leading companies. Our next-gen WAF and RASP help you increase security and maintain site reliability without sacrificing velocity, all at the lowest total cost of ownership. Signal Sciences gets developers and operations involved by providing relevant data, helping them triage issues faster with less effort.

• Sumo Logic is the leading secure, cloud-native, multi-tenant machine data analytics platform that delivers real-time, continuous intelligence across the entire application lifecycle and stack. Sumo Logic simplifies DevSecOps implementation at the code level, enabling customers to build infrastructure to scale securely and quickly. This approach is required to maintain speed, agility and innovation while simultaneously meeting security regulations and staying alert for malicious cyber threats.

• Synopsys helps development teams build secure, high-quality software, minimizing risks while maximizing speed and productivity. Synopsys, a recognized leader in application security, provides static analysis, software composition analysis, and dynamic analysis solutions that enable teams to quickly find and fix vulnerabilities and defects in proprietary code, open source components, and application behavior.

• Veracode creates software that fuels modern transformation for companies across the globe. DevSecOps enables the build, test, security and rollout of software quickly and efficiently, providing software that’s more resistant to hacker attacks. Veracode offers a unified platform that enables organizations to implement DevSecOps and address security applications from inception through production.

• WhiteHat Security: The WhiteHat Application Security Platform is a cloud service that allows organizations to bridge the gap between security and development to deliver secure applications at the speed of business. Its software security solutions work across departments to provide fast turnaround times for Agile environments, near-zero false positives and precise remediation plans while reducing wasted time verifying vulnerabilities, threats and costs for faster deployment.

