In the ideal development cycle, software is updated frequently in order to quickly fulfil new requirements with monthly, weekly or sometimes even daily releases. Traditional cyber security concepts fall short here: new releases are delayed or not checked for vulnerabilities at all. In this article, you will learn how you can dovetail your CI/CD pipeline with modern cyber security solutions to continuously, efficiently and effectively arm your applications against cyber attacks.
Limits of traditional test concepts for CI/CD pipelines
The traditional shift-left test approach, in which security tests are carried out as early as possible in the software development process, follows a strictly linear sequence: design, build, test, run. The CI/CD pipeline has turned this timeline into a continuous cycle in which developers redesign, rebuild, test and deploy the code with every new code version. The pace is increasing rapidly: in a global GitLab survey, 57% of developers said they release their code twice as fast as they used to, and 19% even say that it is released 10 times as quickly.
But changes also harbour risks: the latest version of an application could contain new code with untested security vulnerabilities that cyber attackers can exploit to use the application as a springboard for a cyber attack. According to the Verizon Data Breach Investigations Report, it takes an average of 49 days for companies to close security gaps in their web applications.
Application security when using CI/CD pipelines therefore requires a new approach in which vulnerabilities are continuously detected and rectified. This is not a one-off action, but requires developers to continuously test and improve their applications in order to consistently avoid security vulnerabilities. We recommend a three-part approach:
- Training developers to recognise security vulnerabilities and write more secure code
- Threat modelling to narrow down the most likely risks
- Continuous testing of applications to identify and eliminate vulnerabilities
Train your developers for more application security
In order to make applications ‘secure by design’, it must be ensured that security is interwoven with every single function. This is because the behaviour of attackers has changed: According to the Data Breach Investigations Report, web applications were already the focus of 25% of all cyber attacks in 2022. 86% of these attacks were based on stolen login credentials, which attackers often use against web servers on which sensitive data is stored. In most cases, an attack on a web application is just one step in a larger chain of attacks.
For developers, fixing vulnerabilities in code that has already been released is a time-consuming process. When security vulnerabilities are discovered late in the software development cycle, rewriting basic components often means rewriting all the code based on them. There are three possible options for developers to avoid this situation:
- Implementation of a DevSecOps methodology
- Threat modelling with a cyber security consultant
- Learning to think like attackers to proactively write secure code
DevSecOps makes security a standard and necessary part of the software development process. Code reviews can be automated using a variety of open source scripts and tools to uncover vulnerabilities. Implementing a DevSecOps methodology encourages collaboration between developers and security teams so that developers can quickly identify and fix vulnerabilities in their code. This leads to more secure applications without delays in development.
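As an added example (not code from the article or from the service it describes), the following Python script shows what an automated gate inside such a pipeline stage can look like: it reads scanner findings, blocks the build on high or critical issues, and honours only explicit, time-boxed risk acceptances. The findings, the JSON layout and the acceptance table are constructed assumptions, not any particular scanner's format.

```python
"""Security gate for a CI/CD pipeline stage (added example, not from the
article). It reads scanner findings and decides whether the build may proceed.
The findings below are constructed sample data; the JSON layout is an
assumption, not any specific scanner's output format."""
import json
from datetime import date

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed sample output, as a scanning job might write it to a build artifact.
SAMPLE_FINDINGS = json.dumps([
    {"id": "F-1", "severity": "critical", "title": "SQL injection in /login",
     "file": "app/auth.py"},
    {"id": "F-2", "severity": "medium", "title": "Verbose error page",
     "file": "app/errors.py"},
    {"id": "F-3", "severity": "high", "title": "Outdated TLS library",
     "file": "requirements.txt"},
])

# Risk acceptances must be explicit, attributable and time-boxed (hypothetical format).
ACCEPTED_RISKS = {
    "F-3": {"owner": "platform-team", "expires": "2099-01-01"},
}


def gate(findings_json, accepted, min_block="high", today=None):
    """Return (ok, blocking): ok is True when nothing fails the gate,
    blocking lists the findings that do."""
    today = today or date.today()
    threshold = SEVERITY_RANK[min_block]
    blocking = []
    for f in json.loads(findings_json):
        if SEVERITY_RANK.get(f["severity"], 0) < threshold:
            continue  # below the blocking threshold: report only, do not fail
        acc = accepted.get(f["id"])
        if acc and date.fromisoformat(acc["expires"]) > today:
            continue  # accepted risk that has not yet expired
        blocking.append(f)
    return (len(blocking) == 0, blocking)


if __name__ == "__main__":
    ok, blocking = gate(SAMPLE_FINDINGS, ACCEPTED_RISKS)
    for f in blocking:
        print(f"BLOCK {f['id']} [{f['severity']}] {f['title']} ({f['file']})")
    raise SystemExit(0 if ok else 1)  # non-zero exit fails the pipeline stage
```

Run as a job after the scanning stage; the non-zero exit code is what stops the pipeline from promoting the build.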
Threat Modelling identifies potential vulnerabilities in applications. The aim is to predict the types of attack that hackers are most likely to use so that protective measures can be taken proactively. Usually, the security requirements for the application are defined first and then an application diagram is created to visualise the system components, data flows and security boundaries. The next step is to identify potential security vulnerabilities that could be exploited by attackers before remedial action is taken. Depending on the point in the software development cycle at which it is introduced, threat modelling can influence the design of your application and minimise potential risks.
In addition, developers can learn to think like an attacker to write code that is secure by design. Sources like the OWASP Top 10 list the vulnerabilities in web applications that attackers most often target. If developers understand how attackers recognise and exploit vulnerabilities, they can write application code that is secure to the core.
Although security is an increasingly important part of their daily work, developers are not trained to recognise security vulnerabilities and write secure code by default. That's why we recommend regular training sessions with experienced experts to keep your developers up to date with best practices, tools and techniques for secure application development. Well-trained developers play an important role in reducing the risk of cyber attacks for your organisation.
Penetration tests deliver point-in-time results
Although the use of penetration tests to identify security vulnerabilities in applications is effective, it often takes place late in the software development cycle, when the elimination of vulnerabilities in the code is difficult and time-consuming.
They provide a snapshot of the vulnerabilities at a single point in time. As soon as new code is made available, the results are no longer up-to-date or are incomplete if new vulnerabilities occur as a result of new releases.
In addition, penetration tests are difficult to scale to large application portfolios and are too expensive to be repeated with every frequent new code release.
Continuous tests for application security in CI/CD pipelines
Claranet Continuous Security Testing offers a solution to this problem. The new concept combines automated scans that run around the clock with targeted manual penetration tests so that you can recognise and eliminate vulnerabilities as soon as they arise. Firstly, all results are checked and analysed. Then, experienced penetration testers perform further manual tests to uncover complex vulnerabilities that cannot be detected by automated scanners.
Continuous Security Testing provides developers and security teams with fast but detailed feedback on vulnerabilities in applications, web assets, APIs and external infrastructure. This allows developers and security teams to identify and fix vulnerabilities before the code reaches the production environment, even with a fast CI/CD pipeline. Frequent testing with short vulnerability logs makes vulnerability management and application security manageable. In addition, the service includes free re-tests of the affected applications to ensure that the corrections made by the developers were successful.
With Continuous Security Testing, companies can:
- recognise and close security gaps more quickly,
- minimise time windows for potential attacks,
- and effectively and efficiently reduce the risk of cyber attacks.
Integrated approach to application security ‘by design’
The importance of application security is constantly increasing. The more developers integrate security into their daily business and realise their key role in preventing cyber attacks, the faster the resilience of companies against cyber attacks will improve. Security will then become a matter of course instead of a chore. For the time being, however, the need for specialised developer training remains.
But it is also important at team and management level to persistently and iteratively pursue application security and the necessary changes in the software development cycle. In this way, you can close a gap that is increasingly being exploited by cyber criminals and improve the security level of your organisation.
If you would like to find out more about how developer training, threat modelling and continuous security testing can improve the security of your web applications, please contact us.