One of the biggest cybersecurity risks involves vulnerabilities in the application layer. After all, the best firewall is useless if the web application itself is vulnerable. Many companies have worked to mitigate these risks by investing in their AppSec programs. According to a recent whitepaper written by ESG (commissioned by Synopsys), 71% of companies surveyed now use AppSec tools for more than half of their software projects. Notably, over two-thirds of companies already use 11 or more automated application security testing (AST) tools, such as SAST, DAST, IAST, fuzz testing and container scanning solutions.
This is due, at least in part, to the fact that tool manufacturers have now made their products “DevOps-ready” and support suitable integrations with CI/CD pipelines. This makes it tempting to simply let every AppSec scanner run in the pipeline on every build, but that can introduce other problems.
Problems with AppSec in CI/CD Pipelines
Too many results: Developers can be inundated with findings, yet only a small percentage are likely to pose such a high risk that they need to be fixed immediately. The prioritization guidelines, however, are often formulated in separate documents and are ambiguous.
Development pipelines are slowed down: Build pipelines often run at frequent intervals, from every second to every minute. Scans with AppSec tools may take several minutes or even hours.
Manual AppSec activities are left out: Not all AppSec activities can be automated, such as architecture risk analyses, threat models and penetration tests. Nevertheless, these are an essential part of the AppSec strategy.
Intelligent pipelines (i.e., intelligent, purpose-optimized automation and orchestration of the various AppSec tools and activities) are ideal for overcoming this challenge. Combined with the consolidation of scan results, a new category of solutions has emerged here, which Gartner dubbed application security orchestration and correlation, or ASOC for short, in 2019.
How Pipelines Become Intelligent
The “intelligence” lies in deciding which tools need to run at what time and what to do based on the results. So instead of scanning the entire code base with all AppSec tools at every commit, the pipeline dynamically decides which scanner needs to run and to what extent. This decision can take into account various parameters such as the scope of the actual code change, the risk profile of the application or the development stage of the software.
The risk profile of the application should also be considered. Web applications that are accessible from the internet and process sensitive data pose a greater security risk than an internal tool for generating documentation. Such risk profiles usually emerge from prior architectural risk analyses and threat models.
Furthermore, the scope of AppSec testing should be appropriate to the development stage of the application. Individual commits on a feature branch should be checked mainly by fast static analysis for passwords and API tokens contained in the code and for compliance with coding guidelines, such as SEI CERT, to support rapid development. Later on, during the merge request into the main branch, more extensive scans should be added, including deeper data flow analyses, which then detect cross-site scripting or SQL injection vulnerabilities. A longer runtime can be accepted here, since such merge requests usually have to be approved under the dual control (four-eyes) principle anyway.
Code Security Policies
The core of intelligent pipelines lies in individual guidelines or policies. These define when specific AppSec activities are executed. Additionally, these policies describe how to proceed with the combined results (e.g., whether the code may be integrated into the master branch or the web application may go live).
The policies are described in a configuration file; this is policy-as-code. Just as with other as-code methods, this enables or improves unambiguity, reproducibility and automation. Simple policies can be created according to the “If this, then that” principle. For example, a software composition analysis (SCA) scan can be triggered when either the project file changes (package.json, go.mod, pom.xml, etc.) or new files or directories are added, but not when only existing source code files are changed.
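The following is an added example, not code from the original article or from any ASOC product: a minimal policy-as-code evaluator in Python that applies the decision parameters described above (scope of the change, development stage, risk profile) and the SCA trigger rule from the previous paragraph. The rule structure, the scanner names, the stage names and the severity thresholds are assumptions chosen for illustration; a real orchestrator would load such rules from a configuration file and map them to the actual scanners in the pipeline.

```python
"""Policy-as-code evaluator for an "intelligent" AppSec pipeline (added example).

All scanner names, stage names and thresholds below are illustrative assumptions,
not the format of any particular ASOC tool.
"""
from os.path import basename

# Dependency manifests whose change should trigger software composition analysis.
MANIFEST_FILES = {"package.json", "package-lock.json", "go.mod", "go.sum",
                  "pom.xml", "requirements.txt", "Cargo.toml"}

# Policy in "if this, then that" style: each rule is a predicate over the change
# context plus the set of scans it adds when the predicate holds.
POLICY = [
    # Every commit on any branch: only fast checks (secrets, coding guidelines).
    {"when": lambda ctx: True,
     "run": {"secret-scan", "lint-cert"}},
    # SCA when a manifest changes or new files/directories are added,
    # but not when only existing source files are modified.
    {"when": lambda ctx: ctx["manifest_changed"] or ctx["added"],
     "run": {"sca"}},
    # Merge request into the main branch or a release: deeper dataflow analysis.
    {"when": lambda ctx: ctx["stage"] in ("merge-request", "release"),
     "run": {"sast-dataflow"}},
    # Internet-facing, sensitive-data apps (high risk profile) get DAST and a
    # container scan before going live.
    {"when": lambda ctx: ctx["stage"] == "release" and ctx["risk"] == "high",
     "run": {"dast", "container-scan"}},
]

# Lowest severity that blocks the change at each stage: commits only stop for
# critical findings, merge requests for high, releases for medium and above.
BLOCK_THRESHOLD = {"commit": "critical", "merge-request": "high", "release": "medium"}
SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2, "critical": 3}


def build_context(changed, added, stage, risk):
    """Derive the predicate inputs from a change set.

    changed: paths of modified files; added: paths of new files or directories;
    stage: one of the keys of BLOCK_THRESHOLD; risk: "low", "medium" or "high".
    """
    manifest_changed = any(basename(p) in MANIFEST_FILES
                           for p in list(changed) + list(added))
    return {"manifest_changed": manifest_changed, "added": bool(added),
            "stage": stage, "risk": risk}


def select_scans(changed, added, stage, risk):
    """Return the set of scanners the policy requires for this change."""
    ctx = build_context(changed, added, stage, risk)
    scans = set()
    for rule in POLICY:
        if rule["when"](ctx):
            scans |= rule["run"]
    return scans


def gate(stage, findings):
    """Decide from the consolidated results whether the change may proceed.

    findings: list of (scanner, severity) tuples. Returns True when no finding
    reaches the blocking threshold for this stage.
    """
    threshold = SEVERITY_RANK[BLOCK_THRESHOLD[stage]]
    return all(SEVERITY_RANK[sev] < threshold for _, sev in findings)


if __name__ == "__main__":
    # Constructed sample change sets, not taken from a real repository.
    print(select_scans(["src/handler.go"], [], "commit", "high"))
    print(select_scans(["go.mod"], [], "commit", "low"))
    print(select_scans(["src/handler.go"], ["src/export/"], "merge-request", "high"))
    print(gate("commit", [("sca", "high")]), gate("merge-request", [("sca", "high")]))
```

Note that the same finding is handled differently depending on the stage: a high-severity SCA result does not stop a feature-branch commit, but it does stop the merge request. Encoding that decision in the policy, rather than in a separate prioritization document, is what lets the pipeline act on combined results without a human re-reading the guidelines each time.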
Conclusion
Whether with or without orchestration tools, anyone who wants to make their software more secure must inevitably consider which AppSec activities make sense at what time. In other words: the right scan at the right time. Furthermore, it should be determined how to proceed with the results before ordering or even automating a scan. To do this, you need to understand what the greatest risks are and how to protect the software from those risks.
Intelligent pipelines help to implement and, above all, automate an AppSec strategy. A corresponding strategy is a prerequisite. But even (or especially) without a clear strategy, it makes sense to look at the architecture of an intelligent pipeline, as this both encourages collaboration between development, AppSec and DevOps teams and raises the right questions that lead to a successful AppSec strategy.
