Directly From a Security Analyst

As a custom software developer, Shift3 has made extensive strides in process and practice to make sure that the software we build for our clients is secure. We take every precaution to build a solid security framework from the earliest points in the build, so that it is woven into the basic structure and architecture of every build we embark upon. In this blog post, we'd like to give the stage to Jackie Callaway, Shift3 Security Analyst, to put a spotlight on one of the most important components of our development dialogue: security. Here, she'll discuss the benefits of investing the time, energy, and funding to incorporate secure DevOps into your product development, as well as into general development practices.

Rise of the Web App

Web applications have become part of our daily lives, taking the development world by storm with the advent of Software-as-a-Service, and for good reason. Web apps have become a crucial part of branding and communication, reduce software piracy via web-based subscriptions, and allow businesses to reduce costs because the build and maintenance process is so much more streamlined. They have critically changed the way we showcase and access content and services on the internet by providing a highly scalable solution for remote deployment to users. As popular as they are, web applications have an under-appreciated dark side: they can be an enormous security risk. Every form field, URL parameter, and API endpoint you expose is reachable by anyone on the internet, not only the users you intended.

The Unfortunate Reality of Careless Nerds

While no one is safe on the treacherous landscape that is the internet, Careless Nerds have left businesses and users at significant risk. The tech community and academia both have a bad habit of drilling developers with the mantra "if it works, leave it alone." Security becomes an afterthought, a painful process that never truly gets the attention it deserves, due to a lack of knowledge and understanding of the scope of the problem.
For all the neglect, one could argue I'm little more than an egregious nag who slows your sprint process down. Given this damaging but extremely common mindset, along with the increased sophistication of malicious actors and the tooling available to them, it's no wonder that web exploits are on the rise. The consequences of a data breach are dire: everything from lost revenue and credibility to legal fees to bankruptcy, and that's not all. A widely cited figure holds that sixty percent of small businesses do not survive their first cyber attack, and a vulnerable application is a significant vector to valuable internal resources: a single injection flaw or broken access check in a public-facing app can hand an attacker a foothold inside your network. Why, then, do we continue to teach developers this inherently flawed mindset? We can, and should, do better.

Understanding Security Concepts: The Building Blocks

There are six key security concepts, plus a bonus seventh, that must be grasped before one can begin implementing secure DevOps. The first three, the classic CIA triad, serve as our foundation.

Confidentiality: Is the resource sufficiently protected against unauthorized access?
Integrity: Is the resource accurate, complete, and unaltered?
Availability: Can an authorized user readily access the resource when necessary?

If we take these concepts and think about them in terms of how they relate to the user, we get the next three building blocks.

Authentication: Is the user who they claim to be?
Authorization: Is the user even permitted to access the requested resource? A user can be fully authenticated and still have no business touching a given record; confusing these two questions is a classic source of access-control bugs.
Non-repudiation: Can it be shown afterwards that a given user performed a given action, so that they cannot credibly deny it? Authentication establishes who acted, but non-repudiation also needs tamper-evident evidence of what they did: audit logs that cannot be quietly edited, or digital signatures on the action itself.

And finally our bonus building block, and indeed a mental roadblock for many organizations and developers: Utility. Ensuring that the resource is protected sufficiently while still being available in a way that is useful. It is in utility that we find the source of "if it works, leave it alone." These core concepts are inherently intertwined, and security cannot exist without them.
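To make the three user-facing building blocks concrete, here is an added example (not code from the original post or from Shift3) of a tiny request handler that answers the three questions in order: authentication, then authorization, then a tamper-evident audit record for non-repudiation. The token scheme, the users alice and bob, the permission table, and the server key are all constructed for the illustration.

```python
"""Added example, not from the original post: authentication, authorization
and non-repudiation as three separate checks in one web request handler.
The token scheme, users, permission table and server key are constructed."""
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed secret; a real service loads this from a secret store, never source code.
SERVER_KEY = b"constructed-example-key-not-for-production"

# Constructed authorization data: which actions each known user may perform.
PERMISSIONS = {
    "alice": {"invoices:read", "invoices:write"},
    "bob": {"invoices:read"},
}


def issue_token(username: str) -> str:
    """Mint a bearer token: username plus an HMAC tag only the server can produce."""
    tag = hmac.new(SERVER_KEY, username.encode(), hashlib.sha256).hexdigest()
    return f"{username}.{tag}"


def authenticate(token: str) -> Optional[str]:
    """Authentication: is the caller who the token claims? Returns username or None."""
    username, _, tag = token.rpartition(".")
    if not username or not tag.isascii():
        return None
    expected = hmac.new(SERVER_KEY, username.encode(), hashlib.sha256).hexdigest()
    # Constant-time compare so a forged tag cannot be guessed byte by byte.
    return username if hmac.compare_digest(tag, expected) else None


def authorize(username: str, action: str) -> bool:
    """Authorization: a separate question. Being logged in grants no action by itself."""
    return action in PERMISSIONS.get(username, set())


class AuditLog:
    """Non-repudiation support: an append-only, hash-chained record of who did what.
    Each entry is MAC'd over its contents plus the previous entry's digest, so
    editing or deleting an entry later breaks the chain and is detectable."""

    GENESIS = "0" * 64

    def __init__(self) -> None:
        self.entries = []
        self._prev = self.GENESIS

    @staticmethod
    def _digest(body: dict) -> str:
        canonical = json.dumps(body, sort_keys=True).encode()
        return hmac.new(SERVER_KEY, canonical, hashlib.sha256).hexdigest()

    def record(self, username: str, action: str, resource: str, outcome: str) -> None:
        entry = {"ts": time.time(), "user": username, "action": action,
                 "resource": resource, "outcome": outcome, "prev": self._prev}
        entry["digest"] = self._digest(entry)
        self._prev = entry["digest"]
        self.entries.append(entry)

    def verify(self) -> bool:
        """Walk the chain and re-check every digest; False means tampering."""
        prev = self.GENESIS
        for entry in self.entries:
            if entry["prev"] != prev:
                return False
            body = {k: v for k, v in entry.items() if k != "digest"}
            if not hmac.compare_digest(self._digest(body), entry["digest"]):
                return False
            prev = entry["digest"]
        return True


def handle_request(token: str, action: str, resource: str, log: AuditLog) -> int:
    """HTTP-style status: 401 unauthenticated, 403 unauthorized, 200 allowed.
    Every outcome is logged, denials included: refused attempts are evidence too."""
    user = authenticate(token)
    if user is None:
        log.record("<anonymous>", action, resource, "denied:unauthenticated")
        return 401
    if not authorize(user, action):
        log.record(user, action, resource, "denied:unauthorized")
        return 403
    log.record(user, action, resource, "allowed")
    return 200


if __name__ == "__main__":
    log = AuditLog()
    print(handle_request(issue_token("alice"), "invoices:write", "INV-1", log))  # 200
    print(handle_request(issue_token("bob"), "invoices:write", "INV-1", log))    # 403
    print(handle_request("bob." + "0" * 64, "invoices:read", "INV-1", log))     # 401
    print(log.verify())                                                           # True
```

The point of the split is that each failure mode gets its own answer: a forged token never reaches the permission check, an authenticated user with the wrong permissions is refused with a 403 rather than a 401, and the audit log keeps a record either way. The hash chain is what turns "we have logs" into non-repudiation: an administrator who quietly rewrites one entry after the fact leaves every later digest invalid.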
Empowering the Nerds

It can be intimidating to begin implementing security measures, or perhaps as a business owner you simply don't want to deal with the overhead costs. We'll put the spray bottle away for now and take a beat to discuss some simple ways you can stop being a Careless Nerd and start being an Empowered Nerd.

The first step can be defined as empowerment through education. When organizations and educators invest in meaningful training on even basic cybersecurity concepts, they empower developers to ask critical questions about their own coding practices. Even starting the development process with "How should this work? How shouldn't this work?" goes a long way toward building secure products by design; the second question is where abuse cases and threat models come from. Educating seasoned developers means creating better mentors for the greener, aspiring nerds, who can then go on to continually learn and improve the cycle of functional security.

The second step, and likely our favorite, is empowerment through automation. A good developer is a lazy person who understands that humans are flawed, unpredictable, and prone to error. Computers, being programmed to behave in specific ways, do not suffer quite so much from our folly. Automation reduces error, improves non-repudiation through consistent logging and monitoring, and reduces overhead, thereby allowing more focus to go into design and build. Automation is what makes DevSecOps (development, security, and operations) practical.

The third step is empowerment through Agile. Agile methodologies are becoming more commonly recommended in SecOps. Old security frameworks and poor implementation of review and testing can have significant, costly impacts on delivery cycles. By integrating the flexibility of rapid release of small pieces, it is easier to find and correct vulnerable code when it is discovered, and to provide clients with improved data protection and quality.

Next, we must be certain to regularly audit compliance with industry standards, especially when dealing with internally developed platforms.
Internal platforms can be a fantastic asset for ensuring secure software development; however, tech is ever evolving and security is no different. Industry standards are continually updated to suit both the technologies available and the most current threats, so it is in the best interest of organizations and individuals not only to stay up to date on the latest releases from organizations like OWASP and NIST, but to check adherence to these standards in each development sprint.

Finally, empowerment through continuous testing and analysis. Static code analysis tools are widely available to automate and streamline this process (VisualCodeGrepper, RIPS, and Brakeman, to name a few), but it is of the utmost importance to perform regular manual analysis as well: a static tool only finds the bug classes it has rules for and cannot judge whether a design is wrong. Penetration tests and more passive vulnerability analysis before and after release are among the most effective ways to ensure applications are secure by design and secure through life.

You may notice that each of these steps builds upon the ones before it. Starting the conversation increases awareness and investment in education, which leads to asking critical questions and developing better processes, and so on.

Benefits and Responsibilities

Traditionally viewed as an inconvenience and an afterthought, and as a hindrance to deadlines and productivity, security is ultimately an extremely important asset to application development and business infrastructure. As we slowly enter an era of more widespread awareness of the threat actors who prowl the web in search of their next victims, it is more important than ever that users know they can trust your products with their data. Solid security implementations lead to more trust and goodwill among the public, which translates into more business, recognition, and revenue. Businesses with a history of prioritizing information and data security are more likely to thrive among consumers while simultaneously avoiding the hefty costs associated with an attack.
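Returning to the continuous-testing step above: running a static analyzer is only useful if its output actually gates the sprint. Here is an added example (our illustration, not code from the original post or from the Brakeman project) of a small CI gate that reads a Brakeman JSON report and decides pass or fail. The sample report is constructed to follow Brakeman's JSON layout (a "warnings" list whose entries carry warning_type, confidence, fingerprint, file and line, and an "errors" list for files the scanner could not parse); the fingerprint baseline file format, the gate function and its thresholds are this example's own conventions.

```python
"""Added example, not from the original post or from Brakeman: a sprint gate
that turns a static-analysis JSON report into a pass/fail decision with a
reviewed baseline of accepted findings. The sample report is constructed."""
import json
import sys

CONFIDENCE_RANK = {"High": 3, "Medium": 2, "Weak": 1}

# Constructed sample in Brakeman's JSON shape; not the output of a real scan.
SAMPLE_REPORT = json.dumps({
    "scan_info": {"app_path": "/srv/app"},
    "warnings": [
        {"warning_type": "SQL Injection", "confidence": "High",
         "fingerprint": "aaa111", "file": "app/models/user.rb", "line": 42,
         "message": "Possible SQL injection"},
        {"warning_type": "Cross-Site Scripting", "confidence": "Medium",
         "fingerprint": "bbb222", "file": "app/views/users/show.html.erb",
         "line": 7, "message": "Unescaped model attribute"},
        {"warning_type": "Mass Assignment", "confidence": "High",
         "fingerprint": "ccc333", "file": "app/controllers/users_controller.rb",
         "line": 19, "message": "Parameters should be whitelisted"},
    ],
    "errors": [],
})


def gate(report_text: str, baseline, fail_at: str = "High") -> dict:
    """Classify every warning and decide whether the build may proceed.

    blocking       new findings at or above the fail_at confidence
    accepted       findings whose fingerprint is in the reviewed baseline
    informational  everything else (still reported, never silently dropped)
    stale          baseline fingerprints no longer seen, so the baseline can shrink
    Scanner errors fail the gate too: a file the scanner could not parse was not
    scanned, and "no findings" would otherwise read as "clean".
    """
    report = json.loads(report_text)
    baseline = set(baseline)
    threshold = CONFIDENCE_RANK[fail_at]
    result = {"blocking": [], "accepted": [], "informational": [],
              "errors": report.get("errors", [])}
    seen = set()
    for warning in report.get("warnings", []):
        fingerprint = warning.get("fingerprint")
        seen.add(fingerprint)
        rank = CONFIDENCE_RANK.get(warning.get("confidence"), 0)
        if fingerprint in baseline:
            result["accepted"].append(warning)
        elif rank >= threshold:
            result["blocking"].append(warning)
        else:
            result["informational"].append(warning)
    result["stale"] = sorted(baseline - seen)
    result["passed"] = not result["blocking"] and not result["errors"]
    return result


def summarize(result: dict) -> str:
    """Human-readable pipeline output; first line is PASS or FAIL."""
    lines = ["PASS" if result["passed"] else "FAIL"]
    for w in result["blocking"]:
        lines.append(f"  BLOCK {w['confidence']:<6} {w['warning_type']} "
                     f"{w['file']}:{w['line']} [{w['fingerprint']}]")
    for w in result["informational"]:
        lines.append(f"  info  {w['confidence']:<6} {w['warning_type']} "
                     f"{w['file']}:{w['line']}")
    lines.append(f"  accepted via baseline: {len(result['accepted'])}, "
                 f"stale baseline entries: {len(result['stale'])}, "
                 f"scanner errors: {len(result['errors'])}")
    return "\n".join(lines)


def load_baseline(path: str) -> set:
    """Example baseline format: one accepted fingerprint per line, '#' comments allowed."""
    with open(path) as fh:
        return {ln.split("#", 1)[0].strip() for ln in fh if ln.split("#", 1)[0].strip()}


if __name__ == "__main__":
    # Usage: python gate.py brakeman.json [baseline.txt]; exit status 1 blocks the pipeline.
    if len(sys.argv) < 2:
        result = gate(SAMPLE_REPORT, {"ccc333"})
    else:
        with open(sys.argv[1]) as fh:
            report_text = fh.read()
        baseline = load_baseline(sys.argv[2]) if len(sys.argv) > 2 else set()
        result = gate(report_text, baseline)
    print(summarize(result))
    sys.exit(0 if result["passed"] else 1)
```

In a pipeline this runs right after the scanner (for Brakeman, `brakeman -f json -o brakeman.json`) and the non-zero exit fails the job. Two design choices carry the "audit each sprint" idea: accepted findings are tracked by fingerprint in a reviewed baseline rather than by disabling the check, and an empty warnings list is not trusted when the scanner also reported parse errors, because an unscanned file is not a clean file.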
Benefits aside: as developers, vendors, security professionals, and end users, security is all of our responsibility. It is not a weight any one person or group can bear alone, as the threat surface is too vast and our bad actors are too sophisticated. Enhancing application security protects our users, our colleagues, and ourselves from the intense harm done by a data breach or attack. The benefits of investing the time, energy, and funding to incorporate secure DevOps into your practices, and indeed the entirety of DevOps culture, far outweigh the costs. It also isn't half as intimidating as it may sound; small, basic changes in practice will set your nerds on the right path.

What Role Will Security Play in Your Development Lifecycle?

It's never too early to incorporate DevSecOps into your technology build. If you're embarking on a tech build and are unsure about its security, schedule a call with us. Whether you're just scribbling out your technology vision or are on the brink of production, it's never the wrong time to talk about technology security. You bring your vision and Shift3 will do the rest.

This post was written by "Security Jackie" Callaway, Security Analyst for Shift3 Technologies. You'll find her yelling at Ryeker Herndon for using 'Password123!' as his password. Seriously, follow the damn instructions, Ryeker.