November 12, 2019
5 Steps to Modernize Security in the DevSecOps Era 2020
The practices of DevOps, Continuous Delivery, and Agile have become commonplace among the development and operations teams in most organizations. Even though application security is still a young field, vulnerabilities like XSS, SQLi, and remote code execution are current problems. Since HTTP is the common language of cloud, microservices, and serverless, these problems might be getting worse. This is the modern era of computing, and we recommend taking these five steps to ensure application security is up to speed.
1. Cover the Basics
Defense starts with covering the basics. The OWASP Top Ten is an excellent place to start because it is a regularly released report that lists the ten application security problems currently affecting the web in aggregate. It is a broad consensus document created 15 years ago to bring awareness to the most critical application security issues. Even though the OWASP Top Ten has been around a long time, it is mostly unchanged from its original release. Covering the OWASP Top Ten is still essential even in the face of modern development practices and architectures. This is because application security can't be solved by infrastructure choices alone: if you aren't defending against the OWASP Top Ten, you are missing necessary defenses that the latest container orchestration strategy or rapid development cycles can't provide.
2. Defend Against Bots and Scrapers
Some products specialize in keeping out bots and scrapers. Other products, like honeypots, specialize in enticing them in a way that lets you learn from them or steer them away from critical assets. Not all bots are web-based; however, most application security defenses need to have some method to deal with bots or scrapers coming in over the web.
3. Detect App Abuse and Misuse
Application abuse and misuse issues are more interesting territory. Certain parts of your application are more relevant to your business than others. When those application functions are under attack, it takes more than a casual inspection for XSS to notice. For example:
- Do we care if someone attempts XSS on our site? Maybe.
- Do we care if the number of password resets has spiked in the last hour? Probably.
- Do we care if those are two events that are correlated? Definitely.
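The three questions above turn into a small correlation rule once the events are on the same timeline. The following is an added example (not code from the original post) that runs over constructed HTTP and auth log lines: it counts XSS attempts per client, flags a spike in password resets, and reports when the same client produced both inside one time window. The log format, IPs, and thresholds are assumptions for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import unquote

# Constructed sample log lines: "<ISO timestamp> <kind> <client IP> <detail>".
SAMPLE_LOG = """\
2019-11-12T10:00:01 http 203.0.113.7 GET /search?q=%3Cscript%3Ealert(1)%3C/script%3E
2019-11-12T10:00:05 http 203.0.113.7 GET /search?q=<img src=x onerror=alert(1)>
2019-11-12T10:01:10 http 198.51.100.3 GET /products?id=42
2019-11-12T10:02:00 auth 203.0.113.7 password_reset user=alice
2019-11-12T10:02:03 auth 203.0.113.7 password_reset user=bob
2019-11-12T10:02:07 auth 203.0.113.7 password_reset user=carol
2019-11-12T10:02:09 auth 203.0.113.7 password_reset user=dave
2019-11-12T10:30:00 auth 198.51.100.3 password_reset user=erin
"""

# Crude XSS indicator: a script tag or an on*= event handler in the decoded URL.
XSS_RE = re.compile(r"<\s*script|\bon\w+\s*=", re.IGNORECASE)


def parse(log_text):
    # Yield (timestamp, kind, ip, detail) tuples, skipping malformed lines.
    for line in log_text.splitlines():
        parts = line.split(" ", 3)
        if len(parts) == 4:
            ts, kind, ip, detail = parts
            yield datetime.fromisoformat(ts), kind, ip, detail


def correlate(log_text, window=timedelta(minutes=10), reset_threshold=3):
    """Per client IP: XSS attempt count, whether resets spiked (more than
    reset_threshold inside one window), and whether that spike sits within
    `window` of an XSS attempt from the same IP."""
    per_ip = defaultdict(lambda: {"xss_attempts": 0, "reset_spike": False, "correlated": False})
    xss_times, reset_times = defaultdict(list), defaultdict(list)
    for ts, kind, ip, detail in sorted(parse(log_text)):
        rec = per_ip[ip]  # register every client, even the quiet ones
        if kind == "http" and XSS_RE.search(unquote(detail)):
            rec["xss_attempts"] += 1
            xss_times[ip].append(ts)
        elif kind == "auth" and detail.startswith("password_reset"):
            reset_times[ip].append(ts)
    for ip, times in reset_times.items():
        for i, start in enumerate(times):  # sliding window over this IP's resets
            burst = [t for t in times[i:] if t - start <= window]
            if len(burst) > reset_threshold:
                per_ip[ip]["reset_spike"] = True
                if any(abs(t - start) <= window for t in xss_times[ip]):
                    per_ip[ip]["correlated"] = True
    return dict(per_ip)
```

In the sample, 203.0.113.7 sends two XSS probes and then four resets in nine seconds, so it is the only client reported as correlated; the single reset from 198.51.100.3 stays below the threshold.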
4. Get Real-Time Operational Security
Web Application Firewall (WAF) data has gone un-visualized for the whole of the WAF's existence. Even with the rise of OWASP and the prominence of application security over the last decade, security telemetry hasn't made it back to the developers who wrote the application in a form they can consume, and a developer or operations engineer rarely has direct access to this data at all. Some of the significant WAF vendors provide high-level metrics; however, their offerings as a whole mostly look like log management software. Traditionally, WAFs give you a list of thousands of "events" instead of any visualization or graphs of attacks. In the modern era of DevOps, this won't work, because sharing data across the organization is fundamental to breaking down silos and increasing delivery speed.
5. Integrate Across Groups and Teams
In a modern development context, everyone gathers and collaborates openly. Development, operations, and security teams find themselves working together and sharing chat and ticketing systems. These systems encourage alerting, system automation, and event logging to live where the teams are gathered. Moving security information into these integrated team systems is key. When under attack, messages appear in your chat systems showing what defensive measures were taken. This alerts everyone to the current status and allows developers and operations to take part in security. The goal is to bring the team together and surface security information to the people who create and deliver the application or service without getting in the way.