5 Steps to Modernize Security in the DevSecOps Era 2020

By: featured

November 12, 2019

The practices of DevOps, Continuous Delivery, and Agile have become commonplace among the development and operations teams in most organizations. Even though application security is still young, vulnerabilities like XSS, SQLi, and remote code execution are current problems. Since HTTP is the common language of cloud, microservices, and serverless, these problems might be getting worse. This is the modern era of computing, and we recommend taking these five steps to ensure application security is up to speed.

1. Cover the Basics

Defense starts with covering the basics. The OWASP Top Ten is an excellent place to start because it is a regularly released report that identifies the ten application security problems currently affecting the web most, in aggregate. It is a broad consensus document created 15 years ago to bring awareness to the most critical application security issues. Even though the OWASP Top Ten has been around a long time, it is mostly unchanged from its original release. Covering the OWASP Top Ten is still essential even in the face of modern development practices and architectures: if you aren’t defending against it, you are missing necessary defenses that can’t be supplied by the latest container orchestration strategy or rapid development cycles.

2. Defend Against Bots and Scrapers

Some products specialize in keeping out bots and scrapers. Other products, like honeypots, specialize in enticing them, either to learn from them or to draw them away from critical assets. Not all bots are web-based; however, most application security defenses need some method of dealing with bots and scrapers coming in over the web.

3. Detect App Abuse and Misuse

Application abuse and misuse issues are more interesting territory. Certain parts of your application are more relevant to your business than others. When your application’s functions are under attack, it takes more than a casual inspection for XSS. For example:
  • Do we care if someone attempts XSS on our site? Maybe.
  • Do we care if the number of password resets has spiked in the last hour? Probably.
  • Do we care if those are two events that are correlated? Definitely.
When dealing with application abuse and misuse, it’s critical to be able to correlate disparate data sets. Instrumenting critical application flows in the application code itself or using a solution like Signal Sciences is a good step to prevent application abuse and misuse.
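The correlation described above, as an added example that is not code from the article or from Signal Sciences: it reads a constructed application log (the timestamp / source IP / event-name format, the `xss_attempt` and `password_reset` event names, the one-hour window and the five-reset threshold are all assumptions made here), detects a password-reset spike per source, and raises the verdict to "definitely" only when the same source also produced an XSS attempt shortly before the spike.

```python
"""Correlate two independent signals from one log stream (constructed example).

Alone, an XSS probe is "maybe" and a password-reset spike is "probably"; the same
source producing both inside one window is "definitely". Log format, event names,
window and threshold are assumptions for this example, not a real product's schema.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines: "<ISO timestamp> <source ip> <event> <details>".
SAMPLE_LOG = """\
2019-11-12T10:00:01Z 203.0.113.7 xss_attempt path=/search
2019-11-12T10:00:05Z 198.51.100.9 password_reset user=alice
2019-11-12T10:00:30Z 203.0.113.7 password_reset user=bob
2019-11-12T10:01:02Z 203.0.113.7 password_reset user=carol
2019-11-12T10:01:40Z 203.0.113.7 password_reset user=dave
2019-11-12T10:02:10Z 203.0.113.7 password_reset user=erin
2019-11-12T10:03:00Z 203.0.113.7 password_reset user=frank
2019-11-12T11:30:00Z 192.0.2.44 xss_attempt path=/comment
2019-11-12T11:45:00Z 192.0.2.44 password_reset user=grace
"""

RESET_THRESHOLD = 5            # assumed: this many resets from one source in WINDOW is a spike
WINDOW = timedelta(hours=1)    # assumed correlation / spike window


def parse_log(text):
    """Parse constructed log text into (timestamp, ip, event) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, event, *_details = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, event))
    return events


def password_reset_spikes(events, threshold=RESET_THRESHOLD, window=WINDOW):
    """Return {ip: start_of_spike} for sources with >= threshold resets inside a sliding window."""
    resets = defaultdict(list)
    for ts, ip, event in events:
        if event == "password_reset":
            resets[ip].append(ts)
    spikes = {}
    for ip, times in resets.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            # Slide the window start forward until it covers at most `window` of time.
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                spikes[ip] = times[start]
                break
    return spikes


def correlate(events, window=WINDOW):
    """Return (ip, xss_time, spike_start) for sources whose XSS attempt precedes
    their own password-reset spike by no more than `window`."""
    spikes = password_reset_spikes(events, window=window)
    findings = []
    for ts, ip, event in events:
        if event == "xss_attempt" and ip in spikes:
            gap = spikes[ip] - ts
            if timedelta(0) <= gap <= window:
                findings.append((ip, ts, spikes[ip]))
    return findings


def triage(events):
    """Map each source IP to the article's maybe / probably / definitely scale."""
    spikes = password_reset_spikes(events)
    correlated = {ip for ip, _, _ in correlate(events)}
    xss_sources = {ip for _, ip, event in events if event == "xss_attempt"}
    verdicts = {}
    for ip in {ip for _, ip, _ in events}:
        if ip in correlated:
            verdicts[ip] = "definitely"
        elif ip in spikes:
            verdicts[ip] = "probably"
        elif ip in xss_sources:
            verdicts[ip] = "maybe"
        else:
            verdicts[ip] = "benign"
    return verdicts


if __name__ == "__main__":
    parsed = parse_log(SAMPLE_LOG)
    for ip, xss_time, spike_start in correlate(parsed):
        print(f"{ip}: XSS attempt at {xss_time:%H:%M:%S}, reset spike from {spike_start:%H:%M:%S}")
    print(triage(parsed))
```

The point of `triage` is that the two single-signal checks remain useful on their own (a spike with no probe is still "probably"), while the correlated case is the one worth paging on; the same sliding-window shape works for any pair of instrumented application flows, not only XSS and password resets.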

4. Get Real-Time Operational Security

Web Application Firewall (WAF) data has gone un-visualized for the whole of the WAF’s existence. Even with the rise of OWASP and the prominence of application security over the last decade, security telemetry hasn’t made it back to the developers who wrote the application in a form they can consume, let alone given developers or operations engineers direct access to the data. Some of the significant WAF vendors provide high-level metrics; however, their offerings mostly look like log management software. Traditionally, WAFs give you a list of thousands of “events” instead of any visualization or graphs of attacks. In the modern era of DevOps, this won’t work, because sharing data across the organization is fundamental to breaking down silos and increasing delivery speed.

5. Integrate Across Groups and Teams

In a modern development context, everyone gathers and collaborates openly. Development, operations, and security teams find themselves working together and sharing chat and ticketing systems. These systems encourage alerting, system automation, and event logging to live where the teams are gathered. Moving security information into these integrated team systems is key. When under attack, messages appear in your chat systems showing what defensive measures were taken. This alerts everyone to the current status and allows developers and operations to take part in security. The goal is to bring the team together and surface security information to the people who create and deliver the application or service without getting in the way.

The pace and change of DevOps and cloud environments require an approach that fits with DevSecOps practices. Wp hacked help protects your most critical WordPress websites and microservices. Our unique hybrid of NextGen WAF and RASP is purposefully built by practitioners to handle these challenges.