The transition of banks, retail, medicine and other vital sectors of production and services to the digital space has brought numerous security threats. Malicious activity keeps growing worldwide, and protecting user and corporate data from theft and deliberate damage is discussed by professionals more and more. How do business and IT integrate security into the development process correctly, which tools are best used for this, and how does it all work out in real implementation practice? We share the approaches of Rostelecom, M.Video-Eldorado, DD Planet and AGIMA.

Yaroslav Alexandrov, head of development of Solar appScreener at Rostelecom, on how to integrate SAST into development

As a company grows and the number of developers increases, it becomes harder to check the product for vulnerabilities “by hand”. SAST tools (Static Application Security Testing) become necessary. At Solar appScreener, information security is built on an in-house product that analyzes source code: at present 26 programming languages can be analyzed for vulnerabilities, and all popular formats and project management systems are supported.
How to choose SAST?
Even a simple vulnerability cannot be found with primitive algorithms. Today the market offers a mass of SAST solutions, both paid and free. The most popular are AppScan from IBM Security, Synopsys, Veracode, Application Inspector, Micro Focus, Appercut and Checkmarx.
The effectiveness of the development process depends on the choice of tool. The main advantages of paid solutions:
- Focus on security: specific algorithms and large rule bases.
- Support for many programming languages.
- Convenient interface.
- Availability of plugins and API.
- Availability of technical support tool.
Free tools and web interfaces are often inferior to paid ones: they use simpler algorithms and less complete rule bases. Their main task is finding errors in the code, and the specialization and functionality of such solutions are usually very narrow.
Once a SAST solution is selected, it must be integrated into the development process. Possible integration points: the repository, development environments, CI/CD servers and task tracking systems. A good tool integrates successfully with all of these classes of systems.
Note: the open SAST API includes a JSON API and a CLI and gives ample opportunities for additional integration and automation.
To choose the tool that best meets the developer's goals and objectives, compare the candidates both functionally and by quality.
The functional comparison covers several parameters: the convenience of the interface and the ease of integration with your own tools. It is important to perform this check on your own code.
The next stage is the quality comparison: analyze the vulnerabilities found and the false positives on your own code.
Nuances and subtleties of code analysis
The earlier a vulnerability is found, the cheaper it is for the developer and the customer. So the product should be checked for vulnerabilities periodically during development, with additional control checks before release.
Speed and resources: it is usually expected that the tool works fast, runs on every change, and shows on the fly who introduced a vulnerability and when. In reality a SAST analysis of the code takes at least 8 hours, so it is hard to run on every change; the author of a vulnerability is hard to identify; false positives occur. So the question arises: how to configure DevSecOps.
It is very important here to:
- Calculate the time and resources needed to analyze your code.
- Define what triggers a scan and what is done with the scan results.
- Keep in mind that the required capacity will need to be re-estimated periodically.
- Prefer incremental analysis, but use it with caution, because vulnerabilities can be missed.

For example, you can run a SAST scan when a developer submits a task for review, or at the end of the day.
Another problem is false positives and the sheer amount of vulnerability information in the report. Here the recommendation is to filter in the static analyzer by vulnerability and by file: exclude libraries, analyze criticality, add exceptions by certain parameters. This work needs to be done only once, so that known false positives no longer end up in the reports. It is also important to make sure that no new vulnerabilities appear, and to gradually work through the existing backlog of vulnerabilities in the background.
When integrating SAST into the development process, it is important to introduce the processes gradually, without blocking releases. The sequence may be as follows:
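The filtering and "no new vulnerabilities" rule described above can be implemented as a small triage step in the pipeline. The script below is an added example, not code from Rostelecom or Solar appScreener; it assumes a generic JSON report shape (one object per finding with rule, file, line, severity and snippet), which is a constructed format, not the product's real output. It excludes third-party paths and accepted false positives once, fingerprints each finding without the line number so the baseline survives unrelated edits, and fails the build only on findings that are not in the baseline, leaving the known backlog for background work.

```python
import fnmatch
import hashlib
import json

# Constructed sample SAST report (assumed generic JSON shape; not a real
# Solar appScreener format): one object per finding.
SAMPLE_REPORT = json.dumps([
    {"rule": "sql-injection", "file": "src/orders/repo.py", "line": 42,
     "severity": "high", "snippet": "cursor.execute(query + user_id)"},
    {"rule": "hardcoded-secret", "file": "src/config.py", "line": 7,
     "severity": "medium", "snippet": "API_KEY = 'example'"},
    {"rule": "weak-hash", "file": "vendor/legacy/md5.py", "line": 3,
     "severity": "low", "snippet": "hashlib.md5(data)"},
    {"rule": "xss", "file": "src/web/views.py", "line": 118,
     "severity": "high", "snippet": "return render(html + name)"},
])

# Path patterns excluded from the report: third-party code the team does not own.
EXCLUDED_PATHS = ["vendor/*", "node_modules/*", "*/tests/*"]

# False positives (rule, file) reviewed once by a human and accepted.
ACCEPTED_FALSE_POSITIVES = {("hardcoded-secret", "src/config.py")}

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3}


def fingerprint(finding):
    """Stable identity of a finding that ignores the line number, so the
    baseline is not invalidated when unrelated edits shift code up or down."""
    raw = f"{finding['rule']}|{finding['file']}|{finding['snippet'].strip()}"
    return hashlib.sha256(raw.encode()).hexdigest()[:16]


def is_excluded(finding):
    """True for findings in excluded paths or on the accepted false-positive list."""
    path_excluded = any(fnmatch.fnmatch(finding["file"], p) for p in EXCLUDED_PATHS)
    accepted = (finding["rule"], finding["file"]) in ACCEPTED_FALSE_POSITIVES
    return path_excluded or accepted


def triage(report_json, baseline, min_severity="medium"):
    """Split findings into new (fail the build), known (background backlog)
    and filtered (excluded paths, accepted false positives, below threshold)."""
    findings = json.loads(report_json)
    result = {"new": [], "known": [], "filtered": []}
    for f in findings:
        if is_excluded(f) or SEVERITY_RANK[f["severity"]] < SEVERITY_RANK[min_severity]:
            result["filtered"].append(f)
        elif fingerprint(f) in baseline:
            result["known"].append(f)
        else:
            result["new"].append(f)
    return result


def build_passes(triaged):
    """The gate: only findings not yet in the baseline block the build."""
    return not triaged["new"]


if __name__ == "__main__":
    # First run: everything unfiltered is new; the team records the baseline.
    first = triage(SAMPLE_REPORT, baseline=set())
    baseline = {fingerprint(f) for f in first["new"]}
    # Next run on the same report: nothing new, the build passes, backlog is listed.
    second = triage(SAMPLE_REPORT, baseline=baseline)
    print("new:", len(second["new"]), "known:", len(second["known"]),
          "filtered:", len(second["filtered"]), "pass:", build_passes(second))
```

The baseline set would normally be committed alongside the code and shrunk as the backlog is worked off; the accepted false-positive list should record who accepted each entry and why, since it silences the analyzer for that rule and file.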
- Tool selection.
- Description of the process (the creation of regulations).
- Description of technical solutions.
- Implementation work.
- Trial operation.
It is better to start with the most critical systems: the priorities are eliminating new vulnerabilities, then designing and implementing the regulations and technical solutions.
The regulations must specify:
- The steps for checking code for vulnerabilities.
- Who is responsible for running scans.
- Roles and expected results.
- How communication will be arranged.
- The Service Level Agreement.
- Who is responsible for controlling the process.
- The procedure for adding new systems to the process.
This approach allows SAST to be implemented in the development process within one calendar year. It is important to take all changes and risks into account.
Final recommendations:
- Use SAST at every stage of development.
- Adapt the integration to your code and your process.
- Start by eliminating new vulnerabilities.
- Gradually eliminate old vulnerabilities.
- Create a process based on SAST.
- Implement gradually, starting without affecting releases.
Vladimir Sadovsky, head of the information security incident monitoring and response team at M.Video-Eldorado, on how to build a secure programming process
The basic idea of secure programming comes down to helping the business: speeding up processes and minimizing the risk of problems caused by product vulnerabilities.
The classic approach to security can be visualized as follows:

Its main problem is the high cost of the improvements required for security. In addition, it is important to provide data encryption protocols, encrypted transport for the integration buses, and so on.
E-commerce sites are attacked by intruders more often than many others. The goal of such attacks is either financial gain (deceiving the program to buy an expensive product for free) or obtaining customers' personal data. Unfortunately, some problems still cannot be closed with classic vulnerability scanners. For example, if the application has fingerprint authorization, no static analysis will reveal incorrect operation of that functionality. This increases the risk of incidents in which intruders get into users' accounts. At the same time, the closer the retailer's application is to release, the more expensive it is to fix vulnerabilities and bugs.
The scheme for applying security testing tools to the e-commerce site code may look like this:

It clearly shows which team implemented each piece of application functionality. If an error or vulnerability is found, the functionality is sent back to that team for rework. As a result, the time spent fixing bugs and problems decreases, because the original developers know their code best.
Then the final testing is launched, in which the entire code of the final product is analyzed and the residual bugs are “cleaned up”.
Security Threats in Retail
The main driver for retail is sales, whether in offline stores, on the internet, through marketing or customer databases. Everything is aimed at getting as close to the user as possible. Modern retail also sells its products through omnichannel approaches and launches various marketing campaigns and programs. All this is interesting not only to consumers but also to attackers. This is where an additional security metric appears: potential damage. The analysis is designed to identify bugs on the site, logical errors and classic security problems from which real consumers subsequently suffer.
Potential damage also begins at the testing phase. It happens that the test environment is deeply integrated with the product, so changes made during testing can cause incidents and problems. To avoid this, draw up a process map and take the appropriate measures even before development starts.
If an external contractor is involved in development, assess whether it can fulfil the necessary security requirements. To do this, regularly assess the competence of the developers and the level of the contractor from the point of view of internet security. The contract should include clauses on developer certification and fix who is responsible for mistakes that lead to damage. It is important to train development teams regularly and to provide comprehensive protection of intellectual property.
It is also very important to provide access control, organize a trusted environment, set up monitoring tools and prevent data leaks. You will also have to draw up detailed requirements and policies for secure programming and pin the versions of all open source and external libraries.
At the design stage it makes sense to use a scenario approach, build a threat model and conduct risk analysis at several stages. When a new task comes to the developers, it is important to understand which business processes it affects and evaluate initiatives in terms of possible fraud scenarios at the level of business requirements. Each risk is considered under three estimates: optimistic, average and pessimistic. Bots are sent to the website or application; every tenth of them is malicious. Based on the three scenarios, the potential damage to the business is calculated.
There are various static and dynamic analyzers that allow you to identify problems and fix them in time. The IT department's task is to verify that the code works correctly in terms of technical requirements; the security department's task is to check the code for security vulnerabilities.
The search for security vulnerabilities in business logic comes down to the following aspects:
- Implementing automated security tests when testing applications.
- Creating custom rules for the static analyzer tied to critical business processes and integrations.
- Manual analysis of the modified parts of the code, in the context of functionality that is highly critical based on risks.
- A process for finding backdoors (implants) in the code, and a periodic audit of external libraries.
Not all security problems can be found at the code and design level. The security department's task is to build an effective process for managing vulnerabilities and incidents. To do this, user behavior must be constantly analyzed, profiled and monitored; if it deviates from the usual business patterns, treat it as an incident and respond immediately.
Analyzing user behavior is helped by:
- Working with big data and building models of anomalous behavior and deviations from the norm.
- Monitoring and auditing JS scripts. Modern sites do not work without JS scripts, and they are often loaded from external resources, so it is important to understand their functionality and what threat they pose to the site.
- Searching for vulnerabilities based on analytics services and Google and Yandex metrics.
- Regular security testing of the project as a whole.
- Using a Bug Bounty program to identify new vulnerabilities.
- Integrating a WAF to protect applications and respond to problems effectively.
It is important to constantly collect and analyze data to identify new anomalous cases.
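The JS script audit from the list above can be partly automated: inventory every script a page loads, flag third-party hosts that are not on the approved list, and flag external scripts without Subresource Integrity (so a tampered copy on the CDN would be refused by the browser). The code below is an added example, not M.Video-Eldorado's tooling; the sample page, the hosts shop.example and cdn.example, and the allowlist are constructed for illustration. A real run would fetch the rendered page instead of the inline string.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page from a hypothetical shop (shop.example is not a real site).
SAMPLE_HTML = """
<html><head>
<script src="/static/app.js"></script>
<script src="https://cdn.example/lib/analytics.js"
        integrity="sha384-AAAAexampleAAAA" crossorigin="anonymous"></script>
<script src="https://unknown-host.example/tag.js"></script>
<script>window.dataLayer = window.dataLayer || [];</script>
</head><body></body></html>
"""

SITE_HOST = "shop.example"
ALLOWED_EXTERNAL_HOSTS = {"cdn.example"}  # hypothetical approved CDN


class ScriptCollector(HTMLParser):
    """Collects every <script> tag with its attributes and whether it has inline code."""

    def __init__(self):
        super().__init__()
        self.scripts = []
        self._open = None

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._open = {"attrs": dict(attrs), "inline": False}

    def handle_data(self, data):
        # HTMLParser delivers <script> bodies as data; non-blank body means inline code.
        if self._open is not None and data.strip():
            self._open["inline"] = True

    def handle_endtag(self, tag):
        if tag == "script" and self._open is not None:
            self.scripts.append(self._open)
            self._open = None


def audit_scripts(html, site_host, allowed_hosts):
    """Return (finding, detail) pairs for a defender to review."""
    collector = ScriptCollector()
    collector.feed(html)
    findings = []
    for s in collector.scripts:
        src = s["attrs"].get("src")
        if src is None:
            if s["inline"]:
                findings.append(("inline-script", "inline code; cover with a CSP nonce or hash"))
            continue
        host = urlparse(src).netloc
        if not host or host == site_host:
            continue  # first-party script served from our own origin
        if host not in allowed_hosts:
            findings.append(("unknown-external-host", src))
        if "integrity" not in s["attrs"]:
            findings.append(("external-without-sri", src))
    return findings


if __name__ == "__main__":
    for kind, detail in audit_scripts(SAMPLE_HTML, SITE_HOST, ALLOWED_EXTERNAL_HOSTS):
        print(f"{kind}: {detail}")
```

Running this on a schedule and diffing the inventory against the previous run turns an unexpected new script host into an alert, which is the "deviation from the usual pattern" the section treats as an incident.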
Dmitry Nikulchev, DD Planet, on how to protect user data in web and mobile services
Secure programming at DD Planet is based on several principles. The first is reliability: the product's behavior must be predictable, correct and reliable, even if the source data is entered incorrectly (accidentally or intentionally as part of an attack on the product).
The second is security: the ability to protect against external threats and attacks and to remain operational after they are repelled and removed.
The third is privacy: ensuring safe and correct handling of personal data. This is critical when developing corporate and user applications.
For example, the Zhivu.RF service, developed and supported by DD Planet, is a private social network for neighbors and contains a lot of personal data. The user profile is confirmed through the state services portal, and residence at a specific address (neighborhood) is confirmed by an extract from the Unified State Register of Real Estate (USRR). This imposes serious obligations on the developer regarding the protection of personal information.
Storage and processing of user data
We store all personal data in an ISPDN (personal data information system). It lives in an isolated virtual network with a secure IT infrastructure, which integrates intrusion detection, a security analysis and vulnerability scanning server, and a backup server.
To identify vulnerabilities we apply the “manual approach” and rely on expert analysis. This principle does not involve automated tools: the research is carried out by an experienced specialist who relies on their own knowledge when identifying vulnerabilities. Clearly this technique is time-consuming and requires highly qualified specialists in the company. However, it is considered the most effective in terms of accuracy and completeness of the results.
Severity for a perfect product
In client development it is important to release on time, and the application must be free of bugs and guarantee users' safety. Following this principle, when testing products we rank tasks by priority, or Severity: every bug-fixing task is ranked by the degree of the defect's negative impact on the product.
The priority for eliminating bugs at DD Planet is as follows:
- First of all, we identify and eliminate blockers: errors that prevent the user from performing the target action. For example, a visitor cannot register on the site or in the application, sign in to their account, or access target data or application sections.
- Next, we monitor and eliminate critical bugs: security problems, system hangs, incorrectly working business processes, periodic application crashes.
- Then we analyze medium-level problems: errors that appear only in certain specific situations.
- The final step is minor edits: getting rid of minor bugs, working through comments on the interface, and so on.
This sequence helps us get rid of bugs quickly, concentrating on the aspects that matter most to the user.
The product is released in several stages. First it is published to a test environment to identify bugs. Then bugs with Severity 1 and 2 are fixed. After that we release to production. For some time after the release, part of the team eliminates bugs with priority 3 and 4, and after a few days another update goes to production once the remaining problems are fixed.
To ensure maximum product safety:
- Use parameterized database queries.
- Stop constructing queries inside the application, to avoid SQL injection.
- Connect to the database only under a dedicated account created with the minimum necessary set of rights.
- Keep security logs regularly.
Do not trust user input: any data from the client (user) must be checked on the server. This prevents scripts or malicious hexadecimal codes from getting through.
User data is often passed as parameters to call other code on the server and, if unchecked, can seriously compromise the security of the system. That is why it is so important to strictly check all input data for correctness.

Andrei Ryzhkin and Alexey Klinov from AGIMA, on how to establish control over the security of mobile applications

The security of the digital architecture of any product is a critical attribute for both business and users. It is an additional indicator of quality and reliability that must be maintained at all stages of the production and operation of the application.

When starting development, it is important to determine what data we protect; any organization has a lot of it. The accumulated data is spread across different systems and is hard to control. The information that needs protecting usually includes:
- Personal data of employees and customers.
- Bank client access data.
- Information about the company's customers.
- Production drawings.
- Project documentation.
The consequences of data theft are large financial losses for an organization, reputational damage, loss of key customers and partners, and the breakdown of deals and projects.

There are still very few remedies for vulnerabilities on the market. Business needs a working application with effective functionality that brings financial returns. But however perfect the application, it may contain artifacts related to vulnerabilities. They do not manifest themselves until a certain point, until a competitor or an outside hacker needs them. These vulnerabilities can be exploited for gain in an attempt to penetrate an organization through its website or application and gain access to valuable data. As a result, the business suffers severely.

Unfortunately, security analysis is still a rarity in custom development. The reason is the uniqueness of projects: they are all too different, and each has its own needs, which affects the cost of analysis. Given the low margins of the business, it is not always possible to put the process on stream in custom development. And yet the process is better not neglected.

How to prevent data theft from the application?
From the very beginning of developing a mobile or web application, it makes sense to introduce security analysis of the product code. There are many aspects here:
A WAF (firewall) alone cannot be relied on for protection: a rule may fail, or an incorrect configuration or outdated signatures may be in use. Only a set of measures, namely a vulnerability scanner, pen-test, WAF and DDoS protection, ensures the security of application data.

Later, when the application is at the pre-sale stage, it makes sense to use specialized scanners and code analyzers and to conduct a pen-test. This finds vulnerabilities that could not be identified by analyzing the code during development.

How to organize the process of testing for vulnerabilities?
An information security audit should be carried out when a new project enters development. At the same time, it is important to analyze the product's technical debt: look at the bugs and vulnerabilities. After that, make a roadmap for eliminating the vulnerabilities. Sometimes everything can be eliminated at the first stage; if there are many problems, they will have to be fought during further development. First eliminate the critical ones, then the less dangerous ones.

There are several approaches to code analysis:
- Full integration into the CI/CD development process.
- Security audit at control points.
- Situational or one-time security audit.
- Security criteria and risk assessment.
The ideal option is to integrate security analysis into the daily code review. This approach is especially relevant for projects that the same developer has been working on for a long time.

The second method is a security audit at control points. It suits products with rare releases.

A situational or one-time audit makes sense if the project has only just been developed or is simple enough.

Combining the three approaches listed above allows you to reduce the number of potential vulnerabilities in the release, minimize the product's technical debt, shorten the time to launch the application into production, and use the experience gained to analyze the security of third-party applications.

The result of security analysis in the early stages of development is reduced reputational risk for the company, a lower cost of fixing vulnerabilities and fewer independent application checks. The application goes to production earlier.

Instead of a conclusion
Today, the search for vulnerabilities in software products, mobile and web applications is becoming an important activity for all leading software companies. Some consider expert vulnerability analysis reliable and entrust testing to in-house specialists. Others use pen tests, vulnerability scanners and code analyzers. Still others integrate SAST tools into the development process. In any case, before starting work it is recommended to build threat models and analyze the potential risks associated with theft and distortion of critical data. Do not rely only on a firewall and free remedies. The most reliable approach is an integrated one: regularly and carefully check the code for bugs and vulnerabilities.