Originally posted on LinkedIn by DataEndure Cloud and Data Science Practice Manager, Scott Stephenson.
More and more organizations are engaging in software development. The reasons for doing so are diverse: providing a service interface for a legacy system, creating operations scripts to automate IT tasks, or even building entire SaaS services, software tools, or products. Organizations that may have never considered software development now find they need to engage in data collection and transformation to remain competitive in their market. While this trend creates new opportunities for automation, integration, efficiency and revenue streams, it also increases the need for that software to be properly secured.
There have always been tools to help mitigate security risk on production platforms. Historically, developers have relied on individual and team efforts to find security flaws in the code they produce. Today, however, there is a more systematic set of tools covering the entire development cycle, from the coding process through deployment and into production. Employed together, these tools can secure this vital aspect of your operations.
1. Use tools to scan open source libraries to ensure they are safe to use
A common practice to speed up development efforts is selecting previously developed libraries to provide the building blocks of the development effort. Inspecting the reputation of those libraries can help prevent using libraries that have known security flaws (whether those flaws are intentional or unintentional). Tools that provide this capability are referred to as Origin Analysis or Software Composition Analysis (SCA) tools.
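To make the SCA idea concrete, here is an added illustration (not from the original post or any product DataEndure offers) of what such a tool does at its core: it reads the pinned dependencies of a project, compares each version against an advisory list of affected version ranges, and returns a non-zero exit code so a CI/CD pipeline fails closed. The lockfile, package names and advisories are all constructed for this example; the version comparison is deliberately simplified and does not handle pre-release tags.

```python
import re
from typing import List, Tuple

# Constructed lockfile content (requirements.txt style, pinned versions). Fictional packages.
LOCKFILE = """\
httpkit==2.19.0
netutil==1.26.18
# build tooling below
yamlkit==5.3
"""

# Constructed advisory list (hypothetical, not real CVE data):
# (package, first affected version, first fixed version, advisory id)
ADVISORIES = [
    ("httpkit", "2.0.0", "2.20.0", "ADV-0001 (constructed)"),
    ("netutil", "1.0.0", "1.26.5", "ADV-0002 (constructed)"),
    ("yamlkit", "0", "5.4", "ADV-0003 (constructed)"),
]

def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '2.19.0' into (2, 19, 0) so versions compare numerically, not as strings."""
    return tuple(int(p) for p in re.findall(r"\d+", v))

def parse_lockfile(text: str) -> List[Tuple[str, str]]:
    """Extract (name, version) pairs from pinned 'name==version' lines; skip comments and blanks."""
    deps = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.fullmatch(r"([A-Za-z0-9_.-]+)==([0-9][0-9A-Za-z.]*)", line)
        if m:
            deps.append((m.group(1).lower(), m.group(2)))
    return deps

def find_vulnerable(deps, advisories):
    """Return (name, version, advisory_id) for each dependency inside an affected range [lo, hi)."""
    findings = []
    for name, version in deps:
        v = parse_version(version)
        for adv_name, lo, hi, adv_id in advisories:
            if name == adv_name and parse_version(lo) <= v < parse_version(hi):
                findings.append((name, version, adv_id))
    return findings

def ci_exit_code(text: str, advisories=ADVISORIES) -> int:
    """1 when any pinned dependency is affected, so the build step fails rather than deploying it."""
    return 1 if find_vulnerable(parse_lockfile(text), advisories) else 0
```

A real SCA tool adds transitive dependency resolution and a maintained advisory feed; the matching logic above is the part that decides whether a build is allowed to proceed.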
2. Scan produced code to ensure common software security vulnerabilities are identified and mitigated
Some solutions integrate with your chosen development suite (IDE) to help you find common violations while the code is being written. Other solutions integrate with your build process or CI/CD pipeline in order to flag security issues in the code being built and prevent those flaws from being deployed into test or production environments. This type of code scanning is called Static Application Security Testing (SAST).
3. Secure the Dev, Test, and Production Environments
As with the rest of your company assets, Dev, Test and Production environments need to have security best practices applied to them. Even if they are temporary test environments, use anti-virus, intrusion detection, vulnerability scanning and database security tools so that these environments do not become an attack vector. Delving into the recommended tools to secure your environment is a broader topic than this Tech Tip, but there are comprehensive services available that can provide both the suite of tools and the expertise to manage them.
4. Test to validate that all the security efforts are successfully blocking attempts to compromise
While scanning your code as you write and build it is one important layer in preventing security vulnerabilities in your development, verifying through testing that the security is implemented properly is also important. Services such as Application Security Testing as a Service (ASTaaS) can regularly scan for common exploits and alert you when there is an issue. Dynamic Application Security Testing (DAST) tools can be managed directly by your team to run tests against your API, simulating calls to it to determine whether common exploits would succeed and flagging the issues found.
The best services and solutions in this space will be prescriptive, not just flagging the issue but providing a recommended path to remediate it. In addition, DAST tools also work on APIs and applications that you have purchased (and therefore have no source code to scan) but still need to secure.
5. Watch the API and Applications for bad actors
Finally, the application or API needs to be monitored on an ongoing basis for potentially malicious behavior. There is a range of tools that can identify API traffic as malicious. They are either placed inline in the path of API execution, so that every call is inspected and can be blocked, or installed as a sidecar that flags potentially malicious behavior but does not directly block the call from proceeding.
If this sounds like a lot, start with SCA and SAST tools for your internal development, and consider DAST tools and AST services for deployed or purchased applications. As you determine how to best invest in and further develop these capabilities, experienced advisors like DataEndure can help you develop a program to secure this vital segment of your operations.