Bridging the gap between security and developers

Whatever you need, there’s an app for it. In fact, according to Business of Apps, there will be 1.81 million apps in Apple’s App Store by 2024. This growing trend has spread from our pockets to our businesses, with increasing adoption of Software as a Service (SaaS) and cloud computing. The average company has 371 SaaS applications, while IDC found that companies spent $315.5 billion on public cloud services in the first half of 2023.

All this software and all these applications are made by humans, and it is common knowledge that humans make mistakes. Mistakes in software development increase the chance of attacks, leading to security incidents. Multiply these risks by the size of your tech stack and securing your environment seems nearly impossible.

Identify problems early

To alleviate some of the risk and security burden, you can look for issues earlier in the software development process. This is called a ‘shift-left’ approach because it moves security scans and assessments earlier in the software development lifecycle (SDLC). Scanning software in the CI/CD (Continuous Integration/Continuous Deployment) pipeline identifies issues that need attention before attackers have a chance to exploit them. Discovering bugs, misconfigurations, or vulnerabilities earlier also lets you fix them faster and at a lower cost than if those same issues are running in production applications or are part of software deployed to thousands or millions of real-world assets.

Although shift-left security has been discussed as a best practice in recent years, it does not appear to be well implemented. Data from the Sysdig 2024 Cloud-Native Security and Usage Report shows that scans on production systems fail more often than scans in the CI/CD build pipeline: 91% of production scanning policy evaluations failed, compared with 71% of CI/CD scans. CI/CD scans happen before production runtime scans, so any errors caught in the CI/CD build pipeline should have been corrected before the workload is scanned at runtime. So why do we see such a high rate of runtime failures if shift-left is the best practice?

Crystal Morin

Cybersecurity Strategist, Sysdig.

Make changes to your processes

First and foremost, improving collaboration between teams, rather than simply handing down security requirements, will almost always prove more effective and sustainable. In the eyes of a developer, shift-left means additional responsibility for repairs and changes without additional help. For them, shifting left may look more like an increase in workload than a change in approach that reduces security risk.

To overcome this hurdle and make shift-left processes work, security personnel must understand how their fellow developers actually work in practice. Do the applications they build follow traditional design principles, are they cloud-native applications built to be distributed, immutable, and ephemeral (DIE), or is there a mix of builds in the transition from traditional to cloud native?

By better understanding how complex their environments and application builds are at their core, security teams can help developers see what risks exist in their applications and how to prioritize and mitigate the biggest threats before they materialize in production. This includes determining how great the risk is for your organization and environment, and what steps are needed to limit it. This process ensures that developers can focus their changes where they are needed most, such as on exploitable critical vulnerabilities or misconfigurations.
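One way to turn the prioritization described above into a CI/CD gate, as an added example (this is not code from the article or from Sysdig; the policy fields, the sample findings and the package names are constructed for illustration): a scan result is evaluated against a policy, and only the findings that match the policy block the build. The strict policy fails on every critical or high finding, while the prioritized policy blocks only critical findings that have a known exploit and a fix available, which is the smaller list developers need to act on first.

```python
"""
Added example (not the article's or any vendor's code): a minimal shift-left
policy gate that decides whether a build may proceed to production.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1}


@dataclass(frozen=True)
class Finding:
    package: str
    installed: str
    severity: str                 # one of SEVERITY_RANK
    fix_version: Optional[str]    # None when upstream has no fixed release yet
    exploit_known: bool           # a public exploit or in-the-wild use is reported


@dataclass(frozen=True)
class Policy:
    block_severities: frozenset   # severities that are allowed to block the build
    require_fix: bool             # block only when a fixed version exists
    require_exploit: bool         # block only when exploitation is known


def is_blocking(finding: Finding, policy: Policy) -> bool:
    """True when this finding must be fixed before the build can ship."""
    if finding.severity not in policy.block_severities:
        return False
    if policy.require_fix and finding.fix_version is None:
        return False
    if policy.require_exploit and not finding.exploit_known:
        return False
    return True


def evaluate(findings: List[Finding], policy: Policy) -> Tuple[bool, List[Finding]]:
    """Return (passed, blocking findings ordered most severe first, then by name)."""
    blocking = sorted(
        (f for f in findings if is_blocking(f, policy)),
        key=lambda f: (-SEVERITY_RANK[f.severity], f.package),
    )
    return (not blocking, blocking)


# Constructed sample scan output; package names and versions are hypothetical.
SAMPLE_FINDINGS = [
    Finding("libfoo", "1.2.0", "critical", "1.2.5", True),
    Finding("libbar", "0.9.1", "critical", None, False),
    Finding("bazlib", "3.0.0", "high", "3.0.2", False),
    Finding("qux", "2.1.0", "medium", "2.1.1", False),
]

# Naive policy: every critical or high finding fails the build.
STRICT = Policy(frozenset({"critical", "high"}), require_fix=False, require_exploit=False)
# Prioritized policy: block on exploitable criticals that already have a fix.
PRIORITIZED = Policy(frozenset({"critical"}), require_fix=True, require_exploit=True)

if __name__ == "__main__":
    for name, policy in (("strict", STRICT), ("prioritized", PRIORITIZED)):
        passed, blocking = evaluate(SAMPLE_FINDINGS, policy)
        status = "PASS" if passed else "FAIL"
        print(f"{name}: {status}; must fix first: {[f.package for f in blocking]}")
```

Run as a script, the strict policy fails the build on three packages while the prioritized policy fails it on one; the findings that do not block still belong in the report, so developers see them without being asked to drop everything for them.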

Similarly, security teams and their tools can flag where unnecessary components or excessive permissions are baked into standard container images. Developers often use software containers or machine images as standardized templates for deployment. However, if these templates contain outdated components, every workload built from that template inherits them and gets flagged as an additional security risk. Updating developer workload templates reduces the number of security alerts and risks and minimizes repetitive remediation work.

Improve security before production

Ideally, software containers are immutable. This means that a workload does not change at runtime. Container drift, meaning changes and updates to a container while it is in production, often triggers security alerts, but is a common developer habit. If developers refrain from changing workloads at runtime, security teams can configure drift checking with more sensitive and reliable detections, so that a detected drift indicates potentially malicious activity rather than development noise.
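A concrete drift check of the kind described above, as an added example (this is not the article's code or any vendor's drift detection; the directory layout, file names and the simulated runtime changes are constructed for illustration): a file manifest of the workload is taken at build time, taken again at runtime, and every added, modified or removed file is reported, with newly appeared executables called out separately because on an immutable workload they should never occur.

```python
"""
Added example (not from the article or any product): a file-system drift
check for an immutable workload. Baseline the image at build time, compare
at runtime, and treat any difference as a signal worth investigating.
"""
import hashlib
import os
import stat
import tempfile
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass(frozen=True)
class FileState:
    digest: str        # sha256 of file content
    executable: bool   # any execute bit set on the file


def snapshot(root: str) -> Dict[str, FileState]:
    """Map each regular file under root (relative, '/'-separated) to its FileState."""
    states: Dict[str, FileState] = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if not stat.S_ISREG(st.st_mode):
                continue  # symlinks, sockets and devices are out of scope here
            with open(full, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            states[rel] = FileState(digest, bool(st.st_mode & 0o111))
    return states


@dataclass
class DriftReport:
    added: List[str] = field(default_factory=list)
    modified: List[str] = field(default_factory=list)
    removed: List[str] = field(default_factory=list)
    new_executables: List[str] = field(default_factory=list)

    @property
    def drifted(self) -> bool:
        return bool(self.added or self.modified or self.removed)


def diff(baseline: Dict[str, FileState], current: Dict[str, FileState]) -> DriftReport:
    """Compare two snapshots; a changed digest or changed execute bit counts as modified."""
    report = DriftReport()
    for path, state in current.items():
        if path not in baseline:
            report.added.append(path)
            if state.executable:
                report.new_executables.append(path)
        elif state != baseline[path]:
            report.modified.append(path)
    report.removed = [p for p in baseline if p not in current]
    for lst in (report.added, report.modified, report.removed, report.new_executables):
        lst.sort()
    return report


def demo() -> DriftReport:
    """Build a constructed 'image' in a temp dir, baseline it, then simulate runtime drift."""
    with tempfile.TemporaryDirectory() as root:
        app = os.path.join(root, "app")
        os.makedirs(app)
        with open(os.path.join(app, "server.py"), "w") as fh:
            fh.write("print('hello')\n")
        with open(os.path.join(app, "config.yaml"), "w") as fh:
            fh.write("debug: false\n")
        baseline = snapshot(root)

        # Simulated drift at runtime: config edited, an executable dropped in,
        # and an original file removed.
        with open(os.path.join(app, "config.yaml"), "w") as fh:
            fh.write("debug: true\n")
        dropped = os.path.join(app, "helper.sh")
        with open(dropped, "w") as fh:
            fh.write("#!/bin/sh\necho drift\n")
        os.chmod(dropped, 0o755)
        os.remove(os.path.join(app, "server.py"))
        return diff(baseline, snapshot(root))


if __name__ == "__main__":
    r = demo()
    print("drifted:", r.drifted)
    print("added:", r.added, "| new executables:", r.new_executables)
    print("modified:", r.modified, "| removed:", r.removed)
```

The baseline would normally be produced in the CI/CD pipeline and shipped alongside the image, so the runtime check only has to hash and compare; once developers stop editing running containers, any non-empty report is a detection rather than noise.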

Runtime scans are more accurate at highlighting the security vulnerabilities that are actually active in a production environment. These scans keep production security issues closer to the security team instead of passing them to developers, which matters because problems in production environments can directly disrupt business operations.

Long-term security gains

In our daily lives and in our organizations we all depend on software and applications. This software must be kept secure. We can improve its security by shifting left and sticking to the secure-by-design mantra. Software and applications that are built securely are less likely to be attacked and fail fewer policy scans, reducing the security burden for both security and developer teams.

In practice, security teams should work with developers to identify where those potential risks are and how they can be eliminated. At the same time, developers can train and work with security teams to prevent issues from entering code or infrastructure components. This teamwork and sharing of common goals will improve overall software quality and security across entire organizations.

This article was produced as part of Ny BreakingPro’s Expert Insights channel, where we profile the best and brightest minds in today’s technology industry. The views expressed here are those of the author and are not necessarily those of Ny BreakingPro or Future plc. If you are interested in contributing, you can read more here: https://www.techradar.com/news/submit-your-story-to-techradar-pro