DevOps security hurdles can be overcome with the right tools
The merging of infrastructure deployment and application development, or DevOps, is in full swing. The days of a software developer creating an application in isolation from the operations team and then deploying it on hardware they procured and managed are coming to an end.
Consequently, developers depend more and more on code and modules provided by third parties, which means trusting software that has passed through many other hands, often under development and code review processes that are less rigorous than you would like.
For example, in April 2014 the Heartbleed bug was disclosed. A missing bounds check in OpenSSL's implementation of the TLS heartbeat extension let an attacker read up to 64 KB of a server's memory per request, which could include private keys, session cookies and other data the TLS connection was supposed to protect. The flaw had shipped in OpenSSL 1.0.1 in 2012, a library used by a large share of the world's web servers, and went unnoticed for about two years until it was found independently by Google's Neel Mehta and by engineers at Codenomicon.
As development cycles shorten, developers look for ways to trim the time between releases. That leads to re-use of open source code from repositories such as GitHub, and of libraries and services bought through marketplaces such as the Azure Marketplace and AWS Marketplace. Add third-party APIs for connecting different services and pieces of software, and the resulting application depends on connections between pieces of code developed by multiple parties, in a variety of environments, under widely varying standards.
This is why threat actors are able to execute supply-chain poisoning attacks. In 2017, NetSarang's Xmanager and Xshell connectivity tools shipped with a backdoor, later named ShadowPad, hidden inside a legitimately signed build; it came to light only when a customer noticed the software making unusual DNS requests and Kaspersky Lab traced them back to the implant. Similarly, in 2015 a tampered copy of Apple's Xcode development tools, distributed on Chinese file-sharing sites, silently injected malicious code (XcodeGhost) into every app built with it, and many of those apps passed review and reached Apple's App Store, mostly through Chinese developers who had used the poisoned toolchain.
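The NetSarang case was caught by an egress signal, not by inspecting the vendor's code: a host made DNS queries it had no business making. The following is an added example, not code from the article or from any product it names, of the kind of check a build or CI host's DNS logs can be run through. The log format, the allowlist of expected registered domains and the thresholds are all assumptions for illustration, and the sample log lines are constructed.

```python
"""Flag DNS queries from build/CI hosts that look like command-and-control
or data exfiltration: queries to domains outside an allowlist, TXT lookups
to unknown domains, and labels that look like encoded data.

Added example; log format, allowlist and thresholds are assumptions."""
import math
from collections import Counter

# Registered domains a build host is expected to talk to (assumed allowlist).
ALLOWED_DOMAINS = {
    "github.com", "pypi.org", "pythonhosted.org", "npmjs.org",
    "azure.com", "amazonaws.com",
}
ENCODED_MIN_LEN = 20      # labels at least this long ...
ENCODED_MIN_ENTROPY = 3.5  # ... and this random-looking (bits/char) get flagged

# Constructed sample log: "<timestamp> <client-ip> <qtype> <qname>"
SAMPLE_LOG = """\
2017-07-18T10:02:11Z 10.0.4.12 A github.com
2017-07-18T10:02:12Z 10.0.4.12 A files.pythonhosted.org
2017-07-18T10:02:40Z 10.0.4.12 TXT a3f9c1e07b4d2e8f19c0aa7b.update-checker.example
2017-07-18T10:02:41Z 10.0.4.12 TXT b7e22d90cc41f83a0d5e6f1c.update-checker.example
2017-07-18T10:03:05Z 10.0.4.13 A registry.npmjs.org
2017-07-18T10:03:09Z 10.0.4.13 A www.example.org
"""


def shannon_entropy(s):
    """Bits of entropy per character of s (0 for an empty or single-symbol string)."""
    if not s:
        return 0.0
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_domain(qname):
    """Last two labels of the name. Simplification: production code should use
    the public suffix list so that names under e.g. co.uk are handled."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def parse_line(line):
    ts, client, qtype, qname = line.split()
    return {"ts": ts, "client": client, "qtype": qtype.upper(),
            "qname": qname.rstrip(".").lower()}


def suspicious_reasons(rec):
    """Return the list of reasons this query looks wrong (empty if it looks fine)."""
    reasons = []
    domain = registered_domain(rec["qname"])
    known = domain in ALLOWED_DOMAINS
    if not known:
        reasons.append("unexpected-domain")
        # TXT answers are a classic channel for pulling down commands.
        if rec["qtype"] == "TXT":
            reasons.append("txt-to-unknown-domain")
    # A long, high-entropy label in front of the domain looks like encoded data.
    for label in rec["qname"].split(".")[:-2]:
        if len(label) >= ENCODED_MIN_LEN and shannon_entropy(label) >= ENCODED_MIN_ENTROPY:
            reasons.append("encoded-label")
            break
    return reasons


def scan(log_text):
    """Return one finding per suspicious query, in log order."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        reasons = suspicious_reasons(rec)
        if reasons:
            findings.append({"ts": rec["ts"], "client": rec["client"],
                             "qname": rec["qname"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f["ts"], f["client"], f["qname"], ",".join(f["reasons"]))
```

The two TXT queries in the sample trip all three heuristics at once, which is the combination worth paging someone over; the lone query to www.example.org only fails the allowlist and is the sort of finding that belongs in a daily review rather than an alert.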
The complexity challenge
Developers are in a very challenging position. They have to meet rising demands for rapid development and deployment in a fast-paced and changing business environment, and that means working with third-party libraries and tools while still ensuring the security of business data.
Against that is the increasingly stringent regulatory environment businesses work in. The recently introduced Notifiable Data Breaches scheme in Australia, the General Data Protection Regulation (GDPR) in the European Union and updated privacy legislation in New Zealand mean businesses need to ensure the programs they create comply with all those laws.
With all those things in play, it's important to remember that software is created by human beings and they make mistakes. The development process and environment therefore need to be built on the assumption that errors will be made. That's why developers need tools that not only debug malfunctioning code that causes software to fail but also detect when data could leave what developers think is a safe enclave.
Manual checking doesn't cut it
In the past, developers worked in teams where their code was reviewed by peers before entering the various testing phases. That approach alone doesn't keep up in the DevOps world. Things move quickly, and that means some trust is implied when an application moves from development to testing and through to user acceptance and deployment.
The old Russian proverb "Trust, but verify" applies. Developers need a way to ensure the code they write does not compromise the business. Even if the code they create is error-free, the same might not be true for code sourced from other repositories or for code that runs on third-party infrastructure. That means looking for tools that can detect unexpected activity and create a secure environment for corporate apps to execute in, so that personally identifiable information and other critical data are protected.
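"Verify" for third-party code starts with checking that the artifact entering the build is the artifact you reviewed, not a newer or tampered copy with the same name. The following is an added example, not the article's or any vendor's code: it checks a vendored directory against a manifest of pinned SHA-256 digests and reports every file that is modified, missing or present without a pin. The manifest format (sha256sum style) and the `demo()` scenario with its file contents are assumptions constructed for the example.

```python
"""Verify vendored third-party artifacts against pinned SHA-256 digests
before they enter the build. Added example; the manifest format and the
demo scenario are assumptions."""
import hashlib
import os
import tempfile


def sha256_file(path, chunk=1 << 16):
    """Stream a file through SHA-256 so large artifacts are not read into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def parse_manifest(text):
    """One '<hex digest>  <relative path>' per line, '#' comments allowed."""
    pins = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        digest, path = line.split(None, 1)
        pins[path.strip()] = digest.lower()
    return pins


def verify_tree(root, pins):
    """Return {path: 'ok' | 'mismatch' | 'missing' | 'unpinned'} covering every
    pinned path and every file under root. Anything but 'ok' should fail the build:
    'unpinned' is how a dropped-in tool or SDK you never reviewed shows up."""
    present = set()
    for dirpath, _, files in os.walk(root):
        for name in files:
            rel = os.path.relpath(os.path.join(dirpath, name), root)
            present.add(rel.replace(os.sep, "/"))
    result = {}
    for path, expected in pins.items():
        if path not in present:
            result[path] = "missing"
        elif sha256_file(os.path.join(root, path)) == expected:
            result[path] = "ok"
        else:
            result[path] = "mismatch"
    for path in sorted(present - set(pins)):
        result[path] = "unpinned"
    return result


def demo():
    """Constructed scenario: one untouched library, one modified after it was
    pinned, one pinned but absent, and one added without a pin."""
    good = b"function add(a, b) { return a + b; }\n"
    tampered = good + b"// unexpected change\n"
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "vendor"))
        for name, data in (("math.js", good), ("http.js", tampered), ("extra.js", b"// no pin\n")):
            with open(os.path.join(root, "vendor", name), "wb") as f:
                f.write(data)
        manifest = "\n".join([
            "# sha256  path",
            f"{hashlib.sha256(good).hexdigest()}  vendor/math.js",
            f"{hashlib.sha256(b'original http.js contents').hexdigest()}  vendor/http.js",
            f"{hashlib.sha256(b'never vendored').hexdigest()}  vendor/missing.js",
        ])
        return verify_tree(root, parse_manifest(manifest))


if __name__ == "__main__":
    for path, status in sorted(demo().items()):
        print(f"{status:9} {path}")
```

Package managers can do the same job for registry dependencies, for instance `pip install --require-hashes -r requirements.txt`, but files copied into the tree by hand, vendored SDKs and downloaded toolchains need a check like this one; a version tag alone proves nothing about contents.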
Looking towards solutions
Businesses need to take a multi-faceted approach to protect their data as it’s handled by mobile applications. That means finding tools that can automatically assess and report the vulnerabilities in an app during the development process, when remediation is simpler and less disruptive.
Once an application is developed and deployed, it's important to protect it in the field so threat actors can't download the app, reverse engineer it, repackage a modified version and then distribute it, fooling the customers you've built a trust relationship with into using software that will steal their data and harm your reputation.
How can you do that?
Tools such as Quixxi’s App Scanning and App Shield can support your development process.
Quixxi App Scanning can integrate with your mobile application development environment, as its APIs and command-line tools can automatically assess and report the app's vulnerabilities. That's complemented by App Shield, which obfuscates and encrypts your app's code so that a hacker who tries to reverse engineer it faces hardened code rather than the original. Obfuscation raises the cost of reverse engineering substantially; no wrapper makes a binary in an attacker's hands impossible to analyse, so it should be paired with the scanning step rather than relied on alone.
The DevOps movement has delivered lots of benefits to businesses. Shortened development cycles and simplified distribution mean business objectives can be realised far faster than ever before. But there are risks with the approach and that means taking mitigating steps to ensure the applications you deliver are secure when shipped and they stay secure once they are released.
Quixxi Security Scan assesses applications so you understand what vulnerabilities they have, allowing developers to improve their app so it ships with as few vulnerabilities as possible. Quixxi Security Shield puts an encryption wrapper around applications to keep malware from tampering with them or the data they handle, so your applications work as intended while raising the bar considerably for even a committed attacker. Quixxi Security Sight is a suite of tools that helps you manage mobile application licensing as well as track how applications are used once deployed to the app store and downloaded by users. Quixxi Sight even allows an assessment of the security status of the mobile device, including scanning the device for malware, from inside your shielded app.