To Tame Digital Chaos, Secure Every Stage of Software Development

News Desk -


The United Arab Emirates’ economic Vision programs have long been seen as roadmaps to a digital future. Even where government guidelines and whitepapers do not explicitly mention technology, their ambitious goals imply it. The closer we get to Vision 2030’s “due date”, the more anxious decision makers will be to take control of their digital destinies — to respond with agility to the expectations of markets and regulators. In doing so, many enterprises will turn to in-house DevOps teams to build their digital experience suites. In theory, that is the only way they can deliver for both consumers and regulators.

It is in that tug-of-war between the desire of customers for superlative experiences and the insistence of regulators on secure workflows that organizations face their most difficult challenges. Every speedy rollout has the potential to expose the business to vulnerabilities, and every security issue addressed has the potential to complicate workflows for employees and customers. The guiding principle in trying to walk this line is to secure the entire software development lifecycle (SDLC) by performing a left-shift in security strategy — bringing security considerations into earlier SDLC phases — and subsequently ensuring that vulnerability management remains part of every phase of software development thereafter.

If UAE DevOps teams can identify and mitigate threats all the way along the lifecycle, they will have achieved proactive protection, which is a hallmark of cyber-maturity. If they can minimize potential threats while saving time and resources, they will have discovered a recipe for thriving in the digital economy. To get the balance right, we must begin with clear definitions of what new solutions and updates will do, so we can embed best-practice security provisions as implementation gets underway. Frameworks like the Software Assurance Maturity Model (SAMM) can act as a strong foundation for security and development professionals to collaborate closely on the assessment of business risks associated with software vulnerabilities.

Following these practices, in which security is considered a core ingredient rather than icing on the cake, is a strong start. Software testers must still formulate their scripts in a security-conscious way. Penetration testing and dynamic application security testing (DAST), accompanied by code reviews, can help ensure vulnerabilities have nowhere to hide in the later stages of the cycle. Even when green lights are given, the live production environment must be monitored for any emerging threats.

Security-focused DevOps teams do not have to invent methods from scratch to institute best practices. The tools are already available. Software composition analysis (SCA) and static application security testing (SAST) can automate vulnerability detection by scanning source code and libraries for issues. Tools like PyTM (pythonic threat modeling) and ThreatSpec can even model threats at the design phase; and the Security Knowledge Framework is designed to help developers and software architects think like attackers even if they are not well-versed in cyber security. This is useful in a region that continues to face cybersecurity skills gaps.

These are critical capabilities in the shift-left approach to DevOps security because of the complexity and expense of ad-hoc remediation. If left to later stages, some vulnerabilities may not be candidates for simple patching and may require months of workshopping and redesign to address. But if security is integrated into the heart of every project, the organization’s overall security posture benefits. Not only will it be able to more easily satisfy UAE regulators; it will live up to international standards like ISO 27001. This has lasting, positive implications for its market reputation, especially in industries like finance and healthcare where slips in customer confidence can mean the end of a brand.

Supply-chain rein

Keeping a tight rein on the SDLC by treating it as an interconnected whole is a critical step in addressing one particular cyber threat — the supply-chain attack. While some of the more famous examples like SolarWinds and NotPetya lie outside the region, the UAE and GCC have historically presented tempting targets to threat actors, so organizations here must remain cyber-mature to avoid the derailment of economic progress. DevOps teams rely on a supply chain of third-party open-source libraries. As mentioned previously, tools exist to automatically scan libraries as part of source-code review. Additionally, the Open Web Application Security Project (OWASP) provides an industry-standard guide specifically for the SDLC. Helpful tips include lists of known vulnerabilities, outdated software, and license risks.

Beyond process and best practice, we must take a look at threat intelligence because it is here that DevOps teams will differentiate themselves in cyber-maturity. Continuous training in high-profile threats will allow them to make better decisions while building applications. They should be aware of Log4Shell, which allows nefarious actors to remotely execute code through a vulnerability in Apache Log4j. Millions of attempts have been made by shadowy groups to compromise the millions of applications and devices exposed to this flaw; and it persists in the wild despite multiple patches from Apache.

Vulnerabilities can even be found in code-parsing tools and deployment suites. Development teams must make good use of code patterns, linters, and testing solutions to ensure code quality. They must include security checks through resources such as tslint or OWASP Dependency-Check. For extra quality assurance, team leaders should consider peer reviews, pre-commit hooks, and automated testing; they should implement formal tracking of third-party libraries; and they should use automated testing, manual testing, and pentests, adopting tools like ZAP for automated Web-attack detection. During release, DevOps teams should review configurations for security flaws, and employ tools like Open Policy Agent, the ELK stack, and Prometheus to ensure secure deployment.
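The library scanning described in the supply-chain section and the pre-commit checks listed above boil down to one gate: compare each declared dependency against known-vulnerable version ranges, the current release, and a license policy, and fail early if anything matches. The following is an added illustration of that gate, not code from the article, from OPSWAT, or from OWASP Dependency-Check; the manifest, advisory ranges (including the Log4Shell range), "latest" versions and license data are constructed placeholders.

```python
# Minimal software-composition-analysis (SCA) gate: flags dependencies in a
# known-vulnerable range, behind the current release, or under a denied license,
# so a pre-commit hook or CI job can fail before code leaves the developer's machine.
# All advisory data, versions and the manifest below are constructed samples.
from dataclasses import dataclass

def parse_version(v: str) -> tuple[int, ...]:
    """Turn '2.14.1' into (2, 14, 1) so versions compare numerically, not as strings."""
    return tuple(int(p) for p in v.split("."))

@dataclass
class Advisory:
    package: str
    affected_from: str  # first affected version (inclusive)
    fixed_in: str       # first fixed version (exclusive upper bound)
    name: str

def parse_manifest(text: str) -> dict[str, str]:
    """Parse pip-style 'name==version' lines; blank lines and comments are skipped."""
    deps = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            name, version = (s.strip() for s in line.split("=="))
            deps[name.lower()] = version
    return deps

def is_affected(version: str, adv: Advisory) -> bool:
    return parse_version(adv.affected_from) <= parse_version(version) < parse_version(adv.fixed_in)

def scan(manifest, advisories, latest, licenses, denied):
    """Return (package, finding_type, detail) tuples; an empty list means the gate passes."""
    findings = []
    for name, ver in manifest.items():
        findings += [(name, "vulnerable", a.name) for a in advisories
                     if a.package == name and is_affected(ver, a)]
        if name in latest and parse_version(ver) < parse_version(latest[name]):
            findings.append((name, "outdated", latest[name]))
        if licenses.get(name) in denied:
            findings.append((name, "license", licenses[name]))
    return findings

# Constructed sample data; the Log4Shell range is a placeholder, not the real advisory.
ADVISORIES = [Advisory("log4j", "2.0", "2.17", "Log4Shell (placeholder range)")]
LATEST = {"log4j": "2.17", "requests": "2.31"}
LICENSES = {"log4j": "Apache-2.0", "oldcrypto": "GPL-3.0", "requests": "Apache-2.0"}
DENIED = {"GPL-3.0"}
SAMPLE_MANIFEST = "log4j==2.14.1  # constructed\nrequests==2.31\n\noldcrypto==1.2"

def gate() -> list[tuple[str, str, str]]:
    return scan(parse_manifest(SAMPLE_MANIFEST), ADVISORIES, LATEST, LICENSES, DENIED)
```

A real hook would source the advisory and release data from a feed rather than constants, but the pass/fail decision is the same.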

Taming The Chaos

Vigilance should be the default state of every digital business, and we are now firmly in an era where every business is digital. To please both markets and regulators, enterprises can no longer afford to deploy applications like setting free wild horses. They must tame the experience or risk a fatal hit to their brand.

The article is authored by Yiyi Miao, Chief Product Officer at OPSWAT.