DevSecOps: The buzzword DevSecOps is currently on everyone’s lips. It promises agile development combined with security for users. The ever-faster pace at which teams develop new features often brings a significant risk, namely poor security in web applications. By following the DevSecOps approach and continuously testing the software, developers can build secure web applications and minimize security deficiencies.
The constant improvement of this process enables development teams to achieve continuous security for their web applications. The advantages are convincing: more and more developers want to adopt DevSecOps and wonder how to start integrating it.
DevSecOps: Perform Dependency Check
Many developers use libraries in their applications. The application’s own code may be secure, but that does not help if the dependencies it pulls in are vulnerable, so developers have to check those for weaknesses as well. Suitable tools exist for the various programming languages.
Checking The Containers In Docker
Docker containers help to ship code as quickly as possible, but here, too, developers should pay attention to security: what applies to libraries also applies to Docker base images. Developers have to make sure that they only use trustworthy base images – such as the official images of Linux distributions or of the programming languages they use – and check whether these already contain vulnerabilities. Some registry providers that host the built images can perform this check for developers.
DevSecOps: Do Not Run The Container As Root
The default account in most Docker images is root. For security reasons, developers should not run their application under it. Instead, it is worth creating an unprivileged user account, which takes the following lines in the Dockerfile:
```dockerfile
# Create the unprivileged user account "appuser" (Debian-style adduser, no password, empty GECOS field)
RUN adduser --disabled-password --gecos "" appuser
# Switch to the appuser account for everything that follows
USER appuser
```
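Switching users is easy to forget, and in a multi-stage build a USER set in an early stage does not carry over to the final image. The following script, an added example that is not part of the original article, is a small CI gate that reads a Dockerfile, works out which user the finished image runs as, and fails when that is still root. The function names and the two sample Dockerfiles are constructed for this demonstration.

```shell
#!/bin/sh
# Added example (not from the original article): a CI gate that refuses a
# Dockerfile whose final build stage still runs as root. The function names
# and the two sample Dockerfiles below are constructed for this demo.

# Print the user the finished image runs as: the last USER directive of the
# final stage, or "root" when no such directive exists (Docker's default).
# A USER set in an earlier stage of a multi-stage build does not carry over,
# so the tracked value is reset on every FROM.
dockerfile_effective_user() {
    awk '
        toupper($1) == "FROM" { user = "" }
        toupper($1) == "USER" { user = $2 }
        END {
            sub(/:.*/, "", user)               # drop an optional ":group" suffix
            print (user == "" ? "root" : user)
        }
    ' "$1"
}

# Exit status 0 when the image runs unprivileged, 1 when it runs as root.
# Caveat: a USER given through a build ARG (e.g. "USER ${APP_USER}") cannot be
# resolved here and is treated as non-root; inspect the built image for those.
dockerfile_runs_as_nonroot() {
    case "$(dockerfile_effective_user "$1")" in
        root|0) return 1 ;;
        *)      return 0 ;;
    esac
}

# --- constructed sample input -------------------------------------------
SAMPLE_DIR=$(mktemp -d)
GOOD_DOCKERFILE="$SAMPLE_DIR/Dockerfile.good"
BAD_DOCKERFILE="$SAMPLE_DIR/Dockerfile.bad"

cat > "$GOOD_DOCKERFILE" <<'EOF'
FROM debian:bookworm-slim
RUN adduser --disabled-password --gecos "" appuser
COPY app /opt/app
USER appuser
CMD ["/opt/app/run"]
EOF

# Looks safe at a glance: a USER line is present, but only in the build stage.
cat > "$BAD_DOCKERFILE" <<'EOF'
FROM golang:1.22 AS build
USER nobody
WORKDIR /src
RUN go build -o /out/app .
FROM debian:bookworm-slim
COPY --from=build /out/app /opt/app
CMD ["/opt/app"]
EOF

for f in "$GOOD_DOCKERFILE" "$BAD_DOCKERFILE"; do
    if dockerfile_runs_as_nonroot "$f"; then
        echo "PASS $(basename "$f"): runs as $(dockerfile_effective_user "$f")"
    else
        echo "FAIL $(basename "$f"): final stage runs as root"
    fi
done
```

Run it as a pre-merge step next to the Dockerfile; the second sample shows why the check looks at the final stage only rather than at whether any USER line exists.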
Conduct Security Peer Reviews
Regardless of how experienced developers are, chances are their code has security flaws. A simple way to check the code for security problems is to implement peer reviews – the checking of the code by other programmers – in the development processes. Peer reviews are a great tool for code quality.
Programmers can use another developer’s review to focus on security and avoid logic errors that can lead to problems. And even if the reviews show that there are no unresolved issues, programmers can continually learn more about secure programming by looking at the work of others.
The following steps are suitable as a guide for the code reviews:
- Write code
- Push the code to the repository
- Create a pull request
- Have a colleague review the code
- Use the feedback to improve the code (this can be repeated until both are satisfied)
- Merge the pull request and deploy the software
- Don’t forget: what could go wrong?
Always Ask The Question: “What Could Go Wrong?”
Instead of relying only on quick successes, developers should always ask themselves the question, “What could go wrong?”. Broken authentication? A logic error? System overload? Thinking this through during implementation helps ensure that such errors do not end up in the finished product. Developers can also add so-called “Evil User Stories” and “Abuse Cases” as ticket types in their issue tracking system, alongside the normal “User Stories” and bugs, to keep asking themselves what could go wrong.
DevSecOps: Perform Automated Security Tests
Software development without functional tests is hardly imaginable. The probability of correctly implementing all functions without tests is zero. Automated unit and integration tests support developers tremendously here. The same is true for security tests, and there are various options for automating them:
Static code analyzers such as the open-source tool SonarQube check the program code for security problems and technical debt. Dynamic security scanners check the running application for security gaps by automatically simulating an attacker; there are open-source tools such as OWASP ZAP and commercial providers such as Crashes Security. The security scanners must be integrated into the CI/CD build pipeline so that every release is tested for security gaps automatically.
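What “integrated into the CI/CD pipeline” looks like for a dynamic scanner, as an added example that is not part of the original article: the script below runs the OWASP ZAP baseline scan from its official Docker image against a staging deployment and turns the scanner’s exit status into a build verdict. It assumes Docker is available on the CI runner, that the application is reachable at the URL passed in, and that zap-baseline.py reports 0 for a clean run, 1 for at least one FAIL, 2 for WARN-level findings only and 3 when the scan could not run; the function names and the “strict”/“lenient” policy knob are constructed for this demonstration.

```shell
#!/bin/sh
# Added example (not from the original article): running the OWASP ZAP
# baseline scan as a CI/CD pipeline step and turning its exit status into a
# build verdict. Assumptions: Docker is available on the CI runner, the
# application under test is reachable at the given URL, and zap-baseline.py
# exits 0 = clean, 1 = at least one FAIL, 2 = only WARNs, 3 = scan could not
# run. Function names and the policy knob are constructed for this demo.
set -u

# Run the passive baseline scan against a staging deployment and keep the
# HTML and JSON reports as build artifacts. Returns zap-baseline.py's status.
zap_baseline_scan() {
    target=$1
    report_dir=${2:-zap-report}
    mkdir -p "$report_dir"
    docker run --rm \
        -v "$(pwd)/$report_dir:/zap/wrk:rw" \
        -t ghcr.io/zaproxy/zaproxy:stable \
        zap-baseline.py -t "$target" -r report.html -J report.json
}

# Map the scanner's exit status to a pipeline verdict. The policy selects how
# strict the gate is: "strict" also blocks on WARN-level findings (useful once
# a team has cleaned up its baseline), "lenient" only blocks on FAIL.
# Prints the verdict and returns 0 for pass, 1 for block.
zap_gate_verdict() {
    status=$1
    policy=${2:-lenient}
    case "$status" in
        0) echo "pass: no findings"; return 0 ;;
        1) echo "block: FAIL-level findings"; return 1 ;;
        2) if [ "$policy" = strict ]; then
               echo "block: WARN-level findings (strict policy)"; return 1
           else
               echo "pass: WARN-level findings only, review the report"; return 0
           fi ;;
        3) echo "block: scan did not run (target unreachable or ZAP error)"; return 1 ;;
        *) echo "block: unexpected scanner status $status"; return 1 ;;
    esac
}

# Pipeline entry point: scan, then gate. The "|| status=$?" keeps a non-zero
# scanner exit from aborting the job before the verdict has been recorded,
# so the reports are still uploaded as artifacts on failure.
run_dast_stage() {
    status=0
    zap_baseline_scan "$1" || status=$?
    zap_gate_verdict "$status" "${2:-lenient}"
}

# Example wiring for a pipeline job; uncomment on a runner with Docker:
# run_dast_stage "https://staging.example.invalid" strict
```

The verdict step is kept separate from the scan so that an infrastructure problem (status 3) is reported as “scan did not run” rather than silently passing the build, and so that the gate can be tightened from lenient to strict without touching the scanner invocation.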
Responsible Disclosure Of Security Vulnerabilities
Of course, developers cannot always be 100 percent right either. That’s why they need the help of others. Creating and maintaining a bug bounty program is a lot of work, and not every programmer likes it when others hack their application all the time, even for a good cause. A Responsible Vulnerability Disclosure Policy tells users whom to contact in the event of a problem and asks them to report vulnerabilities instead of misusing or selling them.
Additional Tip: Create Your Infrastructure As Code
Seven tips are not enough for you? OK, but this tip takes a little more effort: programmers should create their infrastructure as code with tools like Terraform as an additional layer of security. This enables them to create secure base resources such as server instances with a good TLS configuration or preconfigured firewalls. Developers can then apply the same security procedures as for their application code, for example code reviews.
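Once the firewall rules live in code, they can be reviewed automatically like any other code. The script below is an added example, not part of the original article: a toy pre-merge check that scans Terraform files for an aws_security_group ingress rule that opens an administrative port to the whole internet. It is a line-oriented awk approximation rather than an HCL parser (dedicated IaC scanners cover far more), and the function name and the two sample .tf files are constructed for this demonstration.

```shell
#!/bin/sh
# Added example (not from the original article): reviewing infrastructure
# code automatically, the way application code is linted in CI. This toy check
# scans Terraform files for an aws_security_group ingress rule that opens an
# administrative port to the whole internet. It is a line-oriented awk
# approximation, not an HCL parser; dedicated scanners cover far more.
# The function name and the two sample .tf files are constructed for this demo.

# Usage: tf_world_open_ingress FILE PORT
# Prints one line per offending ingress block; exit status 1 if any were found.
tf_world_open_ingress() {
    awk -v want="$2" '
        /^[[:space:]]*ingress[[:space:]]*\{/ {
            in_ingress = 1; from = ""; to = ""; any_proto = 0; world = 0; next
        }
        in_ingress && /from_port[[:space:]]*=/       { from = $NF }
        in_ingress && /to_port[[:space:]]*=/         { to = $NF }
        in_ingress && /protocol[[:space:]]*=.*"-1"/  { any_proto = 1 }  # "-1" = all protocols and ports
        in_ingress && /cidr_blocks.*0\.0\.0\.0\/0/   { world = 1 }
        in_ingress && /ipv6_cidr_blocks.*::\/0/      { world = 1 }
        in_ingress && /^[[:space:]]*}/ {
            in_ingress = 0
            if (world && (any_proto || (from + 0 <= want && want <= to + 0))) {
                printf "%s:%d: ingress %s-%s open to the world\n", FILENAME, NR, from, to
                found++
            }
        }
        END { exit found ? 1 : 0 }
    ' "$1"
}

# --- constructed sample input -------------------------------------------
SAMPLE_DIR=$(mktemp -d)
TF_GOOD="$SAMPLE_DIR/good.tf"
TF_BAD="$SAMPLE_DIR/bad.tf"

# HTTPS open to the world is expected for a web tier; SSH is limited to RFC 1918 space.
cat > "$TF_GOOD" <<'EOF'
resource "aws_security_group" "web" {
  name = "web"

  ingress {
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }

  ingress {
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"
    cidr_blocks = ["10.0.0.0/8"]
  }
}
EOF

# SSH open to the world, plus an "allow everything" rule over IPv6.
cat > "$TF_BAD" <<'EOF'
resource "aws_security_group" "admin" {
  name = "admin"

  ingress {
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }

  ingress {
    from_port        = 0
    to_port          = 0
    protocol         = "-1"
    ipv6_cidr_blocks = ["::/0"]
  }
}
EOF

for f in "$TF_GOOD" "$TF_BAD"; do
    if tf_world_open_ingress "$f" 22; then
        echo "PASS $(basename "$f")"
    else
        echo "FAIL $(basename "$f")"
    fi
done
```

The second sample shows the edge case worth remembering: a rule with protocol "-1" and ports 0-0 means every port, so a check that only compares port numbers would miss it.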