The concept of secure software development is associated with DevSecOps. The software development process brings together formerly siloed roles in development and operations to collaborate and produce better and more reliable software products using automated tools like Jenkins and Bamboo while increasing confidence in the application building process (Desai & Nisha, 2021). However, the fast pace of code development within a software development environment often leads to gaps between coding and secure coding. While developers focus on the speed of application code development to meet business requirements and service level agreements, security teams are left with little or no time to check the security of configurations, review and analyze source code, and perform vulnerability assessments.
Embedding security practices within a software development life cycle (SDLC) is challenging because traditional security methods do not meet the requirements and purpose of software development, which is to achieve rapid deployment of software and services through the automation of the software delivery process (Rafi et al., 2020). Thus, security impedes rapid innovation and creativity in the software development process, leading to delays in getting software products to the market. However, without security, the applications developed become vulnerable to common application attacks like SQL Injection, Code Injection, Buffer Overflow, Cache Poisoning, and Cross-Site Scripting (XSS) as a result of application vulnerabilities like broken access control, insecure access design, insufficient input validation, security misconfiguration, and software and data integrity failures (OWASP, 2021).
Common Web Application Attacks
According to the OWASP Top Ten, broken access control is the number one risk most web applications face (OWASP, 2021). Access control is used to prevent unauthorized access so that users can access only what their permissions allow. Thus, failures in access control mechanisms may lead to unauthorized disclosure, modification, or even destruction of data. The most common vulnerabilities that arise from broken access control include violating the principle of least privilege or deny by default, and users bypassing access control checks by modifying the URL, resulting in parameter tampering or force browsing. Also, broken access control may lead to insecure direct object references, where a user's account can be viewed or edited by providing its unique identifier. Privilege escalation and metadata manipulation, such as replaying or tampering with a JSON Web Token (JWT), are also vulnerabilities associated with broken access control (OWASP, 2021). To prevent broken access control, applications should be developed in such a way that unauthorized users cannot modify access control checks or metadata. This can be achieved by instituting deny by default, implementing access control mechanisms once and re-using them, and enforcing record ownership (OWASP, 2021).
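The three preventive measures named above (deny by default, one reusable access control check, and record ownership) can be seen together in the following added example, which is not part of the original article. The roles, actions, and sample accounts are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    id: int
    roles: frozenset


@dataclass(frozen=True)
class Account:
    id: int
    owner_id: int


# Constructed policy: only the (role, action) pairs listed here are allowed.
ALLOWED = {
    ("customer", "account:read"),
    ("customer", "account:update"),
    ("support", "account:read"),
}
# Roles whose grants apply only to records the user owns.
OWNER_SCOPED = {"customer"}

# Constructed sample records.
ACCOUNTS = {101: Account(101, owner_id=1), 102: Account(102, owner_id=2)}


def is_allowed(user, action, record):
    """Single authorization check, written once and reused by every handler."""
    if user is None or record is None:
        return False
    for role in user.roles:
        if (role, action) not in ALLOWED:
            continue
        if role in OWNER_SCOPED and record.owner_id != user.id:
            continue  # record ownership: the grant covers the user's own records only
        return True
    return False  # deny by default: nothing matched an explicit grant


def get_account(user, account_id):
    """Handler: account_id comes from the URL, so the client can change it freely."""
    record = ACCOUNTS.get(account_id)
    if not is_allowed(user, "account:read", record):
        # Same error for missing and forbidden, so valid ids are not revealed.
        raise PermissionError("not found or not permitted")
    return record
```

Because the ownership test lives inside `is_allowed`, changing the identifier in the URL from 101 to 102 does not expose another user's account.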
Apart from broken access control, injection attacks are among the most common web application attacks and can lead to data loss, loss of data integrity, denial of service, and compromise of the entire system. An injection attack occurs when malicious code is injected into a system or database, passing through a bug within that system. Injection attacks mainly result from insufficient validation of user input by the application software. Thus, the attacker uses the injection to introduce code into the vulnerable software program, thereby changing the course of execution within the software. Application software becomes vulnerable to injection attacks like SQL injection, NoSQL, OS Command, and Object Relational Mapping (ORM) when it does not perform input validation and when hostile data is used with object-relational mapping search. Performing static, dynamic, and interactive source code reviews is the best way of identifying injection flaws in application software.
Integrating Security into Software Development
To develop secure applications that are free from bugs and less vulnerable to cyberattacks, organizations need to incorporate security techniques and best practices into DevOps environments to ensure secure code development and deployment (Zaydi & Nassereddine, 2020). Integrating security best practices like threat modeling and static, dynamic, and interactive application security testing tools into continuous integration and continuous delivery (CI/CD) pipelines helps in identifying injection flaws within the application before deployment into production (OWASP, 2010). Thus, introducing DevSecOps in the SDLC is the best way to reduce the creation of applications vulnerable to cyberattacks, given that this approach revolves around integrating security into DevOps efficiently from the planning phase of the SDLC. An effective DevSecOps program continuously uses automated security programs and tools to test code and avoid slowing down development operations. However, implementing DevSecOps comes with the challenges of speed in code deployment, collaboration between teams, and integrating security tools into the DevOps environment (Desai & Nisha, 2021). As a result, DevSecOps tools like SonarQube, Codacy, Acunetix, and GitLab are used during CI/CD to automatically review and scan code to detect bugs and vulnerabilities, thereby addressing security concerns without slowing down the CI/CD processes. Secure DevOps limits security vulnerabilities in applications, thus reducing the attack surface for cybercriminals.
References
Desai, R., & Nisha, T. N. (2021). Best Practices for Ensuring Security in DevOps: A Case Study Approach. Journal of Physics: Conference Series, 1964(4), 042045. https://doi.org/10.1088/1742-6596/1964/4/042045
OWASP. (2010). OWASP Secure Coding Practices Quick Reference Guide. https://owasp.org/www-pdf-archive/OWASP_SCP_Quick_Reference_Guide_v2.pdf
OWASP. (2021). OWASP Top 10 – 2021. https://owasp.org/Top10/
Rafi, S., Yu, W., & Akbar, M. A. (2020). Towards a Hypothetical Framework to Secure DevOps Adoption: Grounded Theory Approach. Proceedings of the Evaluation and Assessment in Software Engineering, Trondheim, Norway. https://doi.org/10.1145/3383219.3383285
Zaydi, M., & Nassereddine, B. (2020). DevSecOps Practices for an Agile and Secure IT Service Management. Journal of Management Information and Decision Sciences, 23(2), 1-16.