Application security has become a critical part of cybersecurity. In the past, security teams were responsible for securing the so-called “network perimeter”, and developers could build any applications they liked within this safe perimeter. Today, the network perimeter is dead, and attackers have direct access to applications - only a click away from an organization’s sensitive data.
Security experts “assume breach” and operate as if an attacker is already inside the network.
Application security is the last line of defense. When an attacker inevitably reaches your application, the application itself must stop them - via strong authentication mechanisms, hardened configuration, and by avoiding coding flaws. To get an idea of the coding flaws that result in the worst application-layer attacks, check out the OWASP Top 10.
Today, developers are responsible for security just as much as, or even more so, traditional security teams. By adopting secure coding practices, you can literally stop attackers in their tracks. Rigorous coding hygiene is just as important as firewalls, intrusion detection systems, or antimalware programs. While these tools are important, secure coding enables “defense in depth”, ensuring that attackers who overcome the organization’s defenses meet additional resistance at the application level.
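The "avoiding coding flaws" point above is easiest to see on the injection category of the OWASP Top 10. The following is an added example, not code from the original article: it runs the same user lookup twice against a constructed in-memory SQLite table, once built by string interpolation (the flaw) and once with a bound parameter (the fix), so the difference in behaviour on an unexpected input is visible in the returned row counts.

```python
"""Vulnerable vs. hardened database lookup against an in-memory SQLite table.

Added illustration, not code from the original article. The table, its rows and
the inputs are constructed here purely to show why parameterised queries hold.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Create a throwaway in-memory database with a constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    conn.commit()
    return conn


def find_user_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """Builds the SQL by string interpolation: user input becomes part of the query."""
    query = f"SELECT username, role FROM users WHERE username = '{username}'"
    return conn.execute(query).fetchall()


def find_user_hardened(conn: sqlite3.Connection, username: str) -> list:
    """Passes the value as a bound parameter: the driver never parses it as SQL."""
    query = "SELECT username, role FROM users WHERE username = ?"
    return conn.execute(query, (username,)).fetchall()


def compare(username: str) -> tuple:
    """Return (row count from the vulnerable lookup, row count from the hardened one)
    for the same input, so the two behaviours can be compared side by side."""
    conn = make_db()
    try:
        return (
            len(find_user_vulnerable(conn, username)),
            len(find_user_hardened(conn, username)),
        )
    finally:
        conn.close()


if __name__ == "__main__":
    # A normal username behaves identically in both versions.
    print(compare("alice"))
    # Input containing a quote and an OR clause: the interpolated query matches
    # every row, the parameterised query matches none (no such username exists).
    print(compare("nobody' OR '1'='1"))
```

The hardened version is not "more careful escaping"; it changes where the boundary between code and data is drawn, which is why it holds for inputs the author never anticipated. The same principle applies to the other injection sinks the OWASP Top 10 lists (OS commands, LDAP, templates): keep user-controlled data out of the code path entirely.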
DevSecOps increases the scope of the DevOps model, whereby developers, security and operations personnel work closely together during all phases of the software development life cycle (SDLC) and continuous integration/deployment (CI/CD) pipelines.
DevOps was the first model to use streamlined, automated processes to speed up development and improve software quality. DevSecOps adds security to this process and does away with the silos between security, operations, and development teams. It makes sure that the DevOps environment incorporates security testing and security best practices, from planning and development through to testing and deployment.
Tools are a central component of DevSecOps. In a streamlined DevOps environment, security has to be automated and tightly integrated with the CI/CD pipeline.
DevSecOps tools have two central aims. The first is to lower risk in development pipelines, without slowing them down, by finding and fixing security vulnerabilities through continuous security testing. The second is to support security teams, letting them monitor the security of development projects without having to manually assess and sign off on every release.
Threat modeling must be the first step of any security program, because it influences the application’s design, gives developers an understanding of the types of security threats that could affect the application, and also helps incident responders plan how to defend the application in production.
OWASP Threat Dragon is an open-source threat modeling tool. It can be used as a web application or installed as a desktop application on macOS, Linux and Windows.
The main limitation of OWASP Threat Dragon is that it integrates only with GitHub, so if you use another repository hosting system you will probably need to look for a different tool.
License: GNU Lesser GPL License, Version 3
Github repo: https://github.com/OWASP/threat-dragon
Dependency-Track generates a software bill of materials (SBOM) and tracks the use of third-party components across the application portfolio to determine the level of risk those components pose. It identifies known vulnerabilities, license risk and outdated libraries in the components, with built-in support for the common package-management ecosystems, such as .NET (NuGet), Java (Maven), Ruby (Gems), JavaScript (NPM) and Python (PyPI).
License: Apache 2
Github repo: https://github.com/DependencyTrack
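Dependency-Track works from an SBOM you hand it, so the practical question for a pipeline is how that SBOM gets produced and submitted. The following is an added example, not Dependency-Track's own code: it turns a constructed, pinned Python requirements file into a minimal CycloneDX JSON BOM with package URLs (which is what the server matches against vulnerability databases), and builds the upload request. The endpoint and payload shape (`PUT /api/v1/bom` with a base64-encoded `bom` field and an `X-Api-Key` header) follow the Dependency-Track REST API as I understand it and should be checked against your server version; the server URL and API key are placeholders.

```python
"""Build a minimal CycloneDX SBOM from a requirements.txt and prepare the
Dependency-Track upload request. Added example, not Dependency-Track's own code.

Assumptions (labelled): SAMPLE_REQUIREMENTS is constructed; the upload endpoint
and payload shape follow the Dependency-Track REST API as understood by the
author of this example and should be verified against your server version.
"""
import base64
import json
import urllib.request

# Constructed sample input: a pinned requirements.txt as a CI job would see it.
SAMPLE_REQUIREMENTS = """\
# web framework
flask==2.0.3
requests==2.25.1   # pinned for reproducibility
PyYAML==5.4
"""


def parse_requirements(text: str) -> list:
    """Return (name, version) pairs for exactly-pinned lines; skip comments and blanks.
    Unpinned lines are skipped on purpose: an SBOM needs exact versions to be useful."""
    pairs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "==" not in line:
            continue
        name, version = (part.strip() for part in line.split("==", 1))
        pairs.append((name, version))
    return pairs


def build_cyclonedx(pairs: list, project_name: str, project_version: str) -> dict:
    """Assemble a CycloneDX 1.4 JSON BOM. The purl (pkg:pypi/<name>@<version>, name
    normalised to lowercase with dashes) is what lets the server match advisories."""
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.4",
        "version": 1,
        "metadata": {
            "component": {"type": "application", "name": project_name, "version": project_version}
        },
        "components": [
            {
                "type": "library",
                "name": name,
                "version": version,
                "purl": f"pkg:pypi/{name.lower().replace('_', '-')}@{version}",
            }
            for name, version in pairs
        ],
    }


def build_upload_request(bom: dict, base_url: str, api_key: str,
                         project_name: str, project_version: str) -> urllib.request.Request:
    """Return the PUT /api/v1/bom request (not sent here, so the example runs offline).
    autoCreate lets a first upload create the project instead of failing."""
    payload = {
        "projectName": project_name,
        "projectVersion": project_version,
        "autoCreate": True,
        "bom": base64.b64encode(json.dumps(bom).encode()).decode(),
    }
    return urllib.request.Request(
        f"{base_url.rstrip('/')}/api/v1/bom",
        data=json.dumps(payload).encode(),
        method="PUT",
        headers={"Content-Type": "application/json", "X-Api-Key": api_key},
    )


if __name__ == "__main__":
    components = parse_requirements(SAMPLE_REQUIREMENTS)
    bom = build_cyclonedx(components, "demo-app", "1.0.0")
    # Placeholder server and key; in CI both come from protected pipeline variables.
    req = build_upload_request(bom, "https://dtrack.example", "PLACEHOLDER_API_KEY",
                               "demo-app", "1.0.0")
    print(req.get_method(), req.full_url)
    print(json.dumps(bom, indent=2))
    # To actually submit: urllib.request.urlopen(req)
```

Keep the API key in a protected CI variable rather than in the repository, and scope it to the permission that only allows BOM upload; the SBOM itself contains nothing secret, but an over-privileged key would let a compromised job alter project data on the server.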
Brakeman is a static application security testing (SAST) tool for Ruby on Rails. It looks for vulnerabilities specific to Ruby on Rails applications, and you can run it at any point in development to look for security problems.
For site reliability engineering (SRE) teams that run Ruby on Rails applications, Brakeman provides a safety net against possible security issues. You can run it at any stage of development; running it early, however, reduces the likelihood that a finding will halt your project as it approaches completion.
License: Creative Commons Attribution 3.0 Unported License
Github repo: https://github.com/presidentbeef/brakeman
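Running a scanner is only half of the "continuous security testing without impacting speed" aim described earlier; the other half is deciding automatically whether a report should fail the build. The following is an added example, not Brakeman's own code: a pipeline gate that reads a Brakeman JSON report (as produced by `brakeman -f json -o brakeman.json`) and fails only on findings at or above a chosen confidence level, with an allowlist for accepted findings so that known, triaged warnings do not stall every build. The report text is a constructed, trimmed sample in the shape of Brakeman's JSON output (a top-level `warnings` list whose entries carry `warning_type`, `confidence`, `file`, `line` and `message`), and the thresholds are this example's hypothetical policy.

```python
"""CI gate over a Brakeman JSON report. Added example, not Brakeman's own code.

Assumptions (labelled): SAMPLE_REPORT is a constructed, trimmed sample in the shape
of `brakeman -f json` output; the confidence threshold and allowlist below are the
hypothetical policy of this example, not Brakeman defaults.
"""
import json
import sys

SAMPLE_REPORT = json.dumps({
    "scan_info": {"app_path": "/ci/app", "security_warnings": 3},
    "warnings": [
        {"warning_type": "SQL Injection", "confidence": "High",
         "file": "app/controllers/users_controller.rb", "line": 14,
         "message": "Possible SQL injection"},
        {"warning_type": "Cross-Site Scripting", "confidence": "Medium",
         "file": "app/views/users/show.html.erb", "line": 3,
         "message": "Unescaped model attribute"},
        {"warning_type": "Mass Assignment", "confidence": "Weak",
         "file": "app/models/user.rb", "line": 2,
         "message": "Potentially dangerous attribute available for mass assignment"},
    ],
    "errors": [],
})

# Brakeman reports confidence as High / Medium / Weak; rank them for comparison.
CONFIDENCE_RANK = {"High": 3, "Medium": 2, "Weak": 1}


def load_warnings(report_text: str) -> list:
    """Parse the report. A scan that hit parse errors is not treated as a clean pass:
    files it could not read might hold exactly the flaw we are gating on."""
    report = json.loads(report_text)
    if report.get("errors"):
        raise RuntimeError(f"scan reported {len(report['errors'])} error(s); not a clean run")
    return report.get("warnings", [])


def gate(warnings: list, min_confidence: str = "Medium", allowlist=()) -> tuple:
    """Return (passed, blocking). A warning blocks when its confidence is at or above
    min_confidence and its (file, warning_type) pair has not been explicitly accepted."""
    threshold = CONFIDENCE_RANK[min_confidence]
    blocking = [
        w for w in warnings
        if CONFIDENCE_RANK.get(w.get("confidence"), 0) >= threshold
        and (w.get("file"), w.get("warning_type")) not in allowlist
    ]
    return (not blocking, blocking)


def summarize(blocking: list) -> list:
    """One line per blocking finding, in a form that reads well in CI job output."""
    return [f'{w["confidence"]:>6}  {w["warning_type"]}  {w["file"]}:{w["line"]}' for w in blocking]


if __name__ == "__main__":
    # In a real job: report_text = open("brakeman.json").read()
    passed, blocking = gate(load_warnings(SAMPLE_REPORT))
    print("\n".join(summarize(blocking)) or "no blocking warnings")
    sys.exit(0 if passed else 1)
```

Two design points: the gate fails closed when the scanner itself reported errors, and the allowlist is keyed on location plus warning type rather than on free text, so a new finding of the same type in the same file is still caught. Brakeman also ships its own mechanism for suppressing triaged findings (a `config/brakeman.ignore` file managed with its `-I` option), which is the better place to record long-lived acceptances than a gate script.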
WhiteSource Cure is a free IDE Plugin that scans code for vulnerabilities and provides remediation instructions inside the IDE. A bit like an autocorrect for grammar errors, it proposes secure code that remediates each vulnerability and lets you review the suggestions and apply them to your code. This can save developers time, help them write more secure code, and also promote developer security education.
The tool can also create customized reports showing a list of vulnerabilities detected in a project and suggested remediations.
License: Commercial, free-forever
Product page: https://www.whitesourcesoftware.com/whitesource-cure/
Sandboxie is one of the most common Windows sandboxing programs. It is free of charge, lightweight, and feature-rich. Developers and security professionals commonly use it to test unknown or suspicious software in an isolated environment. It can also be used to test in a different environment or operating system on a developer’s laptop.
The central Sandboxie function is to launch an existing program inside the sandbox environment. For example, you can place Google Chrome in Sandboxie, then choose Sandbox > Default Box > Run Sandboxed > Run Google Chrome. This may be a bit slower than launching it from your Taskbar, but it provides a highly secure environment when required.
An additional feature is sandbox linking. For example, if Google Chrome is opened in Sandboxie and you download and install a program during your session, then when you run that program it remains contained within the sandbox environment.
License: GPL-3.0
Github repo: https://github.com/sandboxie/sandboxie
SonarQube is an open-source source-code analysis tool. It has paid tiers for organizations, as well as community-supported development. Although OWASP maintains a list of source-code analysis tools featuring numerous open-source projects, many of those tools support only one or a few programming languages, and many have not been properly maintained.
License: GNU Lesser General Public License v3.0
Github repo: https://github.com/SonarSource/sonarqube
GitLab is a web-based DevOps platform that provides a complete CI/CD toolchain in a single application. It facilitates collaboration between development, security and operations teams and helps them increase the pace of delivery and attend to security vulnerabilities without negatively impacting the CI/CD pipeline. It does this by streamlining the toolchain.
GitLab helps organizations bridge stages and silos, and supports a unified workflow that brings together activities that were once separate - for example, CI/CD and application security.
License: MIT Expat license
Github repo: https://docs.gitlab.com/ee/user/project/repository/
Alerta provides a scalable method of scanning and studying code. It provides a flexible alert system that you can customize to meet your requirements.
Alerta integrates with many management and monitoring systems, such as Prometheus and Amazon CloudWatch. You can query alerts from the command line or view them in the web console. Alerta provides standard deployments on Amazon Web Services (AWS) EC2, Docker, Kubernetes, and more.
It is a top tool for minimizing alert fatigue, because you can partition alerts to customize what each team sees. It also deduplicates notifications so that you view only the most up-to-date ones.
License: Apache-2.0
Github repo: https://github.com/alerta/alerta
In this article I explained the basics of application security and the concept of DevSecOps tools that allow an organization to “shift security left”, integrating security practices from the very beginning of the development process.
I also covered several free tools that any developer should have at their disposal when building secure applications: OWASP Threat Dragon, Dependency-Track, Brakeman, WhiteSource Cure, Sandboxie, SonarQube, GitLab and Alerta.
I hope this will be of help as you step up your security skills, on your way to becoming a DevSecOps hero.