Secure development lifecycle for startups
With the increase of application layer attacks, companies must assess the risks they face and build a well-balanced software development lifecycle to secure the application code itself as early in the development cycle as possible.
Implementing security solutions can be challenging for small businesses because of budget constraints. For those small and medium businesses there are a number of open source and affordable configuration management tools, such as Chef, Puppet and Jenkins, that help to automate any project. It is important to understand which threats are relevant in order to avoid spending resources on remediating non-threats.
Chef, Puppet and Jenkins are continuous integration (CI) and continuous delivery (CD) solutions. They merge code from individual developers into the project multiple times per day and test continuously, so issues are fixed on an ongoing basis rather than only at the last stage before a product's release.
Puppet is declarative: it describes the desired state of a deployment and manages how to get there from the current position, which makes it easy for the Operations team to adopt.
Chef is imperative and describes the specific steps needed to do something. It is also much more flexible and uses Ruby, which lets teams manage the Ruby development environment; this makes it very popular in the Development community.
Jenkins complements Chef and Puppet to provide full traceability of deployments. Jenkins is an open source tool that executes a predefined list of steps, e.g. build and redeploy the Java backend and Angular frontend every 30 minutes or every time a change is detected on GitHub.
Chef and Puppet are the most popular in the space and have the widest support among hardware and software providers. Puppet is used by 42 percent of businesses that use DevOps, followed by Chef with 37 percent (according to RightScale's 2016 survey). Whichever of Chef or Puppet you choose, you will be able to achieve the same goals with either product.
The most efficient practice, though, is hiring or retaining security experts who can evaluate the cyber threat landscape for the company, build in-house threat intelligence, customize solutions and keep them up to date to protect against specific vulnerabilities. Even though this means extra expense, security incidents can result in much higher post-breach costs and can even destroy a startup.
At Svitla Systems, the secure development lifecycle implies proactive planning and implementation of a security-first design during development. First, threat models are created and threat mitigations are included in the technical specifications. Next, developers perform static security analysis of their source code as they write it, prior to compilation. This allows them to identify and fix vulnerabilities in the software before the QA phase. During the QA phase the team makes a final secure code review before the release, analyzing the runtime configuration for security vulnerabilities.
A support team maintains the code with the latest patches and updates and runs continuous fuzz testing to harden the code against potential attacks. It is vital that digital businesses have regular, rigorous maintenance and patching programs that enable them to address vulnerabilities as they are discovered.
Fuzz testing is a software testing technique used to discover coding errors and security loopholes in software by inputting massive amounts of random data to the system in an attempt to make it crash.
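As an added illustration of the fuzz testing described above (example code written for this page, not Svitla Systems' tooling; the TLV record format, both parsers and the seed inputs are constructed), a mutation-based fuzz harness run against a small type-length-value parser. The first parser crashes with an unhandled IndexError on a truncated record; the hardened version rejects the same inputs with a ValueError, which the harness counts as a clean rejection rather than a crash.

```python
import random

def parse_tlv(data):
    """Parse 1-byte type, 1-byte length, value records (a constructed sample format)."""
    records, i = [], 0
    while i < len(data):
        t, length = data[i], data[i + 1]  # defect: no bounds check; IndexError on a trailing odd byte
        records.append((t, bytes(data[i + 2:i + 2 + length])))
        i += 2 + length
    return records
def parse_tlv_hardened(data):
    """Same format, but every read is bounds-checked and malformed input raises ValueError."""
    records, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError(f"truncated record header at offset {i}")
        t, length = data[i], data[i + 1]
        if i + 2 + length > len(data):
            raise ValueError(f"value length {length} exceeds remaining input")
        records.append((t, bytes(data[i + 2:i + 2 + length])))
        i += 2 + length
    return records
def mutate(seed, rng):
    """Apply 1-4 random mutations (bit flip, insert, delete, truncate) to a seed input."""
    data = bytearray(seed)
    for _ in range(rng.randint(1, 4)):
        op = rng.choice(("flip", "insert", "delete", "truncate"))
        if op == "insert":
            data.insert(rng.randint(0, len(data)), rng.randrange(256))
        elif data and op == "flip":
            data[rng.randrange(len(data))] ^= 1 << rng.randrange(8)
        elif data and op == "delete":
            del data[rng.randrange(len(data))]
        elif data:  # truncate
            del data[rng.randrange(len(data)):]
    return bytes(data)
SEEDS = [b"\x01\x02ab", b"\x01\x02ab\x02\x00", b"\x10\x04wxyz"]  # constructed valid inputs

def fuzz(parser, seeds=SEEDS, iterations=2000, seed=1):
    """Feed mutated seeds to parser; ValueError is a clean rejection, anything else a crash."""
    rng, crashes = random.Random(seed), []
    for _ in range(iterations):
        case = mutate(rng.choice(seeds), rng)
        try:
            parser(case)
        except ValueError:
            continue
        except Exception as exc:  # unhandled exception = crash worth reporting
            crashes.append((case, type(exc).__name__))
    return crashes
```

In a CI job such as the Jenkins steps mentioned earlier, a non-empty result from fuzz() would fail the build and the recorded inputs become the regression cases for the fix.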
Any application's security state is static, and can only be evaluated against criteria that reflect a particular point in time. Consequently, the application may be demonstrated to be secure today, but there is no way to know whether it will be secure tomorrow. It is vital to conduct continual security reviews that focus not only on new features but also perform regression analysis of old code with new and updated tools.
Developers can scan the code for flaws throughout the development cycle with the open source static analysis tools available at the Software Assurance Marketplace (SWAMP), as well as open source dynamic analysis tools such as Cuckoo Sandbox.
Even if a company decides to implement Runtime Application Self-Protection (RASP), there is an affordable way to do it: a cloud-based solution with a pay-per-use model.