Adoption of iterative Agile software-development methodologies may be allowing fast-moving, cloud-based companies to update their software on a daily basis – but one security specialist warns that speed can make those companies sitting ducks for security compromise if they don’t support their rapid development cycles with equally iterative testing and protection mechanisms.
“Cloud platforms allow the cost of getting started with software innovation to be very low,” Manish Gupta, CEO and founder of automated security-testing startup ShiftLeft, told CSO Australia. “There are companies doing 20, 30, or 40 releases a day – which lets users experience new features on a daily basis.”
This is both a blessing and a curse: with Department of Homeland Security warning that 90 percent of security incidents happen due to exploits against defects in software, Gupta said, previous shrink-wrapped software delivery had perpetuated “a fundamental disconnect between companies that had access to source code, and those that didn't.”
“With cloud, the company that is developing the software is also the company hosting the software for the consumption of employees. And as we increasingly see software to be an assembly of multiple components, this software needs to be protected from data leakage.”
ShiftLeft, which emerged from stealth mode this month, is aiming to help companies close this gap with a system that automatically scans new versions of software as they are developed.
Within a few minutes, ShiftLeft technology analyses Java bitcode or source code to identify potentially code or vulnerable open-source components, and to flag variables that appear to be set up to store sensitive data, such as credit-card numbers. Each pass of the tool generates a custom-made ‘MicroAgent’ that is injected into the code to protect it from changes or help debug unexpected behaviour.
Working like a form of spellchecker for security, Microagents track those variables throughout the application’s lifecycle to chart exactly how that data is used, stored, and protected throughout its lifecycle. Insecure behaviours, such as failing to protect credit-card number variables with an encryption routine, are flagged to help developers spot potential vulnerabilities before they cause havoc.
“You can develop 20 versions of the application in a given day,” Gupta says, “and every time you change it we will update its DNA to give you a custom protection for that version. Because we understand what the software does, if it does something other than what it is supposed to do, we know it has been exploited.”
ShiftLeft, which has made the tool available for a free trial online, is riding a growing wave of recognition that SecDevOps – the practice of systematically closing security gaps during development – is a better way to reduce companies’ overall exposure to security violations such as the depredations of Heartbleed or similar vulnerabilities.
The tool is likely to meet a receptive audience among software developers that are rapidly becoming enthusiastic adopters of SecDevOps – in particular, those that want security but don’t know how to be agile and secure at the same time. Some 30 percent of respondents to Capgemini’s recently-launched World Quality Report 2017 said it was crucial to implement quality checks early in the software-development lifecycle, while 28 percent named the ability to detect software defects before go-live.
Australian respondents were particularly keen on improving quality, with 68 percent nominating early quality checks as a key priority, half saying that they continuously test their software, and 17 percent admitting they don’t have a specific approach to Agile testing.
Globally, 56 percent of respondents said they lacked “sufficient” development and test environments, with 51 percent citing the inability to test integration with existing environments at an early stage. 48 percent complaining about overreliance on manual testing, and 44 percent noting the lack of effective build/integration automation.
The integration of automated data-security tools into the development workflow has become a focus for many security companies, with CyberArk this month pushing its Conjur secrets-management technology into the DevOps pipeline through integration with open-source software configuration management tool Puppet.
Such smart testing technologies are underutilised in existing development workflows but wil be crucial in helping bring SecDevOps to fruition, Capgemini ANZ head of testing Jacko Smit said, noting that just 16 percent of respondents to the World Quality Report are using automated testing effectively – doubly concerning because the percentage of IT budgets allocated to quality assurance and testing had dropped from 35 percent in 2015 to 26 percent in 2017.
“The focus on speed and time to market considerations is driving organisations to adopt intelligent test automation to cater for smarter applications and increasingly complex IT landscapes,” he said in a statement, noting that emerging models are centralising application testing to improve testing efficiency.
By automating the security testing of newly developed software as well as offering a layer of protection for it, Gupta believes ShiftLeft will quickly provide critical checks and balances on hyperspeed development processes, proving its worth as an iterative code-analysis and debugging tool. Its awareness of specific coding vulnerabilities allows it to pick up on potential vectors for common exploits such as SQL injection and cross-site scripting, and the rapid creation and deployment of Microagents allows the process to be quickly integrated into many development builds in a short time.
ShiftLeft intellectual property “allows us to suss out relationships in code very quickly,” Gupta said. “Given that we can do this in 5 minutes or less, we are able to insert ourselves in a very automated, seamless manner into even the fastest of lifecycles.”