In today’s world, cybersecurity is constantly growing in importance for individuals as well as businesses. It is also constantly evolving, as cybercriminals change their tactics and methods of exploitation. However, it’s almost impossible to make sure every possible avenue of attack is fortified against exploitation. The bigger a software application becomes, or the more apps and services are in use in a software development process, the bigger the opportunity for cybercriminals to find a weakness. That’s why automating as much cybersecurity as possible into your software development process is ever-growing in importance. Automating a lot of the software development lifecycle is known as DevOps; including security-related functionality in that workflow is what’s known as DevSecOps.
DevSecOps is a great way to get a leg up on cybersecurity issues and catch them before they are available to be exploited by cybercriminals. Utilizing services and tools specific to cybersecurity within your software development lifecycle is not very difficult and can save a lot of manual effort and possible headaches from security incidents later on down the line. It just takes some upfront time to set up and configure correctly; after that, you tweak things as you discover areas that need more or less stringent security for your situation.
In this post, we will go over 5 of the best DevSecOps tools available to integrate into your software development lifecycle right now to greatly enhance your security posture for your organization without a ton of effort. They are in no particular order.
5 Best DevSecOps Tools in 2023
- OWASP ZAP
- SonarQube/SonarCloud
- Snyk/GitHub Dependabot
- Infrastructure as Code
- Monitoring
OWASP ZAP
OWASP is the Open Worldwide Application Security Project. It was founded on Dec 1, 2001, as a way to help individuals and businesses better secure themselves online.
OWASP annually comes out with a list of the most exploited security flaws in web applications across the entire internet. This is known as the OWASP Top 10, and the majority of cybersecurity personnel use it as a basis for what to focus on most at any particular time. Cybersecurity professionals focus on many more areas than just these 10, but the list helps them determine which security flaws are being exploited the most at any given time.
OWASP created a piece of software called OWASP ZAP (Zed Attack Proxy) that can automatically crawl and scan a website, try multiple types of attacks against the site, and report any findings that may be an issue. It tries many of the same tactics cybercriminals use when they attack websites. These automated checks won’t help with more advanced attacks or attacks stemming from social engineering, but they will help with more technical attacks.
When running this software against a website, it is possible that it can bring down your website or corrupt your data, so running it against your production website is ill-advised. The right way to use it is to deploy the website to a “staging” environment that is set up exactly like your production website. Make sure to NOT have this staging environment connected to production data sources; use testing data sources instead. Then run OWASP ZAP against the staging website and see what results come from the scan. If everything looks good, you can deploy the changes to the production environment. If the scanner discovers any findings, review them and make any necessary changes, redeploy to the staging environment, scan once more, and deploy to production once all issues are resolved.
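As an added example (not code from the original post or from the ZAP project), here is a small Python gate a pipeline can run after the staging scan: it reads the JSON report ZAP writes and refuses to promote the build while any finding at Medium risk or above remains. The report layout and the `zap-baseline.py` invocation in the comment are assumptions about ZAP’s output, and the report contents are constructed.

```python
import json

# Constructed sample of a ZAP JSON report. The shape assumed here is ZAP's
# traditional JSON report: a "site" list whose entries carry "alerts", with
# riskcode 0=Informational, 1=Low, 2=Medium, 3=High. Values are made up for
# this example, not the output of a real scan.
SAMPLE_REPORT = json.dumps({
    "site": [{
        "@name": "https://staging.example.test",
        "alerts": [
            {"name": "SQL Injection", "riskcode": "3", "confidence": "2",
             "instances": [{"uri": "https://staging.example.test/search?q=1"}]},
            {"name": "Missing Anti-clickjacking Header", "riskcode": "2",
             "confidence": "2", "instances": [{"uri": "https://staging.example.test/"}]},
            {"name": "Timestamp Disclosure", "riskcode": "0", "confidence": "1",
             "instances": []},
        ],
    }]
})

RISK_NAMES = {0: "Informational", 1: "Low", 2: "Medium", 3: "High"}


def blocking_alerts(report_json, min_risk=2):
    """Return (risk, name, instance_count) for every alert at or above min_risk."""
    report = json.loads(report_json)
    found = []
    for site in report.get("site", []):
        for alert in site.get("alerts", []):
            risk = int(alert.get("riskcode", 0))
            if risk >= min_risk:
                found.append((risk, alert["name"], len(alert.get("instances", []))))
    # Highest risk first so the most important finding leads the output.
    return sorted(found, reverse=True)


def staging_gate(report_json, min_risk=2):
    """True when the scan is clean enough to promote the build to production."""
    return not blocking_alerts(report_json, min_risk)


if __name__ == "__main__":
    # A pipeline would produce the report first (assumed invocation), e.g.
    #   docker run --rm -v "$PWD:/zap/wrk:rw" ghcr.io/zaproxy/zaproxy:stable \
    #       zap-baseline.py -t https://staging.example.test -J zap.json
    # and then call staging_gate(open("zap.json").read()).
    for risk, name, count in blocking_alerts(SAMPLE_REPORT):
        print(f"{RISK_NAMES[risk]:<13} {name} ({count} instance(s))")
    raise SystemExit(0 if staging_gate(SAMPLE_REPORT) else 1)
```

A non-zero exit status is what makes the CI job fail and stops the production deploy step from running.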
This software is free to download and use, it is open source, and it is a great addition to any website-related software project.
SonarQube/SonarCloud
Whereas OWASP ZAP scans your website once it has been deployed (known as dynamic code scanning), SonarQube/SonarCloud is a product/service that scans the source code itself before it is deployed and alerts on any possible security issues in the source code. This is known as static code scanning. It looks for things that can be exploited, such as not sanitizing user input (which can lead to XSS, CSRF, SQL injection, etc.), bad regular expressions (regex) that can consume far too many resources and cause a Denial of Service (DoS), buffer overflows, and so on.
This is a great addition to have in your DevOps pipeline since source code bugs have notoriously been a great source of exploited security issues. Put this hook in your SCM repository so that any findings of a certain severity or higher will reject the change from being merged into the branch that gets pushed to production. You are guaranteed to see numerous false positives that you will have to mark as such and then run the scan again before you can merge the code changes. But once you mark specific areas of code as “good” within SonarQube/SonarCloud, it will not flag them in subsequent scans.
This software is not free but SonarCloud can be as little as €10/month. SonarQube is software that you can license and run on your own hardware, whereas SonarCloud is Software as a Service (SaaS).
Snyk/GitHub Dependabot
Today software projects almost always have software package dependencies that are utilized to reduce the amount of code that has to be written for specific functionality. If someone else has already written something that does exactly what you need, and it doesn’t cost anything, why should someone spend the time and effort to write code that does the exact same thing? This is where package managers such as npm, yarn, pip, Apache Maven, etc. come into play. They allow you to easily install packages that another application can utilize, saving developers a lot of time and effort.
However, these dependencies often have security flaws in them that can also cause the application using them to have security issues. This is where Snyk and GitHub Dependabot come to the rescue. These services scan all the packages that have been included in the host application and alert when there are updates available and when there are known security issues with the dependent software packages. This allows the host application maintainers to either change the package being utilized or update the package to remediate the vulnerability. Without these automated scans and notifications, developers would have to constantly and manually check all the dependent packages to see if there were any known vulnerabilities in any of them. When a team manages numerous projects and each project has numerous dependencies, that would be very inefficient and a waste of person-hours.
These services have a limited free tier but offer paid plans for more features and more scans/repositories. So small teams with only a few repositories should be able to utilize the free plan(s), whereas larger organizations with more repositories, or that need additional scans, will need to pay for the services.
Infrastructure as Code
A great way to make sure you have a consistent environment where applications are deployed is by utilizing what’s known as Infrastructure as Code. This is where all infrastructure is defined within files and stored within an SCM repository instead of being manually provisioned each time a change is needed or new infrastructure is needed. Everything needed is declared within the files themselves, and they can be used multiple times to set up multiple instances the exact same way every time.
This makes it much easier to make sure everything is configured in a secure manner and replicated across every instance. It also allows for much quicker deployment of new resources when needed, since each piece does not have to be done manually. Having infrastructure defined in source code files also allows the history of changes to be tracked, so that if anything negative happens after a change, it’s much easier to determine what may have caused the issue. It also gives the ability to quickly revert changes and redeploy using the previous version of the source files to get back to a known working configuration.
There are multiple providers for Infrastructure as Code such as AWS CloudFormation, RedHat Ansible, HashiCorp Terraform, Puppet, Chef, and others. It is advised to research each to determine what is best for any given situation since each has pros and cons. Some of these also are not completely free while others are. There are also some that are specific to a particular cloud provider while others are provider agnostic.
Monitoring
Security concerns do not stop after an application is deployed to production. Monitoring running applications is a must in order to see many issues that may not have been discovered before deploying to production.
If monitors discover a lot of outgoing traffic from your network to a particular set of IPs that have not been seen often before, it could be an indication that threat actors are exporting a lot of private data, and it should be looked into immediately. Monitors may also be able to catch bugs in software that weren’t discovered in testing but are being seen by end users. This could be because initial testing didn’t consider the ways end users might try to abuse the application, or because end users are simply doing things the development team did not initially think of. These monitors can show where crashes or issues are occurring that may pose a threat to security if cybercriminals were to discover and try to exploit them. If the correct monitors and alerting are in place, this gives the chance to correct these issues before any security incidents occur.
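The first scenario above (a burst of outbound traffic to destinations the network has rarely contacted) is easy to turn into a concrete alert rule. The following Python detector is an added example, not part of the original post or any of the monitoring products it names; the flow-record format and all IP addresses and byte counts are constructed, and the thresholds are assumptions to tune per environment.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed outbound flow records, "<epoch> <src_ip> <dst_ip> <bytes_out>"
# (documentation IP ranges, not real logs). BASELINE_LOG stands in for a week
# of normal traffic; RECENT_LOG is the window under review.
BASELINE_LOG = """\
1700000000 10.0.1.5 192.0.2.10 48213
1700003600 10.0.1.5 192.0.2.10 51002
1700007200 10.0.1.7 192.0.2.10 47990
1700010800 10.0.1.5 192.0.2.20 12044
1700014400 10.0.1.7 192.0.2.20 11870
1700018000 10.0.1.5 203.0.113.5 1021
"""
RECENT_LOG = """\
1700604800 10.0.1.5 192.0.2.10 120000000
1700605100 10.0.1.7 198.51.100.23 88000000
1700605400 10.0.1.7 198.51.100.23 91000000
1700605700 10.0.1.5 10.0.2.9 95000000
1700606000 10.0.1.7 198.51.100.24 76000000
"""
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse(log_text):
    """Yield (dst_ip, bytes_out) for each well-formed record that leaves the network."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4 or not parts[3].isdigit():
            continue  # skip malformed lines instead of crashing the detector
        dst = parts[2]
        if any(ip_address(dst) in net for net in INTERNAL_NETS):
            continue  # internal-to-internal traffic is not egress
        yield dst, int(parts[3])


def suspicious_egress(baseline_log, recent_log, min_bytes=50_000_000, min_seen=2):
    """Sorted (dst_ip, total_bytes) for hosts that got >= min_bytes recently but were rarely seen before."""
    seen_count = defaultdict(int)  # how often each destination appeared in the baseline
    for dst, _ in parse(baseline_log):
        seen_count[dst] += 1
    recent_total = defaultdict(int)  # bytes sent per destination in the review window
    for dst, nbytes in parse(recent_log):
        recent_total[dst] += nbytes
    return sorted((dst, total) for dst, total in recent_total.items()
                  if total >= min_bytes and seen_count[dst] < min_seen)


if __name__ == "__main__":
    for dst, total in suspicious_egress(BASELINE_LOG, RECENT_LOG):
        print(f"ALERT: {total / 1e6:.0f} MB sent to rarely-seen host {dst}")
```

Note that the large transfer to 192.0.2.10 is not flagged because that host is a regular destination in the baseline; only volume to unfamiliar hosts raises an alert.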
There are many platforms that can be utilized for monitoring and alerting. Some examples are New Relic, Datadog, AWS CloudWatch, Sentry, Dynatrace, and others. Again, these providers each have pros and cons related to pricing, offering, and vendor lock-in. So research the options to see what may be best for a given situation.
There are many aspects to helping to prevent cybersecurity incidents in any organization. DevSecOps is not the complete solution just as no single aspect can be. Cybersecurity has so many different aspects and avenues of attack that it takes everyone in an organization to always be thinking about it and trying to help prevent any attacks. That’s where internal company training is always needed.
However, automating as much security as possible is always a great investment to make in any organization. Having things set up to help protect you from specific types of attacks and not having to think about those particular pieces of the puzzle will greatly enhance the security posture of any organization and any software that the organization creates and customers utilize.
These may be the top 5 most important DevSecOps tools you can easily incorporate, but that doesn’t mean they should be the only ones. So now go off and secure those software development workflows!