Abstract image of a woman sitting on books and studying on a laptop

Cisco_eBook_ShiftLeftSecurity_2022_06_07a.pdf

Download as PDF, PPTX
N
NathanDjami

This document discusses shift left security, which is an approach to applying security practices earlier in the software development lifecycle rather than after deployment. The key aspects of shift left security are designing security into applications from the planning phase, implementing secure coding practices, and testing for security vulnerabilities earlier. Adopting shift left security reduces costs compared to fixing issues later and better protects applications, data, and organizations from security threats.

1 of 22
Download as PDF, PPTX
Shift Left Security J U N E 2022 Fundamentals of Shift Left Security Create more secure applications with best practices for your software supply chain and CI/CD pipeline
Table of Contents Introduction What Is “Shift Left Security”? Why Is Shift Left Security Important? How Does an Organization Make the Shift? The Security of Your CI/CD Pipeline The Security of Your Software Supply Chain Conclusion Cisco’s Tools 3 4 6 9 13 17 21 22 2 eBook | Shift Left Security
Introduction Modern development teams have become highly adept at building software applications. DevOps culture and practices—the leftward-on-the-timeline shifting of operational responsibilities—have empowered teams to move more quickly as they build complex applications. As CI/CD pipelines automate testing and infrastructure provisioning, applications are becoming more reliable and are shipping faster. And monitoring tools are alerting engineers to potential failures so they can respond more quickly. Today’s teams build complex systems that scale massively, comprise countless microservices, and are distributed across the cloud. But there is a downside to this progress: The complexity and distributed nature of modern applications also bring an increased risk of security threats. But in many organizations, the security team has little influence on the design or development of an application. Siloed away from DevOps, the security team is responsible for dealing with the risks and threats after the application goes live. It’s time for security, just like operations, to shift left. In this guide on shift left security, we’ll look at what it is, why it’s important, and how organizations can begin to make the shift. We’ll also focus on security in two key areas: your CI/CD pipeline and your software supply chain. Planning Source Control Management Coding Local Testing Code Review CI/CD Management Pre-Deployment Testing Development Infrastructure Provisioning Production Deployment Smoke Testing Rollbacks Day 1 Operations Shift Left 3 eBook | Shift Left Security
What Is “Shift Left Security”? A DevOps approach divides the steps in the software development life cycle (SDLC) into three phases: 1. Development includes all the planning, implementation, review, and testing that take place prior to deployment. 2. Day 1 Operations is concerned with the actual deployment of the application, and it includes infrastructure provisioning, installation, configuration, smoke testing, and deployment rollbacks. 3. Day N Operations covers all the tasks after an application goes live, including monitoring, issue detection, and alerts. 4 eBook | Shift Left Security
In this timeline of phases, the further left a bug is discovered, the lesser the impact of that bug, and the lower the cost of mitigating issues arising from that bug. That’s why automated and rigorous testing of individual code units is of such high value in DevOps culture. Shift left security says: We should take the same approach to security vulnerabilities as we do with bugs. If security risks can be handled further to the left, then fewer vulnerabilities will sneak through, and the blast radius of a vulnerability is smaller. As a result, the cost of maintaining a strong security posture is lower, and the production application is more secure. Shift left security is like exercise, rest, and a good diet. Preventative health is less costly than treating a health condition. Shift left security is less costly than fixing a breached system. Planning Source Control Management Coding Local Testing Code Review CI/CD Management Pre-Deployment Testing Development Infrastructure Provisioning Production Deployment Smoke Testing Rollbacks Day 1 Operations Monitoring Issue Detection Incident Management Alerting Post-Mortem Day N Operations 5 eBook | Shift Left Security 5
Why Is Shift Left Security Important? Because Insecurity Is Expensive. Let’s look at the potential costs of not adopting shift left security. 6 eBook | Shift Left Security
The effect on overall system security Without proper security mechanisms in place, developers can get sloppy. They’ll write hasty duct-tape code patches, rely on a convenient but vulnerable library, or manually apply changes directly to a production machine. Without security guardrails in place, the resulting system is at high risk of being exploited. The effect on productivity When a vulnerability is exploited, engineering teams are thrown into disarray. First, responsible teams will need to devote resources to incident response, damage control, and the patching of vulnerabilities. Next, you can expect a heavy-handed reaction from the security team and business stakeholders. Developer access to cloud resources will be restricted. Code updates and new features will be met by a slew of measures for enforcing manual reviews and approval. Productivity will plummet. The cost of data breaches In today’s systems, data flows between and is stored in various cloud providers and on-premises systems. Without the right security mechanisms in place, the risk of a data breach is high, and an organization may be unable even to detect that a breach has occurred. An IBM/Ponemon report found that the average time to identify and contain a data breach was 287 days. The report pegged the average cost of a breach, in hybrid cloud environments, at $3.61 million. 7 eBook | Shift Left Security
The cost of regulatory non-compliance Without a proper security posture toward the open-source libraries your applications depend on, your organization might be in violation of licensing terms. If your application mishandles personally identifiable information (PII) or protected health information (PHI), the result could be heavy financial penalties or legal consequences. For example, GDPR fines resulting from data protection and privacy violations can be staggering. The cost of system downtime Vulnerable applications, when attacked, will result in system downtime. Whether it’s the direct result of a DDoS attack or system stoppage for patching, any downtime hurts your business. When customers can’t use or access your applications, they will stop paying for your services. The risk to business reputation and loss of customer trust There’s no question that a company’s brand is tarnished when news gets out about customer data being stolen or an unbearably long system outage. If your applications are not secure, it’s only a matter of time before those security threats are realized. As soon as you lose the trust of your customers, they’ll walk. 8 eBook | Shift Left Security
How Does an Organization Make the Shift? The traditional approach to application security involves manual checks, reviews, and patch updates. Security threats are handled reactively—after an exploit makes the news or once poking around in some logs reveals suspicious activity. However, this approach is untenable for today’s complex and distributed applications. By adopting shift left security, the focus of security efforts starts well before Day N Operations. 9 eBook | Shift Left Security
Security at the Development phase Design, implementation, and testing all take place during the Development phase of the timeline. Discovering and mitigating security vulnerabilities at this early stage can reap significant savings of resources—human and financial—down the road. Security-aware planning and design Among the Open Web Application Security Project (OWASP) list of Top Ten Web Application Security Risks for 2021 is insecure design. OWASP notes: “If we genuinely want to ‘move left’ as an industry, it calls for more use of threat modeling, secure design patterns and principles, and reference architectures.” Taking these steps will ensure system designs incorporate security practices like access control, auditing, levels of isolation, and alerting. 10 eBook | Shift Left Security
Secure coding practices Secure coding practices include techniques like input validation, parameterized queries, and proper handling of sensitive data or credentials. However, the list of best practices continues to grow, and how they’re applied varies from language to language and framework to framework. One solution is for developers to use IDEs that have built-in tools that analyze your code for potential risks as you work. Many IDEs also incorporate linters which help ensure code is properly formatted and that it conforms to coding standards. Access control Most web applications have a login component and different levels of access (such as basic user, privileged user, or administrator). The OWASP list referenced above includes identification and authentication failures as well as broken access control. Therefore, when designing an application, it’s important to give special attention to the components related to access control. In other words, don’t treat them just like any other component or microservice. If a malicious user gains access to your web application with administrator privileges, the impact could be devastating. Testing Unit testing at the early stages of application development can focus on more than just business logic and preventing bugs, but also include security-related tests. Testing can verify proper measures are in place for securing access control, preventing injection attacks, and validating inputs. Security at Day 1 Operations Implementing secure practices for Day 1 Operations is heavily related to the security of the CI/CD pipeline, which we will consider in its own section in this eBook. 11 eBook | Shift Left Security
Security at Day N Operations Although shift left security does emphasize a focus on security at the Development phase and in Day 1 Operations, organizations should still adopt security best practices within the processes of Day N Operations. Adopting these practices will help teams to respond faster and more effectively in the event of a security incident. Observability With shift left security, an application can be designed from the outset to include instrumentation for exposing logs, metrics, and traces, making the components of an application observable. A DevOps team, by examining this observability data, can discern the state and the health of an application. It can also use the data to gain insights into the root cause of incidents, including security threats. Monitoring Monitoring puts a constant watch on specific metrics or application states so that engineers can know immediately if something is of concern. Observability data helps teams understand why an application is in the state that it is. Monitoring, on the other hand, tracks specific metrics to let teams know when a noteworthy state is entered. For example, a team may specifically choose to monitor critical metrics like bad password attempts, HTTP requests per minute, or database query latency. Alerting Connected to monitoring, of course, is an alerting component that notifies responsible team members as soon as certain monitored conditions surpass a critical threshold or reach a noteworthy state. 12 eBook | Shift Left Security
The Security of Your CI/CD Pipeline Day 1 Operations depend heavily on the CI/ CD pipeline, which is an integral part of the toolchain for mature DevOps teams. The CI/CD pipeline deserves special treatment in our coverage of shift left security. Engineering teams can use the automated pipeline to apply security measures when building and deploying an application. However, teams also need to ensure that the pipeline itself is secure. Let’s look at these concepts in more detail. 13 eBook | Shift Left Security
Secret and credential management As part of Day 1 Operations, the CI/CD pipeline is responsible for provisioning infrastructure and deploying workloads. Your CI/CD pipeline will be configured to use your organization’s credentials for accessing cloud provider accounts, service accounts, and other resources. Storage of these credentials must be secure. Managed pipeline services include secret management tools for encrypted storage, decrypting secrets only when your pipeline uses them. Restrict the task of infrastructure provisioning and workload deployment to your CI/CD pipeline alone. An automated pipeline ensures that these tasks are performed the same way every time. Allowing an engineer to perform these tasks manually runs the risk of skipping critical security or configuration steps. The credentials used by the CI/CD pipeline should be tightly held. Since engineers shouldn’t be allowed to perform these tasks manually, they do not need access to these secrets. CI/CD Pipeline Tokens Cloud API Keys Database user credentials Private certificates SSH Keys Kubernetes service account credentials 14 eBook | Shift Left Security
Infrastructure as code Delegating infrastructure provisioning to your CI/CD pipeline ensures you get the same infrastructure with the same configurations and settings on every deployment. By using infrastructure as code, you create declarative configurations of your system architecture. Without a declarative configuration, an engineer might make on-the-fly changes to infrastructure configurations, and this introduces drift. These habits introduce security risks and are difficult to track or audit. By adopting infrastructure as code, such as AWS CloudFormation or Terraform, every change to an infrastructure configuration can be recorded and reviewed as the configurations are stored in a version control system. Static code analysis A CI/CD pipeline can run a suite of automated tests followed by processes that build, deploy, and configure the production application. At any point in that series of processes, the pipeline can be tasked with applying additional security measures or engaging other tools. In the section on secure coding practices, we mentioned the use of IDEs for real-time analysis of code. Further analysis can be performed across all code for an application by using static code analysis tools. Tools like SonarQube can be integrated into the CI/CD pipeline and run before building the application. This will ensure that all code conforms to security standards and conventions. 15 eBook | Shift Left Security
Vulnerability scanning Just as static code analysis examines your application’s code for security flaws, vulnerability scanning checks container images or third-party dependencies for security risks. Tools like Trivy or Grype can be integrated with the CI/CD pipeline to perform scans. In the section on software supply chain security, we cover the threat of third-party dependencies in more detail. Alerting on broken CI/CD For the sake of security, all infrastructure configurations and changes, including updates or rollbacks or restarts, are handled by your CI/CD pipeline. This has several implications. First, your CI/CD pipeline must be highly available. You depend on your CI/CD pipeline to make changes to your infrastructure—and you may need to do so urgently if a security breach necessitates shutting down or isolating parts of your application. Whenever your CI/CD pipeline is unavailable, your hands are tied, and you’ll be unable to make infrastructure changes. Second, your CI/CD pipeline must be deployed securely. If the CI/CD pipeline itself is vulnerable to attack—making it unavailable or exposing its sensitive data for exfiltration—then your entire system will become vulnerable. Approaching your CI/CD pipeline with a focus on security means planning in advance for how your team will handle a broken CI/CD pipeline. Consider what would need to be done to keep your systems running securely while the pipeline is being repaired. 16 eBook | Shift Left Security
The Security of Your Software Supply Chain Open-source software has become a staple in modern software development. While the application you build may be proprietary, it likely has a set of third-party dependencies which include open-source libraries, packages, container images, or tools. Those dependencies in turn have their own sets of dependencies. The entire chain of dependencies—starting with your first library dependency and reaching all the way to the smallest I/O package at the end—is your software supply chain. An emphasis on security implies heavy scrutiny of every package in your software supply chain. A security vulnerability in your software supply chain exposes your application to risk. 17 eBook | Shift Left Security
The far-reaching impact of a software supply chain attack By relying heavily on open-source software in their software supply chain, organizations give an unquestioning level of trust to the developers and organizations behind these third-party dependencies. However, even if the maintainers of these projects are not malicious actors, who can guarantee that their approach to security will be as conscientious as yours? Libraries continually undergo version updates, and each new version brings with it the potential for introducing a vulnerability. Libraries trusted as secure in the past may undergo several version updates without any further vetting. Some open-source projects may be trusted and innocuous for a long time in order to gain trust and adoption, only to be updated with intentionally malicious code in a later version. Imagine the reach that a security vulnerability could have if it were introduced at the lowest level possible—in a dependency that is relied upon by several key packages that are widely used throughout the industry. A shift left security approach to application development requires taking back that blind trust. Common attack vectors for the software supply chain Of the many different ways that a software supply chain can come under attack, the following are noteworthy attack vectors. Common Supply Chain Attack Vectors Dependency Confusion Container Image Vulnerabilities Compromised Packages Corrupted Packages Sabotaged Packages 18 eBook | Shift Left Security
Dependency confusion A dependency confusion attack occurs when your package manager updates your application with code from an unsafe, public package rather than your vetted, private package. For example, your application might depend on a trusted, internal package called auth-lib. Internally, your package is at version 2.9.3. A malicious actor might publish a package under the same name, auth-lib, and release malicious code as version 2.9.4. The intent of the attack is to confuse package managers that are not properly configured to prioritize private packages over public packages. The susceptible package manager will discover that a new version of the (public) package is available, and then it will download and install it, overwriting the trusted package. Vulnerabilities in container images When an application directly uses or depends on tools or libraries that use containerization, then that application is open to security risks through container image vulnerabilities. Container images can often be more opaque than open- source libraries where the source code is freely available for examination. Because of this, the risk of security vulnerabilities in container images is real and reasonable. Compromised libraries/packages Dependency libraries undergo frequent updates. Security patches, feature additions, and performance enhancements can all result in a version update, which comes from the authoritative maintainer of that software. If, however, a malicious actor can gain control of the release process to manipulate the update, the result would be the dissemination of malicious code under the guise of a trusted update. Package corruption or sabotage Recent events (for example, an incident involving faker.js and color.js) have also shown that package maintainers themselves may intentionally sabotage their own packages or introduce malicious code. If an open-source library is present at a deep enough level in the software supply chain to be used widely, the result of such sabotage can be crippling. 19 eBook | Shift Left Security
How to protect your software supply chain Adopting shift left security will mean implementing certain security measures—especially in the earlier stages of application development—to protect your software supply chain. These measures include the following: • Take a complete inventory of your software supply chain. By starting with a software bill of materials (SBOM), you have a baseline from which to begin checking your dependencies. OWASP CycloneDX is a lightweight SBOM standard that can help. • Assess your dependencies for security risks. For example, Security Scorecards is a tool from the Open Source Security Foundation that assigns scores to each open-source dependency to give you an understanding of your risk. • Secure your package manager against dependency confusion attacks by prioritizing internal packages over public packages, even those with a higher version number. • Use lockfiles to lock the dependencies you use to specific versions which you have already vetted as trusted. Dependency versions will require approval rather than being automatically updated. • Integrate vulnerability scanning tools in your CI/CD pipeline. With the depth and complexity of today’s software supply chains, it’s impossible to manually check all of your dependencies for security threats. Vulnerability scanning tools can examine container images and third- party libraries for security threats. • Use signed images to ensure that the images you incorporate are created by verified parties. • Use trusted registries for your container images. 20 eBook | Shift Left Security
Conclusion Shift left security is trending, but it can’t be treated as just another tech-speak catchphrase. Today’s applications, complex and distributed, expose a large surface area that is vulnerable to attack. Security can’t be an afterthought, with measures taken reactively on day two. The negative effects and financial cost of an exploited vulnerability would be too great. Instead, security needs to be in focus at the outset of application design and carried out through protocols and the integration of tools during development, testing, deployment, and beyond. In particular, adopting shift left security means taking special precautions to leverage and secure your CI/CD pipeline. Also, it means paying special attention to the security of your software supply chain. 21 eBook | Shift Left Security
Cisco’s Tools As your organization adopts a shift left security approach to its applications, Cisco is ready to journey alongside you. Check out these tools and resources: APIClarity, for API traffic visibility in Kubernetes clusters. This open source, cloud-native tool uses a service mesh framework to capture and analyze API traffic, and identify potential risks. Check out the GitHub repo. Cisco AppDynamics with Secure Application. Protect your organization and your users from attacks and vulnerabilities with unified business performance and security observability. Learn more. KubeClarity, a tool for detection and management of Software Bill Of Materials (SBOM) and vulnerabilities, in container images and filesystems. Go to the GitHub repo. Panoptica, the Cisco Secure Application Cloud, provides robust security from CD/CD to runtime – for containers, Kubernetes, and service mesh, and APIs. All in a single pane of glass interface. Sign up for free. For more perspective, read the story from Cisco’s Michael Chenetz in Stack Overflow: Security needs to shift left into the software development lifecycle. 22 eBook | Shift Left Security

More Related Content

PPTX
Fortify-Application_Security_Foundation_Training.pptx
VictoriaChavesta
 
PPTX
Fortify-Application_Security_Foundation_Training.pptx
YoisRoberthTapiadeLa
 
PDF
Top 6 Web Application Security Best Practices.pdf
SolviosTechnology
 
DOC
Five Mistakes of Vulnerability Management
Anton Chuvakin
 
DOCX
Criterion 1A - 4 - MasteryPros and Cons Thoroughly compares the
CruzIbarra161
 
PPTX
Building an AppSec Team Extended Cut
Mike Spaulding
 
PPTX
Mike Spaulding - Building an Application Security Program
centralohioissa
 
PDF
PDF The complete guide to developer first application security By Github.Co...
eivimayuyu
 
Fortify-Application_Security_Foundation_Training.pptx
VictoriaChavesta
 
Fortify-Application_Security_Foundation_Training.pptx
YoisRoberthTapiadeLa
 
Top 6 Web Application Security Best Practices.pdf
SolviosTechnology
 
Five Mistakes of Vulnerability Management
Anton Chuvakin
 
Criterion 1A - 4 - MasteryPros and Cons Thoroughly compares the
CruzIbarra161
 
Building an AppSec Team Extended Cut
Mike Spaulding
 
Mike Spaulding - Building an Application Security Program
centralohioissa
 
PDF The complete guide to developer first application security By Github.Co...
eivimayuyu
 

Similar to Cisco_eBook_ShiftLeftSecurity_2022_06_07a.pdf(20)

PDF
Security-First Development_ Safeguarding Your Software from Threats.pdf
Tyrion Lannister
 
PDF
White Paper: 7 Security Gaps in the Neglected 90% of your Applications
Sonatype
 
PDF
How to Ensure Security in Software Application Development.pdf
himanshuwowit
 
PDF
2021-10-14 The Critical Role of Security in DevOps.pdf
Savinder Puri
 
PDF
Why Data Security Should Be a Priority in Your Software Development Strategy?
Mars Devs
 
DOCX
Project Quality-SIPOCSelect a process of your choice and creat.docx
wkyra78
 
PDF
Procuring an Application Security Testing Partner
HCLSoftware
 
PDF
Selecting an App Security Testing Partner: An eGuide
HCLSoftware
 
PDF
What is Secure Code Review and Its Process.pdf
nainasharma1819999
 
PDF
The complete guide to developer first application security By Github.Com
nootjeiviwe
 
PDF
The Rise of DevSecOps in CI_CD Workflows.pdf
your techdigest
 
PDF
Fortify Continuous Delivery
Mainstay
 
PDF
Building a Product Security Practice in a DevOps World
Arun Prabhakar
 
PDF
Research Article On Web Application Security
SaadSaif6
 
PDF
Building a Fortress - How to Integrate Security Testing into Your QA Process.pdf
madhusudhanarao52
 
PPTX
Emphasizing Value of Prioritizing AppSec Meetup 11052023.pptx
lior mazor
 
PDF
Applicaiton Security - Building The Audit Program
Michael Davis
 
PDF
3 Misconceptions Ruining The DevSecOps Integration
Enov8
 
PDF
5 Effective Ways Modern Applications Can Boost Your Security
tebsseo
 
PDF
Many products-no-security (1)
SecPod Technologies
 
Security-First Development_ Safeguarding Your Software from Threats.pdf
Tyrion Lannister
 
White Paper: 7 Security Gaps in the Neglected 90% of your Applications
Sonatype
 
How to Ensure Security in Software Application Development.pdf
himanshuwowit
 
2021-10-14 The Critical Role of Security in DevOps.pdf
Savinder Puri
 
Why Data Security Should Be a Priority in Your Software Development Strategy?
Mars Devs
 
Project Quality-SIPOCSelect a process of your choice and creat.docx
wkyra78
 
Procuring an Application Security Testing Partner
HCLSoftware
 
Selecting an App Security Testing Partner: An eGuide
HCLSoftware
 
What is Secure Code Review and Its Process.pdf
nainasharma1819999
 
The complete guide to developer first application security By Github.Com
nootjeiviwe
 
The Rise of DevSecOps in CI_CD Workflows.pdf
your techdigest
 
Fortify Continuous Delivery
Mainstay
 
Building a Product Security Practice in a DevOps World
Arun Prabhakar
 
Research Article On Web Application Security
SaadSaif6
 
Building a Fortress - How to Integrate Security Testing into Your QA Process.pdf
madhusudhanarao52
 
Emphasizing Value of Prioritizing AppSec Meetup 11052023.pptx
lior mazor
 
Applicaiton Security - Building The Audit Program
Michael Davis
 
3 Misconceptions Ruining The DevSecOps Integration
Enov8
 
5 Effective Ways Modern Applications Can Boost Your Security
tebsseo
 
Many products-no-security (1)
SecPod Technologies
 

Recently uploaded(20)

PPT
Chapter1-Introduction to big data analytics.ppt
ShafeenNagoor
 
PDF
Basic-Mechanical-Engineering-23ES1006.pdf
minzashim34
 
PDF
FORENSICS Book for investigators Europa.pdf
rakeshsehgal93
 
PDF
KEY DRIVERS OF HIGH TB BURDEN IN TOP 10 COUNTRIES: A SYSTEMATIC REVIEW
hiij
 
PDF
PLC Handbook history of PLC and it's features
deenwap
 
PDF
lecture Slides DJM30062 unit 3 RELAY 12 sept22.pdf
zatietjdn
 
PPT
UNIT I HOSPITAL INFORMATION SYSTEM in Computer in medicine
kalimuthukumar1
 
PPTX
New ppt test.pptx................................
RamAgrawal49
 
PPTX
Draft Final Presentation_Mah-STU Restructuring_V3.0_01.10.2024.pptx
sarveshhydraulic
 
PDF
THE STUDY OF INCREMENTAL PROCEDURE WITH DEEP LSTM FOR MULTICLASS SENTIMENT AN...
ijait
 
PPTX
AI -Basics of artificial intelligence lecture notes
deepika1108
 
PPTX
Module 2-4-6-2022ADASSFFGDFSDFSDASDS.pptx
Dr. J S Sri Kantamurthy
 
PPTX
SIH25016-TechTitans.pptxxxxxxxxxxxxxxxxx
Shreya331840
 
PPTX
Module 3-updated-STUDENTSSADSADADASDS.pptx
Dr. J S Sri Kantamurthy
 
PDF
Basic-Mechanical-Engineering-23ES1006.pdf
minzashim34
 
PDF
EVALUATION OF THE CHALLENGES FACING ONBOARD TRAINING IN TANZANIA: A DEMATEL M...
journalijbiss131
 
PDF
Cable supported bridges - concept and design -- Gimsing, Niels J. -- ( WeLib....
valter gentile
 
PDF
DESIGN AND DEVELOPMENT OF A PRIVACY-PRESERVING SEMI-PUBLIC BLOCKCHAIN-BASED R...
ijait
 
PDF
quantumCryptography-noise aware-privacy amplification.pdf
teesam615
 
PPTX
Smart_Pesticide_ SIH2025.pptx
krushangrprajapati
 
Chapter1-Introduction to big data analytics.ppt
ShafeenNagoor
 
Basic-Mechanical-Engineering-23ES1006.pdf
minzashim34
 
FORENSICS Book for investigators Europa.pdf
rakeshsehgal93
 
KEY DRIVERS OF HIGH TB BURDEN IN TOP 10 COUNTRIES: A SYSTEMATIC REVIEW
hiij
 
PLC Handbook history of PLC and it's features
deenwap
 
lecture Slides DJM30062 unit 3 RELAY 12 sept22.pdf
zatietjdn
 
UNIT I HOSPITAL INFORMATION SYSTEM in Computer in medicine
kalimuthukumar1
 
New ppt test.pptx................................
RamAgrawal49
 
Draft Final Presentation_Mah-STU Restructuring_V3.0_01.10.2024.pptx
sarveshhydraulic
 
THE STUDY OF INCREMENTAL PROCEDURE WITH DEEP LSTM FOR MULTICLASS SENTIMENT AN...
ijait
 
AI -Basics of artificial intelligence lecture notes
deepika1108
 
Module 2-4-6-2022ADASSFFGDFSDFSDASDS.pptx
Dr. J S Sri Kantamurthy
 
SIH25016-TechTitans.pptxxxxxxxxxxxxxxxxx
Shreya331840
 
Module 3-updated-STUDENTSSADSADADASDS.pptx
Dr. J S Sri Kantamurthy
 
Basic-Mechanical-Engineering-23ES1006.pdf
minzashim34
 
EVALUATION OF THE CHALLENGES FACING ONBOARD TRAINING IN TANZANIA: A DEMATEL M...
journalijbiss131
 
Cable supported bridges - concept and design -- Gimsing, Niels J. -- ( WeLib....
valter gentile
 
DESIGN AND DEVELOPMENT OF A PRIVACY-PRESERVING SEMI-PUBLIC BLOCKCHAIN-BASED R...
ijait
 
quantumCryptography-noise aware-privacy amplification.pdf
teesam615
 
Smart_Pesticide_ SIH2025.pptx
krushangrprajapati
 

Cisco_eBook_ShiftLeftSecurity_2022_06_07a.pdf

  • 1.
    Shift Left Security JU N E 2022 Fundamentals of Shift Left Security Create more secure applications with best practices for your software supply chain and CI/CD pipeline
  • 2.
    Table of Contents Introduction What Is“Shift Left Security”? Why Is Shift Left Security Important? How Does an Organization Make the Shift? The Security of Your CI/CD Pipeline The Security of Your Software Supply Chain Conclusion Cisco’s Tools 3 4 6 9 13 17 21 22 2 eBook | Shift Left Security
  • 3.
    Introduction Modern development teamshave become highly adept at building software applications. DevOps culture and practices—the leftward-on-the-timeline shifting of operational responsibilities—have empowered teams to move more quickly as they build complex applications. As CI/CD pipelines automate testing and infrastructure provisioning, applications are becoming more reliable and are shipping faster. And monitoring tools are alerting engineers to potential failures so they can respond more quickly. Today’s teams build complex systems that scale massively, comprise countless microservices, and are distributed across the cloud. But there is a downside to this progress: The complexity and distributed nature of modern applications also bring an increased risk of security threats. But in many organizations, the security team has little influence on the design or development of an application. Siloed away from DevOps, the security team is responsible for dealing with the risks and threats after the application goes live. It’s time for security, just like operations, to shift left. In this guide on shift left security, we’ll look at what it is, why it’s important, and how organizations can begin to make the shift. We’ll also focus on security in two key areas: your CI/CD pipeline and your software supply chain. Planning Source Control Management Coding Local Testing Code Review CI/CD Management Pre-Deployment Testing Development Infrastructure Provisioning Production Deployment Smoke Testing Rollbacks Day 1 Operations Shift Left 3 eBook | Shift Left Security
  • 4.
    What Is “Shift Left Security”? ADevOps approach divides the steps in the software development life cycle (SDLC) into three phases: 1. Development includes all the planning, implementation, review, and testing that take place prior to deployment. 2. Day 1 Operations is concerned with the actual deployment of the application, and it includes infrastructure provisioning, installation, configuration, smoke testing, and deployment rollbacks. 3. Day N Operations covers all the tasks after an application goes live, including monitoring, issue detection, and alerts. 4 eBook | Shift Left Security
  • 5.
    In this timelineof phases, the further left a bug is discovered, the lesser the impact of that bug, and the lower the cost of mitigating issues arising from that bug. That’s why automated and rigorous testing of individual code units is of such high value in DevOps culture. Shift left security says: We should take the same approach to security vulnerabilities as we do with bugs. If security risks can be handled further to the left, then fewer vulnerabilities will sneak through, and the blast radius of a vulnerability is smaller. As a result, the cost of maintaining a strong security posture is lower, and the production application is more secure. Shift left security is like exercise, rest, and a good diet. Preventative health is less costly than treating a health condition. Shift left security is less costly than fixing a breached system. Planning Source Control Management Coding Local Testing Code Review CI/CD Management Pre-Deployment Testing Development Infrastructure Provisioning Production Deployment Smoke Testing Rollbacks Day 1 Operations Monitoring Issue Detection Incident Management Alerting Post-Mortem Day N Operations 5 eBook | Shift Left Security 5
  • 6.
    Why Is Shift LeftSecurity Important? Because Insecurity Is Expensive. Let’s look at the potential costs of not adopting shift left security. 6 eBook | Shift Left Security
  • 7.
    The effect onoverall system security Without proper security mechanisms in place, developers can get sloppy. They’ll write hasty duct-tape code patches, rely on a convenient but vulnerable library, or manually apply changes directly to a production machine. Without security guardrails in place, the resulting system is at high risk of being exploited. The effect on productivity When a vulnerability is exploited, engineering teams are thrown into disarray. First, responsible teams will need to devote resources to incident response, damage control, and the patching of vulnerabilities. Next, you can expect a heavy-handed reaction from the security team and business stakeholders. Developer access to cloud resources will be restricted. Code updates and new features will be met by a slew of measures for enforcing manual reviews and approval. Productivity will plummet. The cost of data breaches In today’s systems, data flows between and is stored in various cloud providers and on-premises systems. Without the right security mechanisms in place, the risk of a data breach is high, and an organization may be unable even to detect that a breach has occurred. An IBM/Ponemon report found that the average time to identify and contain a data breach was 287 days. The report pegged the average cost of a breach, in hybrid cloud environments, at $3.61 million. 7 eBook | Shift Left Security
  • 8.
    The cost ofregulatory non-compliance Without a proper security posture toward the open-source libraries your applications depend on, your organization might be in violation of licensing terms. If your application mishandles personally identifiable information (PII) or protected health information (PHI), the result could be heavy financial penalties or legal consequences. For example, GDPR fines resulting from data protection and privacy violations can be staggering. The cost of system downtime Vulnerable applications, when attacked, will result in system downtime. Whether it’s the direct result of a DDoS attack or system stoppage for patching, any downtime hurts your business. When customers can’t use or access your applications, they will stop paying for your services. The risk to business reputation and loss of customer trust There’s no question that a company’s brand is tarnished when news gets out about customer data being stolen or an unbearably long system outage. If your applications are not secure, it’s only a matter of time before those security threats are realized. As soon as you lose the trust of your customers, they’ll walk. 8 eBook | Shift Left Security
  • 9.
    How Does an Organization Makethe Shift? The traditional approach to application security involves manual checks, reviews, and patch updates. Security threats are handled reactively—after an exploit makes the news or once poking around in some logs reveals suspicious activity. However, this approach is untenable for today’s complex and distributed applications. By adopting shift left security, the focus of security efforts starts well before Day N Operations. 9 eBook | Shift Left Security
  • 10.
    Security at theDevelopment phase Design, implementation, and testing all take place during the Development phase of the timeline. Discovering and mitigating security vulnerabilities at this early stage can reap significant savings of resources—human and financial—down the road. Security-aware planning and design Among the Open Web Application Security Project (OWASP) list of Top Ten Web Application Security Risks for 2021 is insecure design. OWASP notes: “If we genuinely want to ‘move left’ as an industry, it calls for more use of threat modeling, secure design patterns and principles, and reference architectures.” Taking these steps will ensure system designs incorporate security practices like access control, auditing, levels of isolation, and alerting. 10 eBook | Shift Left Security
  • 11.
    Secure coding practices Securecoding practices include techniques like input validation, parameterized queries, and proper handling of sensitive data or credentials. However, the list of best practices continues to grow, and how they’re applied varies from language to language and framework to framework. One solution is for developers to use IDEs that have built-in tools that analyze your code for potential risks as you work. Many IDEs also incorporate linters which help ensure code is properly formatted and that it conforms to coding standards. Access control Most web applications have a login component and different levels of access (such as basic user, privileged user, or administrator). The OWASP list referenced above includes identification and authentication failures as well as broken access control. Therefore, when designing an application, it’s important to give special attention to the components related to access control. In other words, don’t treat them just like any other component or microservice. If a malicious user gains access to your web application with administrator privileges, the impact could be devastating. Testing Unit testing at the early stages of application development can focus on more than just business logic and preventing bugs, but also include security-related tests. Testing can verify proper measures are in place for securing access control, preventing injection attacks, and validating inputs. Security at Day 1 Operations Implementing secure practices for Day 1 Operations is heavily related to the security of the CI/CD pipeline, which we will consider in its own section in this eBook. 11 eBook | Shift Left Security
  • 12.
    Security at DayN Operations Although shift left security does emphasize a focus on security at the Development phase and in Day 1 Operations, organizations should still adopt security best practices within the processes of Day N Operations. Adopting these practices will help teams to respond faster and more effectively in the event of a security incident. Observability With shift left security, an application can be designed from the outset to include instrumentation for exposing logs, metrics, and traces, making the components of an application observable. A DevOps team, by examining this observability data, can discern the state and the health of an application. It can also use the data to gain insights into the root cause of incidents, including security threats. Monitoring Monitoring puts a constant watch on specific metrics or application states so that engineers can know immediately if something is of concern. Observability data helps teams understand why an application is in the state that it is. Monitoring, on the other hand, tracks specific metrics to let teams know when a noteworthy state is entered. For example, a team may specifically choose to monitor critical metrics like bad password attempts, HTTP requests per minute, or database query latency. Alerting Connected to monitoring, of course, is an alerting component that notifies responsible team members as soon as certain monitored conditions surpass a critical threshold or reach a noteworthy state. 12 eBook | Shift Left Security
  • 13.
    The Security of YourCI/CD Pipeline Day 1 Operations depend heavily on the CI/ CD pipeline, which is an integral part of the toolchain for mature DevOps teams. The CI/CD pipeline deserves special treatment in our coverage of shift left security. Engineering teams can use the automated pipeline to apply security measures when building and deploying an application. However, teams also need to ensure that the pipeline itself is secure. Let’s look at these concepts in more detail. 13 eBook | Shift Left Security
  • 14.
    Secret and credentialmanagement As part of Day 1 Operations, the CI/CD pipeline is responsible for provisioning infrastructure and deploying workloads. Your CI/CD pipeline will be configured to use your organization’s credentials for accessing cloud provider accounts, service accounts, and other resources. Storage of these credentials must be secure. Managed pipeline services include secret management tools for encrypted storage, decrypting secrets only when your pipeline uses them. Restrict the task of infrastructure provisioning and workload deployment to your CI/CD pipeline alone. An automated pipeline ensures that these tasks are performed the same way every time. Allowing an engineer to perform these tasks manually runs the risk of skipping critical security or configuration steps. The credentials used by the CI/CD pipeline should be tightly held. Since engineers shouldn’t be allowed to perform these tasks manually, they do not need access to these secrets. CI/CD Pipeline Tokens Cloud API Keys Database user credentials Private certificates SSH Keys Kubernetes service account credentials 14 eBook | Shift Left Security
  • 15.
    Infrastructure as code Delegatinginfrastructure provisioning to your CI/CD pipeline ensures you get the same infrastructure with the same configurations and settings on every deployment. By using infrastructure as code, you create declarative configurations of your system architecture. Without a declarative configuration, an engineer might make on-the-fly changes to infrastructure configurations, and this introduces drift. These habits introduce security risks and are difficult to track or audit. By adopting infrastructure as code, such as AWS CloudFormation or Terraform, every change to an infrastructure configuration can be recorded and reviewed as the configurations are stored in a version control system. Static code analysis A CI/CD pipeline can run a suite of automated tests followed by processes that build, deploy, and configure the production application. At any point in that series of processes, the pipeline can be tasked with applying additional security measures or engaging other tools. In the section on secure coding practices, we mentioned the use of IDEs for real-time analysis of code. Further analysis can be performed across all code for an application by using static code analysis tools. Tools like SonarQube can be integrated into the CI/CD pipeline and run before building the application. This will ensure that all code conforms to security standards and conventions. 15 eBook | Shift Left Security
  • 16.
    Vulnerability scanning Just asstatic code analysis examines your application’s code for security flaws, vulnerability scanning checks container images or third-party dependencies for security risks. Tools like Trivy or Grype can be integrated with the CI/CD pipeline to perform scans. In the section on software supply chain security, we cover the threat of third-party dependencies in more detail. Alerting on broken CI/CD For the sake of security, all infrastructure configurations and changes, including updates or rollbacks or restarts, are handled by your CI/CD pipeline. This has several implications. First, your CI/CD pipeline must be highly available. You depend on your CI/CD pipeline to make changes to your infrastructure—and you may need to do so urgently if a security breach necessitates shutting down or isolating parts of your application. Whenever your CI/CD pipeline is unavailable, your hands are tied, and you’ll be unable to make infrastructure changes. Second, your CI/CD pipeline must be deployed securely. If the CI/CD pipeline itself is vulnerable to attack—making it unavailable or exposing its sensitive data for exfiltration—then your entire system will become vulnerable. Approaching your CI/CD pipeline with a focus on security means planning in advance for how your team will handle a broken CI/CD pipeline. Consider what would need to be done to keep your systems running securely while the pipeline is being repaired. 16 eBook | Shift Left Security
  • 17.
    The Security of YourSoftware Supply Chain Open-source software has become a staple in modern software development. While the application you build may be proprietary, it likely has a set of third-party dependencies which include open-source libraries, packages, container images, or tools. Those dependencies in turn have their own sets of dependencies. The entire chain of dependencies—starting with your first library dependency and reaching all the way to the smallest I/O package at the end—is your software supply chain. An emphasis on security implies heavy scrutiny of every package in your software supply chain. A security vulnerability in your software supply chain exposes your application to risk. 17 eBook | Shift Left Security
  • 18.
    The far-reaching impactof a software supply chain attack By relying heavily on open-source software in their software supply chain, organizations give an unquestioning level of trust to the developers and organizations behind these third-party dependencies. However, even if the maintainers of these projects are not malicious actors, who can guarantee that their approach to security will be as conscientious as yours? Libraries continually undergo version updates, and each new version brings with it the potential for introducing a vulnerability. Libraries trusted as secure in the past may undergo several version updates without any further vetting. Some open-source projects may be trusted and innocuous for a long time in order to gain trust and adoption, only to be updated with intentionally malicious code in a later version. Imagine the reach that a security vulnerability could have if it were introduced at the lowest level possible—in a dependency that is relied upon by several key packages that are widely used throughout the industry. A shift left security approach to application development requires taking back that blind trust. Common attack vectors for the software supply chain Of the many different ways that a software supply chain can come under attack, the following are noteworthy attack vectors. Common Supply Chain Attack Vectors Dependency Confusion Container Image Vulnerabilities Compromised Packages Corrupted Packages Sabotaged Packages 18 eBook | Shift Left Security
  • 19.
    Dependency confusion A dependencyconfusion attack occurs when your package manager updates your application with code from an unsafe, public package rather than your vetted, private package. For example, your application might depend on a trusted, internal package called auth-lib. Internally, your package is at version 2.9.3. A malicious actor might publish a package under the same name, auth-lib, and release malicious code as version 2.9.4. The intent of the attack is to confuse package managers that are not properly configured to prioritize private packages over public packages. The susceptible package manager will discover that a new version of the (public) package is available, and then it will download and install it, overwriting the trusted package. Vulnerabilities in container images When an application directly uses or depends on tools or libraries that use containerization, then that application is open to security risks through container image vulnerabilities. Container images can often be more opaque than open- source libraries where the source code is freely available for examination. Because of this, the risk of security vulnerabilities in container images is real and reasonable. Compromised libraries/packages Dependency libraries undergo frequent updates. Security patches, feature additions, and performance enhancements can all result in a version update, which comes from the authoritative maintainer of that software. If, however, a malicious actor can gain control of the release process to manipulate the update, the result would be the dissemination of malicious code under the guise of a trusted update. Package corruption or sabotage Recent events (for example, an incident involving faker.js and color.js) have also shown that package maintainers themselves may intentionally sabotage their own packages or introduce malicious code. If an open-source library is present at a deep enough level in the software supply chain to be used widely, the result of such sabotage can be crippling. 19 eBook | Shift Left Security
  • 20.
    How to protectyour software supply chain Adopting shift left security will mean implementing certain security measures—especially in the earlier stages of application development—to protect your software supply chain. These measures include the following: • Take a complete inventory of your software supply chain. By starting with a software bill of materials (SBOM), you have a baseline from which to begin checking your dependencies. OWASP CycloneDX is a lightweight SBOM standard that can help. • Assess your dependencies for security risks. For example, Security Scorecards is a tool from the Open Source Security Foundation that assigns scores to each open-source dependency to give you an understanding of your risk. • Secure your package manager against dependency confusion attacks by prioritizing internal packages over public packages, even those with a higher version number. • Use lockfiles to lock the dependencies you use to specific versions which you have already vetted as trusted. Dependency versions will require approval rather than being automatically updated. • Integrate vulnerability scanning tools in your CI/CD pipeline. With the depth and complexity of today’s software supply chains, it’s impossible to manually check all of your dependencies for security threats. Vulnerability scanning tools can examine container images and third- party libraries for security threats. • Use signed images to ensure that the images you incorporate are created by verified parties. • Use trusted registries for your container images. 20 eBook | Shift Left Security
  • 21.
    Conclusion Shift left securityis trending, but it can’t be treated as just another tech-speak catchphrase. Today’s applications, complex and distributed, expose a large surface area that is vulnerable to attack. Security can’t be an afterthought, with measures taken reactively on day two. The negative effects and financial cost of an exploited vulnerability would be too great. Instead, security needs to be in focus at the outset of application design and carried out through protocols and the integration of tools during development, testing, deployment, and beyond. In particular, adopting shift left security means taking special precautions to leverage and secure your CI/CD pipeline. Also, it means paying special attention to the security of your software supply chain. 21 eBook | Shift Left Security
  • 22.
    Cisco’s Tools As yourorganization adopts a shift left security approach to its applications, Cisco is ready to journey alongside you. Check out these tools and resources: APIClarity, for API traffic visibility in Kubernetes clusters. This open source, cloud-native tool uses a service mesh framework to capture and analyze API traffic, and identify potential risks. Check out the GitHub repo. Cisco AppDynamics with Secure Application. Protect your organization and your users from attacks and vulnerabilities with unified business performance and security observability. Learn more. KubeClarity, a tool for detection and management of Software Bill Of Materials (SBOM) and vulnerabilities, in container images and filesystems. Go to the GitHub repo. Panoptica, the Cisco Secure Application Cloud, provides robust security from CD/CD to runtime – for containers, Kubernetes, and service mesh, and APIs. All in a single pane of glass interface. Sign up for free. For more perspective, read the story from Cisco’s Michael Chenetz in Stack Overflow: Security needs to shift left into the software development lifecycle. 22 eBook | Shift Left Security