There seems to be no consensus on the right approach to building an application security toolchain. While it doesn’t matter one way or another to some people, the vast majority are divided on whether one end-to-end tool or integration of best-of-breed solutions is the right way to go. There is no “correct” answer if that’s what you’re looking for, but it does make sense that small and medium-size businesses would prefer the former due to the single point of updates and maintenance. On the other hand, a best-of-breed list of well-integrated tools would come with the obvious advantages of being able to function independently of each other if need be.
Putting all the best players together doesn’t automatically translate into a good team. There are levels of integration and the higher levels come from maturity, experience, and, quite often, trial and error. Let’s say we take the best-of-breed approach by having five different tools for firewall, intrusion detection, backup, encryption, and compliance. While on paper this might sound like a good idea, integrated systems work best when they’ve been designed to work together from the ground up. If that isn’t the case, what you normally get is a bunch of tools loosely coupled together using the least common denominator method that leaves out a lot of the good stuff.
All-in-one integrated application security toolkits
Another option is to go with a set of tools that are all from the same vendor — this puts them in the category of solutions built to work together. The advantage here is a common user interface across all tools in addition to common hardware requirements that are easier to cater to. What’s even better is when a vendor integrates its own best-performing tools into a “platform” that’s more than the sum of its parts. Case in point, the Polaris Software Integrity Platform from Synopsys, which is a combination of three different tools: Coverity for static code analysis, Black Duck for software composition analysis, and Seeker for interactive application security testing.
A new and key feature of this platform is the Code Sight IDE plugin that uses Coverity to constantly scan your code and look for mistakes or bad coding practices that could cause problems in production. It also gives you real-time and interactive feedback on how to remediate such problems. This prevents a lot of mishaps from happening in the coding stage, saving an invaluable amount of time, money, and effort going forward. Other features include consolidated risk reporting and integration with other security platforms. While deciding to go with a single vendor comes with the obvious fears of a “lock-in,” Polaris is advertised as an open platform that works well with others.
WhiteHat application security platform
There’s been a lot of focus on DevSecOps and how security has to be built into the entire development lifecycle to be truly effective. That’s exactly what the WhiteHat application security platform is focused on doing. Similar to the Polaris platform, this one is a combination of a number of tools including Sentinel Dynamic for dynamic application security testing (DAST), Sentinel Source for static application security testing (SAST), and WhiteHat SCA (software composition analysis). In September 2018, WhiteHat took things up a notch by adding AI power to Sentinel Dynamic, which not only drastically decreased the time taken to identify threat vectors but also eliminated a lot of the time-consuming false positive identifications.
Where WhiteHat differentiates itself from the crowd is its emphasis on education and its attention to the skill shortage in particular. That’s why the platform includes an e-learning solution designed to bring security personnel as well as the wider developer community up to speed on topics like secure coding, mitigation, and defensive remediation. In an annual report, the organization was quite vocal about how new technology inevitably introduces new vulnerabilities to the enterprise. The report also highlights the security implications of new digital transformation initiatives and how they need to be accounted for from the beginning and not as an afterthought.
Bridging the gap
Another platform focused on DevSecOps, and on bridging the gap between Sec and Dev teams in particular, is Veracode. It does this by integrating well with both Dev and Sec processes while also allowing them to share information with each other and collaborate. Veracode is based on the same principle that code anomalies need to be detected early in the application lifecycle, and it does this with the help of Veracode Greenlight. Greenlight is a powerful tool that runs in the background while using minimal resources to detect defects in your code in real time. In addition to being integrated with GRC (governance, risk, and compliance), Veracode also excels at analytics.
One security platform that not only integrates well into the app development lifecycle but is open source as well is Snyk. While some pronounce it “snick” and others pronounce it “sneak,” the bottom line is it’s a great value security platform. Threats don’t normally jump in out of nowhere; they grow from underlying app dependencies that have degraded over time. The ability to map and track an application’s dependencies is among the key features of Snyk, along with, of course, the ability to find and fix vulnerabilities automatically based on an enriched and “hand-curated” vulnerability database. Snyk integrates with developer environments and offers automated remediations to problems identified in code while it’s still being written.
It’s been said quite often that the best defense is a good offense, and if you’re wondering how that applies to DevOps, think of Netflix’s Chaos Monkey program. For the uninitiated, they built a program to just randomly keep attacking themselves all day so they would learn to always be ready for a problem. A slightly more “domesticated” version is what we call penetration testing, which is basically an attempt to breach your own system’s security using the same tools that are available to potential attackers. This is a great way to ensure security at scale and a method that a number of security tools are now using to their advantage.
A good example is Chicago-based mobile security company NowSecure that was originally a mobile forensic lab and now provides best-in-class penetration testing services. NowSecure also integrates well with other threat intelligence solutions allowing insight into much broader data sets. Another example is HyperCube that takes pen testing a step further and creates a virtual model of your entire infrastructure so that it can be attacked at will without actually disrupting your live environment. Though this might sound like the kid-safe version of Chaos Monkey, not everyone is hardcore enough to actually attack their own live environments. HyperCube also excels in “zero-trust” networks, which we’re seeing a lot more of amid the global lockdown.
Zero-trust or perimeter-less are two new buzzwords that we’re probably going to see a lot more of as we progress into a new world where working from home is a necessity. With no well-defined perimeter to defend, we need to start looking at security not as a “fit-it-and-forget-it” one-time deal but as a service that will need to keep updating and innovating to keep up with the bad guys. There is no doubt that machine learning and artificial intelligence are going to play a key role in defending this new attack surface that is seemingly limitless in extent. What we definitely need more of are unconventional ideas like the folks at Nullafi, who are now focusing on protecting data where it lies instead of looking for a perimeter to defend.