DevOps came about with the understanding that software development and information technology operations work together to improve deployment frequency, while maintaining service stability. In this process, security was not often part of an original build, but rather “bolted on” afterwards. The new (and better) thinking is DevSecOps, which removes security from its silo and incorporates it into the software development lifecycle: code review, build, and deployment.
Further, DevSecOps:
- Addresses the need for proactive security rather than reactive remediation following a data breach or malware attack;
- Provides the ability to detect and fix security issues earlier in the development process, which reduces the cost of identifying and correcting them;
- Enables the implementation of security through the entire continuous integration continuous delivery (CI/CD) pipeline; and
- Allows for speed of delivery and compliance at scale
Ultimately, the automation of software tools, services, and standards through DevSecOps is enabling organizations and government agencies to deliver applications more rapidly while also incorporating security into the process. In fact, many engineers and security professionals believe that combining automation with security is the best way to scale effectively and achieve cyber resilience.
DevSecOps Challenges: Open Source & Code Vulnerabilities
According to the Sonatype DevSecOps Community Survey 2019, 85% of modern applications are built from open source components – and breaches tied to those software components increased 71% over the past five years. Organizations with mature DevSecOps practices keep a complete software bill of materials and control which open source and third-party components, libraries, and binaries are used.
With an industry average of 15-50 bugs per thousand lines of code, even the best code contains bugs. SAST (Static Application Security Testing) is useful for analyzing source code without executing it, and DAST (Dynamic Application Security Testing) works on a running application. Even when used in tandem they will only get a developer so far. That’s because such tools are applied primarily to new builds and can miss vulnerabilities hidden within third party commercial or open source frameworks, middleware, and libraries – or appear in a different layer of the software stack. It’s much more cost effective and in keeping with the need to move quickly to use automated security up front.
DevSecOps Requires a Solution at Speed
Enterprise software has to be developed and commercialized at an ever-increasing pace – but with fewer defects, especially those that can become vulnerabilities and cause problems in production. Accenture’s 2019 Cost of Cybercrime Study notes that malware is the most expensive attack type for organizations, now averaging $2.6 million per incident. Microsoft recently revealed that about 70% of all vulnerabilities in their products are memory safety issues. These statistics demonstrate the overwhelming need for automating processes and orchestrating security workflows.
The requirement then is for automated binary security that can be easily applied to the cloud as well as to container orchestration tools such as Kubernetes and Docker Swarm. In today’s connected, distributed, virtualized computing environments, it’s rational to assume that networks will be breached. Having scrambled binaries can protect both hardware and software.
Runtime Application Self Protection as Automated Binary Security
Memory corruption attacks try to trick a software program into running attacker-provided code, instead of programmer-written code. For this to work, the attacker must find vulnerabilities in the software binary code that allow for the injection of code and/or the redirection of execution. Runtime Application Self Protection (RASP) is a security technology that uses runtime instrumentation to detect and block cyberattacks by employing information from inside the running software.
RASP technology:
- Improves the security of software by monitoring its inputs and blocking those that could allow attacks, while protecting the runtime environment from unwanted changes;
- Prevents exploitation and possibly take other actions, including terminating a user’s session, shutting down the application, alerting security personnel and sending a warning to the user;
- Closes the gap left by application security testing and network perimeter controls, neither of which have enough insight into real-time data and event flows to prevent vulnerabilities from slipping through the review process or block new threats that were unforeseen during development.
The Benefits of Alkemist for DevSecOps
RunSafe Security’s Alkemist hardens software binaries using RASP techniques. The process is termed cyberhardening, and it combats memory corruption errors and buffer overflow exploits – the weaknesses that attackers typically use to gain control of embedded systems and devices. This cyberhardening process can be easily integrated into the DevSecOps pipeline. It’s the essence of introducing security earlier in the software development lifecycle, thereby minimizing the number of exploitable vulnerabilities.
Every line of code and memory block that is called or utilized has randomization and hardening applied to thwart an attacker from understanding the memory topology of a device for malicious replication across a system. In this way security is added automatically.
By precluding an exploit from spreading across multiple devices and networks, Alkemist eliminates an entire class of cyberattacks, providing protection against downtime and data exfiltration. Additionally, by hardening binaries (in other words, baking in security), Alkemist denies malware the uniformity necessary to execute and propagate, thereby preserving developers’ intent. Alkemist works automatically and quickly, speeding deployment with security built in.
Want to learn more about how to increase cyber resilience using Alkemist? Contact us today to start the conversation.