
Application Security
8/13/2020 02:00 PM
Guy Podjarny
Commentary

Secure Development Takes a (Remote) Village

The shift to work from home isn't just about giving your Dev team the physical tools they need.

Development is a collaborative process. Yes, it requires stretches of focused time to create, but all developers heavily depend on their teammates to help plan the right solution, build the different components in it, and review any changes made. Furthermore, the development team needs to collaborate with the rest of the business to make sure its creation achieves the outcomes they all aim for. 

This collaboration has been shaken up by the full-time remote work forced upon practically all developers as a result of COVID-19. Some teams are better equipped to handle it than others, but few are truly immune to the change. The complete absence of in-person whiteboard sessions, hallway conversations, and friendly chats by the coffee machine means we now have to adapt how we work together to create and deliver great software.

Security is at even greater risk of being ignored. For starters, risk is naturally invisible, which makes it all too easy to overlook. Second, the practices of secure development are still being formed and now require more careful hand-holding. Last, collaboration between development and security teams is often not great in normal times, and it can easily worsen now.

What's needed? We must make a concentrated effort to secure development while working from home. Below are five best practices that both dev and security teams should adopt:

Practice 1: Empower developers to build with security front of mind.
To encourage developers to build with a security-first mindset, they first need to understand what good looks like and what is expected of them when it comes to cybersecurity. The best way to do this is to provide developers with comprehensive guidelines for security processes. This will allow them to move items forward without having to stop and wait for approval. Empowering developers with such responsibility will help them to feel more confident that they're ultimately building fully secure applications because they asked the right questions along the way. 

Practice 2: Invest in security visibility
You can't empower developers to embrace security without giving them visibility into the critical vulnerabilities. Here are a few ways to do that:

  • Build a detailed software bill of materials (SBOM) for each application so your dev team knows if any newly disclosed vulnerabilities will affect their in-progress projects.  
  • Raise awareness across the full team of vulnerabilities discovered in builds that weren't severe enough to break the build, either in Slack or an equivalent internal communications channel, so you can avoid repeat mistakes across teams.
  • Create leaderboards showing how well different teams are handling security issues. This is a fun way to stoke competition while learning from each other.
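The first bullet above is the one that pays off as soon as a new advisory lands: with a per-application SBOM on hand, the question "does this affect anything we are building right now?" becomes a lookup rather than a hunt. The script below is an added example for this article, not code from the author or from Snyk. It takes a CycloneDX-style SBOM and an advisory feed, both constructed inline, and reports every component whose version falls inside an affected range. The advisory IDs are placeholders, and the version comparison handles plain dotted numeric versions only.

```python
"""Match a software bill of materials against newly disclosed advisories.

Added example for this article, not code from the author or from Snyk.
The SBOM below follows the shape of a minimal CycloneDX JSON document and
the advisory feed is constructed; the advisory IDs are placeholders.
"""
import json

# Constructed SBOM for an in-progress project (CycloneDX-style JSON).
SBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"type": "library", "name": "lodash", "version": "4.17.15",
         "purl": "pkg:npm/lodash@4.17.15"},
        {"type": "library", "name": "express", "version": "4.17.1",
         "purl": "pkg:npm/express@4.17.1"},
        {"type": "library", "name": "minimist", "version": "1.2.5",
         "purl": "pkg:npm/minimist@1.2.5"},
    ],
})

# Constructed advisory feed in an OSV-like shape: a component is affected when
# introduced <= version < fixed. IDs are placeholders, not real CVEs.
ADVISORIES = [
    {"id": "ADV-EXAMPLE-0001", "ecosystem": "npm", "package": "lodash",
     "introduced": "0", "fixed": "4.17.19"},
    {"id": "ADV-EXAMPLE-0002", "ecosystem": "npm", "package": "minimist",
     "introduced": "0", "fixed": "1.2.3"},
    {"id": "ADV-EXAMPLE-0003", "ecosystem": "npm", "package": "express",
     "introduced": "5.0.0", "fixed": "5.0.1"},
]


def parse_version(version: str) -> tuple:
    """Turn '4.17.15' into (4, 17, 15). Only the leading digits of each dotted
    part are used, so '1.2.3-beta' compares as 1.2.3. Good enough for numeric
    versions; not a full semver implementation."""
    parts = []
    for piece in version.split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def is_affected(version: str, advisory: dict) -> bool:
    """True when introduced <= version < fixed (half-open range)."""
    v = parse_version(version)
    return parse_version(advisory["introduced"]) <= v < parse_version(advisory["fixed"])


def ecosystem_of(purl: str) -> str:
    """Extract the ecosystem from a package URL: 'pkg:npm/lodash@4.17.15' -> 'npm'."""
    if not purl.startswith("pkg:"):
        return ""
    return purl[len("pkg:"):].split("/", 1)[0]


def match_sbom(sbom_json: str, advisories: list) -> list:
    """Return one record per (component, advisory) pair that affects the project."""
    sbom = json.loads(sbom_json)
    hits = []
    for comp in sbom.get("components", []):
        eco = ecosystem_of(comp.get("purl", ""))
        for adv in advisories:
            if (adv["ecosystem"] == eco and adv["package"] == comp["name"]
                    and is_affected(comp["version"], adv)):
                hits.append({
                    "advisory": adv["id"],
                    "component": comp["name"],
                    "version": comp["version"],
                    "fixed_in": adv["fixed"],
                })
    return hits


if __name__ == "__main__":
    for hit in match_sbom(SBOM_JSON, ADVISORIES):
        print(f"{hit['advisory']}: {hit['component']}@{hit['version']} "
              f"is affected, fixed in {hit['fixed_in']}")
```

Run against the constructed data, only the lodash entry is reported: minimist is already past its fixed version, and the express advisory starts at a major version the project has not adopted. Matching on ecosystem as well as name matters in practice, since the same package name can exist in several registries.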

Practice 3: Instead of breaking the build, fail pull requests.
Breaking the build due to a security violation is a popular CI/CD security measure, but it's also disruptive. This is especially true when working remotely, as it takes that much longer to figure out the problem and get it resolved. Instead, fail pull requests; this has several advantages, including:

  • They allow you to test only the new code changes, which should be within the developer's control to fix. 
  • They're more local to the branch where code is modified, empowering developers and maintaining individual autonomy.
  • You can choose whether a failed pull request check blocks a merge or is merely informational, again allowing developers to make their own judgment calls.
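A pull request check that honours the first and third points needs two things: it must look only at lines the change adds, and it must let the team decide whether a finding blocks the merge or is just reported. The script below is an added example for this article, not the author's or any vendor's tooling. It parses a constructed unified diff, extracts the added lines with their new-file line numbers, runs two simple pattern checks over those lines only, and turns the result into a CI exit status controlled by a blocking flag. The access-key value in the diff is a made-up placeholder shaped like an AWS access key ID; the patterns illustrate the "leaked tokens" category and are not a complete secret scanner.

```python
"""Check only the lines a pull request adds, and decide whether a finding
blocks the merge or is informational.

Added example for this article, not the author's or any vendor's tooling.
The diff below is constructed; the access-key value in it is a made-up
placeholder chosen to match the AWS access-key-ID pattern.
"""
import re
import sys

# Constructed unified diff standing in for a pull request's changes. One
# secret is removed, one secret sits on an unchanged context line, and one
# new hardcoded key is added: only the added one should be reported.
SAMPLE_DIFF = """\
diff --git a/app/config.py b/app/config.py
--- a/app/config.py
+++ b/app/config.py
@@ -1,4 +1,5 @@
 import os
-DB_PASSWORD = "old-hardcoded-pass-1"
+DB_PASSWORD = os.environ["DB_PASSWORD"]
+AWS_KEY = "AKIAEXAMPLEEXAMPLE00"
 LEGACY_TOKEN = "context-line-secret-xyz"
 DEBUG = False
"""

HUNK_RE = re.compile(r"^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@")

# Checks applied to added lines. Deliberately simple illustrations of the
# "leaked tokens" category, not a complete secret scanner.
CHECKS = [
    ("aws-access-key-id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("hardcoded-credential",
     re.compile(r"(?i)(password|passwd|secret|token)\w*\s*=\s*[\"'][^\"']{8,}[\"']")),
]


def added_lines(diff_text: str) -> list:
    """Return (path, new_line_number, text) for every line the diff adds.
    Removed lines and unchanged context are skipped, which is what scopes the
    check to the developer's own change."""
    path, lineno, out = None, 0, []
    for raw in diff_text.splitlines():
        if raw.startswith("+++ "):
            path = raw[4:]
            path = path[2:] if path.startswith("b/") else path
            continue
        if raw.startswith("--- ") or raw.startswith("diff "):
            continue
        m = HUNK_RE.match(raw)
        if m:
            lineno = int(m.group(1))  # first line number on the new-file side
            continue
        if raw.startswith("+"):
            out.append((path, lineno, raw[1:]))
            lineno += 1
        elif raw.startswith(" ") or raw == "":
            lineno += 1  # context line: present in the new file, not scanned
        # '-' lines were removed and have no line number in the new file
    return out


def scan_pull_request(diff_text: str) -> list:
    """Run every check over the added lines only."""
    findings = []
    for path, lineno, text in added_lines(diff_text):
        for name, pattern in CHECKS:
            if pattern.search(text):
                findings.append({"check": name, "file": path, "line": lineno})
    return findings


def gate(findings: list, blocking: bool) -> int:
    """CI exit status: non-zero only when the check is configured to block."""
    return 1 if (blocking and findings) else 0


if __name__ == "__main__":
    # Pass --block to make findings fail the check; omit it for an
    # informational run that still prints them.
    blocking = "--block" in sys.argv
    results = scan_pull_request(SAMPLE_DIFF)
    for f in results:
        print(f"{f['file']}:{f['line']}: {f['check']}")
    sys.exit(gate(results, blocking))
```

On the constructed diff, the removed hardcoded password and the pre-existing `LEGACY_TOKEN` context line are both ignored and only the newly added key on line 3 of `app/config.py` is reported, which keeps the finding within the scope the developer can actually fix in that branch.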

Practice 4: Partner up!
To help remote developers know whom to turn to when they have a security question, match up individuals from security teams with a dev person and vice versa. Building these one-on-one relationships will create a stronger overall rapport between the two functions.

Practice 5: Focus on security basics first.
It can seem counterintuitive, but when it comes to security, prioritize the basics before the esoteric attacks. Scaling how well you handle vulnerable components, configuration mistakes, and leaked tokens should take priority. Once your remote dev teams have ticked these boxes, they'll be better equipped to tackle more involved, multifaceted security challenges as they emerge.

Practice 6: Improve SSH security.
As more machines go remote, the risk of a developer machine being compromised is higher. These dev machines often have access to sensitive systems, such as source code repositories or production systems they can SSH into. These three steps can help secure those channels more effectively and mitigate potential damage:

  • Enable mutual key-based authentication. 
  • Enable or reduce session timeouts. 
  • Enable stronger identity-based authentication. 
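The three steps map onto a handful of OpenSSH server options, and a short audit script makes it easy to see which of them a given host still misses. The script below is an added example for this article, not the author's or any project's code. It parses an `sshd_config` the way sshd reads it (first occurrence of a keyword wins, global section only), fills in the OpenSSH defaults for anything absent, and reports each step that is not met. Both configurations are constructed; the hardened one assumes a second factor is delivered through keyboard-interactive authentication (for example a PAM one-time-password module), which the script does not set up, and the timeout thresholds are this example's own choices. On the client side, host key verification (`StrictHostKeyChecking`) is the other half of "mutual" authentication and is outside what a server-side audit can see.

```python
"""Audit an sshd_config against the three steps above.

Added example for this article, not the author's or any project's code. Both
configurations below are constructed; the hardened one assumes a second
factor is delivered through keyboard-interactive authentication (for
example a PAM one-time-password module), which this script does not set up.
"""
import re

# Constructed permissive configuration: passwords accepted, no idle timeout,
# any single authentication method is enough.
WEAK_CONFIG = """\
Port 22
PasswordAuthentication yes
PubkeyAuthentication yes
ClientAliveInterval 0
"""

# Constructed hardened configuration applying the three steps.
HARDENED_CONFIG = """\
Port 22
# Step 1: key-based authentication only (the client verifies the server's
# host key; StrictHostKeyChecking on the client side is the other half).
PubkeyAuthentication yes
PasswordAuthentication no
# Step 2: drop idle sessions and slow logins.
ClientAliveInterval 300
ClientAliveCountMax 2
LoginGraceTime 30
# Step 3: require a key plus a second factor (second factor via PAM, assumed).
KbdInteractiveAuthentication yes
AuthenticationMethods publickey,keyboard-interactive
"""

# OpenSSH defaults for the options checked, used when a keyword is absent.
DEFAULTS = {
    "pubkeyauthentication": "yes",
    "passwordauthentication": "yes",
    "clientaliveinterval": "0",
    "logingracetime": "120",
    "authenticationmethods": "any",
}


def parse_sshd_config(text: str) -> dict:
    """Map lower-cased keywords to their first value. sshd uses the first
    occurrence of a keyword, and this parser stops at the first Match block,
    so only the global section is audited."""
    opts = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            break
        opts.setdefault(key, value)
    return opts


def to_seconds(value: str) -> int:
    """Parse sshd time formats such as '30', '2m' or '1h'."""
    units = {"s": 1, "m": 60, "h": 3600}
    value = value.lower()
    if value and value[-1] in units:
        return int(value[:-1]) * units[value[-1]]
    return int(value)


def audit_sshd(opts: dict) -> list:
    """Return one message per step that the configuration does not meet."""
    def get(key):
        return opts.get(key, DEFAULTS[key])

    findings = []
    # Step 1: key-based authentication on the server side, passwords off.
    if get("pubkeyauthentication").lower() != "yes":
        findings.append("step 1: PubkeyAuthentication is disabled")
    if get("passwordauthentication").lower() != "no":
        findings.append("step 1: PasswordAuthentication is not disabled")
    # Step 2: session timeouts. The 15 min and 60 s limits are this
    # example's assumptions, not OpenSSH recommendations.
    interval = to_seconds(get("clientaliveinterval"))
    if interval == 0 or interval > 900:
        findings.append("step 2: ClientAliveInterval is 0 (no idle timeout) or longer than 15 min")
    if to_seconds(get("logingracetime")) > 60:
        findings.append("step 2: LoginGraceTime is longer than 60 s")
    # Step 3: stronger identity-based authentication: every permitted chain
    # must include a public key and at least one further method.
    methods = get("authenticationmethods").lower()
    if methods == "any":
        findings.append("step 3: AuthenticationMethods unset, any single method suffices")
    else:
        for chain in methods.split():
            steps = chain.split(",")
            if "publickey" not in steps or len(steps) < 2:
                findings.append(f"step 3: chain '{chain}' does not require a key plus a second factor")
    return findings


if __name__ == "__main__":
    for label, text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{label}: {audit_sshd(parse_sshd_config(text)) or 'no findings'}")
```

The weak configuration produces four findings and the hardened one none. Note that an empty configuration audits exactly like the weak one: every option the weak file sets explicitly is already the OpenSSH default, which is why a host that was never touched is the case worth worrying about.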

Practice 7: Bug Bounties
Bug bounties are a good way to add an extra layer of security assessment capability. Check out Bugcrowd or HackerOne; they can guide you through much of the process of setting up your own program if desired.

The shift to remote work isn't just about making sure members of your team have the physical tools they need to work away from the office. It's about recreating the positive aspects of an office environment so that developers can achieve great results by collaborating with their chosen "village."

Guy Podjarny (@guypod) is a cofounder at Snyk.io focusing on securing open source code. Guy was previously CTO at Akamai following their acquisition of his startup, Blaze.io. Prior to that, Guy worked on the first web app firewall & security code analyzer, and dealt with ...