BACKGROUND IMAGE: traffic_analyzer/iStock

E-Handbook:

Security in open source software isn't automatic

Q
Problem solve Get help with specific problems with your technologies, process and projects.

Automated security testing frees devs to prevent breaches

Common software security mistakes include testing at the last minute and not testing open source code and VMs. Expert Matt Heusser suggests ways to avoid these and other missteps.

Businesses want to deploy a lot of products. Consequently, developers are pushed to deploy code frequently -- multiple...

times a day -- and features every one or two weeks. In this rush to produce software, security testing usually gets neglected.

You can either choose to test thoroughly and deliver once a quarter, or do security poorly and release quickly and continuously. However, there is a third option: automated security testing.

I'm reluctant to give developers additional work. I've seen that overworked developers will skip security testing. If possible, streamline their workloads; otherwise, they will become weak links.

Automated security testing is essential in rapid application development and must be in place early on. You can't do a threat model analysis without automation or else developers will have to validate every single feature. In this model, more checkboxes will keep getting added. Then all of a sudden, there's a big template that either nobody ever follows or they spend too long completing.

Simplify and modernize documentation

One way to help developers and testers is to replace static documentation with living documentation. Use a living documentation tool that makes it easy to enter a change, save and then notify others. Also, each file in a living document describes what a portion of code is supposed to do. You can't do that with Word or Excel. Nonetheless, some dev and test groups still use Word.

The most common tool is a wiki. A wiki, which is small and easy to constantly update, will comparatively show everyone's day-to-day work. That way, when the software pops out of the first build, it is more secure.

I know at least one small development team that uses an Excel spreadsheet, which is the official company process. When the auditors review, it looks like the developers have checked off all the right things. The joke is that those documents have no real value to anyone on the team, aside from saying -- disingenuously -- that security measures have been taken. The team members want to perform minimal security processes so that they can get back to developing and releasing.

Who's minding VM and open source security?

I sometimes consult with a company and discover that no one is paying attention to security. That's not to say that the company has automated security testing to the point where human intervention isn't needed. I mean that developers are running systems with zero oversight. It's common to see no one minding the security of virtual machines (VMs) and cloud applications.

I'm reluctant to give developers additional work. I've seen that overworked developers will skip security testing.

Many figure that VMs only exist to provide demands around testing and will never have production apps on them. That's faulty thinking. Software residing in VMs has to be updated as it gets patched. Some companies aren't aware of that. It's a solvable problem that's not being taken seriously.

On the cloud side, I've seen companies move apps to the cloud and pretty much turn off their own app security practices. That level of trust is naïve these days.

Too many companies trust the security of popular, well-known open source code, components and apps. Let's say a dev team chooses to use code from an unheard-of open source project in order to solve a unique problem it has. Because the code is not widely used, that team doesn't perform its security due diligence. Developers are more likely to let it be someone else's concern if they use open source software, like Apache. They may not have the time or the budget for scanning tools. They'll just piece some open source tool together and throw it out on the web.

This was last published in April 2018

Dig Deeper on Automated Software Testing

Have a question for an expert?

Please add a title for your question

Get answers from a TechTarget expert on whatever's puzzling you.

You will be able to add details on the next page.

Join the conversation

2 comments

Send me notifications when other members comment.

Please create a username to comment.

What automated security test tools does your Dev or Ops team use?
Cancel
Matt, Great point on Open Source. Here's a report that looks at the security of Open Source components, examining 61 projects. It looks at the health of OSS apps by categories. The highest scoring apps include Analytics, Framework, Cloud/DevOps, while the low scorers include Blockchain, programming language and Database apps.  Adding to these gaps, we found that OSS Frameworks scored worst on system-level rules. This can lead to more prevalent outages and successful hacker activity (ex. the Equifax breach). Frameworks—the basis for business applications– are probably some of the more exploited OSS, and hackers know that. This also supports the statistic that system-level rule violations are the root cause of more than 90% of outages in production.  You can access the report free here: http://content.castsoftware.com/download-wp-software-intelligence-report
Cancel

-ADS BY GOOGLE

SearchMicroservices

TheServerSide.com

SearchCloudApplications

SearchAWS

SearchBusinessAnalytics

SearchHRSoftware

SearchHealthIT

DevOpsAgenda

Close