Embracing DevSecOps: Building Security into Cloud-Native Development Workflows
By Mark Kriaf, Partner Solutions Architect at AWS
By Ryan Lloyd, Vice President, Product Management at Veracode
Time limitations, increasing demands, rapid technology adoption through the digital shift, and the need to stay innovatively sharp are just some of the challenges software developers face today.
Developers are in the trenches when it comes to creating quality code. They are typically very comfortable with their existing tools, so introducing something new can be a challenge as well.
Automation and integration are critical to producing applications with fewer flaws at a speed that won’t slow developers down.
However, this is only possible with a well-planned DevSecOps program and the right tools embedded into your software development lifecycle.
In this post, we’ll dig into the importance of the digital shift and how you can implement DevSecOps into existing workflows with the combined control of Veracode’s scanning tools and Amazon Web Services (AWS) integrations.
Veracode is an AWS Advanced Technology Partner with the AWS DevOps Competency. Veracode application security (AppSec) solutions create secure software, reduce the risk of security breach, and increase security and development teams’ productivity.
Making the Switch to Digital
The digital shift is well under way. We know from the 2019 Gartner report “Formulate a Cloud Strategy” that by 2022, 70 percent of organizations expect to have a formal cloud strategy in place. Shifting to the cloud reduces operational costs, increases efficiency of security and development teams, and reduces downtime.
Security in the software development process must adapt in order to keep pace. This is especially important in application development, where outdated testing tools cause lengthy scan cycles and legacy policy or compliance goals don’t always fit a modern workflow.
AppSec in the cloud is the remedy many organizations need during their digital shift, as it enables them to keep code secure without interrupting the development process or slowing teams down.
Cloud-native AppSec not only empowers organizations to shift security sooner in the development process and find flaws faster, but also provides a platform for accelerating development workflows and increasing the output of quality code.
As more organizations transition applications to the cloud, or build new cloud-native apps and services, they must ensure they are keeping security top of mind with the right integrations, training, support, and most importantly, the right cloud architecture.
DevSecOps Security in Your Pipeline
The accelerated adoption of cloud services by core customers is proof positive that this trend is continuing and is too critical to ignore.
Veracode made the decision to switch to AWS for its cloud architecture when it became clear customers needed more flexibility. As a software-as-a-service (SaaS) provider, that gave Veracode the scalability required to handle the millions of security scans customers perform every year.
Building cloud-native applications allows customers to take advantage of services and AWS Software Developer Kits (SDKs) so they don’t have to reinvent the wheel to work around technical limitations.
Additionally, Veracode for AWS CodeStar is a set of DevOps offerings for scaling CI/CD pipelines in the cloud. This comes with scaling advantages and the ability to template your pipeline as infrastructure. Veracode’s solutions fit in as part of that cloud-based CI/CD pipeline with integration to AWS CodeBuild and AWS CodePipeline.
Utilizing AWS, Veracode sees customers adopting optimized Static Analysis (SAST) and Software Composition Analysis (SCA) security tests in their CI/CD pipelines, which they can integrate through CodeBuild and CodePipeline.
Through the My Code, Our Code, and Production Code phases of the software development process, these scans play an integral role in catching security flaws quickly, while also providing actionable feedback and guidance. In the My Code phase, leverage IDE scans (SAST and SCA) to test your code while you work and prevent the introduction of new vulnerabilities.
SAST, SCA, and IAST fit within the Our Code phase as pipeline scans, providing fast feedback on open source and proprietary code in under 90 seconds to help prioritize remediation efforts. Finally, in the Production Code phase, policy scans (SAST, SCA, DAST, and penetration testing) enable you to prove security measures for auditing and reporting ahead of deployment.
Figure 1 – My Code, Our Code, Production Code.
Security testing in a typical developer workflow may include:
- Agent-based SCA scans: Agent-based SCA scans run after a build step to give developers a look at the source and built artifacts with feedback on third-party dependencies, which often carry flaws.
- Pipeline scans: Pipeline scans (SAST, SCA, IAST) enable developers to scan from their pipeline as part of a CI/CD process for early and immediate feedback on every build.
- Policy scans: Policy scans (SAST, SCA, DAST, Penetration Test) allow developers to scan at release time with an applied policy to ensure the risk of the release is clearly understood.
- Sandbox scans: Sandbox scans are like a branch inside the application; developers can scan the branch to understand whether it will pass current policy requirements.
In a typical developer workflow utilizing AWS CodeBuild, developers can configure scans in the pipeline for fast pass or fail tests on security issues when they push code for a new feature.
These scans can run alongside other critical unit and integration testing processes in CodeBuild, such as a policy scan that allows organizations to share policy status across the board. That provides improved security and the transparency key stakeholders need.
As developers are coding, they can leverage the IDE scan for just-in-time feedback at the file level. Once developers are ready to push code to their team pipeline via CodeBuild, they can then leverage the pipeline scan and the SCA agent scan to ensure that, on every commit, their team’s first- and third-party code is free of gating security issues.
As teams merge to their master branch for release via CodeBuild, they can run a final policy scan to confirm their release candidate is free from any gating security issues and share their application’s policy status with relevant stakeholders across the organization.
Figure 2 – AWS integration workflow.
For many Veracode customers, integration with CodeBuild and CodePipeline is achieved through AWS CloudFormation templates that represent typical pipeline variations. This may include steps for policy or sandbox scans—with and without SCA.
The pipeline can be defined in infrastructure as code (IaC), making it easier for developers to build their development pipeline once a project kicks off.
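As an added example (not from this post, and not one of Veracode’s or AWS’s own templates), the following CodeBuild buildspec wires the pipeline scan described above into a build as a pass/fail gate. It assumes a Maven project that produces target/app.jar and a Secrets Manager secret named veracode/pipeline-scan holding the API credentials; both names are constructed placeholders.

```yaml
version: 0.2

env:
  secrets-manager:
    # Constructed secret name: keep the Veracode API credentials in Secrets Manager,
    # never in the buildspec or the CloudFormation template that defines the pipeline.
    VERACODE_API_ID: "veracode/pipeline-scan:api_id"
    VERACODE_API_KEY: "veracode/pipeline-scan:api_key"

phases:
  install:
    runtime-versions:
      java: corretto11
  pre_build:
    commands:
      # Fetch the Pipeline Scan client; the archive contains pipeline-scan.jar.
      - curl -sSO https://downloads.veracode.com/securityscan/pipeline-scan-LATEST.zip
      - unzip -o pipeline-scan-LATEST.zip
  build:
    commands:
      # Assumed build step; the scanner analyses the packaged artifact, not the source tree.
      - mvn -q -DskipTests package
  post_build:
    commands:
      # The gate: the scanner exits non-zero when findings at the listed severities exist,
      # which fails this CodeBuild stage and stops CodePipeline from promoting the build.
      # Lower the threshold (e.g. add "Medium") as the team's policy tightens.
      - >-
        java -jar pipeline-scan.jar
        --veracode_api_id "$VERACODE_API_ID"
        --veracode_api_key "$VERACODE_API_KEY"
        --file target/app.jar
        --fail_on_severity "Very High, High"

artifacts:
  files:
    # results.json is the scanner's default output; keeping it as a build artifact
    # gives developers the finding details (CWE, file, line) for remediation.
    - results.json
```

Because the same buildspec is referenced from the CodeBuild project in the CloudFormation template, the gate travels with the pipeline definition rather than being configured by hand per project.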
As both CodeBuild and CodePipeline enable organizations to scale and speed up their CI/CD infrastructure at pace with the applications in production, it further improves efficiency and saves valuable time for customers.
This short video describes how a user runs Veracode scans on their pipeline.
Cloud-Native Technology Support
Using the Veracode solution, users can scan code that’s deployed in containers, as well as the images themselves, for vulnerabilities while they use containers to scale production and streamline costs and environments.
The cloud also delivers an opportunity for organizations to leverage new technologies they otherwise wouldn’t have been able to integrate and automate. For example, to keep up with customer needs for scalability and speed, AWS services allow Veracode to architect new solutions from the keyboard up using services like AWS Lambda and AWS Key Management Service (AWS KMS).
The use of Lambda functions and serverless computing would not be possible without the cloud, presenting more opportunity to test code for vulnerabilities well in advance of application deployment.
With new technology comes new risk. Security challenges, for example, are bound to arise whenever a tool is introduced into an organization’s tech stack, as they all bring varying behaviors and features into the mix.
Veracode’s built-in support for performing a Static Analysis assessment of the AWS SDKs helps customers get ahead of potential roadblocks. Veracode’s solution supports the analysis of packaged Lambda functions so the risk of the components is clear to developers.
With the right infrastructure, tools, and automation in place, there’s still one missing piece of the puzzle: developer security training.
While an organization can build the proper integrations into its developer workflow for security analysis, it’s important not to overlook the value of developer know-how when it comes to security. Developers carry that foundational knowledge with them from project to project, which improves the health of your organization’s code as they work.
Furthermore, just-in-time training where developers learn about a flaw or vulnerability in the moment of fixing doesn’t do much to ensure they carry security knowledge with them as they move to a new project. Just-in-time education slows the entire team down, as developers need to pause to find a fix for a flaw. This creates roadblocks that are otherwise fixable with meaningful hands-on training.
Figure 3 – Veracode Security Labs leaderboard and certifications.
Veracode Security Labs checks all the boxes as a hands-on training tool that provides real examples of applications in contained environments for remediation guidance that counts.
Developers can work on exploiting and patching code in the languages they use most, which means that practical knowledge sticks. Through the free Veracode Security Labs Community Edition, developers can improve their security know-how within their budget.
Figure 4 – Veracode Security Labs interface.
In the screenshot above of the Veracode Security Labs interface, the user is navigating the code of an actual ReactJS-based web application to discover and patch flaws, embedding critical skills into their workflow.
Veracode is continuing to focus on building training that’s relevant to various AWS use cases for customers so that developers can prepare for their move to the cloud.
It’s impossible to overlook today’s shift to digital and the need to adopt secure cloud infrastructure, especially with dispersed teams and the increase of cybersecurity threats.
As it’s clear that automation and integration are key pieces of the puzzle when it comes to building more secure applications on schedule, Veracode hit the ground running to improve developer workflows with GitHub Actions and achieve the AWS DevOps Competency status.
Undergoing a digital transformation while implementing DevSecOps methodologies and solutions means the combined impact of Veracode’s scanning tools and AWS integrations can set you on the path to preventing damaging breaches and attacks.
Utilizing the right integrations and a full suite of solutions from a vendor you trust, laying the groundwork for a strong program foundation that centers on security in the cloud is an achievable advancement that will set your organization—and your developers—on the path to creating more innovative applications.
Veracode – AWS Partner Spotlight
Veracode is an AWS Advanced Technology Partner that helps companies move their business forward by enabling the creation of more secure software, reducing the risk of a breach, and increasing the productivity of security and development teams.