How to ensure development safety, saving time and nerves

    The transition to the digital segment of banks, retail, medicine and other vital branches of production and services has provoked numerous security threats. Today, around the world, the activity of attackers continues to grow, and the issues of protecting user and corporate data from theft and intentional damage are increasingly becoming the subject of discussion by professionals.

    How should business and IT integrate security into the development process, which tools are best suited for this, and how does all of this play out in actual implementation practice? We share the approaches of Rostelecom, M.Video-Eldorado, DD Planet and AGIMA.

    Yaroslav Aleksandrov, Head of Development of Solar appScreener at Rostelecom, on how to integrate SAST into development


    As a company grows and the number of developers increases, checking the product for vulnerabilities “manually” becomes increasingly difficult. You have to use SAST (Static Application Security Testing). At Solar appScreener, information security is built on the basis of an in-house product that analyzes source code. Today it supports 26 programming languages whose source code can be analyzed for vulnerabilities, as well as all popular formats and project management systems.

    How to choose SAST?


    Even a simple vulnerability cannot be found with primitive algorithms. Today there are many SAST solutions on the market, both paid and free. The most popular of them are AppScan from IBM Security, Synopsys, Veracode, Application Inspector, Micro Focus, Appercut and Checkmarx.

    The effectiveness of the development process depends on the choice of tool. The main advantages of paid solutions:

    • Focus on security: specific algorithms and large rule bases.
    • Support for many programming languages.
    • User friendly interface.
    • Availability of plugins and API.
    • Availability of technical support for the tool.

    Free tools and web interfaces are often inferior to paid ones because they use simpler algorithms and less complete rule bases. Their main task is to find errors in the code; the specialization and functionality of such solutions is usually very narrow.

    Once the SAST solution is selected, you need to integrate it into the development process. Integration options include embedding the tool in the repository, in development environments, in CI/CD servers and in task tracking systems. A good tool can integrate with all of the listed classes of systems.

    Note: the tool's open API, which includes a JSON API and a CLI, provides ample opportunities for additional integration and automation.

    To select the tool that best meets the developer's goals and objectives, you need to compare the candidates both functionally and in terms of quality.

    A functional comparison is carried out on several parameters: the convenience of the interface and the convenience of integration with your own tools. It is important to run this verification on your own code.

    The next step is a quality comparison: the vulnerabilities found and the false positives are analyzed against your own code.

    The nuances and subtleties of code analysis


    The sooner a vulnerability is found, the cheaper it is for the developer and the customer. This means that the product must be periodically checked for vulnerabilities during the development process and additionally carry out control checks before release.

    Speed and resources: it is usually expected that the tool will work quickly, run on every change, and show on the fly who introduced a vulnerability and when. In practice, a SAST analysis of the code takes at least 8 hours, so it is difficult to run it on every change; it is difficult to identify the author of a vulnerability; and false positives occur. So the question arises: how to configure DevSecOps.

    It is very important here:

    • Calculate the time and resources to analyze your code.
    • Identify triggers for starting a scan based on the results.
    • Keep in mind that the required capacity will need to be recalculated periodically.
    • Incremental analysis is preferable, but it should be used with caution, since vulnerabilities can be lost.



    For example, you can run testing using SAST when a developer submits a task for review. You can also start scanning at the end of the working day.


    Another problem is false positives and reports that list a large number of vulnerabilities. Here the developer is advised to use the static analyzer's filters by vulnerability type and by file: exclude libraries, analyze criticality, and add exceptions for certain parameters. This work only needs to be done once so that information about false positives no longer ends up in the reports. It is also important to make sure that no new vulnerabilities appear, and to gradually work through the existing vulnerability backlog in the background.
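    The triage described above, as an added illustration (not code from Solar appScreener or Rostelecom): library paths and one-time exceptions are filtered out of a scan report, and the remaining findings are split into new ones, which block the review, and the known backlog. The finding format, the exclusion rules and the findings themselves are constructed assumptions.

```python
"""Triage of SAST findings: exclude library paths, apply one-time exceptions,
and separate new findings from the known backlog.

Added illustration of the approach described above, not code from
Solar appScreener or Rostelecom. The finding format, the exclusion rules
and all findings below are constructed assumptions."""
from dataclasses import dataclass
from fnmatch import fnmatch


@dataclass(frozen=True)
class Finding:
    rule: str       # analyzer rule id, e.g. "sql-injection"
    path: str       # file the finding points to
    line: int
    severity: str   # "low", "medium" or "high"


# Constructed report from one hypothetical scan run
REPORT = [
    Finding("sql-injection", "app/orders.py", 42, "high"),
    Finding("sql-injection", "vendor/libsql/driver.py", 10, "high"),
    Finding("hardcoded-password", "tests/fixtures.py", 7, "medium"),
    Finding("weak-hash", "app/legacy/auth.py", 88, "medium"),
    Finding("xss", "app/views.py", 120, "high"),
]

# Written once, so known false positives stop reaching the reports
EXCLUDE_PATHS = ["vendor/*", "node_modules/*"]       # third-party libraries
EXCEPTIONS = {("hardcoded-password", "tests/*")}     # test fixtures only
SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2}


def is_excluded(f: Finding) -> bool:
    if any(fnmatch(f.path, pat) for pat in EXCLUDE_PATHS):
        return True
    return any(f.rule == rule and fnmatch(f.path, pat) for rule, pat in EXCEPTIONS)


def filter_report(findings, min_severity="medium"):
    floor = SEVERITY_RANK[min_severity]
    return [f for f in findings
            if not is_excluded(f) and SEVERITY_RANK[f.severity] >= floor]


def identity(f: Finding):
    # Ignore the line number, so edits above a finding do not make an old
    # finding look new on the next scan.
    return (f.rule, f.path)


def split_new_and_backlog(findings, baseline):
    """New findings (absent from the baseline) block the review; the rest
    are the backlog to work through gradually in the background."""
    known = {identity(f) for f in baseline}
    new = [f for f in findings if identity(f) not in known]
    backlog = [f for f in findings if identity(f) in known]
    return new, backlog


# Baseline recorded when SAST was first introduced (constructed)
BASELINE = [Finding("weak-hash", "app/legacy/auth.py", 80, "medium")]


def gate(report=REPORT, baseline=BASELINE) -> dict:
    relevant = filter_report(report)
    new, backlog = split_new_and_backlog(relevant, baseline)
    return {"new": new, "backlog": backlog, "block_review": bool(new)}
```

    Running `gate()` on the constructed report blocks the review because of the two new findings, while the legacy weak-hash finding stays in the backlog.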

    When working on integrating SAST into the development process, it is important to implement processes gradually without blocking the release. The process sequence may be as follows:

    • Tool selection.
    • Description of the process (creation of regulations).
    • Description of technical solutions.
    • Implementation work.
    • Trial operation.

    It is better to start with the most critical systems: it is important to eliminate new vulnerabilities, carry out the design, and implement the regulations and technical solutions.

    The regulations must necessarily indicate:

    • Steps to check the code for vulnerabilities.
    • Who is responsible for starting the scan.
    • Roles and results.
    • How the communication process is organized.
    • The Service Level Agreement.
    • Who is responsible for process control.
    • The procedure for adding new systems to the process.

    This approach makes it possible to implement SAST in the development process within one calendar year. It is important to take all changes and risks into account.

    Final recommendations:

    • Use SAST at every stage of development.
    • Adapt the integration to your code and your process.
    • Start by fixing new vulnerabilities.
    • Gradually eliminate old vulnerabilities.
    • Create a process based on SAST.
    • Deploy gradually, starting with no impact on releases.

    Vladimir Sadovsky, Head of the M.Video-Eldorado Information Security Incident Monitoring and Response Team, on how to build a secure programming process


    The basic idea behind the concept of secure programming comes down to helping the business, accelerating processes, and minimizing the risk of problems caused by vulnerabilities in the product.

    The classic approach to security can be visualized as follows:



    Its main problem is the high cost of the improvements needed to ensure security. In addition, it is important to provide encrypted data transfer protocols, encryption of the integration bus transport protocol, and so on.

    Ecommerce sites are attacked more often than many others. The goal of such attacks is either to obtain some financial benefit (trick the program into giving away expensive goods for free) or to seize customers' personal data. Unfortunately, some problems cannot yet be closed with classic vulnerability scanners. For example, if the application authorizes users with a fingerprint scanner, no static analysis will reveal that this functionality is implemented incorrectly. This increases the risk of incidents in which intruders get into users' accounts in the application. At the same time, the closer the retailer's application is to release, the more expensive it becomes to fix vulnerabilities and bugs.

    The scheme for using the code security testing tools for the ecommerce platform may look as follows:



    It clearly shows which team implemented each piece of application functionality. If an error or vulnerability is found, that functionality goes back to this particular team for rework. As a result, the time spent fixing bugs and problems is reduced, because the original developers know their code best.

    Next comes final testing, during which the entire code of the finished product is analyzed and the remaining bugs are “cleaned up”.

    Retail Security Threats


    The main driver for retail is sales, whether through offline stores, the Internet, marketing or customer databases. Everything is aimed at getting as close to the user as possible. In addition, modern retail seeks to sell its products through omnichannel and launches various marketing campaigns and programs. All of this is interesting not only to consumers but also to intruders. This introduces an additional security metric: potential damage. The analysis is designed to identify bugs on the site, logic errors and classic security problems from which real consumers subsequently suffer.

    It is also important to understand that potential damage begins at the testing phase. It happens that the test environment is deeply integrated with production, so changes made during testing can cause incidents and problems. To avoid this, it is important to draw up a process map and take appropriate measures before development starts.

    If an external contractor is involved in the development, it is important to assess whether it is able to meet the necessary security requirements. For this, the competence of the developers and the level of the contractor in terms of Internet security must be assessed regularly. The contract should include clauses on developer certification and record who is responsible for errors that lead to damage. It is important to train development teams regularly and to provide comprehensive intellectual property protection.

    It is also very important to provide access control, organize a trusted environment, and configure monitoring and data leak prevention tools. Detailed requirements and policies for secure programming must also be formulated, and the versions of all open source and external libraries must be pinned.

    At the design stage, it makes sense to use a scenario approach: build a threat model and conduct risk analysis at several stages. When a new task comes to the developers, it is important to understand which business processes it will affect and to evaluate the initiative from the point of view of possible fraud scenarios at the level of business requirements. Each risk is considered under three probabilities: an optimistic estimate, an average one and a pessimistic one. Bots are sent to the site or application, and every tenth of them is malicious. Based on the three scenarios, the potential damage to the business is calculated.

    There are various static and dynamic analyzers that allow you to identify problems and fix them in time. The task of the IT department is to verify that the code chain works correctly from the point of view of technical requirements. The task of the security department is to check the code for security vulnerabilities.

    The search for security vulnerabilities in business logic boils down to the following aspects:

    • Implementation of security self-tests when testing applications.
    • Creating custom rules for a static analyzer tied to critical business processes and integrations.
    • Manual analysis of parts of the modified code, in the context of functionality that is highly critical based on the risks.
    • Searching for backdoors (malicious implants) in the code, and periodic audits of external libraries.

    Not all security issues can be found and eliminated at the code and development level. The task of the security department is to build and establish an effective process for managing vulnerabilities and incidents. To do this, you need to constantly analyze user behavior, profile users, and monitor their behavior. If it deviates from the usual business patterns, treat it as an incident and respond immediately.
    The following helps in analyzing user behavior:

    • Working with Big Data and building models of abnormal behavior and anomalies.
    • The process of monitoring and auditing JS scripts. Modern sites do not work without JS scripts, and they are often loaded from external resources. Therefore it is important to understand their functionality and what kind of threat JS scripts pose to the site.
    • Searching for vulnerabilities based on Google and Yandex analytics services and metrics.
    • Regular security testing of the project as a whole.
    • Using Bug Bounty to identify new vulnerabilities.
    • WAF integration to protect applications and respond effectively to problems.

    It is important to constantly collect and analyze data to identify new abnormal cases.

    Dmitry Nikulchev, DD Planet, on how to protect the data of users of web and mobile services


    Secure programming at DD Planet is based on several principles. The first is reliability: product behavior should be predictable, correct and trouble-free, even if the input data was entered incorrectly (accidentally or intentionally, as part of an attack on the product).

    The second is security: the ability to protect against external threats and attacks, and to remain operational after they are repelled and eliminated.

    The third is privacy: ensuring safe and correct handling of personal data. This is critical when developing enterprise and custom applications.

    For example, the Zhivu.RF service, developed and supported by DD Planet, is a private social network for neighbors and contains a lot of personal data. The user profile is confirmed through the State Services portal, and residence at a specific address (neighborhood) is confirmed by an extract from the USRN issued by Rosreestr. This places serious obligations on the developer regarding the protection of personal information.

    Storage and processing of user data


    We store all personal data in an ISPDn (Personal Data Information System). It is contained in an isolated virtual network with a secure IT infrastructure. Intrusion detection tools, a security analysis and vulnerability scanning server, and a backup server are integrated into the virtual network.

    To identify vulnerabilities, we use the “manual approach” and rely on expert analysis. This principle does not involve any automated tools: the research is conducted by an experienced specialist who relies on their own knowledge when identifying vulnerabilities. Clearly, this technique takes a lot of time and requires highly qualified specialists in the company. However, it is considered the most effective in terms of accuracy and completeness of coverage during verification.

    Severity in the fight for the perfect product


    In custom development, it is important to release on time, while the application should be bug-free and guarantee users' security. Following this principle, during product testing we rank tasks by priority, or Severity: all bug-fixing tasks are ranked according to the degree of the defect's negative impact on the product.

    Priority in resolving bugs in DD Planet is as follows:

    1. First of all, we identify and eliminate blockers: errors that prevent the user from performing the target action. For example, a visitor cannot register on the site or in the application, log in to their account, or access the target data or sections of the application.
    2. Next, we track and fix critical bugs: security problems, system freezes, a malfunctioning business process, and periodic application crashes.
    3. Then we analyze medium-level problems: errors that appear only in certain specific situations.
    4. The final stage is minor changes: we get rid of minor bugs, work through comments on the interface, and so on.

    This sequence helps us to quickly get rid of bugs, focusing on key aspects for the user.

    The product release takes place in several stages. First, it is published to a test environment to identify bugs. Then bugs with Severity 1 and 2 are fixed. After that, we release to production. For some time after the release, part of the team fixes bugs with priority 3 and 4. A few days later there is another update in production after the remaining problems are fixed.

    To ensure maximum product security:

    • Use parameterized database queries.
    • Get rid of query construction inside the application to avoid SQL injection.
    • Connect to the database only under a dedicated account with the minimum necessary set of rights.
    • Keep security logs on a regular basis.

    Do not trust user input: any data from the client (user) must be checked on the server. This prevents scripts or malicious hex codes from getting through. User data is often passed as parameters to invoke other code on the server and, if unchecked, can seriously compromise system security. That is why it is so important to strictly check all input data for correctness.
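    The recommendations above (parameterized queries instead of query construction, plus server-side input checks), as an added illustration that is not DD Planet's code: an in-memory SQLite table with constructed rows stands in for the application's database, and the lookup of a user by e-mail is a hypothetical endpoint.

```python
"""Parameterized queries and server-side input checks, as recommended above.
Added illustration, not DD Planet's code: an in-memory SQLite table with
constructed rows stands in for the application's database, and the login
lookup by e-mail is a hypothetical endpoint."""
import re
import sqlite3

EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")

def connect() -> sqlite3.Connection:
    # In production this connection would use a dedicated account that has
    # only SELECT on this table, not the schema owner.
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, role TEXT)")
    con.executemany("INSERT INTO users (email, role) VALUES (?, ?)",
                    [("alice@example.org", "user"), ("admin@example.org", "admin")])
    return con

def find_user_unsafe(con, email):
    # Query text assembled inside the application: the client-controlled
    # value becomes part of the SQL itself (the pattern to get rid of).
    sql = "SELECT id, email, role FROM users WHERE email = '" + email + "'"
    return con.execute(sql).fetchall()

def find_user_safe(con, email):
    # Server-side validation first: reject anything that is not an address.
    if not isinstance(email, str) or len(email) > 254 or not EMAIL_RE.match(email):
        raise ValueError("invalid e-mail")
    # Placeholder binding: the driver passes the value separately, so it can
    # never change the structure of the statement.
    return con.execute("SELECT id, email, role FROM users WHERE email = ?",
                       (email,)).fetchall()

# Constructed hostile input: closes the quote and makes the WHERE always true
PAYLOAD = "x' OR '1'='1"

def demo() -> dict:
    con = connect()
    leaked = find_user_unsafe(con, PAYLOAD)      # string building: every row
    try:
        find_user_safe(con, PAYLOAD)              # stopped by validation
        rejected = False
    except ValueError:
        rejected = True
    # Even without validation, binding keeps the payload a plain literal
    bound = con.execute("SELECT COUNT(*) FROM users WHERE email = ?",
                        (PAYLOAD,)).fetchone()[0]
    legit = find_user_safe(con, "alice@example.org")
    return {"unsafe_rows": len(leaked), "rejected": rejected,
            "bound_matches": bound, "legit_rows": len(legit)}

if __name__ == "__main__":
    print(demo())   # {'unsafe_rows': 2, 'rejected': True, 'bound_matches': 0, 'legit_rows': 1}
```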

    Andrey Ryzhkin and Alexey Klinov from AGIMA, on how and why to control application security in custom development


    The security of the digital architecture of any product is a critical attribute for both business and users. This is an additional indicator of quality and reliability, which must be maintained at all stages of the production and operation of the application.

    Any organization has valuable information, which includes:

    • Personal data of employees and customers.
    • Access data to the client bank.
    • Company customer data.
    • Production drawings.
    • Design documentation.
    • Etc.

    This data is spread across different systems, and its security is quite difficult to control. The theft or distortion of such information entails major financial losses, damage to the organization's reputation, loss of key customers and partners, and disruption of transactions and projects.

    Nevertheless, there are many information protection tools on the market:



    And it is quite possible to organize good comprehensive protection, given the will and the means.

    What about application security?


    A business needs a working, stable application with effective functionality that can bring a financial return. But no matter how ideal the application may be in terms of functionality, it may contain artifacts related to vulnerabilities. Usually nobody thinks about this, since these artifacts do not manifest themselves until a certain moment: until a competitor or a curious hacker needs them. Vulnerabilities can be exploited to attempt to infiltrate the organization's infrastructure through a website or application, or to gain access to the valuable data that this application processes or stores. As a result, the business could be seriously affected.

    Unfortunately, security analysis is still rare in custom development. The reason is the uniqueness of the projects: they are all too different, and each has its own needs. This affects the cost of analysis. Given the low margins of the business, putting the process on a regular footing in custom development is not always possible. Nevertheless, it is better not to neglect it.

    How to prevent data theft from the application?


    From the very beginning of the development of a mobile or web application, it makes sense to introduce an analysis of the product code for security.

    You cannot rely solely on a WAF (web application firewall) for protection: a rule may not fire, the configuration may be incorrect, or outdated signatures may be in use. Only a set of measures will ensure a high level of application security: static analysis of source code during development, tool-based scanning in the production environment, pen tests, a WAF and DDoS protection. Tool-based scanners and pen tests will detect vulnerabilities that could not be identified by analyzing the code during development.

    How to organize the process of testing for vulnerabilities?


    AGIMA uses several approaches to code security analysis:

    • Full integration into the CI/CD development process.
    • Security audit at checkpoints.
    • Situational or one-time security audit.

    The ideal option is to integrate security analysis into the development process. This approach is especially relevant for projects that the same developer has been developing for a long time.

    The second option is a security audit at checkpoints. This method is suitable if the product has infrequent releases, and it can also be a great addition to integrated analysis.

    A situational or one-time audit makes sense if the project is quite simple, or if it has been taken over from another developer. In the second case, it is important to determine the product's technical debt: the number of existing bugs and vulnerabilities. After that, you need to create a roadmap for eliminating them. Sometimes everything can be fixed in the first stage. If there are many problems, they will have to be dealt with in the course of further development: first the critical ones, then the less dangerous ones.

    An approach that combines the three options listed above makes it possible to reduce the number of potential vulnerabilities at release, minimize the product's technical debt, and reduce the time it takes to bring the application to production.

    The results of a security analysis implemented in the early stages of development are:

    • Reduced reputational risks for both the developer and the customer.
    • Reduced cost of fixing vulnerabilities during the operation of the application.
    • A reduced number of independent application security checks.


    Instead of a conclusion


    Today, the search for vulnerabilities in software products, mobile and web applications is becoming an important area of activity for all leading developers. Some consider expert analysis of vulnerabilities reliable and entrust testing to in-house specialists. Others use pen tests, vulnerability scanners and code analyzers. Still others integrate SAST tools into the development process. In any case, before starting work it is recommended to build threat models and analyze the potential risks associated with theft and distortion of critical data.

    You should not rely only on a firewall and free security features. The most reliable way is an integrated approach: regularly and thoroughly check the code for bugs and vulnerabilities.
