The breakneck pace of continuous delivery of apps and software can make it a challenge for security to be included in the development cycle, potentially leaving vulnerabilities overlooked. There may be ways to address this through automated observability that can highlight issues for developers to address. During the recent DeveloperWeek virtual conference, experts from Stanford University and DeepFactor discussed risks organizations may face if observability is not part of the DevSecOps equation.
Kiran Kamity, CEO of DeepFactor, said the inclusion of security in the DevOps cycle of software development, creating DevSecOps, is a necessity these days. In respect to security, observability allows for the inspection of potential vulnerabilities by developers who can then make needed changes quickly.
DevSecOps has gained more attention in light of breaches where the root cause could be traced back to a software vulnerability, said Neil Daswani, co-director of the Stanford Advanced Security Certification Program. “If we look at the Capital One breach from 2019, there was a server-side request forgery vulnerability that was exploited,” he said. “Everyone who’s heard of the Equifax breach knows that it was due to an Apache Struts vulnerability. There was also a SQL Injection vulnerability that was leveraged in that particular attack.”
Companies and developers want to get new code and features out as soon as possible, Daswani said, which raises the need to mitigate risk while rolling out multiple new features each day. “We need to move more aggressively to a model that allows us to ship and be agile but also can help avoid some of these big breaches,” he said.
Kamity said with increasingly complex apps released at faster and faster rates, there is a need for automation to help find potential problems in the development pipeline. “It’s humanly impossible for the AppSec [application security] teams to identify the security and compliance risks in their applications in a manual fashion,” he said.
Mike Larkin, CTO of DeepFactor, said his company built an observability platform to monitor apps because he saw limits to what static code analysis tools can do. Observability is a way for developers to better understand whether applications behave as they should, he said. Checking for unsafe APIs, Larkin said, is part of the equation. This includes dealing with legacy APIs that should have been retired yet remain in use, and with third-party components that might also use those APIs. “The pace at which development is going today, nobody’s going to sit down and audit every piece of code they bring into an application,” he said. “There’s just not enough time for that.”
Old models of development may have included performing security tests at each stage, Daswani said, but such a process had limits. “That is a very stovepipe model and it’s not going to be as fast as being able to continuously observe your application for potential vulnerabilities,” he said.
High-profile breaches have made vulnerabilities an ongoing concern as apps are developed. Daswani cited a breach in 2018 at Facebook, where a security issue stemmed from a function that let users of the social network view their profiles as a member of the general public would see them. “It turns out in that particular breach, there were three software vulnerabilities that were exercised all at the same time,” he said.
Those vulnerabilities included a field where users could wish members a happy birthday, which allowed a video encoder to be included, and issues with how access tokens were issued. “That was a pretty sophisticated vulnerability,” Daswani said. “My guess is the attackers went in that direction because Facebook had locked down all of their APIs and previous exposure that resulted in the Cambridge Analytica hack and abuse of their service.”
The development cycle is poised to continue to accelerate and security may well be an ongoing concern for the foreseeable future. With the Capital One breach of 2019, Daswani said a former AWS employee was able to pose queries to Amazon’s metadata service using the EC2 instance that had the vulnerability as a relay. “The attacker sent in queries asking the metadata service for security credentials,” he said. After the request was granted, the attacker eventually worked their way into gaining access to more than 100 million credit applications with Capital One. “I would be surprised if these were the last examples of sophisticated software vulnerabilities that resulted in breaches,” Daswani said.
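The relay pattern Daswani describes, in which a vulnerable instance is made to fetch a URL on the attacker's behalf and ends up asking its own cloud metadata service for credentials, is the classic server-side request forgery that an egress check can refuse. The following is an added example written for this article, not code from the conference talk, from Stanford or from DeepFactor. It assumes a hypothetical service that fetches user-supplied URLs and calls `check_outbound_url` before every fetch; the `BLOCKED_NETWORKS` list, the `resolve` helper and the sample URLs are constructed for the example.

```python
import ipaddress
import socket
from urllib.parse import urlparse

# Constructed deny list: address ranges a server-side fetcher should never be
# asked to reach. 169.254.0.0/16 is the link-local range that holds the cloud
# instance metadata endpoint (169.254.169.254) targeted in the Capital One case.
BLOCKED_NETWORKS = [
    ipaddress.ip_network("169.254.0.0/16"),   # link-local / instance metadata
    ipaddress.ip_network("127.0.0.0/8"),      # loopback
    ipaddress.ip_network("0.0.0.0/8"),        # "this" network
    ipaddress.ip_network("10.0.0.0/8"),       # RFC 1918 private
    ipaddress.ip_network("172.16.0.0/12"),    # RFC 1918 private
    ipaddress.ip_network("192.168.0.0/16"),   # RFC 1918 private
    ipaddress.ip_network("::1/128"),          # IPv6 loopback
    ipaddress.ip_network("fe80::/10"),        # IPv6 link-local
    ipaddress.ip_network("fd00::/8"),         # IPv6 unique-local
]


def resolve(host):
    """Hypothetical resolver: return every address a host name maps to.

    Literal IPs are returned without a DNS lookup, so the check works offline
    for them. Callers may inject a different resolver (tests do).
    """
    try:
        return [ipaddress.ip_address(host)]
    except ValueError:
        pass
    return [ipaddress.ip_address(info[4][0]) for info in socket.getaddrinfo(host, None)]


def _normalize(addr):
    """Unwrap IPv4-mapped IPv6 (::ffff:169.254.169.254) so the IPv4 ranges apply."""
    addr = ipaddress.ip_address(addr) if isinstance(addr, str) else addr
    if addr.version == 6 and addr.ipv4_mapped is not None:
        return addr.ipv4_mapped
    return addr


def check_outbound_url(url, resolver=resolve):
    """Decide whether a server-side fetch of `url` is allowed.

    Returns (allowed, reason). Rejects non-HTTP schemes, URLs carrying
    credentials, unresolvable hosts, and any host where *any* resolved
    address falls into a blocked range (a host that resolves to both a public
    and a metadata address is still refused).
    """
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https"):
        return False, f"scheme {parsed.scheme!r} not allowed"
    if not parsed.hostname:
        return False, "missing host"
    if parsed.username or parsed.password:
        return False, "userinfo in URL not allowed"
    try:
        addrs = [_normalize(a) for a in resolver(parsed.hostname)]
    except (socket.gaierror, ValueError) as exc:
        return False, f"resolution failed: {exc}"
    if not addrs:
        return False, "host resolved to no addresses"
    for addr in addrs:
        for net in BLOCKED_NETWORKS:
            if addr.version == net.version and addr in net:
                return False, f"{parsed.hostname} -> {addr} is in blocked range {net}"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample inputs: the metadata endpoint, an IPv4-mapped IPv6
    # disguise of it, a non-HTTP scheme, and an ordinary public address.
    samples = [
        "http://169.254.169.254/latest/meta-data/iam/security-credentials/",
        "http://[::ffff:169.254.169.254]/latest/meta-data/",
        "file:///etc/passwd",
        "http://93.184.216.34/",
    ]
    for sample in samples:
        allowed, reason = check_outbound_url(sample)
        print(f"{'ALLOW' if allowed else 'BLOCK':5} {sample}  ({reason})")
```

The check resolves the host itself and inspects every returned address rather than string-matching the URL, so hostnames that point at link-local space and IPv4-mapped IPv6 literals are caught as well. It complements, rather than replaces, platform-side controls such as requiring a session-token-based metadata service (AWS IMDSv2) and scoping instance roles to the minimum they need.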