1. Check your code dependencies
A separate audit of over 1,000 commercial applications found that 96% of them include open source components. More than 6 in 10 applications contain known security vulnerabilities in those components, and some of those vulnerabilities have been present for four years. However, only 27% of respondents said they had a process for automatically identifying and detecting known weaknesses in open source software.
Developers often do not have the time to review the code of the open source libraries they use or to read their documentation, Gupta said, so an automated process for managing open source and third-party components is a basic requirement for DevSecOps. You need to know whether the open source code you use introduces vulnerabilities into your own code, in context or otherwise, and how it affects the vulnerability of the code that depends on it.
Checking code dependencies is fundamental to DevSecOps, and utilities such as OWASP Dependency-Check can help ensure that you do not use components with known vulnerabilities in your software.
The OWASP utility scans your code and its library of open source components to see whether they contain major known deficiencies. It checks them against a regularly updated database of the known vulnerabilities in open source software.
2. Don’t bite off more than others can chew
Static application security testing (SAST) tools allow developers to scan code as they write it, so they receive instant feedback on problems that may be causing security issues. These tools help developers identify and fix potential security vulnerabilities as part of their normal workflow, and so should be an essential component of your DevSecOps practice.
However, the key to introducing these tools is to think small. Often, when security teams run static testing tools in the CI/CD pipeline, they tend to turn on every check to catch all security problems at once, which ends up only creating problems for developers.
For example, when introducing SAST tools into development, you can start by enabling only the rules that catch SQL injection errors. Once your developers see how the tool helps them catch errors while coding, they are more likely to work with it. “You need to build trust in the tool before you turn on more rules.”
E-SPIN specializes in helping enterprise customers with the transition to DevSecOps for breakthrough business performance and productivity. Feel free to contact E-SPIN for your various requirements, from process, system, tool and people education/training to managed services.