The pace and scale of security vulnerabilities is increasing. This is in spite of the fact that teams have been trying to keep their code secure for years. So, why are vulnerabilities still such a problem? When teams use security tools and strategies that don’t optimize the developer experience, development is slowed down. This creates frustration, undermines customer usability, and hampers business success. Businesses that use such tools and strategies end up de-prioritizing security, and instead focus on shipping software quickly.
Here at GitHub, we want to help you mitigate vulnerabilities while boosting developer productivity. Fortunately, the Open Web Application Security Project (OWASP) can help. OWASP provides a Top 10 list of vulnerabilities that gives developers and organizations the context they need to address security and compliance risks within their applications. Today, we’ll examine several of OWASP’s vulnerabilities and developer-optimized strategies for keeping your software safe while maintaining and even increasing developer productivity.
First of all, your development team needs an environment that fosters success. And the most important part of this is embedding security into the developer workflow. Typically, disparate, third-party tools are used to identify security risks. But these tools can be slow, noisy, and decrease productivity. However, when security is integrated into the developer flow, you can secure your code quickly and easily. As discussed in the GitHub Advanced Security ebook, other ideal environment components include:
- Visibility into your security posture across code, secrets, and supply chain.
- Communication channels that are lightweight and context‐ sensitive, allowing for easy collaboration.
- Scalability with your business needs.
It may not be possible to implement each of those capabilities at once, depending on the maturity of your business. But as you mature and continuously improve, fostering this ideal environment will help you protect against vulnerabilities and ship secure software faster.
Now that the ideal state has been described, let’s look at a few OWASP vulnerabilities and some techniques to mitigate them.
No developer intentionally exposes their software to security threats. However, sometimes API keys, clear text passwords, security tokens, and other sensitive data may remain in code, leading to cryptographic vulnerabilities.
Ideally, secrets would never reach your enterprise, organization, or repository. But they often do and need to be mitigated. Fortunately, GitHub Advanced Security can help.
By implementing push protection, GitHub’s secret scanning feature will not only scan your code for exposed secrets, but also check pushes for high-confidence secrets (those identified with a low false positive rate). It will list any secrets it detects so you can review and remove them. If a decision is made not to remove them, an audit trail will be created.
Cross-site scripting, path injection, SQL injection, and NoSQL injection are several of the vulnerabilities that have plagued applications for years and continue to stay in the OWASP Top 10 list.
One strategy to address these vulnerabilities is running consistent and effective security code reviews. Not only will your code become cleaner, free of technical debt, and code smells, it will also become more secure. Reviewing these vulnerabilities can become part of your existing GitHub pull request workflow.
Code scanning can also leverage the power of machine learning to find injection vulnerabilities and help communicate risks to developers and security professionals. CodeQL powers code scanning and scans your data for security vulnerabilities.
Threat modeling strategies can be implemented to encourage collaboration between developers, security professionals, and even risk management teams. This can help ensure that the architecture and design patterns are as secure as possible long before a single line of code has been written.
As you continue to adopt open source components at a rapid pace, it’s more important than ever to understand the composition of your software and be able to update vulnerable components.
One of the best strategies for managing the risk of vulnerable and outdated components is to alert developers as soon as a security threat is found and give them the ability to take action in their normal workflows and tooling.
By leveraging Dependabot, you will receive an alert when a repository uses a software dependency with a known vulnerability. A pull request can even be triggered by the security team, which is a simple and effective way for security and developers to communicate.
The best part of these tools is they happen within GitHub. So, you don’t need to worry about decreased productivity or excessive context switching.
By implementing these strategies, you can create a developer-embedded, collaborative, and scalable application security environment that provides risk mitigation across the supply chain. At the same time, you will ensure that developer productivity is not adversely affected.
We will be at the OWASP 2022 Global AppSec event from November 17-18, Booth #D01. Book some time with our experts here to dive deeper into this topic and answer any questions about these strategies.