Implementing the DevSecOps methodology may seem a slow and gradual answer to a dynamic, the integration of development and security, that often calls for clear and, above all, rapid decisions. And yet applying DevSecOps principles is the only way organizations can actually avoid the security risks inherent in the conventional approach to application development.
In the case of a Sorint.lab client, the path to DevSecOps began with a compromise of their systems caused by a flaw in a web application. The company first asked for the problem to be solved immediately and then, at Sorint.lab's suggestion, for an extensive code review to be carried out to minimize the likelihood of it happening again.
Sorint.lab met the client's expectations, remediating the most serious vulnerabilities and indicating the next steps to take. The analysis highlighted the application's problems and the best ways to mitigate them, distinguishing the measures to implement immediately from the additional ones that would raise security while a more thorough DevSecOps adoption was prepared.
Systems attack
The absence of a risk assessment phase and a threat model in the early stages of the software development cycle, both of which are intrinsic to DevSecOps, can lead to serious and critical security problems once the application is released.
In the case under review, the company, which develops custom applications that it then resells to its customers, contacted Sorint.lab after detecting the intrusion into its systems to determine exactly what had allowed an unauthorized third party to gain access.
Beyond a timely investigation, the company therefore needed to seriously consider a series of mitigations and additions to prevent similar situations in the future and to make its network and the applications it uses more secure.
Towards DevSecOps: how to mitigate vulnerabilities
An extensive analysis by Sorint.lab concluded that the problem lay in a web application. Among the critical issues found during the investigation, the login page was vulnerable to SQL injection: because user input was placed directly into the authentication query, an attacker could rewrite its WHERE clause so that the credential check always succeeded, and anyone could get in without authenticating.
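The kind of flaw described above, shown as an added example rather than the client's actual code: a login function that concatenates the submitted username into its SQL statement, beside the parameterized version that closes the hole. The user table, the account name, the password and the function names are all constructed for this illustration; SQLite is used only because it runs in memory with no setup.

```python
import hashlib
import hmac
import sqlite3


def _hash(password: str) -> str:
    # SHA-256 keeps the example short; a real login system should use a
    # password-hashing KDF such as argon2id or bcrypt with a per-user salt.
    return hashlib.sha256(password.encode()).hexdigest()


def make_db() -> sqlite3.Connection:
    # Constructed sample data: one account in an in-memory database.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT)")
    conn.execute("INSERT INTO users VALUES (?, ?)", ("alice", _hash("correct horse")))
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # BAD: the username is spliced into the statement as text, so a value such as
    #   ' OR '1'='1' --
    # turns the WHERE clause into  username = '' OR '1'='1'  and comments out the
    # password check. The hash of the password is hex, so it cannot inject by itself,
    # but a single injectable field is enough to bypass authentication.
    query = (
        "SELECT username FROM users WHERE username = '%s' AND password_hash = '%s'"
        % (username, _hash(password))
    )
    return conn.execute(query).fetchone() is not None


def login_fixed(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # GOOD: the username travels as a bound parameter, never as SQL text, and the
    # password is verified in application code with a constant-time comparison.
    row = conn.execute(
        "SELECT password_hash FROM users WHERE username = ?", (username,)
    ).fetchone()
    if row is None:
        return False
    return hmac.compare_digest(row[0], _hash(password))


if __name__ == "__main__":
    db = make_db()
    payload = "' OR '1'='1' --"
    print("vulnerable, valid creds :", login_vulnerable(db, "alice", "correct horse"))
    print("vulnerable, injection   :", login_vulnerable(db, payload, "anything"))
    print("fixed, valid creds      :", login_fixed(db, "alice", "correct horse"))
    print("fixed, injection        :", login_fixed(db, payload, "anything"))
```

The bypass works because the database cannot tell where the developer's SQL ends and the user's input begins; a parameterized query removes that ambiguity at the protocol level, which is why it is the root-cause fix, whereas the Web Application Firewall discussed later in this article can only block the payloads it recognizes in transit.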
The analysis also exposed dozens of medium-severity vulnerabilities that allowed a malicious actor to extract data from the application and that lacked meaningful code-level protections. It was clear that making the application fully secure would require a complete redesign following DevSecOps principles, which the company was not yet ready to undertake.
Following the investigation, Sorint.lab therefore provided a series of recommendations to safeguard the application and raise its security, including the correction of some of the vulnerabilities and the introduction of a Web Application Firewall, which filters traffic before it reaches the application and so reduces its exposure to attack. A WAF blocks the attack patterns it recognizes but does not remove the underlying flaw in the code, so it is a compensating control rather than a fix. In the meantime, the company also took the opportunity to upgrade its physical equipment to more advanced devices.
Only DevSecOps enables a true software redesign
The company has certainly raised the level of security around the application. Sorint.lab responded to the immediate customer need but at the same time suggested a long-term approach: adopting the DevSecOps method to integrate cybersecurity into development. Otherwise the web application's degree of vulnerability will never meet modern standards.
DevSecOps ensures that security risks are already accounted for at the design stage; when this is not done, it is harder, and sometimes impossible, to act on vulnerabilities, because doing so would mean rebuilding the application from scratch. The software development cycle must embrace cybersecurity from phase one.
Using a medical analogy, tools and integrations are comparable to palliative care: they relieve the company's immediate pain, a highly vulnerable application, but cannot cure the problem at its root. For a complete treatment capable of remediating security problems, organizations need to understand the importance of switching to a DevSecOps model: this is the only real cure.