DevOps is what made companies like Uber and Netflix possible. In the very near future, DevOps will help make driverless cars commonplace.
But here is the thing: DevOps, the philosophy of designing, prototyping, testing and delivering new software as quickly as possible, has also been at the heart of something far less welcome. Software vulnerabilities have hit an all-time high.
In five years, the number of software vulnerabilities catalogued in the National Institute of Standards and Technology's National Vulnerability Database (NVD) more than tripled, from roughly 5,200 in 2013 to a record 16,556 in 2018.
The total number of vulnerabilities recorded in the NVD dipped slightly, to 12,174 in 2019. Some of the credit for that dip is undoubtedly due to the DevSecOps movement, which has been gathering momentum for two or three years.
Proponents of DevSecOps insist that security requirements be addressed during the design process, so that they fit into the highly agile engineering culture of DevOps. Still, 12,000-plus new software vulnerabilities in a year is a lot. And that figure does not include the latent vulnerabilities that slip through unnoticed in this fast-moving environment: gaps that opportunistic threat actors are likely to discover and exploit later.
Virsec, an application security vendor based in San Jose, is trying to tip the balance in favour of the good guys. Virsec sells systems that help organizations detect highly evasive malicious activity at the deepest level: in code as it actually executes in a production environment.
At RSA 2020, I had the chance to sit down with Shauntines Jakab, Virsec's Director of Product Marketing. We discussed the steps Virsec has taken to move its deep runtime detection technology into the development phase of new applications. Listen to the accompanying podcast for the full conversation. Here are the key takeaways:
Runtime exploits
The hacker groups behind mass data thefts such as the Marriott and Equifax breaches have a number of things in common. To gain a foothold in the victim's network, the attackers had to get past the best legacy security systems money can buy. And once inside, they used tactics that let them go unnoticed for weeks while methodically looting crown-jewel databases.
Today, hacker groups do this routinely; they cover their tracks by slipping malicious code in well beyond the reach of traditional firewalls, intrusion detection and data loss prevention systems. This highly evasive class of attack executes only at runtime, that is, between the moment a program starts and the moment it is closed or terminated.
When an application runs, its components are loaded into the computer's processor memory so that the application can do its work. Threat actors know how to feed seemingly benign bits of code into application servers; that code is then turned into attack code that executes only at runtime.
Deterministic protection
According to Jakab, Virsec's technology aims to defeat these runtime exploits, which take advantage of latent weaknesses in compiled code and firmware. Virsec sells systems that detect and remediate malicious activity at this deep level, preserving the integrity of critical operations while keeping valuable data and confidential intellectual property out of the reach of sophisticated attackers. Here is how Jakab explained it to me:
We take a deterministic approach to detecting attacks at runtime. This happens when an attacker, be it a nation state or a very sophisticated threat actor, bypasses protection at the network level and already has access to the server. So now the attacker knows your applications inside out and the state of their vulnerabilities.
Jakab
We look at how the application is designed in order to determine when these types of attacks take place. We take a holistic approach to control. We examine the files and processes the application uses, right down to the data that goes into memory… We examine how the data in memory is manipulated to provoke malicious actions, such as taking control of your application.
I don’t think that’s a good idea.
Back to DevSecOps. In principle, DevSecOps should be tamping down the number of vulnerabilities in new software. In practice, DevSecOps is still at a very early stage, with plenty of room for improvement.
The idea behind DevSecOps tooling, which includes static application security testing (SAST), dynamic application security testing (DAST), interactive application security testing (IAST) and runtime application self-protection (RASP), is to squeeze out vulnerabilities without sacrificing agility.
These processes support a fail-fast approach to prototyping and testing: invest in rapidly deploying minimum viable software to find out where it works and where it breaks, then fix the failures quickly, without losing sight of security.
The problem with SAST, DAST, IAST and RASP is that they are not very good at detecting architectural weaknesses, the deep holes that motivated cybercriminals are likely to discover and exploit later.
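To make concrete the class of memory-level weakness the passages above describe (seemingly benign input that turns into control over the application at runtime, and a deterministic check of how memory is being manipulated rather than a signature match), here is an added example in C. It is not Virsec's code and not from the original post; the frame layout, the canary value and the addresses are assumed for illustration, and the whole simulated stack frame lives in one byte array so that the overflow stays defined behaviour instead of a real crash.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Layout of the simulated stack frame, in bytes. Keeping the whole frame in
 * one array means an "overflow" writes into adjacent slots of the same object
 * (defined behaviour) while still mirroring a real frame, where the canary
 * and the saved return address sit just past the input buffer. */
#define NAME_LEN   16
#define CANARY_OFF 16
#define RET_OFF    24
#define FRAME_LEN  32

enum { FRAME_OK = 0, FRAME_CANARY_TAMPERED = 1, FRAME_RET_TAMPERED = 2 };

typedef struct {
    uint8_t  bytes[FRAME_LEN];  /* name[16] | canary[8] | saved return[8] */
    uint64_t expected_canary;   /* what the frame was set up with */
    uint64_t expected_ret;      /* the one legitimate return target */
} frame_t;

static void frame_init(frame_t *f, uint64_t canary, uint64_t ret) {
    memset(f->bytes, 0, FRAME_LEN);
    memcpy(f->bytes + CANARY_OFF, &canary, sizeof canary);
    memcpy(f->bytes + RET_OFF, &ret, sizeof ret);
    f->expected_canary = canary;
    f->expected_ret = ret;
}

/* Vulnerable copy: trusts the supplied length, as strcpy()/memcpy() on
 * unchecked input does. Clamped to the frame only so the demo stays defined. */
static size_t vuln_copy(frame_t *f, const uint8_t *in, size_t n) {
    if (n > FRAME_LEN) n = FRAME_LEN;
    memcpy(f->bytes, in, n);
    return n;
}

/* Hardened copy: refuses anything that does not fit the buffer (with room
 * for a terminator) and reports the rejection instead of silently writing. */
static size_t safe_copy(frame_t *f, const uint8_t *in, size_t n) {
    if (n >= NAME_LEN) return 0;
    memcpy(f->bytes, in, n);
    f->bytes[n] = 0;
    return n;
}

/* Deterministic check: compare memory against what the application's own
 * design says must be there, rather than looking for a known-bad signature. */
static int frame_check(const frame_t *f) {
    uint64_t canary, ret;
    memcpy(&canary, f->bytes + CANARY_OFF, sizeof canary);
    memcpy(&ret, f->bytes + RET_OFF, sizeof ret);
    if (canary != f->expected_canary) return FRAME_CANARY_TAMPERED;
    if (ret != f->expected_ret) return FRAME_RET_TAMPERED;
    return FRAME_OK;
}

/* Constructed attack payload: 16 filler bytes, then the canary slot, then a
 * fake return address. knows_canary models an attacker who has already leaked
 * the canary and writes it back intact, so a canary check alone would pass. */
static int run_attack(int use_safe_copy, int knows_canary) {
    const uint64_t canary   = 0x5ca1ab1e00c0ffeeULL;  /* assumed value */
    const uint64_t good_ret = 0x401000ULL;            /* assumed, hypothetical */
    const uint64_t evil_ret = 0xdeadbeefULL;          /* attacker's target */
    frame_t f;
    uint8_t payload[FRAME_LEN];

    frame_init(&f, canary, good_ret);
    memset(payload, 'A', NAME_LEN);
    if (knows_canary)
        memcpy(payload + CANARY_OFF, &canary, sizeof canary);
    else
        memset(payload + CANARY_OFF, 'B', sizeof canary);
    memcpy(payload + RET_OFF, &evil_ret, sizeof evil_ret);

    if (use_safe_copy)
        safe_copy(&f, payload, FRAME_LEN);   /* rejected: frame untouched */
    else
        vuln_copy(&f, payload, FRAME_LEN);   /* overwrites canary and return */
    return frame_check(&f);
}

int main(void) {
    printf("vuln_copy, blind overflow : %d\n", run_attack(0, 0));  /* 1 */
    printf("vuln_copy, leaked canary  : %d\n", run_attack(0, 1));  /* 2 */
    printf("safe_copy, leaked canary  : %d\n", run_attack(1, 1));  /* 0 */
    return 0;
}
```

Compile with any C99 compiler and run. The three cases show a blind overflow caught by the canary, an overflow by an attacker who already leaked the canary that is caught only because the return slot is compared with the design-time target, and the hardened copy refusing the oversized payload outright. A real deployment would inspect live stack or heap memory rather than a simulated frame, but the principle is the same: the check is against what the application's own design says should be in memory, which is exactly what a perimeter device never sees.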
Shifting deep testing left
Virsec has learned a lot from helping large financial firms, and companies that depend on critical industrial control systems, stop attackers from burrowing deep into running applications. As a result, the company has taken the initiative to shift left and share its hard-won field data with the software development community, Jakab says.
Virsec believes the knowledge gained from its core business is especially useful when it is integrated into the early design and testing phases of new software, rather than only at the point where software is handed from development to production, as was previously the case.
According to Jakab, knowledge of how attackers carry out in-memory attacks at runtime can be fed into the process at multiple levels, from integration testing to system-level testing to final quality assurance.
Now you can integrate Virsec's findings into all of those test iterations and see, at a very deep level, where software flaws can arise, she says.
What Virsec brings to the DevSecOps table is essentially a very granular penetration test grounded in field forensics. I was impressed by the fact that this is probably exactly what the elite hacker groups want: cybercriminals want to get their hands on applications that were built for agility and carry latent vulnerabilities.
It would be nice if the good guys beat them to it for once. I'll keep my eyes open.
Acohido
Byron V. Acohido, a Pulitzer Prize-winning business journalist, has dedicated his work to raising awareness about how to make the Internet as private and secure as possible.
*** This is a Security Bloggers Network syndicated blog from The Last Watchdog, written by bacohido. Read the original post at https://www.lastwatchdog.com/best-practices-how-testing-for-known-memory-vulnerabilities-can-strengthen-devsecops/