
Security Scanning and Automation in a CI/CD Pipeline: Being Proactive In Security

Exposition

How do we make our applications more secure upon release?

Over the course of the past few years, both the IT and Security teams have fundamentally changed what the auditing and review processes look like at WillowTree for both our client and internal applications. A large part of this process relates to our shift from sequential-based development audits over time to real-time “proactive” security audits.

How do you reduce the time window between developer and security remediation sessions and maintain the security of our projects over time (aka “bridging the gap”)?

According to Dark Reading, “It takes over a month for the average organization to patch its most critical vulnerabilities, according to a new report detecting trends in Web application attacks.”

To help bridge the gap and improve time to remediation, the team has increased security automation in our CI/CD pipelines: builds are audited on every new PR change (so every commit of new code is scanned) across all of our codebases, and scans also run on a schedule. With real-time scanning and alerting integrated into the pipeline, the team can reliably track and remediate all vulnerabilities and exploitable issues present in our codebases. Security triggering and alerting in this manner also helps us maintain pre-existing (even legacy) projects, which raise alerts as soon as a new CVE or exploit is published. Finally, because our teams are small, we also rely on developers to help remediate some vulnerabilities, which they can do at much higher velocity when proper automation and security triggering are in place, allowing us to “bridge the gap” between security and product development.

Background

The implementation of security triggering aligned with CI/CD pipelines is relatively straightforward and can be achieved through many different configurations. I will cover a general outline of an implementation consisting of 7 parts that together make up a real-time security automation system in a CI/CD pipeline.
  1. CI/CD Pipeline - Serves as the foundation for running build configurations, which create new builds/releases, perform security scanning, and run other custom integrations.
  2. GitHub Integration - Stores repositories (codebases) and Git version control (VCS), with links to GitHub Actions and other nested API integrations.
  3. Application & Web Security Scanners (Static/Dynamic & Dependency) - A collection of security scanners, tuned for each project, that perform static/dynamic codebase analysis as well as dependency scanning.
  4. Extra API/Middleware Integrations - Link different service layers together to allow better automated workflows, improving overall efficiency and accuracy.
  5. Automated Security Triggers - Alerting based on security rules/configurations that notifies the proper teams to remediate possible exploits or vulnerabilities present in the code, dependencies, and linked services.
  6. Bots, Webhooks, and Notification Systems - Communicate build states, error logs, security info, and many other forms of metadata. This gives developers a much better understanding of the current status of development and of any leading indicators that need to be looked at.
  7. Security Command Center (SCC) - An in-house security product that centralizes all of our security scanning data into a single platform, allowing a fast review of an entire project’s security risk, with links to all relevant platforms for review and remediation.
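As an added illustration of parts 1, 2, 3, 5 and 6 above (this is example configuration, not WillowTree’s own pipeline), the GitHub Actions workflow below scans on every pull request and on a nightly schedule, runs static analysis and dependency scanning, and fires a Slack alert when a scan fails. The target language, the cron time and the `SLACK_WEBHOOK_URL` secret name are assumptions to adapt per project.

```yaml
name: security-scan
# Trigger on every PR (scan each new commit) and on a schedule so that
# pre-existing/legacy projects are re-checked as new advisories land.
on:
  pull_request:
  schedule:
    - cron: "0 6 * * *"   # assumption: daily at 06:00 UTC

permissions:
  contents: read
  security-events: write   # upload CodeQL results to code scanning
  pull-requests: read      # required by dependency review

jobs:
  static-analysis:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: github/codeql-action/init@v3
        with:
          languages: javascript   # assumption: set to the project's language(s)
      - uses: github/codeql-action/analyze@v3

  dependency-review:
    # Flags vulnerable dependencies introduced by the PR diff; this action
    # only works in a pull_request context, so it is skipped on schedule.
    if: github.event_name == 'pull_request'
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/dependency-review-action@v4
        with:
          fail-on-severity: high

  notify:
    # Security trigger: alert the channel if any scan job failed.
    needs: [static-analysis, dependency-review]
    if: ${{ always() && contains(needs.*.result, 'failure') }}
    runs-on: ubuntu-latest
    steps:
      - name: Post alert to Slack
        env:
          WEBHOOK: ${{ secrets.SLACK_WEBHOOK_URL }}   # assumed secret name
          REPO: ${{ github.repository }}
          EVENT: ${{ github.event_name }}
          RUN_URL: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}
        run: |
          # Values are passed via env rather than interpolated into the script.
          curl -sS -X POST -H 'Content-type: application/json' \
            --data "{\"text\":\"Security scan failed for $REPO ($EVENT): $RUN_URL\"}" \
            "$WEBHOOK"
```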

In turn, this is how we perform real-time security scanning and auditing, alerting us when manual remediation is needed. With a blend of communication channels integrated, the security team can notify team members more efficiently and resolve issues in a shorter time frame. The channels we commonly use for these trigger notifications include Slack, GitHub, and email.

Resolution

The built-in flexibility of this system allows teams with different codebases to hook into a variety of security automation systems, which reduces many common integration issues when working with a large collection of tools. To summarize, by following industry-leading techniques and custom implementations we are able to perform real-time security audits, allowing our teams to proactively follow and remediate issues before, during, and after any build is released. This lets us do our due diligence and provide better security throughout the entire life of a project and properly maintain all WillowTree projects. We believe that our teams produce some of the best applications in the world, and it is fitting for security to be held to the same standard.

If you have any further questions or would like a more in-depth explanation of any of our processes and orchestrations, please do not hesitate to contact us!
