The distributed nature of a cloud-native architecture, with microservices deployed to a multitude of containers, can test the limits of static code analysis tools.
Matt Rose is the global director of application security strategy at Checkmarx, an organization that provides static code analysis tools that play a key role in the secure software testing phase of the software development lifecycle. In other words, Mr. Rose knows a thing or two about securing applications.
On TheServerSide, we have been covering rather extensively topics such as cloud-native computing, containers, building 12-factor applications, DevOps and microservices. So, the first thing I wanted to know from Matt was what the most common issues he was seeing when secure software testing was performed on the prototypical cloud-native application. Sadly, the results Checkmarx's static code analysis tools generate are pretty boring.
What static code analysis reveals
What does Rose see constantly? Erroneous error handling is one. Writing some data to a log file that might inadvertently violate the privacy rights of the user is another. And, from time to time, there may be a trigger point where an SQL Injection vulnerability might exist, but each of these things individually isn't the biggest problem. The biggest problem is how, in a complex, multilayered enterprise system, these often minor vulnerabilities can add up to something potentially disastrous, and that's what secure software testing tools must be able to identify.
"A lot of times, you may have five harmless things in your application, each of which is agnostic to the other. Individually, they're not that big a deal," Rose said. "But when you have them all together, then a formulated attack can happen."
Developers often write code that does exactly what it's supposed to, but it does other things as well -- other things that it's not supposed to do.
Matt RoseGlobal director of application security strategy, Checkmarx
A mad rush to implement features before the end of an Agile sprint, along with the DevOps-based approach to software development, can partially be blamed for the emergence of these small software bugs that tend to snowball into something bigger. "Developers are coding for the specs and concentrating on the functional requirements," Rose said. "Developers often write code that does exactly what it's supposed to, but it does other things as well -- other things that it's not supposed to do."
Secure software testing tools maturing
Software quality tools and static code analysis tools are maturing rapidly, and their integration with continuous integration tools and software build processes is helping to make DevOps-based development more secure. In fact, many organizations are replacing the term DevOps with DevSecOps to emphasize the importance of being security-focused as they implement highly automated systems.
With a DevSecOps approach to software development, the key is to be diligent in terms of vulnerability identification through all stages of the software development lifecycle, while, at the same time, addressing bugs and implementing bug fixes as soon as secure software development tools identify them. That ensures that problems are addressed as soon as they arise, while minimizing the amount of time production systems host vulnerable code.
To learn more about DevSecOps, static code analysis and how software testing tools are keeping pace with the emergence of microservices and cloud-native computing, listen to the accompanying podcast in which TheServerSide's Cameron McKenzie interviews Checkmarx's Matt Rose.
You can follow Cameron McKenzie on Twitter: @cameronmcnz
