Software vulnerabilities are a key concern for any business today. Vulnerable software – that is, software with weaknesses that can potentially be exploited by attackers – can occur in many ways: because of a developer’s typo, due to poor design choices or because a developer integrated compromised open source or third-party packages to save time.
Here at iC Consult, we take software vulnerabilities very seriously: not only because we know that you, our valued customer, rely on the code we provide – but also because most vulnerabilities are quite easy to fix if they are detected early in the Software Development Lifecycle (SDLC). Fixing them after they have been deployed is much more cost-intensive – and much more dangerous.
This is why all our developers follow a strict Secure Deployment Process that maximizes our chances to detect and mitigate any vulnerabilities in our code as soon as possible – and we would like to walk you through this process in more detail in the following pages.
The graph above demonstrates the cost-saving benefits of the shift-left approach. It displays three lines: when bugs are introduced, when defects are found, and the increasing cost of fixing bugs and defects at each phase of software development. Most bugs are introduced during the coding phase but are rarely discovered at that stage. Instead, they are mostly found during later testing stages, when fixing them becomes significantly more expensive.
The green line represents the proposed defect detection cycle based on earlier testing, which is the essence of the shift-left approach. It shows that by moving testing activities earlier in the development process, defects are found sooner. This leads to cost savings as early detection enables easier identification of root causes, faster reproduction of defects, and minimizes the imp
Static Application Security Testing
SAST (Static Application Security Testing) analyzes custom code (or parts of it) for vulnerabilities while the developers are still coding, right in their IDE (Integrated Development Environment), before the application is built or deployed. Our tools alert developers as soon as they make a mistake and ensure compliance with all relevant guidelines and practices without executing the code. Our SAST solution covers a wide range of programming languages and development platforms and integrates seamlessly with all common IDEs – allowing our devs to code more securely without having to change their toolset.
New Possibilities, New Requirements
Of course, continuous security must be guaranteed for this. New security paradigms such as zero trust and modern authentication methods such as OpenID Connect and multi-factor authentication provide this. At the same time, however, they are also the sticking point at which old B2B partner platforms fail, because these ten-, fifteen- or twenty-year-old solutions are often no longer up to date. Retrofitting, where it is possible at all, involves a great deal of effort and high costs; the result is a solution that combines high license fees with an incomplete implementation and a deficient user experience.
Software Composition Analysis
Open source code is a key element of modern application development. It allows developers to integrate standard capabilities by using existing, free software – and thus gives them more time to polish the USPs of their own applications. Unfortunately, not all open source components are safe: Some packages contain vulnerable code, others are downright malicious. To ensure only secure components are integrated, iC Consult uses a dedicated Software Composition Analysis (SCA) solution. This automated tool identifies all open source components in the codebase and checks their security, license compliance and code quality stats.
Unit Testing
Unit Testing is a dedicated testing process developed and implemented by our own experts and has proven its worth time and time again by identifying a significant percentage of the defects in our code. The idea behind Unit Testing is to split our application into multiple parts and to test if each individual part is working correctly. To achieve this, we isolate the smallest unit of testable software from the remainder of the code and determine whether it behaves exactly as expected. This allows us to automate our testing process, helps us to discover errors in complex applications and enhances the test coverage by giving attention to each unit.
Integration Testing
Integration Testing is a dedicated step where we test the interfaces between the modules and expose any problems that might occur when the components are integrated and have to interact with each other.
Schema Validation
Misconfigurations are usually only identified once an application is deployed. At this stage, Kubernetes will detect misconfigurations automatically – but by then, deployment has to be rolled back and another deployment window has to be found. By validating the schema at a much earlier stage, we are able to detect and resolve possible misconfigurations during the deployment preparation. This helps us ensure seamless deployment and – once again – shortens the time-to-market for your service.
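As an added illustration of validating a deployment manifest before it reaches the cluster (example code written for this page, not iC Consult's tooling), the following Python check runs a few policy rules over a constructed Kubernetes Deployment manifest in JSON form; the sample manifest, the image name and the rule set are assumptions.

```python
import json

# Constructed sample Deployment manifest (JSON form), standing in for a file
# prepared for deployment; it is not from the original page.
SAMPLE_MANIFEST = json.dumps({
    "apiVersion": "apps/v1",
    "kind": "Deployment",
    "metadata": {"name": "demo-api"},
    "spec": {"template": {"spec": {"containers": [
        {"name": "api", "image": "registry.example/demo-api:latest",
         "securityContext": {"privileged": True}}
    ]}}}
})


def validate_manifest(text):
    """Return a list of findings; an empty list means the manifest passes.

    Each rule mirrors a misconfiguration that would otherwise only surface
    once Kubernetes admits (or rejects) the object at deployment time.
    """
    doc = json.loads(text)
    if doc.get("kind") != "Deployment":
        return [f"unsupported kind: {doc.get('kind')!r}"]
    containers = (doc.get("spec", {}).get("template", {})
                  .get("spec", {}).get("containers", []))
    findings = []
    if not containers:
        findings.append("spec.template.spec.containers must not be empty")
    for c in containers:
        name = c.get("name", "<unnamed>")
        image = c.get("image", "")
        # The last path segment must carry an explicit tag or digest, and
        # ":latest" is treated as unpinned because it changes under us.
        ref = image.rsplit("/", 1)[-1]
        unpinned = (":" not in ref and "@" not in ref) or image.endswith(":latest")
        if not image or unpinned:
            findings.append(f"{name}: image must be pinned, got {image!r}")
        sc = c.get("securityContext", {})
        if sc.get("privileged"):
            findings.append(f"{name}: privileged containers are not allowed")
        if sc.get("runAsNonRoot") is not True:
            findings.append(f"{name}: securityContext.runAsNonRoot must be true")
        if "limits" not in c.get("resources", {}):
            findings.append(f"{name}: resources.limits must be set")
    return findings
```

Wiring `validate_manifest` into the pipeline step that prepares a deployment lets the build fail on these findings instead of a rolled-back rollout.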
Image Scanning*
Scanning container images for vulnerabilities allows developers and development teams to review the security state of the container images – and fix any issues identified during the scan without slowing the deployment process.
Runtime Container Scanning*
We have a dedicated set of tools and processes in place to scan your containers in production. This allows us to detect dangerous container vulnerabilities and misconfigurations, which are then automatically remediated or forwarded to the developers with suggested fixes. Policy engines with custom detection rules help us automate this process and track unexpected behavior and activities.
* An image is a snapshot of an environment, and a container runs the software.
Dynamic Application Security Testing
While SAST is a valuable tool to identify many common vulnerabilities in custom code, some weaknesses can only be detected in a runtime environment. This is where dynamic testing comes into play: DAST is a black-box security testing technique that tests the running application without access to its source code or architecture. This allows us to focus on the true runtime issues – e.g., during authentication or in the server configuration – that only show up once the application is deployed and running.
Application Configuration Validation
During the Configuration Validation step, we ensure that all systems in your landscape are configured consistently and in compliance with your requirements.
Conclusion
And this is it: our Secure Deployment Process in a nutshell. We hope that the knowledge that every single bit of code deployed in your environment has gone through this rigorous testing and QA process – and thus been purged of any vulnerabilities and weaknesses – will help you rest easy. We are more than happy to go the extra mile for better security, as it helps us to reliably provide you with better and more secure code – and significantly reduces the development time and costs of deployment on your end.
Our Patching Process
In addition to our established DevSecOps process, we review the security status of all our components at least every two weeks. Following this review, any components affected by known CVEs will be patched, tested and rolled out to customers. If a critical CVE is found (think: Log4j), we will create a dedicated task force to work on a fix – while keeping you informed about any risk and attack vectors.
CVE Whitelisting by the CVE Criticality Committee
If a critical CVE is found but cannot be fixed, our CVE Criticality Committee will analyze the threat level for our platform. If the risk is deemed acceptable, the CVE can be whitelisted to unblock our development. From this point forward, the CVE will be reviewed on a regular basis, until it becomes fixable or the risk level has to be adjusted.
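To show how such a whitelist can be enforced in the build gate together with the "reviewed on a regular basis" rule, here is an added Python example written for this page (not iC Consult's own process tooling). The scan findings, the whitelist entries and the CVE identifiers are constructed placeholders, and the review-by date is assumed to be the mechanism that forces the committee to re-decide.

```python
from datetime import date

# Constructed SCA findings. The CVE ids are placeholders, not real vulnerabilities.
SCAN_FINDINGS = [
    {"component": "libexample-core", "cve": "CVE-0000-0001", "severity": "CRITICAL"},
    {"component": "libexample-core", "cve": "CVE-0000-0002", "severity": "HIGH"},
    {"component": "widget-utils",    "cve": "CVE-0000-0003", "severity": "MEDIUM"},
]

# Constructed whitelist as a committee might record it: every accepted CVE
# carries its rationale and the date by which it must be reviewed again.
WHITELIST = {
    "CVE-0000-0001": {"reason": "vulnerable code path not reachable in our build",
                      "review_by": "2024-06-30"},
    "CVE-0000-0003": {"reason": "vendor fix scheduled for next release",
                      "review_by": "2024-05-01"},
}

# Severities that block a release unless the committee has whitelisted them.
BLOCKING = frozenset({"CRITICAL", "HIGH"})


def gate(findings, whitelist, today_iso, blocking=BLOCKING):
    """Return (passed, blockers, stale).

    blockers: findings of a blocking severity with no whitelist entry.
    stale:    whitelisted CVEs whose review date has passed; they block again
              until the committee re-decides, so an exception cannot silently
              outlive the risk assessment that justified it.
    """
    today = date.fromisoformat(today_iso)
    blockers, stale = [], []
    for f in findings:
        entry = whitelist.get(f["cve"])
        if entry is None:
            if f["severity"] in blocking:
                blockers.append(f["cve"])
        elif today > date.fromisoformat(entry["review_by"]):
            stale.append(f["cve"])
    return (not blockers and not stale), blockers, stale
```

Note that a MEDIUM finding without a whitelist entry does not block by itself, but once it has been whitelisted the review date applies to it like any other entry.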