5 ways to securely develop your software apps in the cloud

Do you work in software application development? Security testing is a crucial part of making sure your final product isn’t full of literal loopholes that threat actors can exploit. By testing, you can identify security flaws — then deal with them, obviously — and help ensure any sensitive data handled by your app remains secure.

So how do you incorporate security testing in practice? We’ll cover how you can do that (and some of the potential hurdles) in this article.

1. “Shift left” to secure your app

One way organizations are adopting security testing is by adopting the DevSecOps methodology, adopting security testing and practices into their software development processes. This is known as a “shift left”, and can help reduce the cost and time required to find and identify problems.

Sounds sensible, right? It is, but this transition can present challenges. It often involves completely restructuring your existing software dev process to accommodate security testing. You’ve also got to choose the right security testing technique for the app being developed — in this case, one size doesn’t fit all — and picking the right approach is especially important if your development is cloud based.

2. Manual code review? No way! Use SAST instead

There’s nothing more tedious and time consuming than manually reviewing every line of source code, searching for some hidden security issue. Your eyes dry out, your mind numbs, and every line becomes a blur. And if your organization is in the business of rapidly developing and deploying software, it’s simply not feasible to hold the whole process up to look over the code.

So, if manual code review is no good, how do you conduct white-box security testing that analyzes source code? The answer is Static Application Security Testing (SAST). SAST offers a way to automate your source code analysis and quickly uncover security vulnerabilities in early development. 

One cloud-native SAST tool is Amazon CodeGuru, which uses machine learning to detect security vulnerabilities listed on the OWASP Top 10 List within the application's source code. Additionally, the reviewer component of Amazon CodeGuru analyzes the source code and provides recommendations based on AWS security best practices. 

Using a SAST tool helps speed up code analysis, and enables organizations to make rapid and secure deployments. Yes, you can have your cake and eat it too!

3. Use SCA to deal with your Jenga tower of dependencies

You’ve got dependencies. Not emotional dependencies, but third-party software dependencies (Well, both are possible, but let’s not unpack that here). After all, developers often need to leverage third-party software to save time during the coding process and avoid inventing the wheel. Third-party dependencies are the natural byproduct.

The issue with these dependencies is when a security vulnerability is present in third-party software, that means you’re often vulnerable as well. Like a Jenga tower, you might be at the top of the stack, but if people start chipping away at the bottom of the stack (your third-party software), it all can come crashing down. 

So, if third-party software dependencies are pretty much a given, how can you protect your software?

Software Composition Analysis (SCA) enables organizations to analyze an app's third-party dependencies for the presence of Common Vulnerabilities and Exposures (CVE). These publicly disclosed security vulnerabilities are often targeted by potential threat actors who actively seek to leverage them in a cyber security attack. 

Google Cloud Build is a cloud-native service that provides SCA capabilities for scanning container images. Cloud Build's Security Insights surfaces container-related security information, such as present CVEs, the severity of those vulnerabilities based on Common Vulnerability Scoring System (CVSS) score, and SLSA rating for software dependencies used by the app.

4. Using DAST to black-box test sans source code 

Once your organization has a running build of an app, you might want to begin testing that running app using Dynamic Application Security Testing (DAST). This type of black-box security testing does not require access to the software application's source code; instead, DAST focuses purely on testing the behavior of the application. 

Why would you want to do that? Well, the purpose of this form of security testing is to uncover dynamic security issues that are present at runtime or while the app is interacting with external components. 

OWASP's Zed Attack Proxy (ZAP) is an open-source DAST tool designed to test the security of an application by automating web app attacks like SQL injection (SQLi). For organizations utilizing GCP, Google Cloud Web Security Scanner often provides DAST capabilities that scan GCP-hosted web apps for vulnerabilities like SQLi and Cross-site Scripting (XSS).

5. SAST and DAST: Why not both (IAST)?

Interactive Application Security Testing (IAST) combines both SAST and DAST by leveraging agent-based app components. These agents monitor the app in real-time and analyze how external black-box testing causes the app to behave at the source code level. This source-code inspection allows for deeper analysis of the app by uncovering how external input is interpreted and executed by the application.

Conclusion: Go forth and secure!

With all of these security testing methods in mind, you can empower your organization by securing your software development processes. However, if you’d like to learn more, why not check out my course “Introduction to DevSecOps for Cloud”? In it, I explain how you can “shift left” using the DevSecOps methodology. It includes both demos and hands-labs for performing security testing.