The ongoing digital acceleration has brought on a lot of new challenges to companies, as technology changes rapidly and plays a bigger role across a myriad of sectors. But what does this shift mean for application security and development teams?
It’s precisely in this interface between development and security teams that DevSecOps becomes a reality. In this article, we will go over the specifics of DevSecOps and how teams should address this topic.
What is DevSecOps?
While the previous DevOps culture brought a lot of innovation to software development, security was still a missing piece, as more often than not it couldn’t keep up with the development lifecycle speed. DevSecOps is the attempt to shift that and fully integrate security testing into the continuous integration (CI) and continuous delivery (CD) pipelines. Not only that, but the DevSecOps approach also aims to build up the knowledge and skills needed in the development teams so that the results of testing and the fixing can also be done internally.
One of the key security steps in a DevSecOps strategy is addressing vulnerabilities in the source code, which could be leveraged by attackers as a way to infiltrate the system.
“Program source code can be vulnerable to attack if not adequately protected and can provide an attacker with a good means to compromise systems in an often covert manner.”
ISO 27001 Standard
As such, technologies like SAST/DAST have been widely used to scan and fix these vulnerabilities in the application. However, finding and fixing vulnerabilities only answers some of the security requirements in the early application development stages.
As outlined by OWASP, security and development teams must also consider the threats of tampering and reverse engineering, which are especially important in applications that handle sensitive data and critical operations (banking, e-commerce, healthcare, etc). Here, we find a missing piece of DevSecOps: source code protection.
DevSecOps & Source Code Protection
By default, the source code of web and mobile applications is exposed and can be targeted by attackers either by using a debugger or by going through the files in the application’s package. This means that leaving the source code in “plain text” potentially results in the two main threats we just saw before: reverse engineering and tampering.
Organizations such as OWASP advise adding resilience controls on top of security best practices to tackle these threats.
Mobile Top 10 2016-M9-Reverse Engineering
“In order to prevent effective reverse engineering, you must use an obfuscation tool.”
Along with OWASP, NIST also advises the usage of “obfuscation and self-checking to make reverse engineering and modifications more difficult, time-consuming, and expensive for adversaries”.
Although obfuscation can sometimes be confused with “security through obscurity”, it has an important role to play in a DevSecOps strategy, adding a new level of protection in critical applications and greatly increasing the difficulty of reverse engineering attempts.
Because today’s attackers are often highly motivated to infiltrate a system, it’s also crucial to implement techniques that actively mitigate tampering attempts at runtime and ensure the integrity of the source code. The importance of this security control is best presented in the words of the 2021 Executive Order by the White House:
“(...) employing automated tools, or comparable processes, to maintain trusted source code supply chains, thereby ensuring the integrity of the code”
All things considered, looking at the traditional view of the different stages of DevSecOps, it becomes quite clear that there is an important missing piece: source code protection.
Fixing the Missing Piece in DevSecOps
As stated before, ensuring the integrity of the source code requires a robust, multi-layered approach that integrates seamlessly with the existing processes and tools used by development and security teams.
This is precisely what Jscrambler provides: enterprise-grade technology that improves application security throughout the different stages of the development lifecycle. In a nutshell, Jscrambler's client-side security platform protects and monitors every app component—both the first-party code developed internally and all the third-party scripts sourced from external vendors.
When it comes to securing the code developed in-house, Jscrambler automates the protection of the whole source code at build time using a series of layers, including polymorphic obfuscation, code locks, and runtime protection. As a result, it makes it extremely difficult for attackers to target the source code, reducing the attack surface to data exfiltration, piracy, cheating, automated abuse, and intellectual property theft. This fits in seamlessly with the “Code” and “Build” stages of the DevSecOps cycle, allowing teams to automate source code protection.
Jscrambler then extends this protection to the runtime of these applications, using a holistic approach to detect and block, in real-time, malicious behavior on the client-side of web applications. Through a comprehensive webpage inventory, Jscrambler continuously gathers information from every script and network request happening on each user session and mitigates any form of malicious behavior (including data leakage, customer hijacking and website tampering). This valuable information can be fed into the DevSecOps cycle and allow the development and security teams to promptly address compromised resources such as hijacked code components (libraries, external scripts).
If you’re looking to improve your team’s DevSecOps flow, you can easily test all of these features through a Jscrambler free trial.
The whole premise of DevSecOps revolves around ingraining security from end to end into the DevOps workflow and making sure that these controls happen seamlessly, without jeopardizing product delivery.
This approach has mostly been centered around helping teams to address code vulnerabilities that could be exploited by attackers in a production environment. To that extent, tools like SAST, DAST, have played a key role in DevSecOps, integrating seamlessly into CI/CD workflows to automate vulnerability management. However, source code protection has a key role to play in DevSecOps when it comes to threats like tampering and reverse-engineering. And this is where solutions like Jscrambler come into place.