Secure Development Lifecycle for Startups

With the increase of application layer attacks, companies must assess the risks they face and build a well-balanced software development lifecycle to secure the application code itself as early in the development cycle as possible.

Implementing security solutions can be challenging for small businesses because of budget constraints. For those small and medium businesses, there are a number of open source and affordable configuration management tools, such as Chef, Puppet and Jenkins, that help automate any project.

Chef, Puppet, and Jenkins form the basis of continuous integration (CI) and continuous delivery (CD) pipelines. They merge code from individual developers into a shared project multiple times per day and test continuously, so issues are fixed on an ongoing basis rather than only at the last stage before a product's release.

Puppet is declarative: it describes the desired state of a deployment and works out how to get there from the current state, which makes it easy for an Operations team to adopt.

Chef is imperative: it describes the specific steps needed. It is also more flexible and is written in Ruby, which lets teams manage their Ruby development environments with it and makes it very popular in the development community.

Jenkins complements Chef and Puppet to provide full traceability of deployments. Jenkins is an open source tool that executes a predefined list of steps, such as building and redeploying the Java backend and Angular frontend every 30 minutes or every time a change is detected on GitHub.


Chef and Puppet are the most popular and have the widest support among hardware/software providers. Puppet is used by 42% of businesses that have DevOps, followed by Chef with 37% (according to RightScale's 2016 survey). Whichever you choose, Chef or Puppet, you will be able to achieve the same goals with either product.

The most efficient practice, though, is hiring or retaining security experts who can evaluate the cyber threat landscape for the company, build in-house threat intelligence, customize solutions and keep them up to date to protect against specific vulnerabilities. Even though this means extra expenses, security incidents can result in much higher post-breach costs and can even destroy a startup.

At Svitla Systems, for example, the secure development lifecycle implies proactive planning and the implementation of security-first design during development. First, threat models are created and threat mitigations are included in the technical specifications. Next, developers perform static security analysis of their source code as they write it, prior to compilation. This allows them to identify and fix vulnerabilities in the software before the QA phase. During the QA phase the team makes a final secure code review before the release, analyzing the runtime configuration for security vulnerabilities. A support team then maintains the code with the latest patches and updates and runs continuous fuzz testing to harden it against potential attacks. It is vital that digital businesses have regular, rigorous maintenance and patching programs that enable them to address vulnerabilities as they are discovered.

Fuzz testing is a software testing technique used to discover coding errors and security loopholes by feeding massive amounts of random data into the software in an attempt to make it crash.
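The fuzz-testing step described above, as an added example that is not part of the original article: a constructed record format, a parser whose unhardened mode is missing one bounds check, and a minimal mutation fuzzer that finds the resulting crash and, once the check is added, finds nothing. The record format, the parser and the fuzzer are all constructed for this illustration.

```python
import random

def make_record(payload: bytes) -> bytes:
    """Encode one record in the constructed format <1-byte length><payload><1-byte checksum>."""
    return bytes([len(payload)]) + payload + bytes([sum(payload) % 256])

def parse_records(data: bytes, hardened: bool) -> list:
    """Parse records; hardened=False omits the bounds check, hardened=True adds it (the fix)."""
    records, i = [], 0
    while i < len(data):
        end = i + 1 + data[i]                 # index of this record's checksum byte
        if hardened and end >= len(data):
            raise ValueError("truncated record")
        payload = data[i + 1:end]
        if sum(payload) % 256 != data[end]:   # IndexError here when unhardened and truncated
            raise ValueError("bad checksum")
        records.append(payload)
        i = end + 1
    return records

def mutate(seed: bytes, rng: random.Random) -> bytes:
    """Apply one random mutation: overwrite a byte, insert a byte, or truncate."""
    data, op = bytearray(seed), rng.randrange(3)
    if op == 0 and data:
        data[rng.randrange(len(data))] = rng.randrange(256)
    elif op == 1:
        data.insert(rng.randrange(len(data) + 1), rng.randrange(256))
    else:
        del data[rng.randrange(len(data) + 1):]
    return bytes(data)

def fuzz(target, seeds, iterations=2000, seed=1):
    """Return (input, exception) for the first mutated input that crashes target, else None."""
    rng, corpus = random.Random(seed), list(seeds)
    for _ in range(iterations):
        candidate = mutate(rng.choice(corpus), rng)
        try:
            target(candidate)
            corpus.append(candidate)          # accepted inputs become new seeds
        except ValueError:
            pass                              # documented rejection, not a crash
        except Exception as exc:              # anything else is a bug for the backlog
            return candidate, exc
    return None

SEEDS = [make_record(b"hello"), make_record(b"x")]   # constructed valid inputs

if __name__ == "__main__":
    print("unhardened:", fuzz(lambda d: parse_records(d, hardened=False), SEEDS))
    print("hardened:  ", fuzz(lambda d: parse_records(d, hardened=True), SEEDS))
```

The crash the fuzzer reports is the kind of finding that feeds the maintenance and patching loop the article describes; the hardened mode shows the fix being re-verified by the same fuzz run.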

Any application's security state is static and can only be evaluated against criteria that reflect a particular point in time. Consequently, the application may be demonstrated to be secure today, but there is no way to know whether it will be secure tomorrow. It is vital to conduct continual security reviews, focusing not only on new features but also on regression analysis of old code with new and updated tools.

Developers can scan the code for flaws throughout the development cycle with the open source static analysis tools available at the Software Assurance Marketplace (SWAMP), as well as open source dynamic analysis tools such as Cuckoo Sandbox.

Even if a company decides to implement Runtime Application Self-Protection (RASP), there is an affordable way to do it: a cloud-based solution with a pay-per-use model.

FAQ

What is the difference between Chef and Puppet?

Chef is imperative. Puppet is declarative. In practical terms, this means that Chef specifies the exact steps to get from the current state to the desired one, whereas Puppet wants you to describe what the end state should look like and then leaves it up to the system to work out how to get there (it's actually a little more nuanced than that). Most Ops teams find it significantly easier to adopt tools that use declarative paradigms like Puppet's. Chef is built around Ruby and has gained a following among developers who want to manage both infrastructure and Ruby environments via code. Despite these differences, both tools can achieve essentially the same configuration management and automation goals.

What is the difference between Puppet and Jenkins?

Puppet is a configuration management tool that sets and enforces the desired state of infrastructure such that it remains consistently configured over time, be it servers or the entire environment. It is declarative: describe what needs to be achieved, and Puppet works out how to get there. Jenkins is a CI/CD automation server – it orchestrates build, test, and deployment pipelines. Jenkins runs jobs – for example, building applications on schedules and on every code change – and provides traceability and automation across the software delivery lifecycle when working with tools like Puppet.

Is Jenkins a CI CD tool?

Jenkins is a CI/CD tool. This means it is an open-source automation server supporting continuous integration and continuous delivery. It makes it easy to build, test, and deploy applications as part of the software development lifecycle. All these steps can be configured to run automatically whenever a change is detected in the version control system – for example, on GitHub – or on a particular time schedule.

Is Puppet similar to Jenkins?

Puppet and Jenkins are not truly similar but rather related, since they serve very different though complementary purposes. Puppet is a configuration management tool that declaratively defines and maintains the desired state of servers and infrastructure over time, while Jenkins is a CI/CD automation server running build, test, and deployment jobs based on changes to code or on schedules. In real-world usage, Jenkins orchestrates the pipeline, while Puppet ensures the environments are properly configured for those deployments.

Is Chef declarative or imperative?

Chef uses imperative configuration management. You write step-by-step instructions (recipes) that define exactly how to move a system from its current state to the target state, rather than only describing the final desired state as declarative tools do. This imperative style, combined with its use of Ruby, gives developers a great deal of flexibility and programmability when automating infrastructure and application environments.