Affordable Configuration Management Tools for Startups
For any company, but especially startups, integrating security into the SDLC, and creating a proper DevSecOps workflow, is crucial to success.
With the increase of application layer attacks, companies must assess the risks they face and build a well-balanced software development lifecycle to secure the application code itself as early in the development cycle as possible.
Implementing security solutions can be challenging for small businesses because of budget constraints. For those small and medium businesses, there are a number of open source and affordable configuration management tools, such as Chef, Puppet, and Jenkins, that help to automate any project. It is important to understand which threats are relevant so that resources are not spent remediating non-threats.
Chef, Puppet, and Jenkins are continuous integration (CI) and continuous delivery (CD) solutions. They merge code from individual developers into a project tool multiple times per day and test continuously to fix any issues on an ongoing basis (and not only at the last stage before a product’s release).
Puppet is a declarative solution that describes the desired state of a deployment and manages how to get there from your current position - this can be easily adopted by the Operations team.
Chef is imperative and describes the specific steps needed to do something. It is also much more flexible and uses Ruby, thus allowing you to manage the Ruby development environment - this makes it very popular in the Development community.
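The declarative idea described above (state what the end result must be, and let the tool work out how to get there, without redoing work that is already done) can be shown in a few lines of plain Ruby. The following is an added example, not code from the article and not Puppet's or Chef's own implementation; the "host" is a constructed in-memory hash, the `FileLine` and `Package` resource types and the `converge` function are this example's own, and the hardening baseline (disable root SSH login, lock down the config file mode, remove `telnetd`) is a constructed illustration.

```ruby
# Added example (not from the article, nor Puppet's or Chef's own code): a
# minimal desired-state convergence loop in plain Ruby. The host is a
# constructed in-memory hash, so the script runs offline.

# Resources declare WHAT must be true, never the steps to make it so.
FileLine = Struct.new(:path, :line, :mode) # `line` present (replacing any line with the same keyword), file mode `mode`
Package  = Struct.new(:name, :ensure)      # :present or :absent

# Constructed stand-in for a freshly provisioned host.
def fresh_node
  {
    files: { "/etc/ssh/sshd_config" => { content: "Port 22\nPermitRootLogin yes\n", mode: "0644" } },
    packages: ["openssh-server", "telnetd"]
  }
end

# Desired hardening for every host: no root SSH logins, private config file, no telnet daemon.
BASELINE = [
  FileLine.new("/etc/ssh/sshd_config", "PermitRootLogin no", "0600"),
  Package.new("telnetd", :absent)
].freeze

def converge_file_line(node, r, changes)
  f = node[:files][r.path]
  unless f
    f = node[:files][r.path] = { content: "", mode: r.mode }
    changes << "#{r.path}: create"
  end
  keyword = r.line.split(" ", 2).first           # e.g. "PermitRootLogin"
  lines = f[:content].lines(chomp: true)
  if (i = lines.index { |l| l.split(" ", 2).first == keyword })
    if lines[i] != r.line                         # keyword present with a different value
      lines[i] = r.line
      changes << "#{r.path}: set #{keyword}"
    end
  else                                            # keyword absent: append it
    lines << r.line
    changes << "#{r.path}: add #{keyword}"
  end
  f[:content] = lines.join("\n") + "\n"
  if f[:mode] != r.mode
    f[:mode] = r.mode
    changes << "#{r.path}: mode #{r.mode}"
  end
end

def converge_package(node, r, changes)
  installed = node[:packages].include?(r.name)
  if r.ensure == :present && !installed
    node[:packages] << r.name
    changes << "install #{r.name}"
  elsif r.ensure == :absent && installed
    node[:packages].delete(r.name)
    changes << "remove #{r.name}"
  end
end

# One converge run: compare desired state with current state, apply only the
# differences, and return the list of changes. On a compliant host it is empty.
def converge(node, resources = BASELINE)
  changes = []
  resources.each do |r|
    case r
    when FileLine then converge_file_line(node, r, changes)
    when Package  then converge_package(node, r, changes)
    end
  end
  changes
end

# Contrast: a bare list of steps that never inspects current state. Running it
# twice appends the directive twice, so it cannot be re-run safely.
def naive_steps(node)
  node[:files]["/etc/ssh/sshd_config"][:content] << "PermitRootLogin no\n"
  node[:packages].delete("telnetd")
end

if $PROGRAM_NAME == __FILE__
  node = fresh_node
  p converge(node)   # three changes on the first run
  p converge(node)   # [] : already compliant, nothing touched
end
```

The property worth noticing is the empty second result: because the run reports only what it actually changed, the same output doubles as an audit trail of configuration drift, and a non-empty report on a host that should already be compliant is itself a signal worth investigating.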
Jenkins complements Chef and Puppet by providing full traceability of deployments. Jenkins is an open source tool that executes a predefined list of steps, e.g. build and redeploy the Java backend and Angular frontend every 30 minutes or every time a change is detected on GitHub.
Chef and Puppet are the most popular in the space and have the widest support among hardware/software providers. Puppet is used by 42 percent of businesses that use DevOps, followed by Chef with 37 percent (according to RightScale's 2016 survey). Whether you choose Chef or Puppet, you will be able to achieve the same goals with either product.
The most effective practice, though, is hiring or retaining security experts who can evaluate the cyber threat landscape for the company, build in-house threat intelligence, customize solutions, and maintain up-to-date security standards in order to protect against specific vulnerabilities. Even though this means extra expenses, security incidents can result in much higher post-breach costs and can even destroy a startup.
At my company, for example, the secure development lifecycle implies proactive planning and implementation of security-first design during development. First, threat models should be created and threat mitigations included in technical specifications. Next, developers perform static security analysis of their source code as they write it, before compilation. This allows them to identify and fix vulnerabilities in the software before the QA phase. During the QA phase, the team makes a final secure code review before the release, analyzing the runtime configuration for security vulnerabilities. A support team maintains the code with the latest patches and updates and executes continuous fuzz testing to harden the code against potential attacks. It is vital that digital businesses have regular, rigorous maintenance and patching programs that enable them to address vulnerabilities as they are discovered.
Fuzz testing is a software testing technique used to discover coding errors and security loopholes in software by inputting massive amounts of random data to the system in an attempt to make it crash.
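The continuous fuzz testing step in the lifecycle above, and the definition just given, come down to a loop that mutates valid input and watches for unexpected crashes. The following is an added example, not code from the article: a small mutation-based fuzz harness in plain Ruby, run against a constructed `key=value;key=value` record parser in two versions, a naive one that crashes on malformed input and a hardened one that rejects it with a defined `ParseError`. The parsers, the seed record, the mutation set and the `MAX_RECORD_BYTES` limit are all constructed for illustration.

```ruby
# Added example (not from the article): a mutation-based fuzz harness in plain
# Ruby. Everything here (parsers, seed record, mutations) is constructed.

class ParseError < StandardError; end

# Naive parser: assumes every field contains "=" and that no field is empty.
def parse_naive(record)
  record.split(";").each_with_object({}) do |field, h|
    key, value = field.split("=", 2)
    h[key.strip] = value.strip   # NoMethodError on nil when "=" or the whole field is missing
  end
end

MAX_RECORD_BYTES = 256           # constructed limit

# Hardened parser: validates size, character set and field shape up front and
# reports problems as ParseError, so malformed input is rejected, never a crash.
def parse_hardened(record)
  raise ParseError, "not a string" unless record.is_a?(String)
  raise ParseError, "record too long" if record.bytesize > MAX_RECORD_BYTES
  raise ParseError, "non-printable byte" unless record.each_byte.all? { |b| b.between?(0x20, 0x7e) }
  record.split(";").each_with_object({}) do |field, h|
    key, value = field.split("=", 2)
    raise ParseError, "malformed field #{field.inspect}" if key.nil? || key.strip.empty? || value.nil?
    h[key.strip] = value.strip
  end
end

SEED_RECORD = "user=alice;role=admin;ttl=3600"   # constructed valid input

# One random mutation of a byte array: flip, insert, delete or truncate.
def mutate(bytes, rng)
  b = bytes.dup
  case rng.rand(4)
  when 0 then b[rng.rand(b.size)] = rng.rand(256) unless b.empty?
  when 1 then b.insert(rng.rand(b.size + 1), rng.rand(256))
  when 2 then b.slice!(rng.rand(b.size), 1) unless b.empty?
  when 3 then b = b[0, rng.rand(b.size + 1)]
  end
  b
end

# Fuzz loop: apply 1-3 mutations to the seed, call the parser, and record any
# exception that is not the parser's own defined rejection. A fixed RNG seed
# keeps the run reproducible, which matters when triaging a crash later.
def fuzz(parser, seed: SEED_RECORD, iterations: 2000, rng_seed: 7)
  rng = Random.new(rng_seed)
  crashes = []
  iterations.times do
    bytes = seed.bytes
    (1 + rng.rand(3)).times { bytes = mutate(bytes, rng) }
    input = bytes.pack("C*")
    begin
      parser.call(input)
    rescue ParseError
      # expected: a defined rejection of bad input is not a crash
    rescue StandardError => e
      crashes << { input: input, error: e.class.name }
    end
  end
  crashes
end

# Re-run one crashing input to confirm the crash is reproducible: the first
# step of triage before a fix is written.
def reproduces?(parser, input)
  parser.call(input)
  false
rescue ParseError
  false
rescue StandardError
  true
end

if $PROGRAM_NAME == __FILE__
  naive = fuzz(method(:parse_naive))
  puts "naive parser: #{naive.size} crashing inputs, e.g. #{naive.first&.fetch(:input).inspect}"
  puts "hardened parser: #{fuzz(method(:parse_hardened)).size} crashing inputs"
end
```

The harness distinguishes a defined rejection from a crash on purpose: a parser that validates input and raises its own error type has behaved correctly, and counting that as a finding would bury the real bugs. Keeping the crashing inputs (rather than just a count) is what lets the support team turn a fuzzing run into a regression test once the bug is fixed.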
Any application's security state is static, and can only be evaluated against criteria that reflect a particular point in time. Consequently, an application may be shown to be secure today, but there is no way to know whether it will be secure tomorrow. It is vital to conduct continual security reviews that focus not only on new features but also run regression analyses of old code with new and updated tools.
Developers can scan the code for flaws throughout the development cycle with open source static analysis tools available at the Software Assurance Marketplace (SWAMP), as well as open source dynamic analysis tools, such as Cuckoo Sandbox.
Even if a company decides to implement Runtime Application Self-Protection (RASP), there is an affordable way to do it by getting a cloud-based solution with pay-per-use models.
Published at DZone with permission of Nadia Beregova. See the original article here.