This blog is co-authored by Matthew McCullough and is part three of a four-part series about DevSecOps.
Previously, the series explored a framework for continuous security and looked at one aspect of maintaining application security, a software Bill of Materials (BOM,) and associated vulnerabilities. This blog focuses on application security and how Cisco validates its software based on industry and internal security standards.
After an application is developed, multiple tests are run (e.g., unit, functional, regression, smoke, fuzzing) to ensure the application is ready to be deployed to Production. But beware. If integrated security testing isn’t included and scanning for web vulnerabilities isn’t completed, the app in production is vulnerable to an increasing number of attacks using various means such as injection, Cross-Site Scripting (XXS), or simple misconfigurations.
At Cisco, we use a variety of services that test and validate the security of our applications prior to release. One of these internal services made available to our developers is the Cloud Automated Validation Engine (CAVE). CAVE provides Dynamic Application Security Testing (DAST), Secure Sockets Layer/Transport Layer Security (SSL/TLS) validation, and host configuration auditing. It also checks the application design against Cisco’s Security Controls Framework (SCF) as part of the Cisco Secure Development Lifecycle (SDL).
How developers run tests prior to deployment varies between our internal and public applications. To accommodate these different testing use cases, CAVE was built as a completely containerized solution that makes it highly versatile and scalable. Teams can spin-up one of the various CAVE containers, send a few attributes, and get meaningful results in minutes. Developers who have access to an automated continuous integration/continuous delivery (CI/CD) pipeline or an automated testing framework can use the shared Jinkins shared library.
One of the most prominent and beneficial features of CAVE is its ability to scan web applications for vulnerabilities using its Dynamic Application Security Testing (DAST) scanner. DAST provides black box testing for our web applications and APIs. The Open Web Application Security Project (OWASP) publishes a list of the top 10 Web application security risks and provides a Web Security Testing Guide. We have integrated the guidance provided by the OWASP in addition to our own validation tests to provide full coverage for emerging attack types.
The well-known Heartbleed Bug, which found vulnerabilities in SSL/TLS communications in OpenSSL, showcases why we should be validating the crypto being utilized. We utilized CAVE’s crypto validation container to verify that not only is the most secure version of TLS being used but also that a trusted, secure, and valid certificate is being used.
When web applications run on traditional hosts or virtual containers, host security validation cannot be ignored. No matter how secure application code might be, if the host is left misconfigured, secure development efforts are not effective.
A good starting point for identifying insecure host configurations is to use the benchmarks provided by the Center for Internet Security (CIS). CIS publishes hardening guidelines for all major operating systems and releases benchmarks that validate those guidelines. These benchmark baselines have been automated in CAVE, with checks included to simplify deployment as part of Cisco containerized services. Developers get a better understanding of the security of the application and what the application is running on.
Whether developing an internal application or a public software product, developers will most likely need to demonstrate their product’s compliance with one or more industry standards. Once a scan using the CAVE container is completed, the tool automatically matches the results against Cisco’s SCF. The SCF match can then be applied to individual certifications for use as artifacts.
Often teams must demonstrate compliance with certifications such as SOC2 or FedRAMP to external auditors. These artifacts provided through CAVE make demonstrating compliance easier for developers. Results are displayed to the user (Figure 1) and can also be exported in JSON to our central reporting hub where we have visibility into all our security compliance checks throughout all of Cisco’s offerings.
Cisco’s security tooling has evolved over time to adapt to the needs of our developers and customers. Here are a few lessons we’ve learned while developing CAVE that may prove valuable to others as they create application security services.
With the complexity and frequency of web application attacks increasing, developers must invest in embedding security automation within their pipelines. Relying on manual security tests or usability testing to discover vulnerabilities alone doesn’t scale with the number of potential attack vectors that can slow down release velocity. There are some valuable tools and resources available to help validate application security.
We’d like to hear from fellow practitioners about what has worked for you in continuously testing the security of your applications. Please post your comments below and make sure to read the next blog in the series!
Visit our Trust Center
to learn about Cisco’s long-term commitment
to security and trust journey