From the community

Delio Tech: Secure by design - shifting security left

March 30, 2020 | Technology

Content provided by Delio

Delio
Delio Tech: Secure by design - shifting security left

Security is an essential and critical part of any product development process. Due to the continually shifting nature of security, it should be high on every business's agenda. It seems almost every day in the media we’re reading about a new vulnerability found within a piece of software that was previously thought to be secure, or a new data breach coming from a large company.

A common approach to security with code is to push it far down the pipeline to the Information Security (InfoSec) team, where they would test the application for any security issues and compliance. As can be seen in the diagram below, such testing can require hours and hours of input from Developers and Testers through to DevOps Engineers and the InfoSec team itself. 

 

The image highlights what used to be Delio’s traditional approach of checking security shortly before deployment. This old approach is further highlighted below and has now been replaced.

  1. A Developer takes a week to write a snippet of code
  2. They deploy the code to the staging server via the pipelines where the code gets tested
  3. Once completely approved and tested, the code is then sent to a demo server where testers review the code again
  4. The code is about to be released
  5. Hold on! InfoSec takes a look, and it’s bad news. The underlying open source component, which your code relies on, is insecure and cannot be used
  6. The Developer has to rewrite their code and begins Step 1 again

 

Not only is this process time-consuming, but because it requires much effort, it impacts team morale. Because of this, Delio decided to take a different approach: shifting the security check ‘to the left’ during development. 

 

Boosting morale with a more efficient security check approach

Security checking ‘to the left’ is essentially the process of moving these checks to the start of the development cycle. It reviews whether code is secure from the get-go rather than waiting until the end, where the risk of securely rewriting large amounts of code is high.

It all starts with the right tools. We use several tools to help us check whether the code appears to be correct (using static code analysis) and check our open source dependencies for vulnerabilities against a database of Common Vulnerabilities and Exposures (CVE). This whole process by design is integrated into our CI* pipelines. On each push to our source code control repository, the pipeline can be checked alongside our tests. By adapting our pipeline, we have been able to make deployments more efficient.

Placing security checking & compliance ‘to the left’ comes with its speed penalties. However, you can easily overcome such penalties by running multiple pipelines in tandem. At Delio, for example, we now run our tests, our static code analysis and our open source vulnerability tool all at the same time. It’s also quicker to fix issues as they present, rather than much later down the pipeline when the developer has moved onto other work and then has to ‘task switch’ back to the original work. 

 

The benefits

For us, here at Delio, it means we’re saving precious development time. Also, more importantly, we’re instilling secure development practices from the start of the work, which is recommended as nobody wants to ship insecure code. Besides making the team manage workflow more efficiently, it is helping Developers understand security from the get-go. The team is being upskilled and more aware of the impact their code can have in terms of security. As a result, we’re shipping new features quicker and more securely to our clients’ platforms. 

With all of these pipelines running our tools and processes, you significantly diminish the chances of running vulnerable code in production. Nobody can ever be 100% positive whether a piece of code is vulnerable or not, but that is why strengthening the security process while making it more time-efficient, is a continuous operation. 

 

Where next?

The next part of the puzzle is having your pipelines set correctly, as it can help shorten your security analysis. Robust CI/CD* pipelines mean that an Open-Source Dependencies Check can be more easily integrated into the pipeline. Just remember to block the pipeline if your security scan fails. For example, here at Delio, we block it until we have fixed any vulnerabilities, so no further code is added until it passes all pipeline automated tests.

Despite all of this, wouldn’t it be even better if we could review the code security in real-time? This process is one of the things we are currently reviewing. Adding these tools directly into the Integrated Development Environment (IDE), allows Developers to check for security while writing their code in real-time. Whether there is a problem with the written code or whether one of the open-source dependencies is on the CVE database, these instabilities can be flagged instantly. In doing so, Developers can save a considerable amount of back-and-forth checking. By turning security into a continuous process, businesses can drive their technology to the next level.


*CI/CD: Continuous Integration/Continuous Deployment. This pipeline automates the development, testing and deployment of code.

More in Technology

Our FinTech Journey: Q and A with Samsung Electronics UK
Technology
June 17, 2020

Our FinTech Journey: Q and A with Samsung Electronics UK

The latest company to join FinTech Alliance is Samsung Electronics. We caught up with the global tec...

Samsung Developers Introduction

Posted By The Community

Technology
June 15, 2020

Samsung Developers Introduction

Ready to design and develop experiences for billions of Samsung device users? Grow and learn from ot...

Written By: Samsung Electronics

Santander to accelerate digital transformation with big tech hires
Technology
June 12, 2020

Santander to accelerate digital transformation with big tech hires

Santander has announced it will hire 3000 IT professionals across the globe.   In Brief...

Technology
August 04, 2020

Global M&A Industry Trends in Technology, Media & Telecommunications

Global M&A Industry Trends in Technology, Media & Telecommunications As COVID-19 continue...

Technology
August 04, 2020

Global infrastructure trends

The infrastructure sector sits at a collision point of global disruptions, including shifts in capit...

Technology
June 22, 2020

Technology sector shows resilience during lockdowns

Remote working, online shopping and telemedicine have shielded the technology sector from the worst...

MoneyNext Online

MoneyNext Online

When: Aug 18th - Aug 21st, 2020
Where: Online event, London
Price: FREE
Women in Tech Festival UK 2020

Women in Tech Festival UK 2020

When: Sep 15th, 2020
Where: The Brewery, London
Price: FREE