BEST PRACTICES: How testing for known memory vulnerabilities can strengthen DevSecOps

DevOps wrought Uber and Netflix. In the very near future DevOps will help make driverless vehicles commonplace.


Yet a funny thing has happened as DevOps – the philosophy of designing, prototyping, testing and delivering new software as fast as possible – has taken center stage. Software vulnerabilities have gone through the roof.

Over a five-year period the number of technical software vulnerabilities reported to the National Institute of Standards and Technology’s National Vulnerability Database (NVD) more than tripled – from 5,191 in 2013 to a record 16,556 in 2018.

Total vulnerabilities reported in the NVD dropped a bit in 2019, down to 12,174 total flaws. Some credit for that decline surely goes to the DevSecOps movement that has come into its own in the past two to three years.

DevSecOps proponents are pushing for security-by-design practices to get woven into the highly agile DevOps engineering culture. Still, 12,000-plus fresh software vulnerabilities is a lot, folks. And that’s not counting the latent vulnerabilities getting overlooked in this fast-paced environment – flaws sure to be discovered and exploited down the line by opportunistic threat actors.

San Jose-based application security vendor Virsec is seeking to tilt the balance a bit more to the side of good. Virsec supplies systems that help companies detect malicious activity transpiring very stealthily — at the deepest levels of software code being executed in a live environment.

I had the chance at RSA 2020 to visit with Shauntinez Jakab, Virsec’s director of product marketing. We discussed steps Virsec is taking to direct its deep-detection technologies towards the design phase of creating new apps. For a full drill down on our conversation give a listen to the accompanying podcast. Here are key takeaways:

Runtime exploits

The hacking groups responsible for massive, headline-grabbing data thefts – think Marriott and Equifax — share a couple of things in common. To gain a foothold inside the network perimeter, the attackers had to bypass the best legacy defense systems money can buy. And once inside, they employed tactics that enabled them to remain undetected for weeks as they methodically ransacked crown-jewel databases.

Hacking groups today routinely do this; they cover their tracks by injecting malicious code well beneath the purview of legacy firewalls, intrusion detection tools and data loss prevention systems. This ultra-stealthy class of malware executes fleetingly, only at runtime — the period of time between opening a software program and quitting, or closing.

During runtime, pieces of the application get loaded into the computing device’s memory (RAM), allowing the app to do its thing. Threat actors know how to slip benign-looking snippets of code into application servers; this code then gets transformed into attack code that executes only during runtime.

Deterministic protection

Virsec’s expertise lies in flushing out these runtime exploits that pivot off of arcane software flaws at the compiled code and microcode levels, Jakab says. Virsec supplies systems to detect and remediate any malicious activity discovered executing at this deep level. This serves to preserve the integrity of vital operations, while keeping valuable data and sensitive intellectual property beyond the reach of sophisticated intruders. Here’s how Jakab broke it down for me:

“We take a deterministic approach to detecting attacks during runtime. This is when the attacker, be it a nation-state or a very sophisticated threat actor, has bypassed network-level protections and already has access to the server . . . so now the attacker knows your applications inside and out, and knows the state of their vulnerabilities.


“We look at how the app was designed to function to determine when these types of exploits are taking place. We take a control-flow-integrity approach. We examine the files and processes the app is leveraging down to the data that’s being inputted into memory . . . we look at how data is being manipulated in memory to trigger a malicious action, such as taking control of your application.”
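To make the control-flow-integrity idea concrete, here is an added example (not Virsec’s code, and not part of the original post) in C: a forward-edge check that only allows an indirect call to reach the targets the program was designed to call, and flags anything else as a corrupted pointer. The `simulate` function and the `not_a_target` stand-in for attacker-chosen code are constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>

/* Handlers the program was designed to reach through this call site. */
typedef int (*handler_t)(int);

int add_one(int x)   { return x + 1; }
int double_it(int x) { return x * 2; }
/* Constructed stand-in for code an attacker would redirect the pointer to. */
int not_a_target(int x) { return -x; }

/* The CFI policy: the only legitimate targets for this call site. */
static const handler_t allowed[] = { add_one, double_it };
#define N_ALLOWED (sizeof allowed / sizeof allowed[0])

/* Returns 1 if fn is a legitimate target for this call site, else 0. */
int cfi_allowed(handler_t fn) {
    for (size_t i = 0; i < N_ALLOWED; i++)
        if (allowed[i] == fn) return 1;
    return 0;
}

/* Dispatch through the pointer only after validating it against the policy.
   On a violation the target is never called; *violation is set and -1 returned. */
int checked_dispatch(handler_t fn, int arg, int *violation) {
    if (!cfi_allowed(fn)) {
        *violation = 1;
        return -1;
    }
    *violation = 0;
    return fn(arg);
}

/* Constructed scenario: corrupt != 0 models a memory-corruption bug that has
   overwritten the function pointer before the indirect call is made. */
int simulate(int corrupt, int *violation) {
    handler_t fn = double_it;
    if (corrupt) fn = not_a_target;
    return checked_dispatch(fn, 21, violation);
}

int main(void) {
    int v, r;
    r = simulate(0, &v);
    printf("clean call:     result=%d violation=%d\n", r, v);  /* 42, 0 */
    r = simulate(1, &v);
    printf("corrupted call: result=%d violation=%d\n", r, v);  /* -1, 1 */
    return 0;
}
```

Real CFI enforcement (compiler-inserted checks, shadow stacks, hardware features) works on the same principle but without a hand-written allowlist; the point shown here is that a deterministic policy lets the detector refuse the call rather than guess at signatures.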

‘Fail fast’ by design

Back to DevSecOps. In principle, DevSecOps should be keeping a lid on the vulnerabilities cropping up in new software. However, DevSecOps is in a very early emergent phase, with plenty of room for improvement.

Squashing vulnerabilities – without impairing agility – is the idea behind DevSecOps frameworks including Static Application Security Testing (SAST), Dynamic Application Security Testing (DAST), Interactive Application Security Testing (IAST) and Run-time Application Security Protection (RASP).

These processes support a “fail fast” approach to prototyping and testing: pour everything into quickly deploying minimally viable software to learn where it works or fails, and then iterate and remediate on the fly, keeping one eye on security.

The problem with SAST, DAST, IAST and RASP is they are not very good at catching vulnerabilities that are architectural in nature, i.e. the deep flaws that motivated threat actors are likely to subsequently discover and exploit.

‘Shift left’ deep testing

Virsec has learned a lot helping big financial services firms and enterprises that rely on hefty industrial control systems to stop deep-dive hackers. Thus, the company has embarked on a “shift left” initiative to share the hard-won field intelligence it has gained with the software development community, Jakab says.

Virsec sees value in essentially integrating the insights gained from its core operations into the early phases of designing and testing new software — or to the left of the development-production timeline, as it were.

Intelligence about how threat actors carry out memory-based attacks at runtime can supplement multiple levels of testing, from integration and system-level tests on up to final quality assurance testing, Jakab says.

“Now you can insert Virsec findings in all of these testing iterations, and get visibility at a very deep level of where there may be software errors,” she says.

What Virsec is bringing to the DevSecOps table is, essentially, very granular penetration testing based on in-the-field forensics. It struck me that this is very likely what the elite hacking groups are standing by to do. Cybercriminals can’t wait to get their hands on agilely developed applications full of latent vulnerabilities.

It would be nice if the good guys beat them to the punch, for once. I’ll keep watch.


Pulitzer Prize-winning business journalist Byron V. Acohido is dedicated to fostering public awareness about how to make the Internet as private and secure as it ought to be.

This is a Security Bloggers Network syndicated blog from The Last Watchdog authored by bacohido. Read the original post at: https://www.lastwatchdog.com/best-practices-how-testing-for-known-memory-vulnerabilities-can-strengthen-devsecops/