The pace and scale of security vulnerabilities is increasing. This is in spite of the fact that teams have been trying to keep their code secure for years. So, why are vulnerabilities still such a problem? When teams use security tools and strategies that don’t optimize the developer experience, development is slowed down. This creates frustration, undermines customer usability, and hampers business success. Businesses that use such tools and strategies end up de-prioritizing security, and instead focus on shipping software quickly.
Here at GitHub, we want to help you mitigate vulnerabilities while boosting developer productivity. Fortunately, the Open Web Application Security Project (OWASP) can help. OWASP provides a Top 10 list of vulnerabilities that gives developers and organizations the context they need to address security and compliance risks within their applications. Today, we’ll examine several of OWASP’s vulnerabilities and developer-optimized strategies for keeping your software safe while maintaining and even increasing developer productivity.
1. The ideal application security environment
First of all, your development team needs an environment that fosters success. And the most important part of this is embedding security into the developer workflow. Typically, disparate, third-party tools are used to identify security risks. But these tools can be slow, noisy, and decrease productivity. However, when security is integrated into the developer flow, you can secure your code quickly and easily. As discussed in the GitHub Advanced Security ebook, other ideal environment components include:
Visibility into your security posture across code, secrets, and supply chain.
Communication channels that are lightweight and context‐ sensitive, allowing for easy collaboration.
Scalability with your business needs.
It may not be possible to implement each of those capabilities at once, depending on the maturity of your business. But as you mature and continuously improve, fostering this ideal environment will help you protect against vulnerabilities and ship secure software faster.
2. OWASP vulnerabilities risk mitigation and prevention
Now that the ideal state has been described, let’s look at a few OWASP vulnerabilities and some techniques to mitigate them.
No developer intentionally exposes their software to security threats. However, sometimes API keys, clear text passwords, security tokens, and other sensitive data may remain in code, leading to cryptographic vulnerabilities.
Ideally, secrets would never reach your enterprise, organization, or repository. But they often do and need to be mitigated. Fortunately, GitHub Advanced Security can help.
By implementing push protection, GitHub’s secret scanning feature will not only scan your code for exposed secrets, but also check pushes for high-confidence secrets (those identified with a low false positive rate). It will list any secrets it detects so you can review and remove them. If a decision is made not to remove them, an audit trail will be created.
Cross-site scripting, path injection, SQL injection, and NoSQL injection are several of the vulnerabilities that have plagued applications for years and continue to stay in the OWASP Top 10 list.
One strategy to address these vulnerabilities is running consistent and effective security code reviews. Not only will your code become cleaner, free of technical debt, and code smells, it will also become more secure. Reviewing these vulnerabilities can become part of your existing GitHub pull request workflow.
Code scanning can also leverage the power of machine learning to find injection vulnerabilities and help communicate risks to developers and security professionals. CodeQL powers code scanning and scans your data for security vulnerabilities.
Threat modeling strategies can be implemented to encourage collaboration between developers, security professionals, and even risk management teams. This can help ensure that the architecture and design patterns are as secure as possible long before a single line of code has been written.
As you continue to adopt open source components at a rapid pace, it’s more important than ever to understand the composition of your software and be able to update vulnerable components.
One of the best strategies for managing the risk of vulnerable and outdated components is to alert developers as soon as a security threat is found and give them the ability to take action in their normal workflows and tooling.
By leveraging Dependabot, you will receive an alert when a repository uses a software dependency with a known vulnerability. A pull request can even be triggered by the security team, which is a simple and effective way for security and developers to communicate.
The best part of these tools is they happen within GitHub. So, you don’t need to worry about decreased productivity or excessive context switching.
Developer-empowering application security
By implementing these strategies, you can create a developer-embedded, collaborative, and scalable application security environment that provides risk mitigation across the supply chain. At the same time, you will ensure that developer productivity is not adversely affected.
We will be at the OWASP 2023 Global AppSec Dublin event from February 15-16, Booth #DA2. Book some time with our experts here to dive deeper into this topic and answer any questions about these strategies.
Want to gain hands-on experience? Then check out GitHub Skills for details on this, and other hands-on learning exercises!
Object Graph Notation Language (OGNL) is a popular, Java-based, expression language used in popular frameworks and applications, such as Apache Struts and Atlassian Confluence. Learn more about bypassing certain OGNL injection protection mechanisms including those used by Struts and Atlassian Confluence, as well as different approaches to analyzing this form of protection so you can harden similar systems.
It turns out that the first “all Google” phone includes a non-Google bug. Learn about the details of CVE-2022-38181, a vulnerability in the Arm Mali GPU. Join me on my journey through reporting the vulnerability to the Android security team, and the exploit that used this vulnerability to gain arbitrary kernel code execution and root on a Pixel 6 from an Android app.