1 Making Sense of Application Security
This chapter covers

  • What DevSecOps is and why it is essential
  • Identifying how security roles and responsibilities are divided between developers and everyone else in an organization implementing DevSecOps
  • Identifying the security skills you should possess as an application developer

Every week we are treated to a headline about some security vulnerability in a widely used piece of software or a data breach at a mega-corporation affecting millions of users (figure 1.1). My bank replaced my credit card twice in a five-year period due to data breaches at large retailers where I shopped.

Figure 1.1 Headlines showcasing major recent data breaches and security vulnerabilities, emphasizing the widespread impact on millions of users and the persistent threat to digital security.

We used to think that security vulnerabilities were primarily a software issue. However, hardware security vulnerabilities have become common in recent years. Spectre and Meltdown[1], reported in January 2018, allowed attackers to bypass the CPU's hardware protection for memory access. In a cloud or multi-tenant environment, Spectre and Meltdown make it possible for one cloud tenant to read the memory of another tenant. The hardware walls we depend on to isolate workloads were suddenly full of holes for attackers to sneak through.

1.1 Security as a CEO-level problem

1.2 Securing communication channels

1.3 Securing application dependencies

1.3.1 Continuous dependency vulnerability detection and patching

1.4 Understanding DevSecOps

1.5 Information security roles and responsibilities

1.6 Security technologies every developer should know

1.7 Summary