In recent years, security has taken a back seat to time-to-market. We’ve moved from a waterfall to an agile software methodology and left ourselves with less and less time in the release cycle to tack security on at the end. Sure, we all run a pen test at some point in the CI/CD chain, but who has the time to check through all those false positives?
At the end of the day, “I might get hacked” is a significant motivator. But “I will lose revenue if I can’t get to market on time” has become the more important driver.
Let’s step back a bit and look at this objectively. An application’s risk evolves over time. You can start to assess whether your original design addressed security concerns properly in the development phase. Once you move into the CI/CD chain, you can catch “mistakes” or security holes in the code by setting up systems with:
- Artifact repositories that can notify you when code libraries become vulnerable
- Penetration tools that can find security holes in your code
- Source code scanners that analyze source code for vulnerabilities
- Software Composition Analysis (SCA) tools that can identify outdated or poorly licensed open source code
But what happens after you push your code into production? That’s where applications that aren’t regularly updated can go stale over time. Bit rot sets in and your risk goes up.
Balancing speed of development with security and compliance requirements can be a constant struggle. We address this issue and give an overview of our new runtime security solution in this on-demand webinar.
Combatting Bit Rot
ActiveState is still famous for providing the very first Perl for Windows distribution: ActivePerl back in 1998. Believe it or not, some of those original implementations are still in place today. The developers have moved on, but the script or application is still perfectly functional, so the maxim, “if it ain’t broke, don’t fix it” pertains 20 years later. Unfortunately, even though the application isn’t broken, the original underlying Perl 5.6 technology certainly is. Your Perl 5.6 from 20 years ago now features a number of well-documented security vulnerabilities.
So when dealing with the philosophy of a “ship first, fix later” release cycle, how can you best manage application risk? The options to date that can help you track security across your software development lifecycle and into production all involve installing some kind of continuously running agent, either:
- At the system level using Application Scanning Tools (AST) like Contrast, Fortify, AppScan, etc.
- Within the application’s code using Runtime Application Self-Protection (RASP) solutions like Snyk, Immunio, Prevoty, etc.
The ActiveState Platform offers an alternative: an interpreter plugin that runs whenever and wherever your code is exercised across your development lifecycle, as well as in production. The plugin runs only when your code is initially loaded, so it doesn’t need to run continuously, which eliminates the performance and destabilization concerns typically associated with agents. And because it tracks risk without delaying your software development pipeline, it won’t slow down time to market.
To learn more about the security and risk capabilities of the ActiveState Platform, watch our short demo: Monitoring Risk in your Open Source Code.