DevSecOps will go mainstream this year

Posted on Tuesday, January 26, 2021 by RICHARD HARRIS, Executive Editor

Cybercriminals love Shadow Code exploits because compromising a commonly used library or service can place malicious code on hundreds or thousands of websites at once. For example, the widely used jQuery JavaScript library has been breached multiple times, leading to digital skimming attacks across the e-commerce sector. Adding jQuery to an application without a security review to check whether that version of the library has an outstanding vulnerability is a classic Shadow Code failing. Typosquatting is another favorite, broadly applicable technique: attackers create malicious third-party scripts whose names closely resemble legitimate services (payments or chatbots, to name two examples), either to trick developers into adding the code or to reduce suspicion when the code sends stolen data to the lookalike domains. The malicious scripts then execute hard-to-detect skimming attacks against application users, often evading detection for months.

The definition of DevSecOps

According to Sumo Logic, DevSecOps is the philosophy of integrating security practices within the DevOps process. DevSecOps involves creating a ‘Security as Code’ culture with ongoing, flexible collaboration between release engineers and security teams. The DevSecOps movement, like DevOps itself, is focused on creating new solutions for complex software development processes within an agile framework.

DevSecOps is a natural and necessary response to the bottleneck effect of older security models on the modern continuous delivery pipeline. The goal is to bridge traditional gaps between IT and security while ensuring fast, safe delivery of code. Silo thinking is replaced by increased communication and shared responsibility of security tasks during all phases of the delivery process.

DevSecOps will go mainstream this year

With a growing percentage of the code running in client-side applications coming from third-party JavaScript libraries or services, we see an increase in “Shadow Code.” In front-end JavaScript, Shadow Code is code that is introduced into an application without a formal approval process or security validation. Shadow Code often takes the form of third-party vendor or open-source libraries delivering specific functionality to an application. It can also include first-party code introduced by a rogue or compromised developer, or unauthorized code injected into the application through a vulnerability or security breach. Because it was not appropriately reviewed, or may have been compromised or modified since code review (which is common with third-party vendors, whose scripts are loaded live from their servers), Shadow Code may harbor malicious client-side code that alters application behavior to illegally gather and exfiltrate PII from websites. The malicious code may escape further scrutiny because it executes on the client side rather than on infrastructure the application owner monitors.

Who is Ido Safruti?

Ido Safruti is CTO and co-founder of app security leader PerimeterX. As CTO he is responsible for stewarding the company’s technology vision and leading the R&D team. Before PerimeterX, he was Senior Director of Product Management at Akamai, focused on web performance and scalability. Ido joined Akamai through the acquisition of Cotendo, where he was VP for product strategy. Prior to Cotendo, he headed a cybersecurity branch of the Israeli intelligence services. He holds a master’s degree in computer science from Tel Aviv University and a degree in physics and mathematics from the Hebrew University.
