Due to the dramatically increasing number of cyber security threats, security has become a top priority for many companies and even for people operating only small websites. Unfortunately, because of the countless variants of attacks and the constantly and rapidly changing threat landscape, keeping up with the latest developments is almost impossible.
As a result, attackers are frequently one step ahead. Attacks are getting smarter, more sophisticated and better organized. Consequently, data breaches, phishing and social engineering attacks, denial of service attacks, website defacement, malware and ransomware attacks, to mention just a few, are reported almost on a daily basis. More recently we also see an ever increasing number of successful supply chain attacks.
If a company becomes the victim of a successful attack, this can have a significant impact on its business. Customers may no longer trust the company and may move to its competitors. If this happens, recovering will most likely be rather challenging (it might even be impossible), as trust is very easy to lose but very difficult to build.
Hence, considering security during the development and operation of web services is becoming more and more important. In the past, security was something that was done after the software had been written and deployed. This has changed recently with the shift-left paradigm that is part of the DevSecOps approach: security is integrated earlier in the software development process. Instead of only doing a penetration test after the software has been deployed, security activities are done during development, and some security activities (such as threat modeling) are done even before code is written.
Security activities are also done more regularly. For instance, whenever the software is changed the threat model is updated, static application security testing (SAST) is performed automatically for each commit, dynamic application security testing (DAST) is run automatically when the software is deployed to a QA environment, and so on. All these activities help to reduce the number of security vulnerabilities before the software reaches the live environment, and, just as important, they find the vulnerabilities while they are still inexpensive to fix.
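As an added illustration of how the two automated activities just described can be wired into a pipeline (this is an example written for this page, not a configuration from the original article or any particular project), the following GitHub Actions workflow runs a SAST scan on every push and a DAST baseline scan only after a deployment to the QA environment has been reported as successful. The tool choices (Semgrep for SAST, the OWASP ZAP baseline scan for DAST), the environment name `qa` and the use of the deployment's `environment_url` as the scan target are assumptions; adapt them to your own tooling.

```yaml
# Example workflow (added here; assumptions: Semgrep for SAST, ZAP baseline
# for DAST, a deployment environment named "qa" that publishes environment_url).
name: security-checks

on:
  push:                 # SAST: runs for every commit that is pushed
  deployment_status:    # DAST: runs when a deployment reports its status

jobs:
  sast:
    if: github.event_name == 'push'
    runs-on: ubuntu-latest
    container:
      image: semgrep/semgrep
    steps:
      - uses: actions/checkout@v4
      # --error makes semgrep exit non-zero when findings exist,
      # so the commit is flagged instead of silently passing.
      - run: semgrep scan --config auto --error

  dast:
    # Only scan once the QA deployment is up; skip other environments
    # and failed or pending deployments.
    if: >-
      github.event_name == 'deployment_status' &&
      github.event.deployment_status.state == 'success' &&
      github.event.deployment.environment == 'qa'
    runs-on: ubuntu-latest
    steps:
      # zap-baseline.py performs a passive scan of the running QA site and
      # exits non-zero on warnings/failures, which fails this job.
      - run: |
          docker run --rm -t ghcr.io/zaproxy/zaproxy:stable \
            zap-baseline.py -t "${{ github.event.deployment_status.environment_url }}"
```

The point of the split is the trigger, not the tools: static analysis needs only the source, so it can gate every commit cheaply, whereas dynamic testing needs a running instance and therefore hangs off the QA deployment event. Both jobs fail the pipeline on findings, which is what turns "security testing" into an enforced check rather than a report nobody reads.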