How DevSecOps Can Combat Zero-Day Threats
The lack of information about vulnerabilities doesn't mean there aren't ways to detect, block, and mitigate them. DevSecOps is one of the best ways to do so.
Zero-day threats are becoming more dangerous than ever. Recently, bad actors have taken over the TikTok accounts of celebrities and brands through a zero-day hack. In late May to early June, reports of high-profile TikTok users losing control over their accounts started to surface after opening a direct message. The malware used for the attack was able to infect devices without the users downloading or installing anything.
TikTok appeared unaware of the extent of the damage. The company’s spokesperson, Alex Haurek, said that the number of accounts compromised was “very small,” but he also declined to provide a specific number. He said they have been working with the owners of the affected accounts to restore access and that they have implemented measures to make sure the problem does not happen again.
If a massive company with vast resources can fall victim to a serious zero-day attack, it follows logically that smaller companies find themselves in a more vulnerable position. This underscores the importance of maximizing the integration of DevOps and security.
The Threat of Zero-Day Vulnerabilities
Zero-day vulnerabilities are security weaknesses or issues in software that have not been discovered, identified, and profiled yet. Nobody knows they exist, let alone how they work. There are no security patches available to address them. When threat actors discover them, they get to launch attacks generally unhindered and unmitigated. Most existing cyber defenses tend to be ineffective against such attacks.
TikTok is just one of the major organizations hit by zero-days. In 2017, Microsoft was rocked by a zero-day exploit in MS Word that led to compromised personal bank accounts. In 2020, at least two zero-day vulnerabilities that enabled remote attacks were discovered in Apple’s iOS. That same year, the popular video-conferencing platform Zoom sustained a serious zero-day encounter – a vulnerability that made it possible for hackers to take over devices and access files.
However, the lack of information about vulnerabilities does not mean there are no ways to detect, block, and mitigate them. Zero-days are stoppable, or at least mitigatable, with the right strategies and solutions. They are not easy to address, but the right measures can significantly impede threat actors’ efforts to attack undetected. And one of the best ways to keep them at bay is through DevSecOps.
A Foundation for Modern IT Security
DevOps has been a favorite buzzword in the software development field in the past few years, but it eventually became apparent that security cannot be disregarded in the quest to optimize the software development process and accelerate time to market. Cyber threats have become increasingly aggressive and sophisticated, and it has become necessary to involve developers in building cyber protection.
Standalone security review tools are not ineffective in general, but they cannot directly fix issues that lie in the software code itself. With this in mind, it’s the developers who are in the best position to implement practices that emphasize security from the ground up, while still keeping high deliverability in mind.
For one, developers can adopt the shift-left principle, wherein security testing tools and processes are integrated into the CI/CD pipeline. They can identify and address vulnerabilities during the development phase as part of their standard routine, instead of undertaking a separate security testing phase. This removes many security issues before the software is deployed.
Developers can also embrace secure coding practices by following guidelines or standards like the OWASP Secure Coding Practices and the Open Project’s Secure Coding Guidelines. This is also known as the principle of “security by design,” wherein developers build software specifically to be resilient against both known and unknown vulnerabilities.
Additionally, DevOps teams can implement continuous vulnerability scanning to constantly check their code for possible weaknesses. This involves the use of vulnerability scanning tools throughout the development pipeline. It entails additional costs, but the security rewards are indisputable. The ability to detect vulnerabilities in real time enables rapid patching and remediation, preventing threat actors from spotting and exploiting the vulnerabilities.
Also, DevOps teams can leverage Infrastructure as Code (IaC) to streamline secure cloud environment management. IaC enables the configuration and provisioning of infrastructure through code, which makes it easier to iterate security configurations and check the code for issues before deployment. Security practices are baked into the code, ensuring the consistent implementation of security standards and mechanisms.
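As an added example (not code from the article or from any project it mentions), here is a minimal pre-deployment IaC policy gate of the kind described above: it reads a simplified, constructed Terraform-style plan, flags weak settings (an administrative port open to the whole internet, a public or unencrypted bucket), and returns a non-zero status so a CI step can block the deployment. The plan format and field names are assumptions chosen for illustration, not a real plan export.

```python
import json

# Constructed sample plan: one weak security group, one weak bucket, one hardened bucket.
SAMPLE_PLAN = json.dumps({"resources": [
    {"type": "aws_security_group", "name": "web",
     "ingress": [{"from_port": 22, "to_port": 22, "cidr_blocks": ["0.0.0.0/0"]}]},
    {"type": "aws_s3_bucket", "name": "logs", "acl": "public-read",
     "server_side_encryption": False},
    {"type": "aws_s3_bucket", "name": "artifacts", "acl": "private",
     "server_side_encryption": True},
]})

ADMIN_PORTS = {22, 3389}  # SSH and RDP: should never be reachable from 0.0.0.0/0


def check_security_group(res):
    """Flag ingress rules that expose an administrative port to the whole internet."""
    findings = []
    for rule in res.get("ingress", []):
        open_to_world = "0.0.0.0/0" in rule.get("cidr_blocks", [])
        lo, hi = rule.get("from_port", 0), rule.get("to_port", 0)
        if open_to_world and any(lo <= p <= hi for p in ADMIN_PORTS):
            findings.append(f"{res['name']}: admin port range {lo}-{hi} open to the internet")
    return findings


def check_s3_bucket(res):
    """Flag buckets that are not private or are stored without server-side encryption."""
    findings = []
    if res.get("acl", "private") != "private":
        findings.append(f"{res['name']}: bucket ACL is {res['acl']}")
    if not res.get("server_side_encryption", False):
        findings.append(f"{res['name']}: server-side encryption disabled")
    return findings


CHECKS = {"aws_security_group": check_security_group, "aws_s3_bucket": check_s3_bucket}


def scan_plan(plan_json):
    """Return all findings for a plan; an empty list means the plan passes the gate."""
    findings = []
    for res in json.loads(plan_json).get("resources", []):
        check = CHECKS.get(res.get("type"))
        if check:
            findings.extend(check(res))
    return findings


def gate(plan_json):
    """Exit status for a CI step: 0 lets the deployment proceed, 1 blocks it."""
    findings = scan_plan(plan_json)
    for finding in findings:
        print("FAIL:", finding)
    return 1 if findings else 0


if __name__ == "__main__":
    raise SystemExit(gate(SAMPLE_PLAN))
```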
Moreover, DevOps teams can leverage containerization and microservice architectures to isolate applications and make it easier to address zero-day attacks. These do not necessarily prevent the emergence of zero days, but they help control and resolve the problem. Each container runs in an isolated environment, which means that if vulnerabilities are exploited, the compromise can be limited to the affected container. Also, it will be faster to patch the affected container and conduct forensics to ensure that the same problem does not recur even in other containers.
DevSecOps Best Practices
A successful DevSecOps strategy requires more than just tools. It is not enough to have security software and testing integrated into the entire development process. Organizations should also take into account best practices such as continuous monitoring, regular testing and audits, and employee education.
It is, however, important to use security tools that enable continuous monitoring, including automated and AI-driven services capable of comprehensively monitoring the development process for security issues. AI can also power robust vulnerability alert systems that employ contextualization to avoid security information overload and make sure that the most crucial and urgent alerts are not buried under insignificant details such as false positives and logs of low-risk events.
It may sound redundant, but security audits and testing are not the same as continuous monitoring. Audits and testing are conducted on a periodic basis and they target specific areas or functions. Continuous monitoring is an ongoing process that reveals trends and immediately discernible vulnerabilities, but these processes are not as thorough and in-depth as periodic penetration testing.
Lastly, DevOps teams should have high-level proficiency in security optimization. This requires them to undergo training and closely collaborate with the security team.
DevSecOps From Day One
The instances of zero-day attacks are unlikely to drop. It is advisable to prepare for them and even anticipate the growing aggressiveness and cunning of threat actors in finding and exploiting vulnerabilities. It makes perfect sense to embrace DevSecOps, which may require a paradigm change for many organizations. Organizations need to observe new practices and invest in new tools and processes that proactively and more effectively address security issues associated with zero-day vulnerabilities.
DevSecOps is hardly foolproof, and it’s possible that no amount of vigilance would have stopped the TikTok zero-day attack. However, organizations definitely have better chances of avoiding unpredictable security issues if they integrate their security tools, streamline their security processes, implement continuous monitoring, and conduct regular penetration testing and security audits.
Opinions expressed by DZone contributors are their own.