DevSecOps Archives - IBA Group - USA
https://us.ibagroupit.com/tag/devsecops/
Tue, 08 Oct 2024 11:33:16 +0000

Insights on Mitigation of AI Security Risks in Modern Businesses
https://us.ibagroupit.com/insights/insights-on-mitigation-of-ai-security-risks-in-modern-businesses/
Mon, 29 Jul 2024 14:22:38 +0000

Introduction

Artificial Intelligence (AI) is a groundbreaking technology that has become integral to various fields. It enables us to offer innovative solutions in software development, decision-making, and other business areas. However, AI use can also bring security risks. In this article, we analyze these risks and their impact on businesses and the people who use AI. We also show how companies can protect themselves from these risks and keep their AI systems safe and secure.

AI Vulnerabilities and Threat Landscape

The use of AI in different areas has opened new avenues of attack and exposed weaknesses in the apps and systems where it is used. These weaknesses are real and can damage the trust in, dependability of, and operation of AI systems, affecting both companies and individual users.

Here are some common examples of AI attacks:

  1. Input Attacks. These attacks manipulate the content fed into the AI system, altering its output to serve the attacker’s objectives. As AI systems operate by receiving inputs, performing calculations, and returning outputs, tweaking the input can lead to disastrous consequences. Imagine the aftermath of altering a physical stop sign to a green light. What would happen to a self-driving car?
  2. Poisoning Attacks. These corrupt the data that train an AI system, causing it to misinterpret information and act erroneously. Such attacks take advantage of AI’s primary sustenance, namely data. Spoil the data, and you spoil the AI system.
  3. Risk of AI Theft. AI models may be stolen through various means, including network attacks, exploitation of existing vulnerabilities, and deceptive strategies. Various attackers, from hackers to corporate spies, can carry out such illicit activities. Once they access AI models, they can modify and use them for harmful purposes, hence increasing the overall social risks associated with AI.

In addition, it is crucial not to overlook the security testing of web applications that either operate with proprietary AI or utilize third party APIs. In our testing practice, we discovered vulnerabilities in such applications. To be more exact, there was a case when a client’s application utilized OpenAI, a third party AI, to generate responses. We managed to bypass the limit of free generations. This allowed us to perform numerous generations every second. As a result, the client incurred service payment costs. 

In another case, one could view other users’ conversations with AI and the results of their requests by cycling through chat IDs. Therefore, it is imperative to conduct regular security testing of web applications, as well as use DevSecOps solutions working with AI to prevent such vulnerabilities and potential financial losses.
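Both findings described above come down to controls that must be enforced on the server: the generation quota and the ownership of a conversation. The following sketch is an added example, not code from the tested applications; the class `ChatService`, its methods, the limit values, and the `call_model` callback standing in for the third-party AI API are all hypothetical.

```python
"""Added example: server-side quota and ownership checks for an AI chat backend."""
import secrets
import time
from dataclasses import dataclass, field


class Forbidden(Exception):
    """Caller is authenticated but may not access this resource."""


class QuotaExceeded(Exception):
    """Caller has used up the free generations for the current window."""


@dataclass
class ChatService:
    free_limit: int = 3              # free generations per window (assumed value)
    window_seconds: int = 86400      # length of the quota window (assumed value)
    _chats: dict = field(default_factory=dict)   # chat_id -> {"owner", "messages"}
    _usage: dict = field(default_factory=dict)   # user_id -> [timestamps]

    def create_chat(self, user_id: str) -> str:
        # Random, non-sequential identifier. It makes guessing impractical,
        # but it is not the access control: ownership is still checked below.
        chat_id = secrets.token_urlsafe(16)
        self._chats[chat_id] = {"owner": user_id, "messages": []}
        return chat_id

    def _owned_chat(self, user_id: str, chat_id: str) -> dict:
        chat = self._chats.get(chat_id)
        # Same error for "missing" and "not yours", so responses do not
        # reveal which chat IDs exist.
        if chat is None or chat["owner"] != user_id:
            raise Forbidden("chat not found")
        return chat

    def get_chat(self, user_id: str, chat_id: str) -> list:
        return list(self._owned_chat(user_id, chat_id)["messages"])

    def _consume_quota(self, user_id: str, now: float) -> None:
        recent = [t for t in self._usage.get(user_id, [])
                  if now - t < self.window_seconds]
        if len(recent) >= self.free_limit:
            self._usage[user_id] = recent
            raise QuotaExceeded(f"limit of {self.free_limit} generations reached")
        recent.append(now)
        self._usage[user_id] = recent

    def generate(self, user_id, chat_id, prompt, call_model, now=None):
        now = time.time() if now is None else now
        chat = self._owned_chat(user_id, chat_id)
        # The quota is counted per authenticated account, on the server, and
        # before the billable upstream call. A counter kept in the client
        # (cookie, local storage, request field) can simply be reset.
        self._consume_quota(user_id, now)
        reply = call_model(prompt)
        chat["messages"].append((prompt, reply))
        return reply
```

In a real deployment the `user_id` comes from the authenticated session, never from a request parameter, and the usage counters live in shared storage so that parallel requests cannot race past the limit.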

OWASP Machine Learning Security Top Ten List

No discussion of this topic is complete without the OWASP Machine Learning Security Top Ten list. The latest version of the list, an initiative by the nonprofit OWASP (The Open Web Application Security Project), is a valuable resource for developers working on machine learning security. It sets out the top ten security issues prevalent in machine learning systems and gives an overview of each: the vulnerability, its potential impact, and recommended preventive measures. The guide helps in understanding and addressing security challenges in machine learning systems and aligns with the general threat models discussed in our article.

For more detailed information, please refer to OWASP Machine Learning Security Top 10.

Here is the top five from the list:

  1. Input Manipulation Attack (ML01:2023): This attack type involves the intentional modification of input data with the aim of deceiving models. It leads to incorrect classifications and potentially allows attackers to bypass security measures or inflict damage to the system.
  2. Data Poisoning Attack (ML02:2023): In these attacks, assailants manipulate training data to provoke models into exhibiting undesirable behavior that causes the model to generate incorrect predictions and make false decisions leading to serious repercussions, including the compromise of sensitive information and system integrity.
  3. Model Inversion Attack (ML03:2023): This attack involves attackers gaining insights into the training data used by the model, potentially revealing sensitive information on the dataset, thus posing a significant risk to user privacy and data security.
  4. Membership Inference Attack (ML04:2023): In this attack, a hacker manipulates the training data of a model to expose sensitive information. For example, a malicious actor can train a model on a dataset of financial records and use it to find out whether a specific individual’s record is included in the training data. This allows the hacker to infer sensitive financial information. The attacker can gain insights into financial data, resulting in a loss of confidentiality, and potential legal and reputational damage.
  5. Model Stealing Attack (ML05:2023): This attack type occurs when an attacker, say a competitor, gains access to the model’s parameters to steal it. For instance, attackers might reverse engineer a company’s valuable machine learning model to recreate and use it for their own purposes, causing significant financial and reputational loss to the original company. The impact of such an attack is substantial, as it affects both the confidentiality of the data used to train the model and the reputation of the organization that developed the model.

Securing AI: Measures and Strategies

To be protected from the multifaceted threats to AI, it is essential to implement comprehensive security measures and strategies. These include close monitoring of AI services, regular checks for any suspicious activity, and addressing any vulnerabilities in the code. To this end, you can use applications for building threat models, such as OWASP Threat Dragon and PYTM, as well as services for working with logs like Zabbix and Logstash. 

To prevent undesirable outcomes, it is crucial to ensure that the input and output data are clean and validated. For this reason, it is recommended to implement SAST, DAST, IAST, RASP, and SCA tools like Acunetix, OWASP ZAP, Burp Suite, PagerDuty, and BlackDuck. Organizations should also focus on training their staff in the best practices of using AI and create security policies to ensure the secure use of this technology.

Data security is another critical aspect of AI security. It is vital to store consolidated personal data in secure environments to prevent unauthorized access and to implement data management strategies that store data without directly associating it with users. Implementing methods that prevent user data from entering the model's training data sets and limiting the volume and duration of stored data to the minimum are also essential steps in mitigating data leaks. Therefore, there is a need to use tools for secure management, such as Vault, and to establish a secure development environment, for example, through Cloudflare.

The quality of AI’s recommendations is largely dependent on the quality of the training data. If AI systems are trained on unreliable or biased data, it may lead to incorrect recommendations that adversely affect various sectors. Organizations must actively focus on the quality of data used for AI training, conducting data analysis to identify errors and biases, and continuously updating and auditing AI algorithms. Implementation of quality control mechanisms for AI outputs contributes to prompt detection and rectification of erroneous decisions.

IBA Group’s Expertise in AI Security

IBA Group is always ready to help you keep your AI applications safe. Our skilled team excels not only in AI protection but also in providing a range of security services. These include helping with secure development, testing for security vulnerabilities, checking for security risks, training your employees in security, and many other aspects. Do not hesitate to contact us, and let’s team up to strengthen your AI projects and keep things safe and secure.

Overcoming DevSecOps Challenges for Resilient Solutions
https://us.ibagroupit.com/insights/overcoming-devsecops-challenges-for-resilient-solutions/
Mon, 29 Jul 2024 14:21:32 +0000

DevSecOps is a seamless blend of software development, security, and operations, designed to integrate these different realms into a harmonious cycle of continuous delivery. However, the process of integrating security into DevOps is unique for each case and comes with specific obstacles. In this article, we aim to share IBA Group’s experience gained during the implementation of a DevSecOps solution in one of our projects. We will shed light on how we managed to overcome significant barriers and successfully implement an effective DevSecOps approach. This article is part of IBA Group’s DevSecOps series, and if you are interested in delving deeper into the topic, you can read the first article and the second article in our DevSecOps series.

Challenges of SAST Integration into the CI/CD Pipeline

Static Application Security Testing (SAST) integration plays a vital role in the Software Development Life Cycle (SDLC). It is a fundamental component of CI/CD security because it detects significant vulnerabilities in an application prior to deployment to production, when the remediation costs of vulnerabilities are comparatively low. Based on the customer requirements, we chose SonarQube as a SAST tool, a renowned platform for continuous inspection of code quality. SonarQube has a great capacity to detect bugs and security vulnerabilities. However, SAST integration into the CI/CD pipeline exposed us to an array of challenges that had previously been hidden.

Addressing Vulnerabilities and Bugs Discovered by SonarQube

The introduction of SonarQube led the project management team to an unexpected revelation – a massive volume of vulnerabilities and bugs hidden within the project. The team found themselves at a standstill, as fixing these issues impeded further development and caused significant time delays. At that point, continuing product development had a higher priority than stopping and fixing vulnerabilities in the code. Moreover, project management did not want to be completely blocked by found vulnerabilities in the code. To address this, we proposed a quick and short-term solution: we decided to run SonarQube without failing the pipeline automatically so that it does not block the build, but the team is aware of vulnerabilities.

Flexible Approach and Incremental Vulnerability Resolution

As the second step, our DevSecOps team developed a more flexible solution. Recognizing the crucial security role and the necessity to maintain the speed of product development, we developed a plan to address the issues highlighted by SonarQube incrementally. We prioritized vulnerabilities based on their risk factor and impact on the project, fixing them in controlled batches. This allowed the team to keep development progressing while steadily reducing the threat landscape. Alongside, we conducted security coding training for the development team and provided rigorous manual code reviews to catch potential bugs before they became ingrained within the codebase.
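The two steps described above, a report-only scan followed by incremental resolution, can be expressed as a baseline "ratchet" gate. The sketch below is an added example and not the project's pipeline code: the `Finding` record, the rule names, and the sample data are constructed, and the export format of the real scanner is not assumed.

```python
"""Added example: report-only mode and a baseline ratchet for SAST findings."""
from dataclasses import dataclass

# Severity names ordered from least to most severe.
SEVERITY_RANK = {"INFO": 0, "MINOR": 1, "MAJOR": 2, "CRITICAL": 3, "BLOCKER": 4}


@dataclass(frozen=True)
class Finding:
    rule: str        # constructed rule identifier
    path: str        # file the finding was reported in
    severity: str    # one of SEVERITY_RANK

    def key(self):
        # Identity of a finding across scans (hypothetical simplification;
        # line numbers are left out because they shift with unrelated edits).
        return (self.rule, self.path)


def evaluate(baseline, current, fail_at="CRITICAL", batch_size=2):
    """Compare the current scan with the accepted baseline.

    fail_at=None is the short-term mode: everything is reported, nothing
    blocks the build. With a severity, only findings that are NOT in the
    baseline and are at least that severe fail the pipeline, so legacy
    issues do not stop development but new ones cannot be added.
    """
    known = {f.key() for f in baseline}
    present = {f.key() for f in current}
    new = [f for f in current if f.key() not in known]
    legacy = [f for f in current if f.key() in known]
    fixed = [f for f in baseline if f.key() not in present]

    blocking = []
    if fail_at is not None:
        threshold = SEVERITY_RANK[fail_at]
        blocking = [f for f in new if SEVERITY_RANK[f.severity] >= threshold]

    # Next controlled batch of legacy issues: highest severity first.
    next_batch = sorted(
        legacy, key=lambda f: (-SEVERITY_RANK[f.severity], f.path, f.rule)
    )[:batch_size]

    return {"passed": not blocking, "blocking": blocking, "new": new,
            "fixed": fixed, "next_batch": next_batch}


# Constructed sample data: the accepted backlog and a later scan.
BASELINE = [
    Finding("example:weak-hash", "auth/tokens.py", "MAJOR"),
    Finding("example:sql-injection", "reports/query.py", "BLOCKER"),
    Finding("example:hardcoded-secret", "config/settings.py", "CRITICAL"),
]
CURRENT = [
    Finding("example:sql-injection", "reports/query.py", "BLOCKER"),
    Finding("example:hardcoded-secret", "config/settings.py", "CRITICAL"),
    Finding("example:path-traversal", "files/download.py", "CRITICAL"),
    Finding("example:unused-variable", "files/download.py", "MINOR"),
]

if __name__ == "__main__":
    result = evaluate(BASELINE, CURRENT)
    print("pipeline passed:", result["passed"])
    for f in result["blocking"]:
        print("blocking:", f.severity, f.rule, f.path)
```

After each fixed batch the baseline is regenerated from the latest scan, so the set of tolerated findings can only shrink.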

Integration of Dynamic Application Security Testing (DAST)

Another type of testing that our team integrated into the customer’s software development lifecycle (SDLC) was Dynamic Application Security Testing (DAST). DAST integration is crucial for ensuring the security and robustness of applications. A DAST tool tests the application during the testing or deployment phase to identify vulnerabilities and weaknesses that may only occur at runtime. Initially, we integrated it only in the staging environment. At the same time, we faced a problem: the CI/CD pipeline became three times slower, which was unacceptable for the team. Thus, our goal was to achieve CI/CD with integrated security without compromising the speed.

Balancing Speed and Security in the CI/CD Pipeline

To achieve this goal, we decided to define the scope of the application that should be tested in the first place. Through a combination of code analysis, threat modeling, and vulnerability assessment, we managed to identify and prioritize the areas that demanded the utmost level of attention and could consequently lead to security breaches. The DAST tool was integrated into the CI/CD pipeline and configured to test only these specific parts of the application, so we were able to speed up the testing process. Furthermore, we developed other configurations for the DAST tool to cover other types of vulnerabilities. As a result, they could be run upon request or scheduled on a weekly basis, for instance, outside the CI/CD pipeline.

Fostering Organizational Awareness and Adaptability

However, dealing with technical issues was only part of the solution. The key to successful integration of security into DevOps lies in raising the awareness of business management. Security is not merely a technical concern but an organizational one. We held awareness sessions explaining the role of DevSecOps, its benefits, and the potential risks of not using it. Our efforts led to a better understanding of DevSecOps among business leaders, resulting in their active involvement and support.

Embracing a New Working Model and Cultivating Change

The integration of SAST and DAST into the CI/CD pipeline was just one facet of the multifaceted challenge we faced. Another significant hurdle was the difficulty of adapting to a new dynamic working model. The key to DevSecOps lies in its ability to foster rapid, iterative development while ensuring continuous security integration. This represents a significant shift from traditional phase-based software development methods. As a result, our team found itself grappling with the challenges of changing gears midway through the project.

The customer’s team was used to designating phases for development, security, and operations, but DevSecOps made us blur these lines. Unexpectedly, everyone had to wear multiple hats: developers had to think about security, and the operations team had to get involved in the early stages of development. This required not just a change in mindset, but also a shift in our practical approach.

However, the solution was not to return to our comfort zones, but to embrace the change and push our boundaries. We initiated comprehensive training programs for the team to better understand their new roles. Knowledge-sharing sessions were held where different teams could learn from each other. We turned to fostering a culture that welcomed change and encouraged continuous learning.

Initially, it was a struggle. But gradually, the team started experiencing the benefits of this integrated approach. Improved communication between the teams led to better understanding and collaboration. A constant feedback cycle helped us identify and rectify problems much earlier in the development phase. As a result, security integration helped to promote a culture focused on continuous improvement, where security practices are regularly evaluated, updated, and adapted to emerging threats. With time, what seemed like a steep mountain became an easily navigable hill.

Growing as a Team and Achieving Organizational Resilience

This shared journey has not only enabled us to overcome the challenges we faced but has also facilitated the growth of our team and organization, enhancing our problem-solving abilities and fostering organizational resilience.

At IBA Group, we firmly believe that every challenge presents an opportunity for growth and learning. If you are seeking to implement DevSecOps into your development cycle, we are here to provide assistance. Our expert team, backed by extensive experience, is prepared to address any inquiries, challenges, or requirements that may arise on your DevSecOps journey. Let us combine our efforts and collaborate in creating secure and resilient software solutions together.

Keep in mind, the key lies not in finding a path without obstacles, but in harnessing the strength and expertise to navigate through them. This is the commitment that IBA Group guarantees to deliver.

DevSecOps: Accelerate App Development Securely
https://us.ibagroupit.com/insights/devsecops-accelerate-app-development-securely/
Mon, 29 Jul 2024 14:21:32 +0000

Are you struggling with the security of your applications while trying to keep up with the fast pace of software development? Do you find it challenging to ensure the safety and integrity of your software throughout its lifecycle? If yes, then DevSecOps might be the solution you need.

In this article, we will discuss what DevSecOps is, what problems it solves, and what benefits it can offer your organization.

What is DevSecOps and what problems does it solve?

DevSecOps embodies an approach that integrates development, security, and operations teams, emphasizing security adherence across the entire software development lifecycle (SDLC).

Security, traditionally, has often been treated as an afterthought addressed only once the development phase is complete. However, this approach can leave systems vulnerable to attacks as security flaws may be introduced early on in the development process and remain undetected until it is too late.

In contrast, the DevSecOps approach prioritizes security from the outset. By embedding security into every aspect of the development process, from planning and design to testing and deployment, DevSecOps seeks to minimize the likelihood of security issues arising in the code. This approach requires collaboration between development, operations and security teams with a shared focus on creating secure and resilient software.

To achieve this goal, the DevSecOps process relies on a range of best practices and tools. For instance, DevSecOps encompasses employing automated security testing tools, such as static application security testing (SAST) or dynamic application security testing (DAST), for early vulnerability detection during development. Additionally, incorporating secure coding practices, like OWASP guidelines, ensures that security aspects are embedded from the outset. Emphasizing continuous monitoring and feedback, DevSecOps enables prompt, efficient identification and resolution of security concerns.

The Importance of DevSecOps

The importance of DevSecOps lies in its ability to mitigate attack risks and data breaches, optimizing organizational resources. Enhancing software quality and dependability, it detects and rectifies vulnerabilities in early development stages. DevSecOps fosters security prioritization, yielding robust, trustworthy software.

What Benefits Do DevSecOps Offer?

The value of DevSecOps is evident in the benefits it provides to organizations, including:

  • Enhanced Security. By integrating security into the development process, organizations can identify and mitigate vulnerabilities early on, reducing the risk of attacks and data breaches.
  • Faster Time to Market. DevSecOps services ensure that security is not a bottleneck in the development process. This approach enables organizations to develop and deploy applications faster while maintaining the security of their software.
  • Cost-Effective. Fixing vulnerabilities early on is less expensive than dealing with them later. DevSecOps services help organizations identify and fix vulnerabilities early, reducing the cost of security.
  • Improved Collaboration. DevSecOps services promote collaboration between development, security and operations teams. This collaboration leads to better communication, shared responsibilities, and a more efficient development process.

Interesting Facts and Statistics about DevSecOps

  • According to Gartner, by 2023, 90% of DevSecOps initiatives will have incorporated automated security testing and vulnerability remediation into their pipelines, up from 50% in 2020.
  • Based on the research conducted by IBM, the typical expense associated with a data breach in the United States amounts to $8.6 million.
  • In a survey conducted by GitLab, 63% of respondents reported that they had increased their investment in DevSecOps practices over the past year.
  • Organizations that adopt DevSecOps practices can release software 2.6 times more frequently than those that do not adopt them. In addition, the same survey revealed that organizations that adopted DevSecOps practices could recover from downtime 24 times faster than those that did not adopt them.

How to Measure DevSecOps Success

To evaluate the success of a DevSecOps implementation, it is essential to measure its performance using specific metrics. In this article, we will discuss four key metrics to assess the effectiveness of a DevSecOps strategy: Deployment Frequency (DF), Lead Time for Changes (LT), Mean Time to Recovery (MTTR), and Change Failure Rate (CFR).

  1. Deployment Frequency (DF). Deployment Frequency is the rate at which software is successfully released into production. This metric indicates how agile and efficient your DevSecOps process is. A higher DF suggests that your team can deliver new features, bug fixes and improvements quicker, leading to a more competitive and responsive product.
  2. Lead Time for Changes (LT). Lead Time for Changes is the time it takes for a code change to go from commit to a deployable state. This metric measures the efficiency of your DevSecOps pipeline and the effectiveness of your team’s collaboration. A shorter LT implies that your team can quickly integrate changes and deliver value to customers. To measure Lead Time for Changes, calculate the time difference between a code change commit and the moment it becomes deployable in the production environment.
  3. Mean Time to Recovery (MTTR). Mean Time to Recovery measures the time it takes for a system to recover from an interruption due to deployment or system failure. This metric is crucial in assessing the resilience of your DevSecOps process and the team’s ability to restore service quickly. A shorter MTTR indicates that your team can efficiently troubleshoot and resolve issues, minimizing customer impact.
  4. Change Failure Rate (CFR). The Change Failure Rate is the percentage of changes or hotfixes that lead to failures after the code has been deployed. This metric reflects the quality of your team’s work and the effectiveness of your testing and monitoring processes. A lower CFR indicates that your team can deliver stable and reliable software updates.
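The four metrics defined above can be computed from deployment records. The sketch below is an added example, not part of the original article: the record fields (`committed`, `deployed`, `failed`, `restored`) and the sample deployments are constructed, and it assumes lead time is measured from commit to deployment and recovery from the failed deployment to restored service.

```python
"""Added example: computing DF, LT, MTTR and CFR from deployment records."""
from datetime import datetime
from statistics import mean


def _hours(start: str, end: str) -> float:
    """Elapsed hours between two ISO 8601 timestamps."""
    delta = datetime.fromisoformat(end) - datetime.fromisoformat(start)
    return delta.total_seconds() / 3600


def devsecops_metrics(deployments, period_days):
    """Return the four metrics for the deployments made within period_days."""
    if not deployments or period_days <= 0:
        raise ValueError("need at least one deployment and a positive period")

    failed = [d for d in deployments if d["failed"]]
    # Incidents that are still open have no recovery time yet and are
    # excluded from MTTR rather than counted as zero.
    recovered = [d for d in failed if d.get("restored")]

    return {
        # DF: successful releases to production per day.
        "deployment_frequency_per_day": len(deployments) / period_days,
        # LT: mean time from commit to deployable state, in hours.
        "lead_time_hours": mean(_hours(d["committed"], d["deployed"])
                                for d in deployments),
        # MTTR: mean time from failed deployment to restored service, in
        # hours; None when nothing failed or nothing has been restored.
        "mttr_hours": (mean(_hours(d["deployed"], d["restored"])
                            for d in recovered) if recovered else None),
        # CFR: percentage of deployments that led to a failure.
        "change_failure_rate_pct": 100 * len(failed) / len(deployments),
    }


# Constructed sample: four deployments in a seven-day period.
SAMPLE_DEPLOYMENTS = [
    {"committed": "2024-07-01T09:00:00", "deployed": "2024-07-01T13:00:00",
     "failed": False},
    {"committed": "2024-07-02T10:00:00", "deployed": "2024-07-02T16:00:00",
     "failed": True, "restored": "2024-07-02T17:30:00"},
    {"committed": "2024-07-03T08:00:00", "deployed": "2024-07-03T10:00:00",
     "failed": False},
    {"committed": "2024-07-04T09:00:00", "deployed": "2024-07-04T21:00:00",
     "failed": True, "restored": "2024-07-04T21:30:00"},
]

if __name__ == "__main__":
    for name, value in devsecops_metrics(SAMPLE_DEPLOYMENTS, 7).items():
        print(f"{name}: {value}")
```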

Conclusion

DevSecOps benefits organizations by integrating security into every aspect of the development process. Doing so provides enhanced security, faster time to market, cost-effectiveness, and improved collaboration. The DevSecOps cycle ensures that security is not an afterthought but an integral part of the entire development process. This approach to software development enables organizations to deploy applications quickly while maintaining their security posture. What does DevSecOps do? It empowers organizations to achieve their goals in a fast-paced world where security is a top concern.

If you are interested in learning more about DevSecOps services and how your organization can benefit from them, do not hesitate to contact us. Our team of experts can help you implement a DevSecOps solution that meets your needs and ensures the security of your applications.
