
Motivation, topic, and objectives

Note: DevGuard is a central component of the DevGuard Suite. Reference is made to the overall ‘DevGuard’ project in some places in this documentation. The assumptions made also apply to the specific DevGuard project.

Software holds a fundamental role in all areas of society and the economy. At the same time, the threat of cyberattacks is growing rapidly. The industry association Bitkom estimates the damage caused by cyberattacks in 2023 in Germany alone at around 206 billion euros [1]. Vulnerabilities in software products are responsible for a significant proportion of these successful attacks. According to the 2023 status report of the Federal Office for Information Security (BSI) [2], an average of more than 2,000 new vulnerabilities per month became known in the reporting period alone, of which 15% were classified as critical [2]. This represents an increase of 24% compared to the previous year.

In addition to the growing importance of software products for our society and the increasing threats, the landscape of software development itself has changed fundamentally. Whereas just a few years ago software was developed in a very linear form using the so-called waterfall model, software development projects nowadays largely rely on agile and iterative methods (for example, the Scrum process model). This evolution has been and is being further accelerated by the introduction of DevOps principles in development teams. DevOps aims to reduce software delivery times significantly, improve collaboration between development teams (Dev) and operations teams (Ops), and enable continuous integration and continuous deployment (CI/CD). Analogous to the DevOps principle, an increasing number of organisations are adopting so-called DevSecOps practices, in which the security team (Sec) is closely involved with the same goal of fast and frequent releases [3].

However, this rapid cycle of development and releases also harbours challenges, especially in the area of security. The close integration of the various teams effectively results in developers increasingly taking on responsibilities that traditionally fell under the remit of IT operations (Ops) and especially IT security (Sec). Software developers are usually not specifically trained in these areas, which can lead to an increase in security risks: vulnerabilities in the software or infrastructure can be overlooked due to a lack of knowledge, which further opens the door to cyberattacks.

To counter this problem, various IT security frameworks such as ISO/IEC 27001, the IT-Grundschutz of the BSI or PCI-DSS require the management of risks or vulnerabilities. However, the manual management of software vulnerabilities is a time-consuming and error-prone process. Given the complexity and scope of today's IT systems, it is almost impossible to identify and fix all vulnerabilities effectively and in a timely manner using traditional methods. Managing vulnerabilities through manual steps alone, without tool support for evaluation, summarisation and documentation, or with inappropriate tools such as spreadsheets, further increases the risk that vulnerabilities are handled ineffectively.

In addition, traditional vulnerability management and software scanning systems, as required by the BSI and exemplified by tools such as OpenVAS [4], focus mainly on the monitoring and security testing of complete IT systems and networks - i.e. the operating environment and the result of software development. There is a lack of direct integration and alignment with the software development process, which leaves a clear gap in specific support for developers.

DevGuard pursues the following main objectives:

  • Developer-centredness and appropriateness: Developers are the best line of defence against software vulnerabilities. They are faced with a task from the IT security field for which they are generally not trained. DevGuard is designed to support and relieve developers by focussing on user-friendliness, simplicity and automation. Only the realisation of these goals makes vulnerability management an integral part of IT security processes in software development.
  • Automated and continuous security monitoring: By setting up the DevGuard Suite, security checks can be carried out systematically, automatically and continuously (e.g. using SBOMs). The prioritisation of the risks found should be highly automated, making risk handling much easier.
  • Harmonisation, risk assessment and standard-compliant logging: DevGuard strives for structured harmonisation and preparation of the data obtained from security checks. The use of innovative algorithms enables application-specific and automated risk assessment, which enables efficient prioritisation and treatment of security risks. Furthermore, the standard-compliant logging of the recorded data ensures a high level of transparency and traceability of the security processes, which supports compliance with regulatory requirements as well as internal and external auditability.
  • Confidentiality: Since information about specific vulnerabilities and risks of a project or organisation is to be processed in DevGuard, technological approaches are required to manage vulnerabilities with the highest levels of confidentiality. To this end, the application of research results, e.g. from the areas of confidential computing and homomorphic encryption, should be tested.