Organizations spend a pretty penny to set up the security posture. Despite the best efforts by software companies, security breaches still occur. Software is vulnerable to various threats at different stages of the life cycle. The DevOps project flows through various phases like Plan, Build, Test, Deploy, and Monitor. Earlier security was taken as the aspect that has to be taken care of at the final stages of development. This made the code vulnerable to various threats and backtracking to resolve the issues rooted in the earlier stages of development. DevOps and DevsecOps have introduced a left shift in approach to security. This helps to identify the threats early and take countermeasures.
There are different testing flavors applied at the different phases of development. Let’s dive to know how various testing flavors at different stages of project development that make it robust.
It is more of a manual phase in which teams collaborate discuss and plan the security analysis strategy. Some of the tools that may help are Iriousrisk, Cairis, Kenna.VM, Microsoft Threat Modeling Tool , etc. (Threat modeling) .
Phase involves various security checks. These checks include practices like SCA (software component analysis), static application software testing (SAST), and unit tests.
SCA: Software composition analysis (SCA) is an automated process that identifies open-source software in a codebase. This analysis is performed to evaluate security, license compliance, and code quality. SCA tools scan package managers, manifest files, source code, binary files, container images, etc. . The identified open source is compiled into a Bill of Materials (BOM). BOM is compared against a variety of databases, like the National Vulnerability Database (NVD), internal vulnerability database, and other databases. This gives an insight into the security threats and legal vulnerabilities that can be addressed quickly by the collaborative efforts of the teams.
Some of the players at this phase are – Snyk, Veracode, Checkmarx, and Fortify.
SAST: Static application security testing (SAST), or static analysis, is a testing methodology that analyzes source code to find security vulnerabilities that make your applications susceptible to attack. SAST scans an application before the code is compiled. It’s also known as white box testing. It does not require a working application and can take place without code being executed. It helps developers identify vulnerabilities in the initial stages of development and quickly fix issues without passing on vulnerabilities to the final release of the application.
Some of the tools that perform SAST are-
Snyk, Sonarqube, Veracode, Fortify, Checkmarx, etc.
Deploy and Test
The test phase is initiated with the successful deployment of the code to the testing environments. The test phase uses dynamic application security testing (DAST) tools to detect live application flows like user authentication, authorization, SQL injection, and API-related endpoints.
DAST: Dynamic Application Security Testing (DAST) is the process of analyzing a web application through the front-end to find vulnerabilities through simulated attacks. This type of approach evaluates the application from the “outside in” by attacking an application as a malicious user would. It does not need to access the source code for DAST .
Some of the players at this phase are -Veracode, Fortify, Checkmarx etc.
The code which is through the previous phases passes to the deployment phase.
The phase focuses on securing the runtime environment infrastructure by examining environment configuration values such as user access control, network firewall access, and secret data management. The principle of least privilege is followed . Infrastructure as a code has helped organizations ease out the configuration and scaling process. IaC security helps to secure the vulnerabilities in infrastructure configurations.
IaC Security: Infrastructure as Code (IaC) Scanning scans your IaC configuration files for known vulnerabilities. This makes the application secure in terms of server and database-related configurations. The Tools that help in this phase are -Snyk, fortify,checkmarx.
Once an application is deployed and stabilized in a live production environment, additional security measures are required. Companies need to monitor and observe the live application for any attacks or leaks with automated security checks and security monitoring loops. Runtime application self-protection (RASP) automatically identifies and blocks inbound security threats in real time. RASP acts as a reverse proxy that observes incoming attacks and enables the application to reconfigure automatically without human intervention in response to explicit conditions.
RASP is provided by the tools like Veracode, Fortify, and Checkmarx.
DevSecOps is a cyclical process, and should be continuously iterated and applied to every new code deployment. Exploits and attackers are constantly evolving and it is important that modern software teams evolve as well.