The key to DevOps and DevSecOps is automation. It ensures that the build and publish processes are repeatable, which is important when the publish speed is too high for manual steps to occur between release phases or at set times.
Automation ensures that required steps are completed each time code is pushed and removes human memory from the equation so that key tasks, such as regression testing, are performed. Automation also helps enhance security by serving as a policy enforcement to prevent direct developer access to production and thereby serving as an enforcement point for segregation of duties.
For many security practitioners, especially those new to application security or software development, it can be difficult to identify opportunities for where and how to automate security testing in a pipeline. of development.
Here are five areas where teams can add automated security controls in development pipelines.
1. Code quality (SAST)
Perhaps the control that comes to mind first when people think of software security is the quality of the code, that is, the security testing of static applications (SAST). Those familiar with the Unix Lint tool, used to find errors in C code, understand the concept of static code analysis.
Static analysis tools evaluate the source code or, more rarely, the object code for security issues. In the context of a DevOps toolchain, this can be automated in one of a few different places:
- It can work when a developer validates the code, that is, when they scan the code and provide data as to whether there are high severity issues.
- This can happen before a construction.
- It can be used when using a tool that can validate the object code rather than the source in post-build.
One strategy may be to establish a baseline metric – an acceptable error rate – above which user intervention is required. Base it on the number of issues, the severity of the issues, or both. Above this threshold, require a developer to take action to correct the code before he can be promoted. Another option, depending on the publish frame rate and SAST’s setting for false positives, is to report the issue for further downstream review, but not actively blocking the code push.
2. Web Application Analysis (DAST)
Automation can be added to dynamic testing of applications after they are created but before they go into production.
Dynamic Application Security Testing (DAST) tools work by studying an application from the outside to the inside. It involves examining the surface of an app, interacting with it, and observing what happens. Within a DevOps toolchain, a useful place to include automated use is post-construction during automated quality assurance. To get up and running quickly, explore the use of the open source application scanner Zed Attack Proxy in daemon mode – that is, command line interface only – automatically triggered to run in parallel with other test activities. Test web UI elements with this approach or REST APIs, for example, by incorporating parameter fuzzing.
3. Analysis of containers / analysis of vulnerable dependencies
In most stores these days, new app development depends on app containers, such as Docker or Rkt. Containers are beneficial because they group together an application or component and the required underlying libraries, middleware, resources, and other dependencies.
This is a useful feature of containers, but one of the potential drawbacks is that sometimes these underlying components have known vulnerabilities. Since the container has the dependencies grouped together in a way that requires less work from an operations point of view, the temptation may be to forget about these vulnerabilities or not realize that they exist.
Automated tools that analyze containers, like open source Light Where Anchor motor tools, examine dependencies within a container to help resolve this issue by finding and reporting vulnerable support components. To automate, these tools can be run on containers any time after they are created. If major issues are discovered in the dependencies, trigger a manual review to remedy the vulnerable dependency, note the problem for future action, or take any other necessary action.
4. Software composition
There are many reasons why a business creates a software nomenclature (SBOM) – both for the business itself and for its customers. The difficult part of producing an SBOM is the complexity associated with keeping the list of underlying dependencies up to date and accurate. Introducing a Software Composition Analysis (SCA) tool into a toolchain is a useful way to keep an SBOM up to date.
An SCA tool can also help determine the best place to add automation. For example, software that runs on object files or executable images should run after build, while software that runs on source might run alongside validation.
5. Automated vulnerability analysis
The tools listed above cover most software components, but not all. Web UI systems and REST APIs can be analyzed by DAST, and containerized software goes through container analysis. But what about software that is neither?
For these, it may be useful to incorporate vulnerability analysis. Teams deploying to a virtual machine in the cloud or deploying a custom operating system installation will find that a vulnerability scan can help them find and report potential security issues. Automating vulnerability scanning pairs well with configuration management, which means that whenever the configuration of a deployed resource is changed (think infrastructure-as-code scripts here), execution a vulnerability scanner afterwards can add value.