At a certain level of software development maturity, organizations will automate manual tasks on the path to application...
delivery. They might switch from manual deployments of WAR files on an Apache Tomcat server to a Jenkins server that orchestrates deployments with Kubernetes-based containers.
However an organization arrives there, once it has a CD pipeline in place, it will perform a litany of software quality checks on the code. The organization might run unit and integration tests, analyze static code, deploy to test environments and execute functional UI tests. These stages verify that an application is ready for deployment, but the pursuit of software quality doesn't end there.
An application must have predetermined requirements for performance, load and security; a CD pipeline can help to verify these requirements. Of those three areas, developers most often overlook security, as such requirements can be difficult to define or measure. However, baseline vulnerability scans are easy to implement in a pipeline.
There are many benefits to automated security scanning, including reduced risk, cost and development time. With these scans, you can safeguard an application from common exploits and vulnerabilities as you release new features.
Don't leave security testing tasks until the end of the development lifecycle. Scan earlier -- and more often -- to attain a foundational level of security in deployable code.
When you scan earlier, you find vulnerabilities earlier. Furthermore, if a team elects to perform security scans frequently, it can remediate issues more quickly; developers can track changes that cause those issues, because there will be fewer susceptible changes.
Zap those vulnerabilities
You can quickly cover a wide range of vulnerabilities with automated security scanning tools, such as Zed Attack Proxy (ZAP) from the Open Web Application Security Project, called OWASP. ZAP helps beginners who want to explore web security -- which includes experienced developers and testers shifting security left in the software lifecycle -- as well as veteran penetration testers. The scanner helps teams take advantage of tests that they already run, and it provides reports with detailed information about requests that contain vulnerabilities. These reports serve as actionable information for developers, who use them to test and remediate the findings.
When you run existing functional tests through the ZAP tool, it will often pick up vulnerabilities like SQL injection, broken authentication and sensitive data exposure; the tool scans for vulnerability markers within web traffic, such as incorrectly configured user session tokens, exposed application errors or other sensitive data.
Take an active approach
It's not enough to just perform passive scans, which often test happy path scenarios. Teams should simulate threat actors that try to compromise systems. ZAP provides an active scanning mode, which tests common vulnerabilities and uses known exploits to attempt to expose sensitive data or uncover vulnerabilities.
To conduct this type of active scan on every code change would consume a lot of time, so split up your security testing into stages. Every time you run functional UI tests, put them through the ZAP passive scan. Save active vulnerability scans for when you have more time, such as overnight or once a week on a mainline branch.
Once you run vulnerability scans and generate reports, code inspection tools, like SonarQube, can help you display vulnerabilities and establish quality gates to further mitigate risks in live code.
Matthew Grasberger will cover this topic in depth in "Automated Security Scanning for Your Delivery Pipeline" at STAREAST in Orlando, Fla. The conference runs April 28 to May 3, 2019. TechTarget readers can save $200 on registration fees by using promo code SECM. Can't make it to the actual event? Register for STAREAST Virtual for free. You can stream select presentations live from anywhere.