How does DevSecOps enable the security testing efforts?
Posted: Sep 26, 2018
If DevOps is about producing quality applications quickly and ensuring their upkeep throughout the product lifecycle, then DevSecOps is about securing the application from cyber threats. It is about integrating the security aspect into the DevOps workflow while ensuring transparency, agility, and speed. The entire DevOps paradigm is based on the following three pillars:
- Establishing the CI/CD pipeline and passing every code change through it.
- The test automation tools that keep the CI/CD pipeline working.
- The pipeline environment.
Key challenges in delivering DevSecOps
- Although DevOps has been adopted by the stakeholders as something that brings value for money, security has still not been accorded the same priority.
- Difficulty in integrating security into the DevOps workflow in a transparent and Agile manner.
- Applications are often built by downloading open source components and plugins without evaluating their security.
The challenges have been aggravated by different approaches followed by the security and development teams. For example, the security team does not write code while the development team does not deal with security. So, aligning the two together can be a challenge of sorts. The approach has to be two pronged - one to implement DevOps security automation and the second to create a culture where security becomes the fulcrum around which every stakeholder and process works.
Furthermore, a DevSecOps implementation requires a reassessment of the existing testing processes and, where possible, an overhaul of them so that security is built in. Without this, critical digital assets such as sensitive personal or business data can be breached and stolen by cyber criminals. The DevOps approach of combining shift-left testing with the CI/CD pipeline is far better at securing applications than the traditional waterfall approach.
However, a word of caution here. Shift-left testing under the 'Test Early, Test Often' paradigm does not by itself produce defect-free software; what it does is establish a metrics-based view of software quality that every stakeholder across the organization can see. The main challenge in security testing is not a shortage of tools or a lack of understanding of methodologies but bringing about a behavioural change. That is a long-drawn-out process, and it succeeds only with better monitoring and the active involvement of top leadership.
Let us focus on the test strategies and tools needed to ensure DevSecOps implementation.
#1 Security analysis: This process involves identifying the areas or phases in which code will be tested. It needs to be broken down further into identifying who executes each test, the testing stages and processes, how test reports are analysed, and how the code is integrated. At the start of planning, each stakeholder is kept abreast of the test plan as well as their individual responsibilities.
#2 Think like an intruder: While designing the code for each feature and function, consider its impact from the perspective of an intruder. Design the code so that it protects the confidentiality and integrity of data, whether it belongs to customers or to the business. Threat modelling lets you pinpoint the vulnerable areas and the ways an intruder could attack them; those areas then need to be covered by tests. So, instead of looking at the design phase through Agile-tinted glasses where build and run are all that matter, make security testing an integral part of the decision-making process.
- Review the security of the code: This peer review of code looks at various types of flaws, including security-related ones, and proposes fixes for them. AI-based test tools can help here by flagging and prioritising likely defects, but they complement rather than replace a reviewer who understands the code's threat model.
- Implement SAST & DAST: The objective of DevSecOps is not to employ every available tool in the security testing process but to align a set of tools with your business requirements. Static Application Security Testing (SAST) analyses the uncompiled source code and identifies vulnerabilities in it before the code is pushed to production. Typical SAST findings include memory leaks, pointer errors, buffer overruns, dead code, and unsafe memory handling.
Dynamic Application Security Testing (DAST) identifies security vulnerabilities while the application is running. It helps to find issues arising from malformed data, exposed HTTP/HTML interfaces, SQL injection, and vulnerable API endpoints, among others.
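To make the SAST/DAST distinction concrete, and to show what the orchestration step below actually gates on, here is an added example (not code from the original article, and not a Cigniti tool) in Python. It runs a deliberately simplified static check and a simplified dynamic probe over two constructed versions of one database query, one built by string concatenation and one parameterised, and wraps both in a gate function that a CI stage could call. The sample source, the in-memory SQLite database, the payloads and the function names `sast_scan`, `dast_probe` and `pipeline_gate` are all assumptions made for the illustration; real SAST and DAST products cover far more than this.

```python
"""Added example: a minimal SAST check, a minimal DAST probe, and a CI gate.

Not from the original article. The sample source below is constructed for
illustration and stands in for code a pipeline would pick up from a commit.
"""
import ast
import sqlite3

# Constructed sample source, seen as uncompiled text the way a SAST tool sees it.
VULNERABLE_SOURCE = '''
def find_user(cur, name):
    return cur.execute("SELECT id FROM users WHERE name = '" + name + "'").fetchall()
'''
FIXED_SOURCE = '''
def find_user(cur, name):
    return cur.execute("SELECT id FROM users WHERE name = ?", (name,)).fetchall()
'''

# Constructed DAST payloads: one malformed input, one classic tautology.
PAYLOADS = ["'", "nobody' OR '1'='1"]


def sast_scan(source: str) -> list:
    """Static check: walk the syntax tree and flag any .execute(...) call whose
    query argument is assembled at run time (concatenation, f-string, .format)
    instead of being a constant. No code is executed."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
                and node.func.attr == "execute" and node.args):
            continue
        query = node.args[0]
        dynamic = isinstance(query, (ast.BinOp, ast.JoinedStr)) or (
            isinstance(query, ast.Call) and isinstance(query.func, ast.Attribute)
            and query.func.attr == "format")
        if dynamic:
            findings.append(f"line {node.lineno}: SQL query built from a non-constant string")
    return findings


def dast_probe(source: str) -> list:
    """Dynamic check: load the code, run it against a throwaway database and
    send hostile input. A flaw shows up as a database error (malformed input
    reaching the parser) or as rows that a query for a non-existent name
    should never return."""
    namespace = {}
    exec(source, namespace)  # the code under test, as a running application
    find_user = namespace["find_user"]

    conn = sqlite3.connect(":memory:")
    cur = conn.cursor()
    cur.execute("CREATE TABLE users (id INTEGER, name TEXT)")
    cur.executemany("INSERT INTO users VALUES (?, ?)", [(1, "alice"), (2, "bob")])

    findings = []
    for payload in PAYLOADS:
        try:
            rows = find_user(cur, payload)
        except sqlite3.Error as exc:
            findings.append(f"payload {payload!r}: database error ({exc})")
            continue
        if rows:
            findings.append(f"payload {payload!r}: returned {len(rows)} rows, expected none")
    conn.close()
    return findings


def pipeline_gate(source: str) -> dict:
    """What a CI stage would call: run both checks and say whether the build
    may proceed. Returned as a dict so the caller can print or upload it."""
    sast = sast_scan(source)
    dast = dast_probe(source)
    return {"sast": sast, "dast": dast, "passed": not sast and not dast}


if __name__ == "__main__":
    for label, src in (("vulnerable", VULNERABLE_SOURCE), ("fixed", FIXED_SOURCE)):
        result = pipeline_gate(src)
        print(f"{label}: {'PASS' if result['passed'] else 'FAIL'}")
        for finding in result["sast"] + result["dast"]:
            print("  -", finding)
```

The two checks find the same bug by different routes: the static scan never runs the query and so cannot be fooled by test data, while the dynamic probe knows nothing about the source and so would also catch a query built in a way the static rule does not recognise. That is why the article recommends both rather than one or the other.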
- Orchestration of SAST and DAST: The suite of tools executing SAST and DAST needs orchestration to achieve test automation. This sets up automated workflows and the provisioning of test resources. Orchestration of the CI/CD pipeline can be achieved with tools such as Jenkins and a range of plugins, which run the test suite whenever the code is updated.
- Penetration testing: Checking the code for vulnerabilities also calls for penetration testing, which exposes the inherent vulnerabilities of the code so that they can be fixed. Part of this work can be automated with DAST tools such as Arachni, Burp, and SQLMap. Each tool focuses on particular classes of vulnerability and produces documented findings that can also serve as evidence for regulatory compliance. Note that automated scanners complement manual penetration testing rather than replace it; logic flaws and chained attacks still need a human tester.
The DevSecOps approach tests code at every stage of the CI/CD pipeline, from uncompiled source to the finished product running as a dynamic application. Ensure that security is integrated into the DevOps workflows so that they deliver greater transparency, collaboration, and speedy deployment.
Diya works for Cigniti Technologies, Global Leaders in Independent Software Testing Services, the first company to be appraised at CMMI-SVC v1.3, Maturity Level 5, and also ISO 9001:2015 & ISO 27001:2013 certified.