Today, more than ever before, development organizations are focusing their efforts on reducing the amount of time it takes to develop and deliver software applications. While this increase in velocity provides significant benefits for the end users and the business, it does complicate the process for testing and verifying the function and security of a release.
The days of long-running, waterfall-style development cycles, wherein security was manually evaluated and bolted on at the end, are gone for good. With the move towards an agile development methodology, security testing and remediation are inherently shifting to the left. To support this, developers must adopt tools that automate security testing so vulnerabilities can be identified at the earliest possible point in the development lifecycle.
Below, we discuss the why and how of implementing an effective strategy for automated security testing within the development lifecycle.
Shifting security testing to the left
Through the use of automation, security testing can be executed earlier (that is, further left) in the development pipeline. This is advantageous for a variety of reasons. For one, the earlier vulnerabilities are discovered, the less expensive they are to fix. If a security issue is introduced into the code early in the release cycle, it is likely to be resolved in minutes or hours. A vulnerability discovered at the end of the release cycle, by contrast, is often entangled with more code and dependencies, which increases the time required to remediate it.
Moreover, earlier execution of security tests ensures that vulnerabilities pose less of a threat to the delivery schedule. When security tests are automated as part of the build and integration processes, there is less uncertainty as the release approaches the later stages of the development lifecycle. This reflects well on both development personnel and the organization as a whole.
Shifting security left can also help reduce security debt, which piles up over time and adds serious risk if left unchecked. Instead of leaving the prioritization and remediation of bugs and vulnerabilities until the very end, shifting security left encourages collaboration between security and development to tackle this issue and determine which security debt is acceptable and which should be remediated ASAP, reducing lingering risk.
Automated security testing for developers
So with the intent being to automate and shift security testing to the earliest possible point in the development lifecycle, let’s analyze how this is done in practice.
What are we looking for when we test? What does automated security testing involve?
Automated security testing for applications is accomplished by scanning code for vulnerabilities. Static code analysis, for instance, scans a codebase while the application is not running. The code is evaluated against a set of policies to ensure that developer implementation is in compliance with the security standards set forth by the organization. Non-compliance with any standard would indicate a vulnerability. These vulnerabilities can include anything from failure to properly protect database calls from SQL injection, to non-compliance with PCI standards for processing, storing, and transmitting credit card information. Furthermore, automated security testing can be leveraged to validate the security of third-party libraries being used by the system.
Organizations that wish to shorten their development cycles and enable continuous delivery should utilize security analysis tools early and often, throughout their development lifecycle. This means leveraging IDE integrations that allow developers to scan their code at their convenience and to include security scanning as part of the build and integration processes - just as is done for other forms of automated application testing.
Making sense of your automated security testing options
There are some specific aspects to consider when evaluating options for automated security testing.
Infrastructure considerations
When talking about automated security scanning options, one question is the infrastructure required to support it. Should your strategy involve the use of on-premises tools or those that are cloud-based? From an infrastructure perspective, cloud-based automated security testing platforms provide several important advantages.
For one, on-premises tools require the organization to assume some overhead. Installation, configuration, and upgrading will come at a cost to the DevOps team in terms of time and resources. With cloud-based options, managing a security scanning toolset is far simpler. Instead of managing the hardware and software associated with an on-premises tool, development teams can leverage a service that is highly scalable and consistently updated, ensuring immediate access to the latest features and the highest level of flaw detection accuracy.
Cloud-based security scanning tools, like Veracode, provide APIs for use in evaluating the security of an application’s codebase. These APIs equip organizations with easy access to security scan functionality, enabling development teams to test for vulnerabilities early and often throughout the development process. According to the State of Software Security v11, a report based on scan data from 130,000 applications, scanning via API reduces the time to fix 50 percent of flaws by 17.5 days. This is likely the result of an increase in development teams’ ability to identify security problems at the early points in the development lifecycle, when they are less expensive to fix.
Pipeline integrations
By the time a DevOps team is considering integrating automated security testing into their development process, they are undoubtedly leveraging CI/CD to streamline integration and deployment. With that said, an organization’s continuous integration platform should have an impact on the choice of security scan tooling.
Executing security scans on application code as part of CI/CD pipelines is a surefire way in which development teams can improve the level of security within their application releases. Therefore, an organization’s security scanning tool should be able to easily integrate with their CI/CD system.
Pipeline scans are immensely valuable from the perspective of secure development. As code is committed and pipelines are kicked off, security scans can be executed as part of the build process. Vulnerabilities of lower severity can be reported without blocking the application's progression through the pipeline. In contrast, vulnerabilities deemed to be of higher severity and unacceptable to the business should be configured to fail the build. This forces development personnel to fix critical security defects immediately, ensuring they aren't present as the development process comes to a close and the application is released.
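The severity-based build gate described above, as an added example that is not Veracode's code or any scanner's real output format. It assumes a scanner that emits findings as a JSON list with "id", "severity" and "cwe" fields (the sample findings are constructed), applies a fail-on threshold, and honours time-limited acceptances so that security debt the business has explicitly accepted reports without failing the build until its acceptance expires.

```python
"""Severity-based build gate for pipeline scan findings (added example).

Hypothetical input format: a JSON list of findings with "id", "severity"
and "cwe" keys. The findings below are constructed for illustration.
"""
import json
import sys
from datetime import date

# Ordering used to compare a finding's severity against the policy threshold.
SEVERITY_RANK = {"informational": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed sample scanner output (not real scan data).
SAMPLE_FINDINGS = json.dumps([
    {"id": "f-001", "severity": "critical", "cwe": "CWE-89", "title": "SQL injection in OrderDao"},
    {"id": "f-002", "severity": "medium", "cwe": "CWE-117", "title": "Log injection in AuditLog"},
    {"id": "f-003", "severity": "high", "cwe": "CWE-79", "title": "Reflected XSS in search"},
    {"id": "f-004", "severity": "low", "cwe": "CWE-1004", "title": "Cookie without HttpOnly"},
])


def load_findings(text):
    """Parse the scanner's JSON output into a list of finding dicts."""
    return json.loads(text)


def gate(findings, fail_on="high", accepted=None, today=None):
    """Split findings into (blocking, reported).

    blocking: at or above `fail_on` and not covered by an unexpired acceptance.
    reported: everything else; surfaced in the build log but never fails it.
    `accepted` maps finding id -> ISO expiry date of the business's acceptance.
    """
    today = date.fromisoformat(today) if today else date.today()
    accepted = accepted or {}
    threshold = SEVERITY_RANK[fail_on]
    blocking, reported = [], []
    for f in findings:
        # An unrecognised severity label is treated as blocking (fail closed).
        rank = SEVERITY_RANK.get(f["severity"].lower(), threshold)
        expiry = accepted.get(f["id"])
        waived = expiry is not None and date.fromisoformat(expiry) >= today
        (blocking if rank >= threshold and not waived else reported).append(f)
    return blocking, reported


if __name__ == "__main__":
    # Usage: gate.py [findings.json]; with no file, the constructed sample is used.
    raw = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_FINDINGS
    block, report = gate(load_findings(raw), fail_on="high")
    for f in report:
        print(f"REPORT  {f['id']} {f['severity']:<8} {f['cwe']} {f['title']}")
    for f in block:
        print(f"BLOCK   {f['id']} {f['severity']:<8} {f['cwe']} {f['title']}")
    sys.exit(1 if block else 0)  # non-zero exit fails the pipeline stage
```

In a CI job the script's exit status is what fails the stage; the acceptance map would normally come from a reviewed policy file checked in beside the pipeline definition.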
Testing early and often within your IDE
Those tasked with evaluating options for automated security testing should also consider the availability of IDE integrations. These integrations allow developers to scan their code and get fast feedback prior to committing to a shared repository. When used properly, this will prevent many vulnerabilities from being introduced in the first place. Furthermore, providing developers with the ability to scan as they code facilitates developer engagement with secure coding practices. Over time, this helps to instill a culture of developing with security in mind.
Automated security testing with Veracode
With solutions for static code analysis, dynamic analysis (DAST), software composition analysis (SCA), and more, Veracode provides DevOps teams with the functionality to gain actionable insights for addressing security vulnerabilities in a more time- and cost-efficient manner.
Veracode static analysis scanning can be integrated with many of the major CI/CD systems in use today (including GitLab and Jenkins), allowing development teams to continuously evaluate the security of their application throughout the entire SDLC. Furthermore, integrations exist for IDEs such as Eclipse, IntelliJ, and VSCode, helping developers to identify and remediate security shortfalls while they code. This enables the development of secure applications without sacrificing velocity or stifling innovation.
Wrapping up
Automated security analysis, real-time feedback, and low organizational overhead are the name of the game in modern-day AppSec. The earlier security defects are identified, the less impact they have on the development process. Cloud-based platforms can help with this, providing fast feedback as part of the development and build processes. This equips developers to construct secure applications from the outset. To learn more, read our guide: Five Principles For Securing DevOps.