Developers often see security as a drag on software projects, both in terms of time and budget. Time is a particularly critical component in modern continuous development practices, so adding security into DevOps can cause friction if not done well.
One of the biggest hurdles is integrating security testing tools into the pipeline that can match the velocity of DevOps processes. Manual application checking just isn’t an option anymore due to the time it takes, and conventional software security tools created before cloud computing took over won’t be able to keep pace with development in a DevOps environment. Developers may have already had frustrating experiences using legacy hardware-based testing appliances or tools that aren’t scalable or well-suited for the cloud. As a result, choosing tools for your DevOps security checklist that can integrate and automate tests at multiple points in the software development lifecycle is essential. Taking this approach to the DevOps-security conundrum actually improves overall productivity and the quality of the products and services produced.
Automated testing tools can help developers identify software defects early in the CI/CD pipeline — when they are easiest to find and least expensive to fix. Application security testing tools are categorized in three ways:
- Static application security testing (SAST) tools are designed to analyze source code and compiled versions of code to find security flaws and source code issues.
- Dynamic application security testing (DAST) tools are designed to find vulnerabilities while the software is actually running.
- Interactive application security testing (IAST) tools are engineered as a hybrid approach, combining SAST and DAST.
Modern SAST tools that can be woven into a developer’s integrated development environment can scan smaller sections of code more frequently, providing immediate feedback on issues they may be introducing into the code. To be really effective, however, security issues need to be tracked in the same way as common bugs — with an issue tracker such as Jira, Zoho BugTracker or backlog. Using tools like these not only ensures issues aren’t overlooked or ignored, but also enables the build process to be halted if necessary, depending on the seriousness of the problem detected. These tools also allow metrics and quality thresholds to be defined to enforce consistent security standards and serve as a way to track improvements in the long-term quality of each developer’s code.
New DevOps security tools provide real-time detection
Not all types of security issues can be detected during the software development phase, and some only come to light when the application is running. This creates the need for DAST scanners, which crawl a running application before scanning it. This lets the scanner find all exposed input and access points within the application, which are subsequently tested for a range of vulnerabilities. The problem with DAST tools is that tests have to be run late in the development cycle, making it more costly to fix any vulnerabilities that are found. This is why many DevSecOps teams are turning to IAST tools, which combine features from both SAST and DAST. This fairly new type of application security tool runs on the application server as an agent, providing real-time detection of security issues by analyzing traffic and execution flow from within the application. The results can usually be sent directly to an issue tracking tool. The main advantage of IAST over SAST when evaluating your DevOps security checklist is that its false-positive rate is normally much lower, and it can handle third-party vulnerability detection to identify problems caused by external or open source components.
IAST tools can be run during development, quality assurance and even in production because they have little impact on overall performance. Hdiv Security’s Hdiv, Synopsys Inc.’s Seeker IAST and Contrast Security’s Contrast Assess are just a few of the latest commercial IAST tools to become available. Contrast’s Community Edition for Java is a free IAST tool for up to five users.
The goal of DevSecOps is to decrease time to market while cutting the costs of development and remediation, while improving overall application security. If the appropriate, automated security vulnerability and configuration scanning tools are deployed, developers with varying skill sets and experience can find and fix security problems as they occur. Teaching developers secure coding practices is still essential, of course, as is monitoring and protecting the production environment. By integrating automated application security testing as part of the move to DevSecOps, teams can complete a DevOps security checklist that addresses the challenges associated with developing secure applications in agile environments.