Security Testing in the Software Development Lifecycle (SDLC)
Product / Posted May 13, 2020
In this article, we’ll run through what software development typically looks like for enterprises in 2020, how security tools and processes can, are and should be integrated, and what features to look for to best leverage current approaches to support the development process.
Wondering what SDLC is? Start here: SDLC Explained
The Rise of Devops
Devops grew from a small number of early practitioners to be more widely adopted. It can be loosely defined as a set of practices intended to reduce the time between committing a change to a system and the change being placed into normal production, while ensuring high quality. Typically it provides a significant focus on factors such as automation, the definition and management of all artifacts – including infrastructure components – as code, and continuity of delivery.
There is no single toolchain established for Devops, but typically tools and workflows exist for 7 areas that loosely align with the stages of a typical SDLC model:
- Coding – code development and review, source code management tools, code merging
- Building – continuous integration tools, build status
- Testing – continuous testing tools that provide quick and timely feedback on business risks
- Packaging – artifact repository, application pre-deployment staging
- Releasing – change management, release approvals, release automation
- Configuring – infrastructure configuration and management, infrastructure as code tools
- Monitoring – applications performance monitoring, end-user experience
A commonly encountered commercial toolchain built around the DevOps model is Azure DevOps Services, which offers specific components including Boards (ticket management), Pipeline (CI/CD), Test Plans (continuous testing) and Repos (code management).
The Tripartite – “SecDevOps” & The Secure SDLC
SecDevOps (also known as DevSecOps or DevOpsSec) is the process of integrating secure development best practices and methodologies into the development and deployment processes which DevOps makes possible.
At a high level, this involves a simple mapping between each SDLC stage and a recommended “best practice” approach to how security is best covered within that stage. Dynamic Analysis (DAST) tools, also known as Vulnerability Scanners, such as AppCheck, are typically recommended as the most suitable controls for the “Test” stage of existing pipelines:
Many mature SDLC pipelines will typically have an established dynamic testing phases, consisting of automated tools such as Behat or Selenium that provide testing for functional expectations by making HTTP requests to a test or staging deployment of an application. In these scenarios, integrating Secure SDLC practices at the Testing stage simply involves extending this phase of testing to include non-functional (security) tests. The building of security into the tools that exist in the DevOps pipeline is typically referred to as “Security as Code (SaC).”
In a Secure SDLC, every build delivered by the development team is immediately scanned in real-time for issues and the developer is notified about issues that they need to correct. So how is this typically delivered?
Continuous Integration & Continuous Testing
Many organisations will perform a process known as Continuous Integration, the practice of merging all developer working copies to a shared mainline several times a day. This is typically coupled with:
- Continuous testing – process of executing automated tests as part of the software delivery pipeline to obtain immediate feedback on the business risks associated with a software release candidate. This information can then be used to determine if the software is ready to progress through the delivery pipeline at any given time; and
- Continuous Delivery – the process of deploying code to production once it is confirmed as having passed the tests evidencing that is is a suitable software release candidate
The tool that ties together all these processes is known as a pipeline and is generally delivered as an automation server that permits an organisation to model and develop an automated workflow. Rather than a pipeline, it might help to think of this defined workflow as something more like a Rube Goldberg machine – a code candidate is submitted at the start of the workflow, and is processed by a number of tools in sequence, which perform defined pre-determined actions:
[Image by Falkor]
Some actions will act as quality gates either permitting or denying the code candidate progress (eg if tests are failed) whereas others may apply standard transformations to the artifact, such as stripping it of metadata, compiling it, submitting it to a repository, or deploying it to a production or non-production system.
Features to look for in an SDLC compatible scanner
If you are looking to establish an SDLC pipeline under a DevOps framework, or else already implement a CI/CD pipeline and are reviewing candidates for DAST scanning of code deployed to a pre-production instance, then the following feature set is important to consider when evaluating candidates:
Scan Triggers from CI/CD Pipelines
A fundamental pre-requisite is that your chosen DAST tool must support integration with your chosen CI/CD pipeline so that you can configure for scans to be triggered automatically once a build is delivered to a test or staging environment.
AppCheck offers a specific integration with JetBrains TeamCity build management and continuous integration server, as well as an API that can be used to configure, trigger and query scan results from all other major CI/CD pipeline tools.
Once your scan has completed, it’s important to know the outcome and to be able to use this for intelligent decisioning. AppCheck provides numerous integration methods including posting of scan outcomes to a webhook, and API polling for scan completion and results delivery. However AppCheck also offers specific integration with the Atlassian JIRA system to deliver findings as tickets into a customer JIRA Cloud ticketing system, to support integration with customer’s own ticket system, where they can be assigned for analysis and remediation as needed.
Specific Vulnerability Rescanning
If you fix one issue, you don’t want always to retest your entire application. It is possible to integrate AppCheck with your issue tracking systems so that issues are automatically retested after being closed by the developer.
Custom Scan Profiles
AppCheck web application scanner is highly configurable, with scans able to be configured via API or GUI to use one of a number of existing scan profiles, or to define customer-specific scan profiles. If you know that your application uses specific languages and platforms, enable scanning using relevant plugins only, reducing scan times and customising scanning for your specific application for greater scan result accuracy and faster delivery of scan completion and results.
Custom Journey Definition
If a specific code release only changed the code in a specific area of an application, why scan the whole thing? You can save time if your chosen DAST solution enables you to scan only specific portions of your application code that have changed, versus scanning the entire application.
AppCheck supports methods including the restricting of scanning to defined user journeys only. Our custom GoScript allows you to define specific customer journeys to be scanned, delivering similar tightly focused testing to that under systems such as Behat and Selenium and delivering greater scanning efficiency and faster time to delivery.
Infrastructure As Code (IaC) and Web Application support
Does your chosen DAST solution allow you to scan your platform at both the infrastructure and web application vulnerability layers? If your developers are producing web application code and your operations engineers are deploying artifacts via Infrastructure As Code (IaC) then it makes sense to pick a DAST solution capable of scanning both, automatically, when a deployment of either occurs.
If you’d like any further information or would like to see what vulnerabilities we can pick up in your web applications then feel free to email us at firstname.lastname@example.org where an AppCheck representative can set up your free vulnerability assessment.
Get started with Appcheck
No software to download or install.
Contact us or call us 0113 887 8380