Fitting automated security throughout the CI/CD pipeline


As companies compete on how fast new features and products can be released to the digital market, a byproduct of DevOps can be the neglect of sufficient and consistent information security throughout the pipeline, and yes, that means from the first commit to the next improvement. Sure, automated security testing in production is a given, but what about during build and testing in the Continuous Integration and Continuous Delivery (CI/CD) pipeline?

This guide goes into why security is needed in the various stages of software development and how automated security, such as Detectify’s scanner, can be applied:

The evolution of DevOps

Developers and operations teams are coming closer together in the workplace, and are even integrated into the same team or role, to reduce production bottlenecks. Some would even argue that Ops is thinking and working more like developers to keep up continuous delivery of web applications and products. This practice is commonly known as Continuous Integration and Continuous Delivery (CI/CD).

Continuous integration and delivery also needs continuous monitoring

Security professionals today are massively outnumbered by developers. While modern developers are becoming more aware of the risks of coding without security, they face even greater pressure to deliver quickly and frequently to meet customer or market demands. Sometimes security is overlooked in developer environments or seen as a blocker to releasing new features, and it can easily be left out of the DevOps culture. We don’t have to look far for proof: there are ever more headlines about companies leaving digital artefacts such as API keys and user tokens behind in git repositories. By adding continuous web application security scanning earlier in development, you may be able to catch sensitive information before it moves on to the next stage of development.

For example, Detectify’s web app scanner runs security tests called Sensitive Information Disclosure, which check applications for details such as leaked usernames, passwords, etc. That way the affected teams are notified when such sensitive information is found, so the developer team can take action.
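As an added example (not Detectify’s own code or tests), here is a small pre-merge check of the kind the paragraphs above argue for: it scans only the lines a change adds for credential-shaped values, suppresses obvious placeholders with an entropy threshold, redacts what it reports, and returns a non-zero status so the pipeline can stop the change before it moves to the next stage. The regex patterns, the 3.0-bit threshold and the sample diff are assumptions constructed for this example.

```python
import math
import re
# Illustrative, assumed patterns; not Detectify's Sensitive Information Disclosure tests.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "generic_assignment": re.compile(
        r"(?i)(api[_-]?key|secret|token|password)\s*[:=]\s*['\"](?P<value>[^'\"]{8,})['\"]"),
}
def shannon_entropy(s):
    """Bits per character: random tokens score high, words and placeholders low."""
    probs = [s.count(c) / len(s) for c in set(s)]
    return -sum(p * math.log2(p) for p in probs)
def find_secrets(line):
    """Return (kind, redacted_value) for each credential-looking value on one line."""
    hits = []
    for kind, pat in SECRET_PATTERNS.items():
        for m in pat.finditer(line):
            value = m.groupdict().get("value") or m.group(0)
            # Loose key/value matches must also look random, so "changeme"-style values are skipped
            if kind == "generic_assignment" and shannon_entropy(value) < 3.0:
                continue
            hits.append((kind, value[:4] + "..."))  # never echo the full secret into CI logs
    return hits
def scan_diff(diff_text):
    """Scan only lines the change adds, so existing code is not re-flagged on every run."""
    findings, path, new_line = [], None, 0
    for raw in diff_text.splitlines():
        if raw.startswith("+++ "):
            path = re.sub(r"^b/", "", raw[4:])
        elif raw.startswith("@@"):  # hunk header '@@ -old,len +new,len @@'
            new_line = int(re.search(r"\+(\d+)", raw).group(1)) - 1
        elif raw.startswith("+"):
            new_line += 1
            for kind, redacted in find_secrets(raw[1:]):
                findings.append((path, new_line, kind, redacted))
        elif not raw.startswith("-"):  # context lines also advance the new-file line number
            new_line += 1
    return findings
def ci_exit_code(diff_text):
    return 1 if scan_diff(diff_text) else 0  # non-zero fails the pipeline step
# Constructed sample diff (not from a real project): two leaked credentials and one placeholder.
SAMPLE_DIFF = """\
+++ b/config/settings.py
@@ -10,1 +10,4 @@ DEBUG = False
 ALLOWED_HOSTS = ["example.test"]
+AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
+API_TOKEN = "q8Fz2LmX9vR4tY7wK1pN3bH6"
+DB_PASSWORD = "changeme"
"""
```

In a CI step, feed it the diff against the target branch (for example the output of `git diff origin/main...HEAD`) and exit with `ci_exit_code` so a leaked credential fails the build rather than reaching staging.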

Why should you run security scanning on internal environments?

In the build or testing stages there may be a lot of proprietary information available as you are developing. The last thing you would want is for an external actor to gain access to your development environment and leak or even steal your company plans.

In 2018, the DevOps Community survey reported that 33% had or suspected a breach due to web application vulnerabilities in the last 12 months. Checking the security of web applications even in early phases can help ensure that this information stays private before production and that no sensitive information like user tokens or login details is accidentally leaked. You can also run audits to check that access is limited to the intended users only.

How to set up Detectify for internal environments:

  • If you would like Detectify to reach an application behind a firewall, you can whitelist our IPs to give access. We use AWS as our cloud service provider and our data centres are located in Ireland. Get the IPs and more details here.
  • For developer or staging environments, Detectify will be able to reach your environment if you have ngrok or a similar alternative. You will find the detailed setup guide here.


Why automate security in DevSecOps?

DevSecOps aims to scale security up together with CI/CD. One way of doing this is to replace the manual work of reviewing code for security issues with automated security testing. Developers with knowledge of vulnerability testing can build their own tests for automation, but this takes time. An alternative is to use web application security scanners to check for common security flaws on a continuous basis: in staging, in production, live, or the moment something is deployed. This saves the time and effort of scanning for and fixing bugs after release.

If you’re using a tool like Detectify, scan summaries are provided and notifications of critical vulnerabilities can be sent to security engineers or directly to the developer team via Jira or another integration. Since Detectify provides remediation tips in the report, developers can take immediate action on a critical vulnerability or prioritize as they see fit.

Leveraging white hat hacker knowledge together with automation

White hat hacking has emerged in the application security space to help bring common vulnerabilities and out-of-the-box logical flaws to light, and also show the implications of leaving such an opportunity open to bad actors.

Image: How bug bounty programs reward

Bug bounty programs like HackerOne, Bugcrowd and Intigriti offer such services, connecting companies with hackers who are then rewarded for each valid bug they find (hence “bug bounty hunters”). For DevOps teams, receiving a vulnerability report with a valid proof of concept makes it easier to understand what went wrong, how it happened and, ideally, how to remediate it. The fixes are then made to the build and pushed through the CI/CD pipeline.

An alternative is to subscribe to an automated security scanner that collaborates with white hat hackers or bug bounty hunters to source vulnerability tests, such as Detectify. Applications are then automatically monitored for bugs with a test bed of up-to-date vulnerability knowledge from the forefront of cybersecurity. Since the crowdsourced security knowledge is automated through the scanner, it can benefit a team that is not ready to take on an influx of reports from bug bounty hunters. It can also complement existing pentesting or run alongside bug bounty programs.

It’s time to “push left” and automate security throughout the CI/CD pipeline

This paradigm shift, developers building products with security in mind, is being championed by security engineers and DevOps leaders in application security today. The idea is to move security testing left in the CI/CD process and encourage security by design. In fact, organizations can start seeing proactive security as a business benefit and enabler instead of a blocker or a reason to suspend an application. Applying automated security earlier on would then become a reason for developers to push code live with confidence.

How does Detectify help?

Detectify is a SaaS-based web application and domain monitoring security scanner. We collaborate with our Detectify Crowdsource community of handpicked white hat hackers to crowdsource security research from the forefront of cybersecurity.

Our user-friendly and intuitive tool makes security reporting and remediation easier for developers and security teams. It is a DAST tool, which means it conducts black-box testing for security audits on your applications just as a hacker would, but using harmless payloads. We offer integrations into services like Splunk, Slack, PagerDuty and Jira. Start your free 14-day trial with Detectify today and sign up here.

Written by:

Jocelyn Chan
Marketing Coordinator


