DevOps Pipeline Security
When developing software, ensuring integrity of the product is a top priority. Manually checking source code for weaknesses is not an option when trying to protect an application, as it is generally financially infeasible for human developers to take the time to comprehensively find flaws.
Thankfully, this task can be automated using security scanning tools, and several different types of application security testing. Security scanning tools are tools used in DevOps to identify issues early on or mid-development to prevent vulnerabilities from making it into the final version of the application.
Using DevOps security tools in your CI / CD pipeline can prevent attacks in the future by catching weaknesses in development, and can save developers a lot of work in the process. Different types of security scanning tools conduct their scanning and testing in different ways, and have different fortes and limitations. For this reason, it is advisable to use several different types of security scanning tools. The four major types of security scanning tools recommended by OWASP are Static Application Security Testing (SAST), Dynamic Application Security Testing (DAST), Interactive Application Security Testing (IAST) and Software Composition Analysis (SCA).
Static Application Security Testing (SAST), also called source code analysis tools, is a type of white-box software testing.
SAST analyzes the source code of an application from the inside out while the components are at rest. It checks for security vulnerabilities as defined by a set of predetermined rules or classifications, and identifies these coding errors in the source code as possible vulnerabilities that need to be addressed.
Some pros and cons of SAST are as follows:
- SAST scales well, as it can be run on lots of different types of software and can be run repeatedly.
- It’s very useful for finding errors and vulnerabilities that it can identify with high confidence.
- The output of SAST is very useful to developers, highlighting vulnerabilities down to the precise section of a line of code.
- Many types of security vulnerabilities are difficult to find automatically, and therefore hard for SAST to identify.
- SAST can present a high number of false positives, leading to noise that can make it difficult to identify actual issues in the code.
- Often SAST tools can’t identify configuration issues, as they’re frequently not represented in the source code.
Dynamic Application Security Testing (DAST), also referred to as penetration testing, is a black-box testing tool that is a common alternative to SAST. The testing method of DAST differs from SAST in several key ways, as it simulates external attacks to an application in a dynamic environment.
Rather than checking the source code for weaknesses as SAST does, DAST checks for exposed interfaces and vulnerabilities from an external perspective as the application is running.
Pros and cons of DAST include:
- Simulates a “real world” attack scenario, in which the attacker does not have access to the source code.
- DAST is good for testing HTTP interfaces.
- Security professionals are often needed for DAST to be useful, as it can be difficult to automate and scale.
- Since DAST can’t see source code, it can’t identify problems down to the individual line like other testing methods.
Interactive Application Security Testing (IAST) is a newer alternative to both SAST and DAST that tries to combine elements of both. Like SAST, IAST analyzes the source code of an application and can identify specific problems within lines of code and notify the developer. However, IAST doesn’t scan the entire codebase, only certain points as defined by the tester. This makes it faster than SAST at the expense of having less coverage.
Meanwhile, like DAST, IAST analyzes the application post-build in a dynamic environment. This gives a similar perspective to the “real world” testing of DAST, when an attack occurs on an application that is complete and running. IAST works by deploying agents and sensors that observe an application’s operation and analyzes traffic flow to identify security vulnerabilities.
Pros and cons of IAST include:
- IAST has a relatively low number of false positives when identifying weaknesses.
- It has instant feedback, and works quickly to provide results to developers in real time.
- It’s very scalable, and can be run on lots of types of software.
- Rather than scanning all of the source code, it may needs to be told where to scan by the developer, so it doesn’t provide the same coverage of alternatives like SAST.
- IAST can be expensive.
- Setup of IAST can be time consuming and expensive.
Software Composition Analysis (SCA)
Software Composition Analysis (SCA) is a set of tools that perform automated scans of an application’s code base, with the purpose of understanding what libraries or dependencies compose the application. The first step in SCA is identifying all open source components in an inventory report, including direct and transitive dependencies. Once the inventory is established, details about attribution requirements, open source licenses and their compatibility with the organization’s policies are all presented. The final step is to identify open source components in use with known security vulnerabilities.
Many SCA tools not only notify the users when these libraries have vulnerabilities, but also suggest fixes and automatically identify libraries that need to be updated or patched. This is where SCA differs from the other security scanning tools; Rather than finding individual weaknesses within the application or its source code, SCA simply identifies the software components in use within the application and identifies which of those components are vulnerable.
Developers shouldn’t bear the entire burden of protecting their software from attack, as it is a difficult and never-ending task. The most prudent and sustainable option when protecting software is to seek automated help whenever possible. Security scanning tools, particularly when used in tandem with each other, can provide peace of mind for developers by conducting application testing in a number of different ways, catching most, if not all weaknesses during software development.