By Joseph Yankel, Senior Member of the Technical Staff, CERT Cyber Security Solutions Directorate
I am often asked how to help DevOps organizations improve their software and system security by integrating security testing into their new and expanding continuous integration (CI) environment. The first thing I say is, "It is great that you are treating security testing as important a task as other software tests." Security testing is often overlooked or simply done manually at the end of a software release cycle, if at all. When I ask them, "What type of security testing do you currently do?" I often hear excuses about the lack of time, funding, or planning as the reason they do not currently perform any security testing at all. DevOps organizations typically do not have a security testing plan in place, have not really given it much thought, and hope that CI alone can help make their software more secure. As this blog post will detail, CI certainly can help improve your application security if you are already automating security testing, but you must first have a security plan in place.
Where to Start
We have talked about how to automate security testing in two previous blog posts, Adding Security to Your DevOps Pipeline and Integrating Your Development and Application Security Pipelines Through DevOps, but it can seem a bit overwhelming to incorporate the many options immediately into your CI environment when you haven't taken the baby steps necessary to identify what types of testing you should do to improve your application security in the first place.
If you fall into this category, you should begin by visiting the Open Web Application Security Project (OWASP) and reading its Getting Started guide. The most important thing to take from OWASP is an understanding of the CLASP best practices.
If you are "behind the eight ball" and know that you should build some measure of security testing into your product, begin, at a minimum, with testing against known weaknesses. These types of tests are some of the easiest to automate and integrate into your CI environment and thus make a good first step in performing some security testing. OWASP has authored the Zed Attack Proxy (ZAP) project, which provides both automated and manually run tools to test against known security vulnerabilities. See the recent DevOps blog post Adding Security to Your DevOps Pipeline, which will direct you to an earlier post that talks about two tools (OWASP ZAP and Gauntlt) that perform non-functional tests against known weaknesses and/or web application security scanning.
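One way to turn such a known-weakness scan into a CI build gate, as an added example that is not from the original post or from OWASP: the script reads a scanner's JSON report and fails the job on Medium or higher alerts unless they have been reviewed and accepted. The report layout (site, alerts, riskcode, pluginid) is assumed to follow ZAP's JSON report; the sample report, host name, and function names are constructed for illustration.

```python
import json
import sys

RISK_NAMES = {0: "Informational", 1: "Low", 2: "Medium", 3: "High"}

# Constructed sample in the layout assumed for ZAP's JSON report; not real scan output.
SAMPLE_REPORT = json.dumps({"site": [{
    "@name": "https://staging.example.test",
    "alerts": [
        {"pluginid": "40012", "alert": "Cross Site Scripting (Reflected)", "riskcode": "3"},
        {"pluginid": "10021", "alert": "X-Content-Type-Options Header Missing", "riskcode": "1"},
    ],
}]})


def evaluate_report(report_text, fail_at=2, accepted=frozenset()):
    """Return (build_ok, findings). An alert at or above fail_at blocks the
    build unless its plugin id is in the reviewed `accepted` set."""
    sites = json.loads(report_text).get("site", [])
    if isinstance(sites, dict):
        sites = [sites]  # tolerate a report that holds one site as an object
    if not sites:
        return False, []  # no scanned site: the scan did not run, so do not pass
    findings = []
    for site in sites:
        for alert in site.get("alerts", []):
            risk = int(alert.get("riskcode", 3))  # missing risk is treated as High
            blocking = risk >= fail_at and alert.get("pluginid") not in accepted
            findings.append({"site": site.get("@name", "?"), "plugin": alert.get("pluginid"),
                             "name": alert.get("alert", "unnamed"),
                             "risk": RISK_NAMES.get(risk, "Unknown"), "blocking": blocking})
    return not any(f["blocking"] for f in findings), findings


def main(argv):
    # With a path argument read the scanner's report; otherwise use the sample.
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8") as fh:
            text = fh.read()
    else:
        text = SAMPLE_REPORT
    ok, findings = evaluate_report(text)
    for f in findings:
        flag = "FAIL" if f["blocking"] else "pass"
        print(f"{flag} [{f['risk']}] {f['name']} ({f['site']}, plugin {f['plugin']})")
    return 0 if ok else 1  # a non-zero exit status fails the CI job


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as a pipeline step after the scan, passing the report path as the only argument. An empty report fails the gate on purpose, so a scan that silently did not run cannot produce a green build.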
So, to answer the question "Will continuous integration improve the security of my application?", I would definitely answer yes, as long as you already have a security plan, have educated yourself and your team on best practices with regard to security, and have made security a priority within the software development lifecycle.
View the webinar DevOps Panel Discussion featuring Kevin Fall, Hasan Yasar, and Joseph D. Yankel.
View the webinar Culture Shock: Unlocking DevOps with Collaboration and Communication with Aaron Volkmann and Todd Waits.
View the webinar What DevOps is Not! with Hasan Yasar and C. Aaron Cois.
Listen to the podcast DevOps: Transform Development and Operations for Fast, Secure Deployments featuring Gene Kim and Julia Allen.