Why should DevSecOps be made a part of the software testing process?
DevSecOps, Security testing
If DevOps is about producing quality applications quickly and ensuring their upkeep throughout the product lifecycle, then DevSecOps is about securing the application from cyber threats. It is about integrating security into the DevOps workflow while ensuring transparency, agility, and speed. The entire DevOps paradigm rests on the following three pillars:
· Establishing the CI/CD pipeline and letting the code pass through it.
· The test automation tools that ensure the functioning of CI/CD.
· The pipeline environment.
Key challenges in delivering DevSecOps
· Although DevOps has been adopted by stakeholders as something that brings value for money, security has still not been accorded the same priority.
· Difficulty in integrating security into the DevOps workflow in a transparent and Agile manner.
· Applications are often built by downloading open source components and plugins without evaluating their security.
The challenges have been aggravated by the different approaches followed by the security and development teams. For example, the security team does not write code, while the development team does not deal with security. So, aligning the two can be a challenge of sorts. The approach has to be two-pronged: one prong implements DevOps security automation, and the second creates a culture where security becomes the fulcrum around which every stakeholder and process works.
Furthermore, a DevSecOps implementation needs a reassessment of the existing testing processes and, if possible, an overhaul of them to include security in the scheme of things. Without this, critical digital assets like sensitive personal or business data can be breached and stolen by cyber criminals. The DevOps approach of combining shift-left testing with the CI/CD pipeline is far better than the traditional waterfall approach to securing applications.
However, a word of caution here! Shift-left testing following the ‘Test Early, Test Often’ paradigm does not necessarily lead to glitch-free software, but it does establish a metrics-based measure of software quality for each and every stakeholder across the organization. The main challenge to security testing is not the paucity of tools or the lack of understanding of methodologies but ensuring a behavioural change. This is a long-drawn process that can only be achieved when there is better monitoring and greater involvement of the top leadership.
Let us focus on the test strategies and tools needed to ensure a DevSecOps implementation.
#1 Security analysis: This process involves identifying the areas or phases where the testing of code would take place. This needs to be further broken down into identifying the persons executing the tests, the testing stages and processes, analysing test reports, and integrating the code. At the beginning of the planning process, each stakeholder is kept abreast of the test plan as well as their individual responsibilities.
#2 Think like an intruder: While designing the code that builds various features and functionalities, assess their impact from the perspective of an intruder. Design your code in such a way that it protects the confidentiality and integrity of data, be it the customers' or the business's. Also, by way of threat modelling, you can pinpoint the vulnerable areas and the way an intruder could attack them. These vulnerable areas need to be covered for greater security compliance. So, instead of looking at the design phase through Agile-tinted glasses where build and run are of primary importance, incorporate security testing as an integral part of the decision-making process.
#3 Review the security code: This peer review of code looks at various types of flaws, including security-related ones, and proposes solutions to fix them. The use of AI-based test tools is significant here, for they can predict, identify, and fix glitches.
#4 Implement SAST & DAST: The objective of DevSecOps is not to employ each and every tool in the security testing process but to align a set of tools with your business requirements. Static Application Security Testing, or SAST, inspects uncompiled source code and identifies vulnerabilities in it before it is pushed into production. The outcome of implementing SAST can be in the form of detecting memory leaks, pointer errors, buffer overruns, dead source code, non-heap memory, etc.
Dynamic Application Security Testing, or DAST, is about identifying security vulnerabilities while an application is running. This helps to check security issues arising out of data malformation, exposed HTTP/HTML interfaces, SQL injection, and API endpoint vulnerabilities, among others.
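As an added example (not from the original article) of what the two approaches catch, the following Python shows a lookup that a SAST tool would flag in source beside its parameterised counterpart, a hypothetical mini static check that walks the Python AST for dynamically built queries, and a runtime probe in DAST's spirit that confirms the fix. The table, names and rule logic are constructed for this example, not taken from any real scanner.

```python
import ast
import inspect
import sqlite3

def make_db():
    """Constructed in-memory table standing in for a customer record store."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "alice@example.com"), ("bob", "bob@example.com")])
    return conn

def lookup_vulnerable(conn, name):
    # Defect visible in the uncompiled source: input spliced into the SQL string.
    query = "SELECT email FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(query)]

def lookup_hardened(conn, name):
    # Parameterised query: the driver binds the value, so it is never parsed as SQL.
    sql = "SELECT email FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]

def sast_scan(*funcs):
    """Mini static check (hypothetical, not a real SAST product): flag every
    execute()/executemany() call whose query is neither a string literal nor a
    local name bound to one. Returns the names of the functions flagged."""
    flagged = []
    for func in funcs:
        tree = ast.parse(inspect.getsource(func))
        # Map local names to the expression they were assigned from.
        bound = {t.id: a.value for a in ast.walk(tree) if isinstance(a, ast.Assign)
                 for t in a.targets if isinstance(t, ast.Name)}
        for call in (n for n in ast.walk(tree) if isinstance(n, ast.Call)):
            if not (isinstance(call.func, ast.Attribute)
                    and call.func.attr in ("execute", "executemany") and call.args):
                continue
            arg = call.args[0]
            if isinstance(arg, ast.Name):
                arg = bound.get(arg.id, arg)
            if not isinstance(arg, ast.Constant):
                flagged.append(func.__name__)
                break
    return flagged

def dast_probe(lookup):
    """Runtime check in DAST's spirit: how many rows does a crafted name disclose?
    A correct lookup returns 0, since no user has that literal name."""
    return len(lookup(make_db(), "nobody' OR '1'='1"))
```

Note that the static check never runs the code and the runtime probe never reads it, which is exactly why the article recommends running both.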
#5 Orchestration of SAST and DAST: The suite of tools executing SAST and DAST needs orchestration to achieve test automation. This helps to set up automated workflows and the provisioning of test resources. Orchestration of the CI/CD pipeline can be achieved by using tools like Jenkins and a range of plugins. These enable the test suite to run whenever the code is updated.
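Orchestrating the two scanners also means deciding, on every code update, whether their combined results let the build proceed. The Python gate below is an added example (not from the article, Jenkins or any scanner): it takes findings normalised from a SAST and a DAST run, ignores those already tracked in a baseline, and applies a policy aligned with business requirements. The finding format, sample data and policy keys are constructed for this example.

```python
from dataclasses import dataclass

# Severity ordering used by the gate policy (constructed for this example).
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

@dataclass(frozen=True)
class Finding:
    tool: str       # "sast" or "dast": which scanner type reported it
    rule: str       # scanner rule id, e.g. "sql-string-concat"
    location: str   # file:line for SAST, URL for DAST
    severity: str   # key of SEVERITY_RANK

def gate(findings, baseline, policy):
    """Pass/fail decision for the pipeline's security stage.

    policy = {"block_at": <severity>, "max_medium": <int>}
    Findings already in the tracked baseline never block (they are known,
    tracked debt); new findings at or above block_at fail the build, as does
    exceeding max_medium new medium findings. Returns (passed, reasons)."""
    known = set(baseline)
    new = [f for f in findings if f not in known]
    threshold = SEVERITY_RANK[policy["block_at"]]
    reasons = [f"{f.tool}:{f.rule} at {f.location} ({f.severity})"
               for f in new if SEVERITY_RANK[f.severity] >= threshold]
    mediums = sum(1 for f in new if f.severity == "medium")
    if mediums > policy["max_medium"]:
        reasons.append(f"{mediums} new medium findings exceed limit {policy['max_medium']}")
    return (not reasons, reasons)

# Constructed sample findings, as if normalised from one SAST and one DAST run.
BASELINE = [Finding("sast", "hardcoded-secret", "config.py:12", "high")]
CURRENT_RUN = [
    Finding("sast", "hardcoded-secret", "config.py:12", "high"),          # tracked
    Finding("sast", "sql-string-concat", "db.py:40", "high"),             # new
    Finding("dast", "missing-security-header", "https://app.test/", "low"),
    Finding("dast", "reflected-xss", "https://app.test/search", "critical"),
]
POLICY = {"block_at": "high", "max_medium": 2}

def run_gate():
    """Evaluate the sample run; a pipeline step would exit non-zero on failure."""
    return gate(CURRENT_RUN, BASELINE, POLICY)
```

In a Jenkins job this function would be the last step of the security stage, with its reasons printed into the build log and its boolean deciding whether the deploy stage runs.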
#6 Penetration testing: Checking the code for vulnerabilities requires the execution of penetration testing. This way, the inherent vulnerabilities of the code can be exposed and fixed. This can be achieved by using a suite of DAST tools such as Arachni, Burp, SQLMap, etc. The tools are adequately documented and each focuses on certain types of vulnerabilities; that documentation can help with regulatory compliance.
Conclusion
The DevSecOps approach involves testing code at every stage of the CI/CD pipeline. This covers both uncompiled code and finished products in the form of dynamic applications. Ensure that security is integrated into the DevOps workflows, bringing greater transparency, collaboration, and speedy deployment.
This article was originally published at Medium.com as "How can DevSecOps empower your security testing efforts?"