Security is a top priority for IT outsourcing companies and their clients, but maintaining high levels of security across multiple projects is often challenging and expensive. Thankfully, the key to mitigating that challenge lies in automation.
Automated security testing tools allow software developers and engineers to detect system vulnerabilities throughout the entire development process, ultimately protecting valuable data from malicious attackers and resulting in higher-quality products.
By leveraging these tools it's possible to integrate the process of security testing into every aspect of the software development lifecycle, instead of only relying on the traditional—yet flawed—approach of waiting until the final stages of a project to begin testing.
Here are some of the tools and methodologies we use at PSL, along with the benefits and challenges we've discovered along the way.
In a DevOps environment, the implementation of automated security tools strengthens the culture of security throughout the entire development pipeline. These tools give developers more ownership over their deployments, allowing them to move faster and ship better quality software.
There is a considerable cost factor too. As the whole team becomes responsible for and aware of the importance of security testing, the need for expensive security specialists drops. As development and operations engineers become familiar with reputable open-source tools, companies can also avoid the cost of licenses for high-end testing applications.
To benefit from these cost savings and achieve DevSecOps mastery, it's vital to change the perception of security within the team, ensuring that they consider security during every stage of the software development lifecycle, not just at the end. Having a security expert or experts available to coach, mentor and generally provide guidance helps accomplish this.
In the DevSecOps world, there are dozens of tools that help to integrate security into every stage of the SDLC. Not all of them can be integrated into a CI/CD pipeline, however, and some can bring the pipeline to a halt, so it's important to assess whether or not each tool fits your project.
In order to be successful at automation, it's also important to have an established CI strategy in place. Generally, it works best when it is modular and extensible, allowing it to accommodate new security components.
At PSL, we are almost always developing with container technologies—Kubernetes, for instance—so the automated testing tools we choose are based on their compatibility with these technologies.
For example, Encore's Optima is an excellent tool that scans the contents of all layers of a container image, as well as the operating system and the package dependencies in use, detecting hidden vulnerabilities that are recorded in external security databases.
Before performing this scan, we would do a static code analysis with tools such as SonarQube. Static analysis can detect, for example, whether SQL queries are being built with unsafe procedures that would allow SQL injection and expose data. Another tool for this is Nexus, a security framework that is designed more for the end of the application's development lifecycle.
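The kind of finding just described, as an added example that is not PSL's code or SonarQube's actual rule: a query built by string concatenation beside its parameterized form, and a simplified AST check (an assumption, modelled loosely on such a rule) that flags execute() calls whose SQL text is assembled at runtime, with a constructed in-memory table showing why the concatenated version is unsafe.

```python
# Added example (not PSL's code): a mini static check in the spirit of the SQL-building
# rule the text mentions (simplified, assumed), beside vulnerable and parameterized queries.
import ast
import sqlite3

def lookup_user_unsafe(conn, username):
    # VULNERABLE: the input is spliced into the SQL statement text
    return conn.execute(
        "SELECT id, name FROM users WHERE name = '" + username + "'").fetchall()

def lookup_user_safe(conn, username):
    # HARDENED: the input is bound as a parameter and never parsed as SQL
    return conn.execute(
        "SELECT id, name FROM users WHERE name = ?", (username,)).fetchall()

def _is_dynamic_string(node):
    """True when SQL text is assembled at runtime: f-string, + or % operator, .format()."""
    return (isinstance(node, ast.JoinedStr)
            or (isinstance(node, ast.BinOp) and isinstance(node.op, (ast.Add, ast.Mod)))
            or (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
                and node.func.attr == "format"))

def find_concatenated_queries(source):
    """Line numbers of execute() calls whose first argument is a dynamically built string."""
    return sorted(node.lineno for node in ast.walk(ast.parse(source))
                  if isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
                  and node.func.attr == "execute" and node.args
                  and _is_dynamic_string(node.args[0]))

# Constructed sample source for the checker; only lines 2 and 6 build SQL dynamically.
SAMPLE_SOURCE = '''\
def bad(conn, name):
    return conn.execute("SELECT * FROM users WHERE name = '" + name + "'")
def good(conn, name):
    return conn.execute("SELECT * FROM users WHERE name = ?", (name,))
def bad_fmt(conn, name):
    return conn.execute(f"SELECT * FROM users WHERE name = '{name}'")
'''

def demo(username="o'brien"):
    # Constructed in-memory table; returns (unsafe_query_broke, rows_from_safe_query)
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", [(1, "alice"), (2, "o'brien")])
    try:
        lookup_user_unsafe(conn, username)
        broke = False
    except sqlite3.OperationalError:  # the apostrophe was parsed as SQL syntax, not as data
        broke = True
    return broke, lookup_user_safe(conn, username)
```

A name containing an apostrophe is enough to break the concatenated query, which is exactly the evidence that user input is reaching the SQL parser; the parameterized version returns the matching row unchanged.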
For DevSecOps to succeed, teams should follow some basic best practices that ensure security and make the most of automation. When implementing new tools, always be sure to test the various applications and frameworks with your current project to find out which are most suitable and reliable.
Always use recognized open-source applications, as there is a risk that some tools may be hiding a trojan, worm, or virus that could invade your system. Even some reputable applications might extract information from your infrastructure behind the scenes, so it's important to do due diligence on each tool.
Bear in mind that security testing experts might find it easy to solve these issues, but it can be difficult for operations or development engineers at first. Give them time to learn and adapt to the tools and a culture of security will naturally start to emerge.
Initially, security can be a daunting prospect for your DevOps team, so we recommend always having a security expert available, as they can guide you through the specific concepts and best practices that ensure a secure pipeline. Without someone well versed in security advising the teams, or at least available to propose mitigation and improvement strategies and analyze new tools, you risk making security more complex overall for the team.
The overall goal is to build a strong security foundation that allows development and operations engineers to learn how to identify the automated security tools that best suit their projects and eventually shift left and implement suitable tools at every step of the software development lifecycle. As a culture of security starts to emerge, your DevOps team will quickly develop true DevSecOps mastery.
Want to know more about automated security testing tools in IT outsourcing projects? Schedule a call with PSL!
About the author:
Johan Sebastian Yepes Rios
Johan is a computer scientist with a degree from Universidad EAFIT. As an experienced Cloud and DevOps engineer, he has designed highly available and scalable cloud architectures. More specifically, Johan's experience includes cluster design, deployment, and orchestration with on-premise machines and containers, the creation of CI/CD pipelines for software deployment, and configuration management with automation tools for infrastructure and software, among many other things. Johan enjoys learning new skills and is in constant pursuit of new challenges.