close search bar

Sorry, not available in this language yet

close language selection

Automating web security testing within your DevOps pipelines

Charlotte Freeman

Dec 14, 2022 / 4 min read

In traditional security, developers run tests for code security and operators ensure that firewalls and other protections work in the production environment. Access control and other tasks are handled by security experts and managers. DevSecOps uses version control and CI/CD pipelines to configure and manage security tasks automatically, across all teams, before deployment.

From DevOps to DevSecOps

DevSecOps evolved from DevOps to address the need to embed security across the software development life cycle (SDLC). By shifting security not just left in the SLDC but everywhere, DevOps teams can continuously deliver secure applications without sacrificing velocity. Incorporating testing, triage, and risk mitigation into in the CI/CD workflow itself prevents the time-consuming and costly repercussions of making a fix postproduction. By automating continuous testing, DevSecOps enables developers to fix security issues in their code in near real time rather than “bolting on” security at the end of the SDLC. DevSecOps spans the entire SDLC, from planning and design to coding, building, testing, and release, with real-time continuous feedback loops and insights.

One of the key ways organizations facilitate DevSecOps is by enabling automated and continuous testing, which aligns with the continuous integration and delivery concepts that are a key pillar of DevSecOps. Because every business is a software business, maintaining the velocity of product delivery largely depends on how well you can find vulnerabilities, and how fast you can fix them.

Modern software development is based on a complex, distributed computing model that includes microservices, serverless, and cloud-native systems. This can make it difficult to identify all the endpoints involved in a system, or trace all the API calls. Additionally, the absence of common standards for APIs compounds this struggle. While the growth of web apps means increased velocity and efficiency for your organization, the proliferation of APIs means that organizations have a much wider attack surface that third parties could potentially exploit.

Organizations need solutions that can provide a visual map of data flow and attack patterns, including both inbound and outbound API calls and service endpoints, with mechanisms to automatically verify results and real-time insights to align stakeholders across teams. But it can be a challenge to build automated systems to achieve this without slowing down CI/CD pipelines.

The solution: Interactive application security testing

Interactive application security testing (IAST) solutions perform dynamic testing to help organizations identify and manage security risks discovered in running web applications. IAST uses software instrumentation to monitor applications as they run and gathers performance information in real time. IAST solutions deploy agents in running applications and continuously analyze all application interactions initiated by manual and automated tests. IAST does not test the application itself, but rather plugs into the instrumentation layer and watches all runtime activities as a passive observer.

This approach allows the IAST solution to function automatically as part of established functional and security testing workflows, performing autoverification on detected vulnerabilities to minimize findings noise and highlight true risks. This flexible deployment and passive observation functionality means that organizations with IAST solutions enabled in the DevOps pipeline can use functional tests to discover security issues without adding steps.

The advantages of IAST solutions include

Dataflow mapping, endpoint discovery, and test coverage results that account for the type of data and technologies used by the application, as well as the ways these resources act and interact

  • Automatic security tests that run in the background with no additional expert resources or scans required, and run at the same time as your other testing and CI/CD workflows
  • Real-time insight into application runtime behavior, open source components, and other code-level details
  • The ability to qualify the completeness and effectiveness of tests against established security standards, such as the OWASP Top10 2021 and PCI DSS, GDPR, CAPEC, and others
  • Integration with ticketing system to communicate remediation of detected and prioritized issues

Seeker by Synopsys

Seeker IAST from Synopsys provides unparalleled visibility into your web application security posture. Seeker identifies vulnerability trends against compliance standards like OWASP Top 10, PCI DSS, GDPR, CAPEC, and CWE/SANS Top 25. Seeker enables security teams to identify and track sensitive data to ensure that it is handled securely and not stored in log files or databases with weak or no encryption. Seeker has a seamless integration into CI/CD pipelines that enable continuous application security testing and verification without impeding DevOps workflows.

Seeker is purpose-built for DevSecOps. It uses instrumentation techniques and runtime analysis to continuously monitor, identify, and verify security vulnerabilities in web applications, typically during integration testing and QA, or in preproduction deployment. Whether applications are run on-premises or in cloud environments, are composed of microservices and serverless functions, or make extensive use of APIs, Seeker supports all modern application development needs. Seeker’s agent can track every test action performed by the running app. Findings are automatically verified, with results presented in real time and without the need for any additional scans.

Quickly eliminate false positives with active verification

Active verification increases the effectiveness of triage, retesting identified vulnerabilities and validating whether they can be exploited. This helps eliminate false positives and enables security and development teams to prioritize true risks for remediation.

Clearer visibility with comprehensive dashboards

Seeker’s dashboard has detail panes that provide clear visibility into your dataflow and the impact of malicious parameters. This allows you to identify at a glance whether a vulnerability was determined to be exploitable or a false positive. This saves security teams and penetration testers time, so they can focus their time on those issues that tools can’t solve, and helps your organization build secure software at the speed your business demands.

Learn more about Seeker and how it can help you automate security testing

Continue Reading

Explore Topics