Automating web security testing within your DevOps pipelines

In traditional security, developers run tests for code security and operators ensure that firewalls and other protections work in the production environment. Access control and other tasks are handled by security experts and managers. DevSecOps uses version control and CI/CD pipelines to configure and manage security tasks automatically, across all teams, before deployment.

From DevOps to DevSecOps

DevSecOps evolved from DevOps to address the need to embed security across the software development life cycle (SDLC). By shifting security not just left in the SLDC but everywhere, DevOps teams can continuously deliver secure applications without sacrificing velocity. Incorporating testing, triage, and risk mitigation into in the CI/CD workflow itself prevents the time-consuming and costly repercussions of making a fix postproduction. By automating continuous testing, DevSecOps enables developers to fix security issues in their code in near real time rather than “bolting on” security at the end of the SDLC. DevSecOps spans the entire SDLC, from planning and design to coding, building, testing, and release, with real-time continuous feedback loops and insights.

One of the key ways organizations facilitate DevSecOps is by enabling automated and continuous testing, which aligns with the continuous integration and delivery concepts that are a key pillar of DevSecOps. Because every business is a software business, maintaining the velocity of product delivery largely depends on how well you can find vulnerabilities, and how fast you can fix them.

Modern software development is based on a complex, distributed computing model that includes microservices, serverless, and cloud-native systems. This can make it difficult to identify all the endpoints involved in a system, or trace all the API calls. Additionally, the absence of common standards for APIs compounds this struggle. While the growth of web apps means increased velocity and efficiency for your organization, the proliferation of APIs means that organizations have a much wider attack surface that third parties could potentially exploit.

Organizations need solutions that can provide a visual map of data flow and attack patterns, including both inbound and outbound API calls and service endpoints, with mechanisms to automatically verify results and real-time insights to align stakeholders across teams. But it can be a challenge to build automated systems to achieve this without slowing down CI/CD pipelines.

The solution: Interactive application security testing

Interactive application security testing (IAST) solutions perform dynamic testing to help organizations identify and manage security risks discovered in running web applications. IAST uses software instrumentation to monitor applications as they run and gathers performance information in real time. IAST solutions deploy agents in running applications and continuously analyze all application interactions initiated by manual and automated tests. IAST does not test the application itself, but rather plugs into the instrumentation layer and watches all runtime activities as a passive observer.

This approach allows the IAST solution to function automatically as part of established functional and security testing workflows, performing autoverification on detected vulnerabilities to minimize findings noise and highlight true risks. This flexible deployment and passive observation functionality means that organizations with IAST solutions enabled in the DevOps pipeline can use functional tests to discover security issues without adding steps.

The advantages of IAST solutions include

Dataflow mapping, endpoint discovery, and test coverage results that account for the type of data and technologies used by the application, as well as the ways these resources act and interact

• Automatic security tests that run in the background with no additional expert resources or scans required, and run at the same time as your other testing and CI/CD workflows
• Real-time insight into application runtime behavior, open source components, and other code-level details
• The ability to qualify the completeness and effectiveness of tests against established security standards, such as the OWASP Top10 2021 and PCI DSS, GDPR, CAPEC, and others
• Integration with ticketing system to communicate remediation of detected and prioritized issues