close search bar

Sorry, not available in this language yet

close language selection

Shifting everywhere: The importance of continuous testing in the software development life cycle

Fred Bals

Dec 04, 2023 / 3 min read

Table of Contents

“Shifting left” is the philosophy of pushing security testing as early as possible in the development process. When the idea was first popularized, the only viable tool-based option was to run static analysis during coding, and then perform penetration testing before the application went live. Today “shifting everywhere” means automated, continuous testing throughout the software life cycle.

By validating changes quickly and preventing faulty code from reaching production, automated, continuous testing is crucial in continuous integration/continuous deployment (CI/CD) pipelines, where rapid and frequent code changes are being continually deployed. CI/CD enables software development at lightning speed, and continuous testing helps build trust in—and verification of—the quality and security of software.

AST Priorities

There are three fundamental priorities for application security testing (AST) that form the foundation of DevSecOps.

  • Detecting weak or insecure coding practices in proprietary code, and doing so as early as possible (ideally at development) to accelerate remediation and avoid downstream issues
  • Identifying known vulnerabilities in open source components, including transitive dependencies that may be added into a project during a build
  • Verifying the security of data and application functions at runtime, and detecting potentially malicious activity in running compiled assets

But risk detection is only half of what is required to establish security—you also need effective risk remediation. Historically, risk detection was the responsibility of AppSec teams, and remediation was performed by development teams. In DevSecOps, these responsibilities intermingle, with AST becoming a continuous event shared among development, security, and DevOps teams as issues are prioritized for remediation and resolved. Doing this efficiently requires testing tools and security processes to be incorporated throughout the software development life cycle, CI pipelines, and other DevOps workflows.

Data from the Synopsys “Global State of DevSecOps 2023” report indicates that the more mature an organization’s security practices are, the more its DevSecOps teams value integrating security testing into CI/CD pipelines and toolchains. In fact, continuously monitoring applications in production for security incidents and anomalies was cited by 30% of the report’s respondents as a major security practice in their organizations.

Continuous testing in action

For continuous testing to work, organizations need end-to-end AppSec test coverage across their CI/CD pipelines. For example, developers who want to identify and triage security defects early and continuously need a solution such as Code Sight™, which can address security defects in real time directly in the integrated development environment, using static application security testing (SAST) and software composition analysis (SCA). Organizations looking for a SaaS-based continuous testing solution should explore the Synopsys Polaris Software Integrity Platform®, which uses the same powerful SAST and SCA engines as Code Sight.

For real-time analysis of security vulnerabilities in web-based applications, an interactive application security testing (IAST) solution such as Seeker® IAST can continually monitor and provide feedback on the security issues it discovers.

Continuous testing can also provide data and insights to help organizations improve their security practices. For example, managers with oversight of security initiatives want to understand how effectively their AppSec tools are working and need complete visibility into process and performance across teams. Development and operations teams want a centralized view of issues so they can identify the security activities that have the most impact. Those whose focus is on security want to cut through the noise to prioritize critical issues quickly.

An interesting data point in the Synopsys DevSecOps report is the growing use of application security orchestration and correlation (ASOC), now more commonly referred to

as application security posture management (ASPM). According to Gartner, implementing ASPM should be a priority for any organization that uses multiple development and security tools, which, in today’s world, is every organization.

An ASPM solution such as Software Risk Manager continuously manages application risks from development to deployment. Software Risk Manager ingests data from multiple sources and then correlates and analyzes findings for easier interpretation, triage, and remediation. It also acts as a management and orchestration layer for security tools, enabling controls and the enforcement of security policies. And by providing a consolidated perspective of application security findings, Software Risk Manager offers a comprehensive view of security and risk status across an entire application or system.

Report

Global State of DevSecOps 2023

Download the Report

Continue Reading

Top 4 software development methodologies

Top 4 software development methodologies

Mike McGuire
By Mike McGuire

Mar 24, 2024 / 5 min read

Tags: Agile, CI/CD, Software Integrity, Build Security into DevOps, DevSecOps
The Synopsys integrated DevSecOps playbook: Steps for successful DevSecOps

The Synopsys integrated DevSecOps playbook: Steps for successful DevSecOps

Steven Zimmerman
By Steven Zimmerman

Mar 04, 2024 / 4 min read

Tags: Software Integrity, Build Security into DevOps, DevSecOps
The cybersecurity landscape - A discussion of future state and AI with Dr. Lisa Bradley

The cybersecurity landscape - A discussion of future state and AI with Dr. Lisa Bradley

By Sammy Migues

Feb 21, 2024 / 1 min read

Tags: Artificial Intelligence, Software Integrity, Build Security into DevOps, DevSecOps
DevSecOps best practices

DevSecOps best practices

Steven Zimmerman
By Steven Zimmerman

Feb 13, 2024 / 2 min read

Tags: Software Integrity, Build Security into DevOps, DevSecOps
AppSec Decoded: How to implement security in DevOps

AppSec Decoded: How to implement security in DevOps

Steven Zimmerman
By Steven Zimmerman

Feb 07, 2024 / 2 min read

Tags: Software Integrity, Build Security into DevOps, DevSecOps
AppSec Decoded:Tips for reaching DevSecOps maturity

AppSec Decoded:Tips for reaching DevSecOps maturity

Taylor Armerding
By Taylor Armerding

Jan 29, 2024 / 2 min read

Tags: Software Integrity, DevSecOps

Explore Topics

Agile, CI/CD
AppSec Best Practices
Artificial Intelligence
Automotive
Build Security into DevOps
Cloud Security
Compliance
Container Security
CyRC
DevSecOps
DAST
Financial Services
Fuzzing
Healthcare
IAST
Internet of Things
M&A
Manage Security Risks
Medical Devices
Mobile
Orchestration & Correlation
OSS License Compliance
Pen Testing
Program Strategy & Planning
Public Sector
SAST
SCA
Secure the Software Supply Chain
Security News & Trends
Threat Modeling
Threat & Risk Assessment
Training
Web Application Security