Integrating Security into Continuous Testing

All of us understand and accept the necessity of adequate security testing for our
applications. The question we will delve into here is whether it is possible to automate
security testing as part of an application's continuous integration cycle, and if so, what
the benefits of doing so are.

In an agile environment, it is common to have a continuous integration (CI) process in place
to merge developer code into a common repository. Each code merge is then verified by an
automated build process to detect integration issues. CI makes the development process
faster and drastically cuts down the time to market. But this speed does not bode well for
security testing: it can leave vulnerabilities in the code undetected.

CI is a good point in the development cycle at which to detect security vulnerabilities in new
code, as it gives the team the advantage of detecting and fixing issues early. Static code
analysis tools and code evaluation tools like StyleCop can point out coding issues that
result in poor code security.

Three things to keep in mind while planning security testing

1. Decide what to look for

Security testing may cover a broad spectrum of vulnerabilities, not all of which can be
included in the continuous integration cycle. It is better to focus on coding best practices
from a security perspective and on detecting issues such as broken authentication and
authorization, data leakage, security misconfigurations, unvalidated redirects and forwards,
and the use of components with known vulnerabilities.

2. Give separate attention to security tests

Do not combine security test cases with unit or functional tests. The objective of those
tests is to discover functional issues, which does not do justice to the scope and intent of
security testing. Instead, wiring security tests into the continuous integration process as a
separate stage keeps the testing holistic and aimed at detecting security issues alone.

3. Automate tests

Automate security tests wherever possible, and then integrate them into the CI pipeline to
ensure they run for each and every code merge without fail. Many tools and scanners are
available that look for commonly known vulnerabilities, and most of them integrate with a CI
tool like Jenkins. But be sure to choose the right tool for your application.
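As an added example (not code from the article or from Gallop), here is a minimal CI gate that applies the scoping advice above: it reads a scanner report in a hypothetical JSON format constructed for this example, blocks the merge only on findings that fall into the in-scope vulnerability classes at or above a severity threshold, and exits non-zero so the CI job fails.

```python
import json

# Vulnerability classes the article says a CI security stage should focus on.
# The category names are this example's own convention, not any scanner's.
IN_SCOPE = {
    "auth",                        # authentication and authorization issues
    "data-leak",
    "misconfiguration",
    "unvalidated-redirect",
    "known-vulnerable-component",
}
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed sample scanner report (hypothetical format, not a real tool's output).
SAMPLE_REPORT = json.dumps({
    "findings": [
        {"id": "F1", "category": "known-vulnerable-component", "severity": "high",
         "detail": "example-lib 1.2.0 is listed as vulnerable (constructed)"},
        {"id": "F2", "category": "misconfiguration", "severity": "medium",
         "detail": "debug mode enabled in production settings"},
        {"id": "F3", "category": "style", "severity": "low",
         "detail": "naming convention violated"},
        {"id": "F4", "category": "unvalidated-redirect", "severity": "low",
         "detail": "redirect target taken from request parameter"},
    ]
})


def gate(report_json, fail_at="medium"):
    """Return (passed, blocking_findings) for one CI run.

    A finding blocks the merge only if its category is in scope AND its
    severity is at or above `fail_at`. Out-of-scope categories (e.g. style)
    are left to other pipeline stages, keeping the security stage separate.
    """
    threshold = SEVERITY_RANK[fail_at]
    findings = json.loads(report_json).get("findings", [])
    blocking = [
        f for f in findings
        if f.get("category") in IN_SCOPE
        and SEVERITY_RANK.get(f.get("severity", "low"), 0) >= threshold
    ]
    return (len(blocking) == 0, blocking)


if __name__ == "__main__":
    import sys
    passed, blocking = gate(SAMPLE_REPORT)
    for f in blocking:
        print(f"BLOCK {f['id']} [{f['severity']}] {f['category']}: {f['detail']}")
    sys.exit(0 if passed else 1)  # non-zero exit marks the CI job as failed
```

Raising `fail_at` to "critical" would let the sample report pass, which is how a team tunes the gate while it clears an existing backlog.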

Security testing in the cloud

While the cloud brings scalability and low operating costs, it also raises security concerns.
One reason is that you don't own the infrastructure. Another is a general lack of standards
and defined processes for testing in the cloud, specifically in the public cloud.

With continuous security testing in the cloud, the focus could be more on threats related to
authentication and authorization, fuzzing and social engineering. Your cloud-based application
may communicate with your data center using API calls, so security testing should focus on
preventing unauthorized access to that data.

Advantages of security testing as part of the continuous integration cycle

Below are the advantages of including security testing in the continuous integration process:

You get immediate feedback on any security issues in your code. Fixing these issues after
more functionality has piled on is complex and costly.

Security testing is automated, hence it is faster and more accurate. And since it is performed
on every new piece of code, it ensures the overall security of your system.

Security testing does not get pushed to the end of the cycle, where it may be compromised
due to lack of time. Instead, the focus is on ensuring security right from the beginning.

Security testing is repeatable, reliable and efficient.

Secure your applications with security testing from Gallop Solutions

Gallop's security testing adheres to international standards like OWASP and the latest testing
methodologies to guarantee the security of your applications. Contact us to learn more about
how we can help you with your security testing.

Tags: Automated Security Testing, Continuous Delivery, Continuous Integration, Continuous Security
Testing, Continuous Testing, OWASP Security, Web Application Security