All of us understand and accept the necessity of adequate security testing for our
applications. The question we will delve into here is whether it is possible to automate security
testing as part of an application's continuous integration cycle and, if so, what the benefits of
doing so are.
In an agile environment, it is common to have a continuous integration (CI) process in place
that merges developer code into a shared repository. Each merge is then verified by an
automated build to detect integration issues. CI makes the development process faster and
drastically cuts time to market, but that pace works against security testing: unless security
checks run as part of the same cycle, vulnerabilities in the merged code go undetected.
CI is a good point in the development cycle at which to detect security vulnerabilities in new code,
because it gives the team early detection and cheaper fixes. Static application security testing
(SAST) tools flag insecure constructs directly; coding-convention tools such as StyleCop (a C# style
analyzer) do not find vulnerabilities themselves, but the coding issues they report often correlate
with poor code security.
Security testing covers a broad spectrum of vulnerabilities, and not all of them can be
included in the continuous integration cycle. It is better to focus on secure coding
practices and on the classes of issues that lend themselves to automated checks: broken authentication and
authorization, data leakage, security misconfigurations, unvalidated redirects and forwards,
use of components with known vulnerabilities, and so on.
Do not mix security test cases into unit or functional test suites. Those suites exist
to discover functional defects, and folding security checks into them does not do justice to the scope and intent of security
testing. Keeping security tests as a separate stage of the continuous integration process makes the testing
more holistic, aimed at detecting security issues alone, and lets that stage fail the build on its own terms.
3. Automate tests
Automate security tests wherever possible, then integrate them into the CI pipeline so they
run on every code merge without fail. Many tools and scanners look for commonly known
vulnerabilities, and most of them integrate with CI tools such as Jenkins. Be sure to choose a
tool suited to your application's language and architecture, and tune it: a scanner that floods
the team with false positives will soon be ignored or disabled.
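The two preceding sections describe a dedicated security stage that checks a few narrow issue classes on every merge and fails the build when one is found. The following is an added example of such a stage, written for this article and not code from the original text or from any particular tool. It checks an open-redirect validator against constructed good and bad targets and compares a constructed lock file against a constructed advisory list; the host name app.example.com, the package names, the advisory identifiers and the lock-file format (name==version) are all assumptions made for the example. The exit code is what a CI job such as a Jenkins stage would key on.

```python
"""Dedicated security checks that run as their own CI stage.

Added example for the article above; not code from the original page.
All hosts, packages, versions and advisory IDs below are constructed.
"""
import sys
from urllib.parse import urlparse

# Constructed: the only host this hypothetical application may redirect to.
ALLOWED_HOSTS = {"app.example.com"}


def is_safe_redirect(target: str, allowed_hosts: set) -> bool:
    """Reject unvalidated redirects: only same-site paths or allow-listed hosts pass."""
    if not target:
        return False
    # Scheme-relative ("//evil.example") and backslash tricks ("/\\evil") are rejected up front.
    if target.startswith("//") or "\\" in target:
        return False
    parsed = urlparse(target)
    if parsed.scheme == "" and parsed.netloc == "":
        return target.startswith("/")          # relative path on our own site
    if parsed.scheme not in ("http", "https"):
        return False                           # javascript:, data:, etc.
    # urlparse handles "https://app.example.com@evil.example/": hostname is evil.example.
    return parsed.hostname in allowed_hosts


def parse_version(version: str) -> tuple:
    """Dotted numeric version to a comparable tuple, e.g. '1.2.3' -> (1, 2, 3)."""
    return tuple(int(part) for part in version.split("."))


def parse_lockfile(text: str) -> dict:
    """Parse 'name==version' lines (constructed lock-file format); skips comments and blanks."""
    pins = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        name, _, version = line.partition("==")
        pins[name.strip().lower()] = version.strip()
    return pins


def find_vulnerable_components(pins: dict, advisories: list) -> list:
    """Report every pinned package whose version is older than the advisory's fix."""
    findings = []
    for adv in advisories:
        pinned = pins.get(adv["package"])
        if pinned is not None and parse_version(pinned) < parse_version(adv["fixed_in"]):
            findings.append(
                f"{adv['package']}=={pinned} affected by {adv['advisory']} "
                f"(fixed in {adv['fixed_in']})"
            )
    return findings


# Constructed redirect cases: (target, expected to be accepted).
REDIRECT_CASES = [
    ("/account", True),
    ("https://app.example.com/logout", True),
    ("https://evil.example/phish", False),
    ("//evil.example/phish", False),
    ("https://app.example.com@evil.example/", False),
    ("javascript:alert(1)", False),
]

# Constructed lock file and advisory feed; examplelib is pinned below its fixed version.
SAMPLE_LOCKFILE = """\
# constructed lock file for the example
examplelib==1.2.3
otherlib==4.0.0
"""
ADVISORIES = [
    {"package": "examplelib", "fixed_in": "1.2.5", "advisory": "EXAMPLE-ADV-0001"},
    {"package": "otherlib", "fixed_in": "3.9.0", "advisory": "EXAMPLE-ADV-0002"},
]


def run_security_gate(lockfile_text=SAMPLE_LOCKFILE, advisories=ADVISORIES, cases=REDIRECT_CASES):
    """Run every check; return (exit_code, findings). Non-zero exit fails the CI stage."""
    findings = []
    for target, expected in cases:
        if is_safe_redirect(target, ALLOWED_HOSTS) != expected:
            findings.append(f"redirect validator wrong for {target!r}")
    findings.extend(find_vulnerable_components(parse_lockfile(lockfile_text), advisories))
    return (1 if findings else 0), findings


if __name__ == "__main__":
    code, found = run_security_gate()
    for item in found:
        print("FAIL:", item)
    print("security gate:", "FAILED" if code else "passed")
    sys.exit(code)
```

With the constructed inputs the redirect validator passes all six cases and the gate fails only on examplelib, so the script exits 1 and the pipeline stops at this stage rather than at a later manual review. In a real pipeline the lock file would be read from the checkout and the advisory list fetched from a vulnerability database.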
Security testing in the cloud:
While the cloud brings scalability and low operating costs, it also brings security concerns.
One reason is that you do not own the infrastructure. Another is a general lack of
standards and defined processes for testing in the cloud, specifically in the public cloud.
With continuous security testing in the cloud, the focus could be more on threats related to
authentication and authorization, fuzzing and social engineering. Your cloud-based application
may communicate with your data center through API calls, and security testing should verify
that unauthorized access to the data behind those APIs is refused. Before running active scans
against public cloud resources, check the provider's penetration-testing policy, since some
activities require prior notice or are not permitted.
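As an added example of the authentication and authorization checks just described (written for this article, not code from the original page), the block below stands in for a cloud-side API with a small in-process handler and runs the security tests a CI stage would run against it: no token, a tampered token, a token re-labelled with another tenant, and a valid token used against another tenant's record. The HMAC token format, the secret, the tenants and the order records are all constructed for the example; a real service would take the key from a secret store and the handler would sit behind HTTP.

```python
"""Authorization tests for an API boundary, run as a separate security stage in CI.

Added example for the article above; not code from the original page.
The token scheme, key, tenants and records are constructed for illustration.
"""
import hashlib
import hmac

# Constructed key; a real deployment loads this from a secret store, never from source.
SECRET = b"constructed-example-key"

# Constructed records: each belongs to exactly one tenant.
RECORDS = {
    "order-1": {"tenant": "acme", "total": 100},
    "order-2": {"tenant": "globex", "total": 250},
}


def issue_token(tenant: str) -> str:
    """Hypothetical bearer token: '<tenant>.<hex HMAC-SHA256 over tenant>'."""
    sig = hmac.new(SECRET, tenant.encode(), hashlib.sha256).hexdigest()
    return f"{tenant}.{sig}"


def verify_token(token: str):
    """Return the tenant a token is bound to, or None if it is missing or forged."""
    tenant, _, sig = token.rpartition(".")
    if not tenant:
        return None
    expected = hmac.new(SECRET, tenant.encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison so the check itself does not leak the signature.
    return tenant if hmac.compare_digest(sig, expected) else None


def get_order(order_id: str, auth_header):
    """In-process stand-in for GET /orders/<id>; returns (status, body)."""
    if not auth_header or not auth_header.startswith("Bearer "):
        return 401, {"error": "authentication required"}
    tenant = verify_token(auth_header[len("Bearer "):])
    if tenant is None:
        return 401, {"error": "invalid token"}
    record = RECORDS.get(order_id)
    if record is None or record["tenant"] != tenant:
        # Same answer for "does not exist" and "belongs to someone else":
        # a 403 would confirm the record exists and invite enumeration.
        return 404, {"error": "not found"}
    return 200, record


def run_authz_tests() -> list:
    """Security test cases for the boundary; returns a list of failures (empty means pass)."""
    acme = issue_token("acme")
    relabelled = "globex" + acme[len("acme"):]   # acme's signature claiming to be globex
    checks = [
        ("no token", get_order("order-1", None)[0], 401),
        ("tampered token", get_order("order-1", "Bearer acme.deadbeef")[0], 401),
        ("relabelled tenant", get_order("order-2", "Bearer " + relabelled)[0], 401),
        ("own record", get_order("order-1", "Bearer " + acme)[0], 200),
        ("other tenant's record", get_order("order-2", "Bearer " + acme)[0], 404),
        ("unknown record", get_order("order-9", "Bearer " + acme)[0], 404),
    ]
    return [f"{name}: got {got}, want {want}" for name, got, want in checks if got != want]


if __name__ == "__main__":
    failures = run_authz_tests()
    for failure in failures:
        print("FAIL:", failure)
    print("authorization tests:", "FAILED" if failures else "passed")
    raise SystemExit(1 if failures else 0)
```

The value of keeping these cases in the pipeline is that a refactor which drops the tenant comparison in get_order, or which starts returning 403 for foreign records, fails the build on the next merge instead of surfacing in a later penetration test.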
Advantages of security testing as part of the continuous integration cycle
Below are the advantages of including security testing in the continuous integration process:
You get immediate feedback on any security issue in your code. Fixing the same issue after
more functionality has piled on top of it is complex and costly.
Security testing is automated, hence faster and more repeatable. And since it is performed
on every new piece of code, it sustains the overall security of your system rather than sampling it.
Security testing does not get pushed to the end of the cycle, where it may be cut short for lack
of time. Instead, the focus is on ensuring security right from the beginning.