Security Testing

Published date: April 15, 2024, Version: 1.0

Security Testing Overview

Security testing is a type of software testing that identifies vulnerabilities, threats, and risks in a software application and protects it against attacks by intruders.

Implementing Shift Left Security

DevSecOps is a form of DevOps that incorporates security into the SDLC—security tools and processes are part of the pipeline from the beginning. This approach improves application security before releases reach production. It eliminates the silos dividing security and DevOps teams. 


To implement DevSecOps by shifting security testing left:

  • Incorporate security tools into the CI/CD pipeline as early (as far left) as possible: threat modelling, vulnerability scanning, secrets scanning, SAST, SCA, and declarative configuration checks.

  • Ensure collaboration between security and DevOps teams.

  • Review all infrastructure security policies before deployment.

  • Implement runtime security controls to protect production environments.

  • Build observability into applications to enable effective security monitoring.

  • Create an incident response process to ensure an effective response to security incidents.

Threat Modelling

Threat modeling is a process by which potential threats, such as structural vulnerabilities or the absence of appropriate safeguards, can be identified and enumerated, and countermeasures prioritized.

Threat modeling is a structured process with four objectives: identify security requirements, pinpoint security threats and potential vulnerabilities, quantify the criticality of each threat and vulnerability, and prioritize remediation methods.

As part of the organizational guideline, "NIRA - New Risk Assessment, Controls, Attestation Process Workshop- Application Owner and ADM.pptx" should be followed to identify and pinpoint security threats, together with their prioritization and remediation plan.

Reviewing Code

Code reviews should be integral to the DevOps process, with the security team overseeing coding and code review techniques. Developers should use security testing tools alongside other CI/CD tools—usually, there will be several tools. 

Scanning for Vulnerabilities

Vulnerability scanning is a major DevOps security focus. Deploying vulnerable software allows attackers to exploit the application, so it is imperative to identify and remediate vulnerabilities before release. Penetration testers can evaluate the initial results to distinguish actual threats from false positives. 

Vulnerability scanning is also important for Kubernetes deployments, where newly disclosed open-source vulnerabilities require Kubernetes components to be updated.

There are three main pre-release security testing techniques for source code and traditional applications:

  • Static Application Security Testing (SAST) - identifies common vulnerabilities before developers compile a build. 

  • Dynamic Application Security Testing (DAST) - allows security testers to inspect running builds and identify various issues.

  • Interactive Application Security Testing (IAST) - combines SAST and DAST.

In cloud-native environments, additional types of testing are needed to scan cloud-native resources:

  • Kubernetes manifest scanning

  • Container image scanning

  • Infrastructure as Code (IaC) template scanning

Managing Secrets

Secret management is essential for enforcing security policies for digital entities. For example, credentials for databases or other internal systems should never be hard-coded into configuration or source code. This prevents unauthorized entities from accessing resources or compromising data. 

Protecting authentication and authorization secrets usually involves:

  • Authenticating all access requests.

  • Implementing least privilege.

  • Using Role-based access control (RBAC) policies.

  • Regularly rotating credentials and other secrets.

  • Automating secret management.

  • Tracking access.

  • Avoiding secrets in code or config files. 
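The last point is what a secrets check in the pipeline enforces. As an added example (not from the original guideline), this Python scan runs over constructed source and config lines, flags a known key format and high-entropy values assigned to sensitive keys, and skips values that are read from the environment or a secret store; file names, lines and the AWS documentation example key are constructed.

```python
import math
import re
from collections import Counter

# Constructed sample lines standing in for files a pre-commit or CI secrets
# check would scan. None of these values are real credentials.
SAMPLE_FILES = {
    "config/database.yml": [
        "adapter: postgresql",
        "username: app_user",
        "password: Sup3rS3cretDbPassw0rd!",          # hard-coded: should be flagged
    ],
    "src/settings.py": [
        "AWS_ACCESS_KEY_ID = 'AKIAIOSFODNN7EXAMPLE'",  # AWS docs example key format
        "DEBUG = False",
        "DB_PASSWORD = os.environ['DB_PASSWORD']",    # read from environment: fine
    ],
}

# Key names whose values should never be string literals in source or config.
SENSITIVE_KEY = re.compile(
    r"(?i)\b(password|passwd|secret|token|api[_-]?key)\b\s*[:=]\s*['\"]?([^'\"\s#]+)")
# Vendor key formats with a fixed prefix (AWS access key id shown here).
KNOWN_PATTERNS = {"aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b")}
# Markers showing the value is a reference to a secret store, not the secret.
INDIRECTION = re.compile(r"os\.environ|getenv|\$\{|vault:|secretKeyRef")


def shannon_entropy(s: str) -> float:
    """Bits per character: random-looking tokens score high, words score low."""
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def scan_lines(path: str, lines: list[str], min_entropy: float = 3.0) -> list[dict]:
    """Return one finding per line that looks like a hard-coded secret."""
    findings = []
    for lineno, line in enumerate(lines, start=1):
        if INDIRECTION.search(line):
            continue  # value comes from the environment or a secret manager
        for rule, pat in KNOWN_PATTERNS.items():
            if pat.search(line):
                findings.append({"path": path, "line": lineno, "rule": rule})
                break
        else:
            m = SENSITIVE_KEY.search(line)
            # The entropy threshold filters placeholders such as "password: changeme".
            if m and shannon_entropy(m.group(2)) >= min_entropy:
                findings.append({"path": path, "line": lineno, "rule": "high_entropy_secret"})
    return findings


def scan_repo(files: dict[str, list[str]]) -> list[dict]:
    """Scan every file; a non-empty result should fail the pipeline stage."""
    return [f for path, lines in files.items() for f in scan_lines(path, lines)]
```

Running scan_repo(SAMPLE_FILES) returns two findings: the YAML password on line 3 and the AWS key id on line 1 of settings.py.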

Infrastructure-as-Code (IaC) Scanning

IaC scanning analyzes and identifies security flaws in IaC templates and infrastructure configurations to secure cloud, infrastructure, and app deployments.
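As an added example for this section and for the Kubernetes manifest scanning listed above (not part of the original guideline), the Python check below reads a constructed Deployment manifest in JSON form, which kubectl accepts alongside YAML, and reports the weak settings a manifest or IaC scan should block before deployment; the registry, image and container names are constructed.

```python
import json

# Constructed Deployment manifest: the "api" container carries the weak settings,
# the "sidecar" container shows the hardened form of the same fields.
WEAK_MANIFEST = json.dumps({
    "apiVersion": "apps/v1", "kind": "Deployment",
    "metadata": {"name": "payments-api"},
    "spec": {"template": {"spec": {
        "hostNetwork": True,                       # shares the node's network namespace
        "containers": [
            {"name": "api",
             "image": "registry.example.internal/payments:latest",   # unpinned tag
             "securityContext": {"privileged": True}},               # full host access
            {"name": "sidecar",
             "image": "registry.example.internal/proxy:1.4.2",
             "securityContext": {"runAsNonRoot": True,
                                 "allowPrivilegeEscalation": False},
             "resources": {"limits": {"cpu": "250m", "memory": "128Mi"}}},
        ]}}}})


def scan_manifest(manifest_json: str) -> list[str]:
    """Return findings as 'container/rule' strings; an empty list means clean."""
    doc = json.loads(manifest_json)
    pod = doc.get("spec", {}).get("template", {}).get("spec", {})
    findings = []
    if pod.get("hostNetwork"):
        findings.append("pod/hostNetwork_enabled")
    for c in pod.get("containers", []):
        name, sc = c["name"], c.get("securityContext", {})
        image = c.get("image", "")
        if sc.get("privileged"):
            findings.append(f"{name}/privileged")
        if sc.get("runAsNonRoot") is not True:        # unset defaults to root
            findings.append(f"{name}/may_run_as_root")
        if sc.get("allowPrivilegeEscalation") is not False:   # unset defaults to allowed
            findings.append(f"{name}/privilege_escalation_allowed")
        # Tag check looks at the last path segment so a registry port is not mistaken for a tag.
        if ":" not in image.rsplit("/", 1)[-1] or image.endswith(":latest"):
            findings.append(f"{name}/unpinned_image_tag")
        if "limits" not in c.get("resources", {}):
            findings.append(f"{name}/no_resource_limits")
    return findings
```

For the constructed manifest the scan returns six findings, all on the pod and the "api" container; the hardened "sidecar" container produces none.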

Penetration Testing

A few weeks prior to go-live: the penetration test is conducted in the pre-prod environment (ideally the environment most similar to production).

Key Stakeholders involved in decision making: Security Architect, Delivery Team, Risk Assessor, Internal Audit, Digital AVPs

Frequency: Depending on the budget and criticality of the project, one or more pen tests may be conducted.

Frequency: Annually

Monitoring and Ensuring Observability

DevOps security requires consistent visibility using:

  • Monitoring tools - allow teams to track the system state using various metrics. 

  • Observability tools - allow teams to debug systems by exploring undefined patterns and properties. 

DevOps teams must regularly report on system performance and health from the customer’s perspective. Monitoring should focus on defined metrics and objectives, while observability investigates unknowns. Teams should have access to tooling to track and analyze production infrastructure issues.

Tools

Within the organization, Veracode is the widely used security testing tool.