The importance of security in software development is already widely understood and security testing is generally well embraced in the software delivery process. But when organisations enter the world of Continuous Delivery and Continuous Deployment, it becomes even more important to be able to test and enforce continuous security the same way – not only quarterly or monthly.
This means that the security testing, validation and approvals must be automated and able to evolve with your changing application.
Continuous Security Testing
New tools are constantly being released, providing continuous security testing capabilities. Here at Sandhata, we wanted to incorporate continuous security testing into our evolving demonstration application, Sandhata Bank, which runs on our live DevOps Innovation Platform. Part of my role in this project was to research and try out different security testing tools; both open source tools as well as those commercially available.
This is a summary of the tools I looked into, and how we have used them in the Sandhata Bank application.
1. Container Security
Twistlock is a tool focused on container security testing, designed to integrate in an automated way into the end-to-end delivery lifecycle. It offers vulnerability detection, container hardening, compliance enforcement, active threat protection and runtime policy enforcement.
For the Sandhata Bank application, we think that Twistlock is a good choice for container security in our Docker containers. It is on our roadmap to implement Twistlock in a future phase of our Sandhata Bank project.
2. Web Application Security – Static Code Analysis
SonarQube software is an open source quality management platform, built to continuously analyse and measure technical quality. It generates a report showing vulnerabilities, which can be integrated with various tools. There are plugins, for example FindSecurityBugs which can be executed using SonarScanner.
For Sandhata Bank, we implemented Sonar right at the beginning of the project, and it provided us with a way to continuously enforce our coding standards. We have since incorporated other aspects of Sonar, including FindSecurityBugs to continuously analyse the security status of our releases and alert us to any vulnerabilities.
Veracode is a licensed platform covering complete application security, focusing on automation, process and speed. It includes tools to find and fix vulnerabilities in software at every point in the development lifecycle and also offers web application scanning to help catch exceptions, which automated testing could have missed.
We decided to implement SonarQube in favour of Veracode as it seemed a better fit for our purposes. SonarQube had a plugin to integrate with Jenkins, and allowed configuration through the Jenkins UI, which Veracode did not.
Also, SonarQube was able to scan through code to identify vulnerabilities before the code was compiled, so we could incorporate security scanning tight at the start of the CI process.
3. Dynamic Code Analysis
Vega is a free, open source scanner and testing platform to test the security of web applications. The automated scanner crawls websites, extracting links, processing forms, and running modules on possible injection points to submit requests that fuzz parameters, amongst other things.
We haven’t implemented Vega yet as we have focused on enhancing other areas, but this tool is on our list of potential features to be added in future.
Vaddy is an automated web vulnerability scanner with strong CI support. Vaddy gives insight into the security of web apps and easily hooks into the standard deployment process to effectively detect vulnerabilities and deal with them before they become entrenched in the code.
For Sandhata Bank, we decided that Vega was better suited to our needs at the moment, as it is able to perform faster scans than Vaddy – and it is open source.
We are continually extending our Sandhata Bank application to incorporate new features and solutions. For more information on the live DevOps Innovation Platform, or to request a personalised demo, contact us today!
Want to know more?
Take a look at the Platform page or contact us on +44 20 7680 7105 for a no-obligation product review.