Successfully Integrating Dynamic Security Testing into Your CI/CD Pipeline
Dynamic Application Security Testing (DAST)
DAST is also called a web application scanner and is used for black-box security testing. It does not need access to the source code; it probes a running application from the outside by exercising every interface that could expose a vulnerability. You can integrate a DAST tool into your testing environment and use it for testing before deployment to production, and the same DAST tool can also be used in the production environment.
One major advantage of a dynamic application security testing tool is that it can identify runtime problems, which SAST cannot. Problems that arise from server configuration, or from authentication through the login or other forms, can quickly be caught by DAST.
Security testing techniques on CI/CD pipelines
- Security Testing Techniques
Most web/cloud applications are tested for security flaws at the service, infrastructure, and platform levels. Here we focus on the testing performed at the service layer. Dynamic application security testing (DAST) determines how a running application responds to malicious requests. More specifically, attack scenarios are defined as test cases consisting of requests that are sent to the system. The challenge is to send the correct requests and to identify the information within the response that indicates the presence of a vulnerability. DAST can be performed as white-box testing, where the application code is accessible, or as black-box testing, where the application code is unavailable. We assume the CI/CD pipeline is owned by the application owner and therefore consider mostly the white-box case. We consider three DAST techniques that can be automated:
- Web Application Security Testing (WAST)
- Security API Scanning (SAS)
- Behavior Driven Security Testing (BDST)
- Web Application Security Testing (WAST)
Web Application Security Testing (WAST) is the process of analyzing, testing, and reporting on the security level and/or posture of a web application. It is used by web developers and security administrators to test and gauge the security strength of a web application using manual and automated security testing techniques. The key objective of WAST is to identify any vulnerabilities or threats that could jeopardize the security or integrity of the web application.
- Security API Scanning (SAS)
It is highly recommended to test the web service through its APIs with SAS. This technique allows every endpoint to be tested in detail and can cover multiple security cases such as authentication, input validation, and error handling. In SAS, a parameterized request is generated and sent to the API of the web service. The input data can vary from credentials for authentication to malicious payloads such as SQL injection (SQLi).
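The SAS idea above, as an added example that is not part of the original article: a small in-process stand-in for a web service (constructed here, with a constructed bearer token and user table) and a scanner that sends parameterized requests for the three cases the text names (authentication, input validation, error handling) and checks both the status code and an indicator in the response body. The `weak_api` handler turns any exception into a 500 carrying the raw traceback; `hardened_api` is the same service with the defect fixed, so the scan reports findings for the first and none for the second.

```python
"""Constructed example: Security API Scanning (SAS) against an in-process toy API."""
import json
import traceback

TOKEN = "constructed-token-123"          # constructed sample credential
USERS = {1: {"name": "alice"}, 2: {"name": "bob"}}   # constructed data


def _route(method, path, body):
    """Shared business logic of the toy service (constructed). Raises ValueError
    on bad input; the two wrappers below differ only in how they handle that."""
    if method == "GET" and path.startswith("/users/"):
        user_id = int(path[len("/users/"):])      # ValueError on a non-numeric id
        if user_id not in USERS:
            return 404, {"error": "not found"}
        return 200, USERS[user_id]
    if method == "POST" and path == "/users":
        data = json.loads(body or "")             # ValueError on malformed JSON
        if not isinstance(data, dict) or not isinstance(data.get("name"), str):
            raise ValueError("name must be a string")
        new_id = max(USERS) + 1
        USERS[new_id] = {"name": data["name"]}
        return 201, {"id": new_id}
    return 404, {"error": "no such route"}


def _authorized(headers):
    return headers.get("Authorization") == f"Bearer {TOKEN}"


def weak_api(method, path, headers, body=None):
    """Service with a defect the scan should catch: every exception becomes a
    500 whose body is the raw Python traceback."""
    if not _authorized(headers):
        return 401, json.dumps({"error": "unauthorized"})
    try:
        status, payload = _route(method, path, body)
        return status, json.dumps(payload)
    except Exception:
        return 500, traceback.format_exc()


def hardened_api(method, path, headers, body=None):
    """Same service: bad input is a 400 and no internal detail reaches the client."""
    if not _authorized(headers):
        return 401, json.dumps({"error": "unauthorized"})
    try:
        status, payload = _route(method, path, body)
        return status, json.dumps(payload)
    except ValueError:                      # json.JSONDecodeError is a ValueError
        return 400, json.dumps({"error": "invalid input"})
    except Exception:
        return 500, json.dumps({"error": "internal error"})


def scan(app):
    """Send parameterized requests to `app` and return a list of findings.
    Each case is (name, method, path, headers, body, expected status)."""
    auth = {"Authorization": f"Bearer {TOKEN}"}
    cases = [
        ("unauthenticated request rejected", "GET", "/users/1", {}, None, 401),
        ("bad credentials rejected", "GET", "/users/1",
         {"Authorization": "Bearer wrong"}, None, 401),
        ("valid request served", "GET", "/users/1", auth, None, 200),
        ("non-numeric id rejected cleanly", "GET", "/users/abc", auth, None, 400),
        ("malformed JSON rejected cleanly", "POST", "/users", auth, "{not json", 400),
        ("wrong field type rejected cleanly", "POST", "/users", auth,
         json.dumps({"name": 42}), 400),
    ]
    findings = []
    for name, method, path, headers, body, expected in cases:
        status, text = app(method, path, headers, body)
        if status != expected:
            findings.append(f"{name}: {method} {path} returned {status}, expected {expected}")
        # Response-content indicator: implementation internals leaking to the client.
        if "Traceback" in text or 'File "' in text:
            findings.append(f"stack trace leaked: {method} {path}")
    return findings


if __name__ == "__main__":
    for label, app in (("weak", weak_api), ("hardened", hardened_api)):
        print(f"{label}: {len(scan(app))} finding(s)")
        for f in scan(app):
            print("  -", f)
```

Each case pairs a request with the response the service should give; a mismatch is a finding, and the body check is a second, independent indicator, which is the "identify the information within the response" step the text describes. In a pipeline the same cases would be sent over HTTP to the deployed test instance instead of calling the handler directly.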
- Behaviour Driven Security Testing (BDST)
BDD is an extension of Test Driven Development (TDD) and follows the idea of integrating business insight into testing. BDD uses a natural-language approach to define the behavior and expected outcome of test cases. BDST applies the idea of BDD to the domain of security testing, with the added benefit that non-security experts can understand the security tests. Because this technique is executed against the system as a whole, it enables the identification of vulnerabilities that target multiple entry points of the system. BDST combines several security testing techniques, such as SAS or WAST, to mimic attack scenarios by a hacker as well as to find security issues during normal system usage.
Why we use DAST
- Anyone on the internet can scan your app with a DAST tool and find vulnerabilities, and they can use those vulnerabilities against you! It's true that this is not legal, but that isn't going to stop a malicious actor.
- DAST tools do not require a lot of setup time and can be integrated into several stages of the software development life cycle.
- They don't require advanced cyber-security knowledge to operate. Any developer can use one, even without a security background.
Strategies for DAST in a pipeline
The very first strategy is to run your Dynamic Application Security Testing (DAST) on full blast. This can take a really long time, and may alienate your devs so much that they turn the tool off.
The second strategy is to define your scope with a .HAR file. HAR is short for HTTP Archive format, a JSON-formatted archive that logs a web browser's interactions with a site. If you have a team doing automated testing, you can record their interactions with a particular segment of the website, upload the recording into the DAST tool, and use the .HAR file to narrow the scope of what you are testing.
You also have the option to test only what is worrying you at the time. You can focus on the top three issues affecting your organization; once you have this knowledge, you can not only test for them but also teach the devs internally what those issues are and how to fix them.
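The HAR-scoping strategy, as an added example that is not part of the original article: a constructed HAR fragment standing in for a recording from the test team's browser session, and a function that turns it into a DAST scope. It keeps only hosts you own, drops static assets and query strings (so paginated calls collapse into one endpoint), and separates out the mutating methods, since a scanner replaying a recorded DELETE against a shared environment is a surprise you want to decide on deliberately. The host names and paths are constructed sample values.

```python
"""Constructed example: derive a DAST scope from a HAR recording."""
import json
from urllib.parse import urlsplit

# Constructed HAR fragment. Real HAR files carry timings, headers and responses;
# only log.entries[].request.{method,url} is needed to build a scope.
SAMPLE_HAR = json.dumps({
    "log": {"version": "1.2", "entries": [
        {"request": {"method": "GET", "url": "https://app.example.test/login"}},
        {"request": {"method": "POST", "url": "https://app.example.test/login"}},
        {"request": {"method": "GET", "url": "https://app.example.test/static/app.js"}},
        {"request": {"method": "GET", "url": "https://app.example.test/api/orders?page=2"}},
        {"request": {"method": "GET", "url": "https://app.example.test/api/orders?page=3"}},
        {"request": {"method": "GET", "url": "https://cdn.thirdparty.test/lib.js"}},
        {"request": {"method": "DELETE", "url": "https://app.example.test/api/orders/17"}},
    ]}
})

STATIC_SUFFIXES = (".js", ".css", ".png", ".jpg", ".svg", ".woff2", ".ico")
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


def har_to_scope(har_text, allowed_hosts):
    """Return sorted unique (method, path) pairs recorded in the HAR, restricted
    to hosts we own and ignoring static assets and query strings."""
    har = json.loads(har_text)
    scope = set()
    for entry in har.get("log", {}).get("entries", []):
        req = entry.get("request", {})
        if "url" not in req or "method" not in req:
            continue                      # tolerate partial or hand-edited entries
        parts = urlsplit(req["url"])
        if parts.hostname not in allowed_hosts:
            continue                      # third-party hosts are not ours to test
        if parts.path.lower().endswith(STATIC_SUFFIXES):
            continue                      # static files are noise for a DAST run
        scope.add((req["method"].upper(), parts.path))
    return sorted(scope)


def mutating_endpoints(scope):
    """Endpoints the recording exercised with state-changing methods; review these
    before letting an automated scan replay them against a shared environment."""
    return [(m, p) for m, p in scope if m not in SAFE_METHODS]


def scope_lines(scope):
    """Render the scope one 'METHOD /path' per line, the form most scanners accept
    as an include list (exact flag or file format depends on the tool)."""
    return "\n".join(f"{m} {p}" for m, p in scope)


if __name__ == "__main__":
    scope = har_to_scope(SAMPLE_HAR, {"app.example.test"})
    print(scope_lines(scope))
    print("mutating:", mutating_endpoints(scope))
```

Feeding the output into the scanner rather than a "crawl everything" run is what shrinks the scan from hours to minutes, and the mutating list is the review step that keeps the narrowed scope from being blindly destructive.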
A little secret about CI/CD pipeline for Security
The other secret is that you can still be in a DevOps environment and not put each and every test into the CI/CD pipeline. You can get good results by putting only some of the tests in, such as tech-specific tests or HAR-file-driven tests, and supplementing them with extra security testing outside of the CI/CD pipeline. This lets you take a good look at the attack surface of the app while taking some of the burden off configuring the CI/CD pipeline.
Conclusion
Application security testing is an important and integral part of the software development process. You will have to conduct this type of test to find security loopholes and, after finding them, close them with appropriate security measures and techniques. Dynamic scanning must be part of your security testing.
If someone else can point a DAST tool at your application and run it, you want to be able to duplicate that effort and find the easy-to-spot vulnerabilities before a malicious actor does. In addition, automation is your friend! Use it as much as you can. Dynamic testing in a pipeline must be good and accurate, but it doesn't mean you are failing if you also test outside the pipeline.