Continuous Application Security — Types and tools
Continuous Static Testing
Static testing is a software testing technique that checks an application for defects without executing its code. It is done early in development, when errors are easier to identify and cheaper to fix, and it finds classes of errors that dynamic testing may not catch.
A typical tool is the SonarQube Scanner. Getting-started guide: https://docs.sonarqube.org/latest/setup/get-started-2-minutes/
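To make the "without executing the code" point concrete, here is a small static check written for this article (it is not SonarQube code): it parses Python source into an AST and flags a few call patterns that a static rule set would typically report. The rules and the sample source are constructed for the example; the sample is only parsed, never run.

```python
"""Minimal static analysis check: flag risky call patterns without executing the code.
Added example for this article, not SonarQube code. Rules and sample source are constructed."""
import ast

# Constructed sample source under review (parsed only, never executed).
SAMPLE_SOURCE = '''
import subprocess, pickle

def run(cmd):
    subprocess.run(cmd, shell=True)   # shell=True: command string is interpreted by a shell

def load(blob):
    return pickle.loads(blob)         # deserializing untrusted input

def safe(cmd):
    subprocess.run(["ls", cmd])       # list form, no shell involved
'''


def _call_name(node: ast.Call) -> str:
    """Return a dotted name for the called function, e.g. 'subprocess.run'."""
    parts = []
    f = node.func
    while isinstance(f, ast.Attribute):
        parts.append(f.attr)
        f = f.value
    if isinstance(f, ast.Name):
        parts.append(f.id)
    return ".".join(reversed(parts))


def _has_true_keyword(node: ast.Call, name: str) -> bool:
    """True when the call passes the keyword argument `name=True` literally."""
    return any(
        kw.arg == name and isinstance(kw.value, ast.Constant) and kw.value.value is True
        for kw in node.keywords
    )


def find_findings(source: str) -> list:
    """Parse `source` and return sorted (line, rule) pairs for every rule hit."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        name = _call_name(node)
        if name in ("eval", "exec"):
            findings.append((node.lineno, "dynamic code execution"))
        elif name.startswith("subprocess.") and _has_true_keyword(node, "shell"):
            findings.append((node.lineno, "subprocess with shell=True"))
        elif name in ("pickle.load", "pickle.loads"):
            findings.append((node.lineno, "unsafe deserialization"))
    return sorted(findings)


if __name__ == "__main__":
    for line, rule in find_findings(SAMPLE_SOURCE):
        print(f"line {line}: {rule}")
```

A real scanner carries hundreds of such rules and tracks data flow between them, but the shape is the same: the verdict comes from the syntax tree, so the check runs in CI on every commit with no test environment needed.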
Continuous Dynamic Testing
Dynamic testing is a software testing method that exercises the running code to observe its behavior. Its main purpose is to test the software against dynamic inputs (variables that are not constant) and to find weak areas in the software's runtime environment. The code must be executed in order to test this behavior.
Typically used tools are ZAP (OWASP Zed Attack Proxy) or Burp Suite.
Interactive Application Security Testing — IAST
IAST (interactive application security testing) analyzes code for security vulnerabilities while the app is run by an automated test, a human tester, or any activity "interacting" with the application's functionality. This technology reports vulnerabilities in real time, which means it does not add any extra time to your CI/CD pipeline.
Typical tools — Contrast Security
Continuous Secret Scanning
Identifying secrets or keys stored in cloud infrastructure scripts. Keys are commonly leaked through GitHub (or similar) repositories. TruffleHog is a popular tool for finding such secrets in code and can be integrated into pipelines: the pipeline rejects the build if keys are found in the code.
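The following is an added example of that pipeline gate, written for this article in the spirit of TruffleHog but not TruffleHog's own code. It combines two detection strategies that such tools use, well-known key prefixes and high-entropy strings, over a set of constructed file contents, and exits non-zero when anything is found so the CI job fails. The file contents, the key-like values and the entropy cut-off are all constructed for the example.

```python
"""Secret scanning gate for a CI pipeline: fails the build when a likely credential is committed.
Added example in the spirit of TruffleHog; not TruffleHog's code. Files and values are constructed."""
import math
import re
import sys

# Constructed file contents standing in for a checked-out repository.
SAMPLE_FILES = {
    "deploy/terraform.tfvars": 'aws_access_key = "AKIAEXAMPLEEXAMPLE12"\nregion = "eu-west-1"\n',
    "config/settings.py": 'API_TOKEN = "f3a9c1d2e4b5a6c7d8e9f0a1b2c3d4e5f6a7b8c9"\nDEBUG = False\n',
    "README.md": "Run `make deploy` to ship the service.\n",
}

# Pattern detectors keyed on well-known credential formats: (rule name, regex).
PATTERNS = [
    ("aws-access-key-id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("private-key-block", re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----")),
]

# Entropy detector: long hex/base64-like tokens whose Shannon entropy is high.
TOKEN_RE = re.compile(r"[A-Za-z0-9+/=_-]{32,}")
ENTROPY_THRESHOLD = 3.5  # bits per character; constructed cut-off for this example


def shannon_entropy(s: str) -> float:
    """Shannon entropy of a string in bits per character."""
    counts = {c: s.count(c) for c in set(s)}
    return -sum((n / len(s)) * math.log2(n / len(s)) for n in counts.values())


def scan_text(path: str, text: str) -> list:
    """Return one finding dict per (line, rule) hit in a single file."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for rule, rx in PATTERNS:
            if rx.search(line):
                findings.append({"path": path, "line": lineno, "rule": rule})
        for token in TOKEN_RE.findall(line):
            if shannon_entropy(token) >= ENTROPY_THRESHOLD:
                findings.append({"path": path, "line": lineno, "rule": "high-entropy-string"})
    return findings


def scan_repo(files: dict) -> list:
    """Scan every file (sorted by path for stable output) and collect findings."""
    return [f for path, text in sorted(files.items()) for f in scan_text(path, text)]


def main() -> int:
    findings = scan_repo(SAMPLE_FILES)
    for f in findings:
        print(f"{f['path']}:{f['line']}: {f['rule']}")
    return 1 if findings else 0  # non-zero exit status makes the pipeline reject the build


if __name__ == "__main__":
    sys.exit(main())
```

The entropy rule catches tokens that no prefix pattern knows about, at the cost of false positives on things like hashes and minified assets; production tools pair it with allow-lists and verification of the candidate credential against the issuing service before failing the build.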
Continuous Library Security Scanning
While open-source software offers many benefits to enterprises and development teams, open source vulnerabilities pose significant risks to application security.
Many development teams rely on open-source software to accelerate delivery. Both traditional and agile development processes frequently incorporate pre-built, reusable open-source components, but most open-source software is not subject to the same level of scrutiny as custom-developed software. In fact, in a 2014 analysis of more than 5,300 enterprise applications, researchers determined that open-source components introduced an average of 24 known vulnerabilities into each web application. Many of these open-source vulnerabilities could potentially expose an organization to threats such as malware injection, data breaches, and Denial-of-Service (DoS) attacks.
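What a library scanner does in the pipeline is mechanical: read the dependency manifest, look each pinned version up in a vulnerability database and fail on any match. The following added example (written for this article, not the code of any SCA product) does exactly that for a requirements.txt-style manifest. The package names, the advisory entries and the "fixed in" versions are all constructed and describe no real vulnerability; the version comparison is a simplified numeric one that ignores pre-release suffixes.

```python
"""Library security scan: match pinned dependencies against a vulnerability database.
Added example; not the code of any SCA product. Manifest and advisories are constructed."""
import re

# Constructed dependency manifest in requirements.txt style.
MANIFEST = """
acme-webclient==2.19.0
acme-httpcore==1.26.5
acme-yamlkit==5.4.1   # pinned after an upgrade
acme-router>=2.0      # not an exact pin
"""

# Constructed advisory database: package -> [(advisory id, fixed-in version, summary)].
# Every version strictly below the fixed-in version is considered affected.
ADVISORIES = {
    "acme-webclient": [("ADV-0001", "2.20.0", "credential leak on redirect (constructed)")],
    "acme-yamlkit": [("ADV-0002", "5.4.0", "unsafe document loading (constructed)")],
    "acme-httpcore": [("ADV-0003", "1.26.5", "header injection (constructed)")],
}

PIN_RE = re.compile(r"^([A-Za-z0-9_.-]+)==([0-9][0-9A-Za-z.]*)$")


def parse_version(v: str) -> tuple:
    """Turn '1.26.5' into (1, 26, 5); non-numeric parts such as 'rc1' are dropped."""
    return tuple(int(p) for p in re.findall(r"\d+", v))


def parse_manifest(text: str) -> tuple:
    """Return ({name: version} for exact pins, [lines that are not exact pins])."""
    pinned, unpinned = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and whitespace
        if not line:
            continue
        m = PIN_RE.match(line)
        if m:
            pinned[m.group(1).lower()] = m.group(2)
        else:
            unpinned.append(line)   # ranges cannot be assessed without resolving them
    return pinned, unpinned


def find_vulnerable(pinned: dict) -> list:
    """Return (package, version, advisory id) for every pinned package below a fix version."""
    hits = []
    for name, version in pinned.items():
        for adv_id, fixed_in, _summary in ADVISORIES.get(name, []):
            if parse_version(version) < parse_version(fixed_in):
                hits.append((name, version, adv_id))
    return hits


def audit(text: str) -> dict:
    """Full audit of a manifest: vulnerable pins plus lines needing manual review."""
    pinned, unpinned = parse_manifest(text)
    return {"vulnerable": find_vulnerable(pinned), "unpinned": unpinned}


if __name__ == "__main__":
    report = audit(MANIFEST)
    for name, version, adv in report["vulnerable"]:
        print(f"{name}=={version} is affected by {adv}")
    for line in report["unpinned"]:
        print(f"not an exact pin, review manually: {line}")
```

Note that the unpinned `>=` line is reported separately rather than silently skipped: a range pin resolves to whatever version is current at build time, so the scanner cannot give a stable verdict on it, which is one reason lockfiles matter for this kind of check.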
Continuous Container Security
Container security is the use of security tools and policies to protect a container, the application it runs and its performance, covering the infrastructure, software supply chain, system tools, system libraries and runtime against cybersecurity threats. It typically checks for:
- Policy violations
- Runtime detection