Continuous Application Security — Types and tools

Continuous Static Testing

Static testing is a software testing technique used to check for defects in a software application without executing the code. It is done early in development, when errors are easier to identify and fix, and it also helps find errors that dynamic testing may not catch.

A typical tool is SonarQube Scanner. To get started: https://docs.sonarqube.org/latest/setup/get-started-2-minutes/
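To make the "without executing the code" point concrete, here is an added example (not from the original post and not SonarQube's code): a minimal static check that parses Python source with the standard `ast` module and flags a few well-known risky call patterns. The rule set, the helper names and the sample module are all constructed for this illustration.

```python
# Added example (not from the original post or from SonarQube): a minimal
# static check in the spirit of SAST. It parses Python source with the standard
# `ast` module and flags a few well-known risky constructs without executing
# anything. The rule set below is illustrative, not a real scanner's rules.
from __future__ import annotations

import ast
from dataclasses import dataclass

# Dotted call names that commonly signal injection or unsafe-deserialisation risk.
RISKY_CALLS = {
    "eval": "eval() on a runtime value",
    "exec": "exec() on a runtime value",
    "os.system": "shell command assembled from a string",
    "pickle.loads": "deserialisation of untrusted bytes",
    "yaml.load": "yaml.load() without a safe Loader",
}


@dataclass
class Finding:
    line: int
    rule: str
    message: str


def _call_name(node: ast.Call) -> str | None:
    """Resolve 'eval' or 'os.system' style names; give up on anything fancier."""
    func = node.func
    if isinstance(func, ast.Name):
        return func.id
    if isinstance(func, ast.Attribute) and isinstance(func.value, ast.Name):
        return f"{func.value.id}.{func.attr}"
    return None


def _keyword(node: ast.Call, name: str) -> ast.expr | None:
    return next((kw.value for kw in node.keywords if kw.arg == name), None)


def _uses_safe_loader(node: ast.Call) -> bool:
    loader = _keyword(node, "Loader")
    if isinstance(loader, ast.Attribute):
        return loader.attr in ("SafeLoader", "CSafeLoader")
    if isinstance(loader, ast.Name):
        return loader.id in ("SafeLoader", "CSafeLoader")
    return False


def scan_source(source: str) -> list[Finding]:
    """Statically scan Python source text; return findings ordered by line."""
    findings: list[Finding] = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        name = _call_name(node)
        if name in RISKY_CALLS:
            if name == "yaml.load" and _uses_safe_loader(node):
                continue  # yaml.load(..., Loader=SafeLoader) is the safe form
            findings.append(Finding(node.lineno, name, RISKY_CALLS[name]))
        elif name == "subprocess.run":
            shell = _keyword(node, "shell")
            if isinstance(shell, ast.Constant) and shell.value is True:
                findings.append(Finding(node.lineno, "subprocess.shell",
                                        "subprocess.run() with shell=True"))
    return sorted(findings, key=lambda f: f.line)


# Constructed sample module: two risky calls, two acceptable ones.
SAMPLE = """\
import os, subprocess, yaml
def run(cmd, doc):
    os.system("ls " + cmd)
    subprocess.run(["ls", cmd])
    subprocess.run("ls " + cmd, shell=True)
    return yaml.load(doc, Loader=yaml.SafeLoader)
"""

if __name__ == "__main__":
    for f in scan_source(SAMPLE):
        print(f"line {f.line}: {f.rule}: {f.message}")
```

Running it on the sample reports lines 3 and 5 and stays silent on the list-form `subprocess.run` and the `SafeLoader` call. A pipeline step would fail the build when `scan_source` returns anything; real SAST tools apply hundreds of such rules plus data-flow analysis, but the execution-free principle is the same.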

Continuous Dynamic Testing

Dynamic testing is a software testing method used to test the dynamic behavior of software code. Its main purpose is to exercise the software with dynamic inputs (variables that are not constant) and find weak areas in the software's runtime environment. The code must be executed in order to test its dynamic behavior.

Typically used tools are ZAP or Burp.

https://portswigger.net/burp/communitydownload

Interactive Application Security Testing — IAST

IAST (interactive application security testing) analyzes code for security vulnerabilities while the app is run by an automated test, a human tester, or any activity “interacting” with the application's functionality. This technology reports vulnerabilities in real time, which means it does not add any extra time to your CI/CD pipeline.

Typical tools — Contrast Security

https://www.contrastsecurity.com/contrast-community-edition

Continuous Secret Scanning

Secret scanning identifies secrets or keys stored in cloud infrastructure scripts. Keys are usually leaked through GitHub (or similar) repos. TruffleHog is a popular tool for finding such secrets in code and can be integrated with pipelines. The pipeline will reject the build if keys are found in the code.

https://trufflesecurity.com/security
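The following is an added example, not TruffleHog's code, of how a pipeline secret gate can work. It combines the two strategies such tools commonly use: regexes for known key formats and a Shannon-entropy screen for long opaque tokens. The patterns, the threshold, the `gate()` helper and the sample files are all constructed for this illustration.

```python
# Added example (not TruffleHog's code): a small secret scanner that combines
# known-format regexes with a Shannon-entropy screen of long tokens. A CI job
# calls gate() and fails the build when any finding comes back.
from __future__ import annotations

import math
import re
from dataclasses import dataclass

# Constructed patterns for illustration; real scanners ship many more.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "generic_assignment": re.compile(
        r"(?i)\b(?:secret|password|api[_-]?key|token)\b\s*[:=]\s*['\"]([^'\"]{8,})['\"]"
    ),
}
# Long runs of token-like characters are candidates for the entropy pass.
TOKEN_RE = re.compile(r"[A-Za-z0-9+/_\-]{20,}")
ENTROPY_THRESHOLD = 4.0  # bits per character; random base64-ish secrets exceed this


@dataclass
class Finding:
    path: str
    line: int
    rule: str
    sample: str


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character over the observed symbol distribution."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(s.count(c) / n * math.log2(s.count(c) / n) for c in set(s))


def _redact(s: str) -> str:
    """Never echo a full secret into CI logs; keep just enough to locate it."""
    return s[:4] + "..." + s[-2:] if len(s) > 8 else "***"


def scan_text(path: str, text: str) -> list[Finding]:
    findings: list[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        matched = False
        for rule, rx in PATTERNS.items():
            m = rx.search(line)
            if m:
                findings.append(Finding(path, lineno, rule, _redact(m.group(0))))
                matched = True
        if matched:
            continue
        # Entropy pass only for lines the format rules did not already catch.
        for tok in TOKEN_RE.findall(line):
            if shannon_entropy(tok) >= ENTROPY_THRESHOLD:
                findings.append(Finding(path, lineno, "high_entropy", _redact(tok)))
    return findings


def gate(files: dict[str, str]) -> tuple[bool, list[Finding]]:
    """Return (ok, findings); ok is False when any file contains a finding."""
    findings = [f for path, text in files.items() for f in scan_text(path, text)]
    return (not findings, findings)


# Constructed sample files; the key-like values are placeholders, not real keys.
SAMPLE_FILES = {
    "deploy.sh": "export AWS_ACCESS_KEY_ID=AKIAEXAMPLEEXAMPLE01\necho deploying\n",
    "settings.py": (
        "DEBUG = False\n"
        'api_key = "sk_constructed_value_0000"\n'
        'DB_URL = "postgres://app:Zq7Lw2Xk9Bv4Nt6Rm1Hs@db/app"\n'
    ),
    "README.md": "# Service\nRun make test before pushing.\n",
}

if __name__ == "__main__":
    ok, findings = gate(SAMPLE_FILES)
    for f in findings:
        print(f"{f.path}:{f.line} {f.rule} {f.sample}")
    raise SystemExit(0 if ok else 1)
```

On the sample files the gate fails with three findings: the AWS-style key in `deploy.sh`, the quoted `api_key` assignment, and the high-entropy password embedded in `DB_URL`, which no format rule knows about. The entropy pass is what catches that last case, at the cost of occasional false positives on long hashes or URLs, which is why real tools pair it with allowlists and verification.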

Continuous Library Security Scanning

While open-source software offers many benefits to enterprises and development teams, open source vulnerabilities pose significant risks to application security.

Many development teams rely on open-source software to accelerate the delivery of digital innovation. Both traditional and agile development processes frequently incorporate pre-built, reusable open-source software components. But most open-source software is not subject to the same level of scrutiny as software that is custom developed. In fact, in a 2014 analysis of more than 5,300 enterprise applications, researchers determined that open source components introduced an average of 24 known vulnerabilities into each web application. Many of these open source vulnerabilities could potentially expose an organization to threats such as malware injections, data breaches, and Denial-of-Service (DoS) attacks.

https://owasp.org/www-community/Vulnerability_Scanning_Tools

Continuous Container Security

Container security is the use of security tools and policies to protect the container, its application and performance, including infrastructure, software supply chain, system tools, system libraries, and runtime, against cybersecurity threats. It typically checks for:

  1. CVE
  2. Policy violation
  3. Runtime Detection

https://docs.anchore.com/current/docs/installation/anchore_cli/
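Both library scanning and container scanning end in the same place: a vulnerability report that a pipeline must turn into a pass/fail decision. The following added example (not Anchore's or OWASP's code) shows that policy step for both cases at once: fail on severe findings that already have a fix, warn on severe findings with no fix yet, and honour time-boxed exceptions. The `Vuln` record format, the policy fields and the advisory identifiers (`CVE-0000-000N`, deliberately invalid placeholders) are all constructed; a real scanner's JSON would be mapped into `Vuln` first.

```python
# Added example (not Anchore's or OWASP's code): a policy gate over a
# vulnerability report as produced by a library or container scanner. The
# record format is constructed for this example; map a real scanner's output
# into Vuln before calling evaluate().
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date

SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1, "negligible": 0}


@dataclass(frozen=True)
class Vuln:
    id: str                   # advisory id (placeholders below, not real CVEs)
    package: str
    version: str
    severity: str
    fix_version: str | None   # None when upstream has not shipped a fix yet


@dataclass
class Policy:
    fail_at: str = "high"                 # block at this severity and above ...
    only_if_fixable: bool = True          # ... but only when an upgrade exists
    allowlist: dict[str, date] = field(default_factory=dict)  # id -> expiry date


@dataclass
class Verdict:
    passed: bool
    blocking: list[Vuln]
    warnings: list[Vuln]
    expired_allowlist: list[str]


def evaluate(vulns: list[Vuln], policy: Policy, today: date) -> Verdict:
    threshold = SEVERITY_RANK[policy.fail_at]
    blocking: list[Vuln] = []
    warnings: list[Vuln] = []
    expired: list[str] = []
    for v in vulns:
        rank = SEVERITY_RANK.get(v.severity.lower(), 0)
        if v.id in policy.allowlist:
            if policy.allowlist[v.id] >= today:
                warnings.append(v)      # accepted risk, still surfaced in the log
                continue
            expired.append(v.id)        # stale exception: fall through to normal rules
        if rank >= threshold and (v.fix_version or not policy.only_if_fixable):
            blocking.append(v)
        elif rank >= threshold:
            warnings.append(v)          # severe but unfixable: report, do not block
    return Verdict(not blocking and not expired, blocking, warnings, expired)


def summarize(verdict: Verdict) -> str:
    lines = [f"{'PASS' if verdict.passed else 'FAIL'}"]
    lines += [f"BLOCK {v.id} {v.package}@{v.version} -> {v.fix_version}" for v in verdict.blocking]
    lines += [f"WARN  {v.id} {v.package}@{v.version}" for v in verdict.warnings]
    lines += [f"EXPIRED allowlist entry {i}" for i in verdict.expired_allowlist]
    return "\n".join(lines)


# Constructed report; identifiers are placeholders, not real advisories.
SAMPLE_REPORT = [
    Vuln("CVE-0000-0001", "libfoo", "1.2.0", "critical", "1.2.5"),  # fixable: block
    Vuln("CVE-0000-0002", "libbar", "3.0.1", "high", None),         # unfixable: warn
    Vuln("CVE-0000-0003", "libbaz", "0.9.0", "medium", "0.9.1"),    # below threshold
    Vuln("CVE-0000-0004", "libqux", "2.1.0", "high", "2.2.0"),      # allowlisted
]
SAMPLE_POLICY = Policy(allowlist={"CVE-0000-0004": date(2099, 1, 1)})

if __name__ == "__main__":
    verdict = evaluate(SAMPLE_REPORT, SAMPLE_POLICY, date.today())
    print(summarize(verdict))
    raise SystemExit(0 if verdict.passed else 1)
```

The two design choices worth copying are the `only_if_fixable` rule, which stops a pipeline from being permanently red because of an advisory nobody can act on yet, and the expiry date on every allowlist entry, so that an accepted risk has to be re-reviewed rather than forgotten. The same gate serves a dependency scan of a `package-lock.json` or `requirements.txt` and an image scan of a container's OS packages; only the step that produces the `Vuln` list differs.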
