Security used to be an afterthought in development, brought in late in the release cycle. As a result, security issues were found late, close to the final release, leaving insufficient time to fix all of the defects before shipping.
Security has been shifting left in the DevOps and release process: it is part of the development cycle rather than a checklist item at release time.
There are multiple steps to security.
- Static Code Analysis – Tools such as Coverity, Bandit, and Veracode run static analysis on the code a developer writes and identify potential security issues and vulnerabilities in it.
- Software Component Analysis – As part of your build and binary creation process, you may pull third-party or open-source packages and incorporate them in your generated binaries (jars or container images, for example). Both the external packages and the generated binaries must be scanned for vulnerabilities and license compliance. Tools like JFrog Xray, Snyk, and Black Duck can help with the identification and management of such packages.
- Environment Security – Another aspect of the security process is securing the environments used for build and deployment. The OS or images in use need to be updated on a regular schedule, and again whenever vulnerabilities are identified and patched, so that system packages stay at their latest versions. For such scanning, tools like Qualys and Wazuh can be used for security and compliance.
- Dynamic Analysis – After build and deployment, when the application is running, it can be tested and evaluated using dynamic analysis software. This is done to identify compile-time and run-time vulnerabilities, such as memory leaks and unauthorized access, using a tool like Checkmarx DAST. Penetration testing can also be included here, which can be done using tools like Burp Suite.
- Secrets Scanning – There are also tools to check for secrets within code. These can be integrated with your code management repository via webhooks and made a required check for every PR.
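To make the secrets check concrete, here is an added example (not code from the original article or from any of the tools it names) of the kind of logic a PR-gating secret scanner runs: a few regex rules plus a Shannon-entropy filter so that placeholder values like `"${API_KEY}"` or `"changeme"` do not block the PR. The rule set and the sample PR contents are constructed for this illustration; real scanners ship far larger rule sets.

```python
import math
import re

# Hypothetical rule set, constructed for this example; real scanners use many more rules.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC )?PRIVATE KEY-----"),
    # key/value assignments such as  SLACK_TOKEN = "..."  or  password: '...'
    "generic_assignment": re.compile(
        r"(?i)(?:password|passwd|secret|api[_-]?key|token)\s*[:=]\s*['\"]([^'\"]{8,})['\"]"
    ),
}

def shannon_entropy(s):
    """Bits of entropy per character; random-looking credentials score high."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(s.count(c) / n * math.log2(s.count(c) / n) for c in set(s))

def scan_text(path, text, entropy_threshold=3.5):
    """Return a list of (path, line_no, rule) findings for one file."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for rule, pattern in PATTERNS.items():
            m = pattern.search(line)
            if not m:
                continue
            # For the generic rule, drop low-entropy values (placeholders, env-var references).
            if rule == "generic_assignment" and shannon_entropy(m.group(1)) < entropy_threshold:
                continue
            findings.append((path, line_no, rule))
    return findings

def pr_check(files):
    """files maps path -> content. Returns (passed, findings); the PR is blocked if any finding."""
    findings = []
    for path, content in files.items():
        findings.extend(scan_text(path, content))
    return (len(findings) == 0, findings)

# Constructed sample PR contents (not real credentials).
SAMPLE_PR = {
    "config/settings.py": (
        "DB_PASSWORD = os.environ['DB_PASSWORD']\n"        # read from env: no literal, not flagged
        'API_KEY = "${API_KEY}"\n'                          # placeholder: low entropy, not flagged
        'SLACK_TOKEN = "xk9Qm2pL7vRt4sWb1nZe8yHc"\n'        # random-looking literal: flagged
    ),
    "scripts/deploy.sh": "AWS_ACCESS_KEY_ID=AKIAEXAMPLEEXAMPLE12\n",  # matches the AKIA rule
    "keys/dev.pem": "-----BEGIN RSA PRIVATE KEY-----\n",             # key header committed
}

if __name__ == "__main__":
    passed, findings = pr_check(SAMPLE_PR)
    print("PR check passed:", passed)
    for f in findings:
        print("finding:", f)
```

Wired to a repository webhook, `pr_check` would run over the changed files and report a failed status check, blocking the merge until the secret is removed and rotated.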
A good reference for security tools is available here.
As listed above, many security aspects must be considered as part of the software development and release process.
There is a multitude of tools available for each scenario, and several tools provide more than one capability. Tool selection will come down to cost, support for your programming languages, and ease of integration and use.
Shifting left on security and including it in the DevOps process helps identify security risks earlier in the development cycle and ship secure code.