Bridging the security gap in continuous testing and the CI/CD pipeline

Kimm Yeo

Jul 24, 2022 / 7 min read

Gartner recently released its 2022 “Critical Capabilities for Application Security Testing” (AST) report, and I am delighted to see that Synopsys received the highest score across each of the five Use Cases. Let’s look at the Continuous Testing Use Case and dive into how Gartner ranks and rates it, and see why the Synopsys portfolio of offerings is well-suited for organizations that are looking to implement or are currently doing continuous testing. 

In rating the 14 evaluated tools' ability to deliver continuous testing, Gartner weights dynamic application security testing (DAST), interactive application security testing (IAST), and API security testing and discovery slightly more heavily than static application security testing (SAST) and software composition analysis (SCA). To understand why, let's look at the role continuous testing plays in today's software ecosystem.

Continuous testing in application security

First, we need to understand what exactly continuous testing is. As the name implies, continuous testing refers to the execution of automated tests every time code changes are made. These tests are carried out continuously and iteratively across the software development life cycle (SDLC). They are conducted as a part of the software delivery pipeline to drive faster feedback on changes pushed to the code and/or binary repository.

Continuous testing is especially important in an organization's drive toward DevOps continuous integration / continuous delivery (CI/CD). CI/CD enables product innovation at speed, which is crucial for businesses to stay ahead of the curve; continuous testing builds trust in the quality of what is delivered. It provides the peace of mind that products perform as expected and are reliable and secure. In a delivery pipeline, continuous testing allows the team to introduce any number of quality gates, at whatever points they choose, to achieve the degree of quality they need.
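
As an added example of what such a quality gate looks like in practice (this is not code from the original post or from any Synopsys product), the Python below takes findings from three kinds of AST tools, normalizes them into one record shape, merges records that point at the same weakness in the same place, and applies a stage-specific policy that tightens as the code moves toward production. The tool output formats, the policy thresholds and the sample findings are all constructed for illustration.

```python
"""Added example, not code from the original post or from any Synopsys product:
a pipeline security gate that normalizes findings from several AST tools into
one record shape, collapses duplicates that point at the same weakness in the
same place, and applies a per-stage policy. The tool output formats, the
policy and the sample findings are all constructed for illustration."""
from dataclasses import dataclass

SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1}

# Constructed policy: early stages block only on the worst findings so
# developers get fast feedback; later stages tighten as the environment
# approaches production.
POLICY = {
    "commit": {"critical"},
    "build": {"critical", "high"},
    "staging": {"critical", "high", "medium"},
}

@dataclass(frozen=True)
class Finding:
    tools: tuple      # scanners that reported it
    severity: str     # critical | high | medium | low
    cwe: int          # CWE id, 0 when the tool supplies none
    location: str     # file:line for code, "METHOD /path" for runtime-only findings
    title: str

def normalize(tool, raw):
    """Map one tool's native record (constructed shapes) onto Finding."""
    sev = raw["severity"].lower()
    cwe = raw.get("cwe", 0)
    if tool == "sast":
        return Finding((tool,), sev, cwe, f'{raw["file"]}:{raw["line"]}', raw["rule"])
    if tool == "sca":
        return Finding((tool,), sev, cwe, f'{raw["package"]}@{raw["version"]}', raw["advisory"])
    if tool == "iast":
        # A runtime finding that carries a code location correlates with SAST.
        loc = f'{raw["file"]}:{raw["line"]}' if "file" in raw else f'{raw["method"]} {raw["path"]}'
        return Finding((tool,), sev, cwe, loc, raw["vulnerability"])
    raise ValueError(f"unknown tool: {tool}")

def correlate(findings):
    """Merge records sharing (CWE, location); keep the highest severity and
    remember every tool that reported it."""
    merged = {}
    for f in findings:
        key = (f.cwe, f.location)
        if key not in merged:
            merged[key] = f
            continue
        m = merged[key]
        worst = max(m.severity, f.severity, key=SEVERITY_RANK.__getitem__)
        merged[key] = Finding(tuple(sorted(set(m.tools + f.tools))), worst, m.cwe, m.location, m.title)
    return sorted(merged.values(), key=lambda f: -SEVERITY_RANK[f.severity])

def gate(findings, stage):
    """Return (passed, blockers) for a pipeline stage."""
    blockers = [f for f in findings if f.severity in POLICY[stage]]
    return not blockers, blockers

# Constructed sample output from three tools in one pipeline run.
RAW = {
    "sast": [
        {"rule": "SQL injection", "severity": "High", "cwe": 89, "file": "app/db.py", "line": 42},
        {"rule": "SQL injection", "severity": "High", "cwe": 89, "file": "app/db.py", "line": 42},
        {"rule": "Hard-coded secret", "severity": "Medium", "cwe": 798, "file": "app/cfg.py", "line": 7},
    ],
    "sca": [
        {"advisory": "Known vulnerable version", "severity": "High", "cwe": 502,
         "package": "some-json-lib", "version": "1.2.3"},
    ],
    "iast": [
        {"vulnerability": "SQL injection", "severity": "High", "cwe": 89,
         "file": "app/db.py", "line": 42, "method": "POST", "path": "/login"},
        {"vulnerability": "Reflected XSS", "severity": "Medium", "cwe": 79,
         "method": "GET", "path": "/search"},
    ],
}

def run_gates(raw=RAW):
    """Correlate all findings once, then evaluate every stage's gate."""
    findings = correlate(normalize(tool, rec) for tool, recs in raw.items() for rec in recs)
    return findings, {stage: gate(findings, stage) for stage in POLICY}

if __name__ == "__main__":
    findings, results = run_gates()
    for f in findings:
        print(f"{f.severity:8} {f.location:28} {f.title} (reported by {', '.join(f.tools)})")
    for stage, (passed, blockers) in results.items():
        print(f"{stage}: {'PASS' if passed else 'BLOCK'} ({len(blockers)} blocking)")
```

With the constructed input, the two duplicate SAST records and the IAST record for the same SQL injection collapse into one finding reported by both tools, the commit gate passes (nothing critical), and the build and staging gates block on the high and medium findings respectively. The point is that correlation happens once, before any gate runs, so a later, stricter gate does not re-count what an earlier tool already found.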

Bridging the security gap in continuous testing

Although continuous testing is becoming a standard practice today, embedding another layer of security oversight is something not readily undertaken by most organizations. It is simple to understand why.

Implementing continuous testing is already a massive undertaking, even before a security layer is added on top. For continuous testing to work, development and QA teams must get together to define tests early, develop test-driven or behavior-driven test cases, and ensure good test coverage. A successful continuous testing operation also needs a complete test environment on demand, with developer-friendly tooling (code, CI/CD integrations, and supported open source) for the various development and test teams. These environments should be ready for on-demand needs from unit tests through integration, functional, regression, and acceptance tests, and should be able to provision the right test data so teams can run comprehensive tests against production-like data. With continuous testing, the different types of tests run seamlessly at each stage of the pipeline and in each environment the code is deployed to. Tests are triggered automatically by events such as code check-ins or code changes, with the aim of alerting the team to problems as quickly as possible.

Continuous testing becomes harder and slower as it progresses toward the production environment, and the depth of testing grows as the simulation environment gets closer to production. More tests, and more complicated tests, are added as the code matures and the environment becomes more complex. The test cases written early on are unlikely to be run unchanged throughout the SDLC; they need to be updated each time significant changes are introduced. The automated scripts likewise need updating at each phase of testing as the code matures and moves to higher-level environments, where configuration and infrastructure advance as well, until it reaches production.

The time needed to run the tests also increases as testing progresses toward the release point. A unit test might take very little time to run, whereas some integration tests or system/load tests might take hours or days. Given the time and effort required to execute end-to-end continuous testing, it's no wonder that automated security tests lag behind other automation efforts (e.g., automating build and release), according to Google's State of DevOps report.

For organizations that have security test practices and tools built into their continuous testing and delivery pipeline, it’s common to find SAST and/or SCA tools deployed in their automated pipeline. These tools have their own place in the SDLC, and in fact, they are necessary early in the SDLC to help secure proprietary codebases and external dependencies such as open source and third-party code. This may suffice in a controlled environment, with controlled codebases that ensure predictable user experiences. 

Unfortunately, application development and delivery has shifted from monolithic to today's highly distributed computing model. Modern, composite applications contain innumerable software components and event-driven triggers, thanks to technologies such as microservices architecture, the cloud, APIs, and serverless functions. Some critical vulnerabilities cannot be anticipated or caught in early development phases; they are not triggered until runtime tests, when the various components are integrated. The sheer volume of applications that an organization owns and must manage today, from internal proprietary codebases and applications to third-party components and APIs, contributes to the growth of unanticipated attack surface.

Therefore, it’s more critical than ever to incorporate modern DAST approaches to testing, particularly those that can augment the continuous testing and CI/CD pipeline with the least friction.

How Synopsys helps build continuous security in your pipeline

Synopsys has the broadest and most comprehensive portfolio for your application security needs. Our AST tools provide seamless life cycle integration with end-to-end app security test coverage across the continuous pipeline.

  • Code Sight™ provides a natural extension for developers who want to identify and triage their security defects early, right in their IDE, continuously with each iteration and without having to switch context or break their current workflow.
  • Seeker® IAST enables modern web, API, cloud, serverless and microservices-based security testing.
  • WhiteHat™ Dynamic, coupled with application security orchestration and correlation (ASOC) solutions like Intelligent Orchestration and Code Dx®, enables teams to prioritize and orchestrate incremental tests, and to triage and remediate, without friction or disruption to their continuous pipeline.

Some key benefits of Synopsys solutions include

  • Concurrent application runtime security testing that augments continuous testing and CI/CD with no additional scans, expert resources, or cycles needed
    • Modern, purpose-built Seeker IAST performs runtime security testing and monitoring in the background, and doubles as a security test, without need for any manual human intervention or additional scans. It will continuously detect, auto verify (powered by its patented active verification engine), and alert of critical findings in real time. Development and QA teams can carry out their normal workload with no disruptions to their test workflows.
  • Support for modern software architectures such as microservices, the cloud, APIs, and serverless deployments
    • Seeker IAST can help increase test coverage for the application under test (AUT). It automatically collects OpenAPI (formerly Swagger) specifications from applications that expose them and uses those specifications to test the API endpoints with no extra configuration required. There is no need to provide the API specs: Seeker can find them, download them from the AUT, and piggyback on the normal traffic generated by functional testing to send the extra requests that crawl the API.
    • Seeker can discover and inventory all APIs and inbound and outbound endpoints, including tested and untested URLs, and supports other modern development and deployment frameworks such as GraphQL and serverless functions such as AWS Lambda and Azure Functions.
    • Seeker’s patented active verification engine automatically validates findings and reduces false positives to near zero.
  • Dynamic visualization of exploits and vulnerabilities during the various stages of the application under test
    • Seeker IAST provides a visual mapping of the sensitive dataflow from source to sink. This is particularly crucial in today’s highly distributed computing model where there’s no way to trace the hundreds of inbound/outbound endpoints and at the same time, quickly pinpoint potential vulnerabilities. The interactive dataflow map also helps to cut pen testing time and effort, as well as aids in threat modeling.
    • Development teams can gain real-time, actionable insights into app security risk as their fully automated and continuous testing takes place—from the application level down to binary software composition analysis with detailed line-of-code information that speeds up triaging and remediation.
    • For corner cases (or sensitive apps) that require expert resources to perform further business logic assessment, our DAST solutions can perform production-safe testing in preproduction and production environments with minimal disruption to the test workflow.
  • Developer empowerment through integrated eLearning
    • In addition to providing developers with detailed remediation guidance, Synopsys AST tools come with contextual eLearning that provides both development and QA teams with on-the-job training on how to fix issues as they code and test, without leaving the IDE, and during critical QA test stages.
  • Application security orchestration and correlation that provides continuous insights for timely triaging and remediation
    • Code Dx provides a comprehensive view of security risk across apps, teams, and AST tools. It helps aggregate, normalize, and correlate the hundreds of findings from diverse AST tools (SAST, SCA, DAST, IAST) used in the organization. Teams can easily review risks, automatically triage, and plan remediation activities holistically without bringing down their continuous pipeline.
    • Intelligent Orchestration automatically runs the right incremental test at the right time and stage of the pipeline, as dictated by the business’s needs, risks and security policy.
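
The API discovery and coverage points above (collecting the spec from the AUT, building an endpoint inventory, and distinguishing tested from untested URLs) can be illustrated with a small Python script. This is an added example and not Seeker's or Synopsys's code; the well-known spec paths it tries, the sample OpenAPI document, the HTTP stand-in, the canary payload and the observed traffic are all assumptions constructed for the example so that it runs offline.

```python
"""Added example (not the original post's or Seeker's code): find an OpenAPI
document at the paths common API frameworks serve it from, build an endpoint
inventory, generate probe requests that place a canary in every declared
parameter, and report which spec endpoints the functional test run never
exercised. Spec, HTTP stand-in and observed traffic are constructed inline."""
import json
import re
from urllib.parse import quote, urlencode, urlparse

# Assumption: common default locations for OpenAPI/Swagger documents.
SPEC_PATHS = ["/openapi.json", "/swagger.json", "/v2/api-docs",
              "/v3/api-docs", "/swagger/v1/swagger.json"]
HTTP_METHODS = {"get", "post", "put", "patch", "delete", "head", "options"}
CANARY = "'\"<probe>"   # inert marker; a real scanner substitutes attack payloads here

# Constructed OpenAPI 3 document for a small user service.
SAMPLE_SPEC = {
    "openapi": "3.0.0",
    "servers": [{"url": "http://localhost:8080/api"}],
    "paths": {
        "/users": {"get": {"parameters": [{"name": "q", "in": "query"}]}, "post": {}},
        "/users/{id}": {"parameters": [{"name": "id", "in": "path", "required": True}],
                        "get": {}, "delete": {}},
        "/health": {"get": {}},
    },
}

def fake_http_get(path):
    """Stand-in for an HTTP client: serves the constructed spec at one path."""
    if path == "/v3/api-docs":
        return 200, json.dumps(SAMPLE_SPEC)
    return 404, ""

def discover_spec(http_get):
    """Try the candidate paths; return (path, document) for the first real spec."""
    for p in SPEC_PATHS:
        status, body = http_get(p)
        if status != 200:
            continue
        try:
            doc = json.loads(body)
        except json.JSONDecodeError:
            continue
        if isinstance(doc, dict) and ("openapi" in doc or "swagger" in doc):
            return p, doc
    return None, None

def base_path(doc):
    """Swagger 2 uses basePath; OpenAPI 3 puts it in the first server URL."""
    if "basePath" in doc:
        return doc["basePath"].rstrip("/")
    servers = doc.get("servers") or [{"url": ""}]
    return urlparse(servers[0]["url"]).path.rstrip("/")

def inventory(doc):
    """Every operation as (METHOD, path template, [(param name, location)])."""
    ops = []
    for path, item in doc.get("paths", {}).items():
        shared = item.get("parameters", [])          # path-level params apply to all methods
        for method, op in item.items():
            if method.lower() not in HTTP_METHODS:
                continue
            params = shared + op.get("parameters", [])
            ops.append((method.upper(), path, [(p["name"], p["in"]) for p in params]))
    return ops

def build_probe(method, path, params, base="", payload=CANARY):
    """Concrete request with the payload placed in each declared parameter."""
    url, query, headers = base + path, {}, {}
    for name, where in params:
        if where == "path":
            url = url.replace("{" + name + "}", quote(payload, safe=""))
        elif where == "query":
            query[name] = payload
        elif where == "header":
            headers[name] = payload
    if query:
        url += "?" + urlencode(query)
    return {"method": method, "url": url, "headers": headers}

def template_regex(template):
    """'/users/{id}' -> regex matching '/users/17' but not '/users'."""
    parts = re.split(r"(\{[^/}]+\})", template)
    body = "".join("[^/]+" if p.startswith("{") else re.escape(p) for p in parts)
    return re.compile("^" + body + "$")

def coverage(doc, observed):
    """Split the inventory into endpoints seen in traffic and endpoints never hit.
    observed: iterable of (METHOD, absolute URL) captured during the test run."""
    base = base_path(doc)
    seen = [(m.upper(), urlparse(u).path) for m, u in observed]
    tested, untested = [], []
    for method, path, _ in inventory(doc):
        rx = template_regex(base + path)
        hit = any(m == method and rx.match(p) for m, p in seen)
        (tested if hit else untested).append((method, path))
    return tested, untested

# Constructed traffic captured from a functional test run.
OBSERVED = [
    ("GET", "http://localhost:8080/api/users?q=alice"),
    ("POST", "http://localhost:8080/api/users"),
    ("GET", "http://localhost:8080/api/users/17"),
    ("GET", "http://localhost:8080/api/health"),
]

def run(http_get=fake_http_get, observed=OBSERVED):
    """Discover the spec, build probes for every operation, and report coverage."""
    path, doc = discover_spec(http_get)
    probes = [build_probe(m, p, ps, base_path(doc)) for m, p, ps in inventory(doc)]
    tested, untested = coverage(doc, observed)
    return {"spec_at": path, "probes": probes, "tested": tested, "untested": untested}

if __name__ == "__main__":
    print(json.dumps(run(), indent=2))
```

With the constructed input the spec is found at the fourth candidate path, five operations are inventoried, and the coverage report flags `DELETE /users/{id}` as the one endpoint the functional tests never touched. The path-template matching is what makes the tested/untested split work: a concrete URL such as `/api/users/17` has to be mapped back to its template before it can be compared with the inventory.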

Continuous security testing and continuous delivery are processes that can take time to implement successfully. But close collaboration between development, security, and DevOps teams, along with continuous security feedback based on highly accurate data and the right tool set, will help bulletproof your critical applications.

Get your free copy of Gartner’s 2022 “Critical Capabilities for Application Security Testing” (AST) report
