Aspect Security's AppSec Blog

Using an Application Security Pipeline to Achieve Continuous Security in DevOps (Q&A)

Posted by Kerry Jo Richards



Last week, we discussed the concept of an AppSec Pipeline in our blog post, Secure DevOps with an Application Security Pipeline.

This week, we ask Automation & Integration Specialist James Hobbs some questions about Application Security Pipelines and achieving Continuous Security in DevOps.


Q1: What is an Application Security (AppSec) Pipeline?

An AppSec Pipeline is an automated set of continuous, concurrent and repeatable application security activities that are part of a larger continuous delivery pipeline. The Pipeline ensures that automated application security testing is performed on applications as they move toward production deployment.


Q2: What is the main objective of implementing an AppSec Pipeline?

Implementing an AppSec Pipeline seamlessly includes application security activities in the SDLC, allowing you to reach security goals faster and more efficiently. A functioning AppSec Pipeline is the first milestone for organizations looking to achieve Continuous Security.

When Continuous Security is fully realized, intelligent security processes are executed automatically in a repeatable and scalable manner – a perfect fit for DevOps environments.


Q3: What are the benefits of creating an AppSec Pipeline?

An effective AppSec Pipeline will increase efficiency and developer buy-in.  It also minimizes the resources and costs required to complete application security activities. 


Q4: How does an AppSec Pipeline relate to Continuous Integration/Continuous Delivery (CI/CD)?

Embracing Continuous Integration (CI) and/or Continuous Delivery (CD) is one of the first steps organizations usually take when transitioning to DevOps. An AppSec Pipeline supports Continuous Security by integrating security activities into the organization’s CI/CD system.


Q5: How do I integrate application security tasks into our CI/CD system?

Start by automating tasks that you are performing manually. Dynamic analysis (DAST), static analysis (SAST), interactive analysis (IAST), and dependency checking are examples of activities that can often be automated with minimal investment (depending on existing processes and infrastructure, of course).


Q6: How would an AppSec Pipeline benefit my organization if we are not currently using DevOps?

Automation is often used in development organizations to improve processes, enforce sign-off gates and ensure quality before applications are deployed to production – regardless of whether your organization is using an Agile, Waterfall or another type of SDLC.

By injecting application security activities into these processes, your CI/CD pipeline promises a greater level of software assurance via some level of automated security testing on your applications.


Q7: What tools should be used in an AppSec Pipeline?

[Figure: AppSec Pipeline]

Tools will vary from organization to organization. Many organizations start by automating the security tools that they are currently using. We highly recommend evaluating available security tools and considering which meet your organizational requirements most closely. Aspect Security can help you with this evaluation.

This graphic exemplifies an AppSec Pipeline where common tools are tied into the SDLC and carry out application security processes.

This is just one example – the tools in your AppSec Pipeline will vary.


Q8: I have an AppSec Pipeline, but it’s a bottleneck to the speed of my deployment. How can I make my pipeline faster?

Many application security activities, such as dynamic analysis (DAST), can be slow. They perform comprehensive tests that can take hours, or even days, to complete.

It’s important to understand your applications and configure the security tools properly so that only the necessary level of testing is done. As your AppSec Pipeline matures, the security activities should be tailored to meet the requirements of the application.
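The two answers above (Q5, automating the manual sign-off on tool results inside CI/CD, and Q8, running only the necessary level of testing per trigger) can be made concrete as a small pipeline gate. The script below is an added example for this post, not code from Aspect Security or James Hobbs; the profile names, tool names, severity scale and finding records are all assumptions constructed for illustration rather than any real tool's output format.

```python
"""Security gate for a CI/CD pipeline stage (added example, not Aspect Security's code).

Two decisions a pipeline stage has to make are modelled here:
  1. which scan profile to run for this trigger (Q8: only the necessary level
     of testing on every commit, the comprehensive scans on a schedule), and
  2. whether the findings the tools produced should fail the build (Q5:
     automating the manual sign-off on SAST / dependency-check results).

All tool names, profile names and finding records are assumptions made for
illustration; they are not a real tool's output format.
"""
from dataclasses import dataclass
from typing import Dict, List

# Ordering used when comparing severities against the gate threshold.
SEVERITY_RANK = {"info": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}

# Hypothetical scan profiles keyed by the event that triggered the pipeline.
# Fast tools run on every push; slow ones (DAST) only where the delay is acceptable.
PROFILES: Dict[str, List[str]] = {
    "push":    ["sast-incremental", "dependency-check"],
    "merge":   ["sast-full", "dependency-check"],
    "nightly": ["sast-full", "dependency-check", "dast-full"],
    "release": ["sast-full", "dependency-check", "dast-full", "iast"],
}


@dataclass(frozen=True)
class Finding:
    tool: str
    rule_id: str
    severity: str            # one of SEVERITY_RANK
    location: str
    suppressed: bool = False  # reviewed and accepted via a tracked exception


def select_profile(event: str) -> List[str]:
    """Return the scan jobs for a pipeline trigger; unknown events get the cheapest profile."""
    return PROFILES.get(event, PROFILES["push"])


def parse_findings(raw: List[dict]) -> List[Finding]:
    """Normalise constructed tool records into Finding objects, rejecting unknown severities."""
    findings = []
    for rec in raw:
        sev = rec["severity"].lower()
        if sev not in SEVERITY_RANK:
            raise ValueError(f"unknown severity {rec['severity']!r} from {rec['tool']}")
        findings.append(Finding(rec["tool"], rec["rule_id"], sev,
                                rec["location"], rec.get("suppressed", False)))
    return findings


def gate(findings: List[Finding], fail_at: str = "high") -> dict:
    """Apply the build-break policy: any unsuppressed finding at or above `fail_at` fails the stage."""
    threshold = SEVERITY_RANK[fail_at]
    blocking = [f for f in findings
                if not f.suppressed and SEVERITY_RANK[f.severity] >= threshold]
    return {
        "passed": not blocking,
        "blocking": blocking,
        "total": len(findings),
        "suppressed": sum(1 for f in findings if f.suppressed),
    }


# Constructed sample output, as if collected from the jobs in the "push" profile.
SAMPLE_RESULTS = [
    {"tool": "sast-incremental", "rule_id": "sqli-string-concat", "severity": "High",
     "location": "src/orders/repo.py:42"},
    {"tool": "sast-incremental", "rule_id": "hardcoded-secret", "severity": "Medium",
     "location": "src/config.py:7"},
    {"tool": "dependency-check", "rule_id": "CVE-PLACEHOLDER", "severity": "Critical",
     "location": "requirements.txt:libfoo==1.2.3", "suppressed": True},
]

if __name__ == "__main__":
    jobs = select_profile("push")
    result = gate(parse_findings(SAMPLE_RESULTS), fail_at="high")
    print("jobs run:", ", ".join(jobs))
    for f in result["blocking"]:
        print(f"BLOCK {f.severity.upper():8} {f.tool} {f.rule_id} at {f.location}")
    print("gate passed" if result["passed"] else "gate FAILED")
```

The profile table is where the Q8 tailoring lives: the comprehensive DAST job is reserved for the nightly and release triggers so it never sits on the critical path of a developer's push. The suppression flag is what keeps the gate from becoming the bottleneck in the other direction: an accepted finding is still counted and reported, but only an unsuppressed one at or above the threshold breaks the build.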


Need more information about how to secure your DevOps or CI/CD development pipeline? Learn more about our Automation Practice or contact us today. 

