This week, we ask Automation & Integration Specialist James Hobbs some questions about Application Security Pipelines and achieving Continuous Security in DevOps.
Q1: What is an Application Security (AppSec) Pipeline?
An AppSec Pipeline is an automated set of continuous, concurrent and repeatable application security activities that are part of a larger continuous delivery pipeline. The Pipeline ensures that automated application security testing is performed on applications as they move toward production deployment.
Q2: What is the main objective of implementing an AppSec Pipeline?
Implementing an AppSec Pipeline seamlessly includes application security activities in the SDLC, allowing you to reach security goals faster and more efficiently. A functioning AppSec Pipeline is the first milestone for organizations looking to achieve Continuous Security.
When Continuous Security is fully realized, intelligent security processes are executed automatically in a repeatable and scalable manner – a perfect fit for DevOps environments.
Q3: What are the benefits of creating an AppSec Pipeline?
An effective AppSec Pipeline will increase efficiency and developer buy-in. It also minimizes the resources and costs required to complete application security activities.
Q4: How does an AppSec Pipeline relate to Continuous Integration/Continuous Delivery (CI/CD)?
Embracing Continuous Integration (CI) and/or Continuous Delivery (CD) is one of the first steps organizations usually take when transitioning to DevOps. An AppSec Pipeline supports Continuous Security by integrating security activities into the organization’s CI/CD system.
Q5: How do I integrate application security tasks into our CI/CD system?
Start by automating tasks that you are performing manually. Dynamic analysis (DAST), static analysis (SAST), interactive analysis (IAST), and dependency checking are examples of activities that can often be automated with minimal investment (depending on existing processes and infrastructure, of course).
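As an added illustration (not part of the interview, and not Aspect Security's tooling) of what "automating" one of those tasks looks like once the scanner itself runs in CI: the glue that turns a report into a build gate. The script below reads a SARIF 2.1.0 report, the interchange format most SAST and dependency scanners can emit, ignores findings below a chosen severity and findings the team has already accepted in a baseline, and returns a non-zero exit code so the CI step fails. The sample report, the tool and rule names, and the fingerprint scheme are constructed for the example.

```python
"""Severity gate for one AppSec pipeline stage.

Reads a SARIF 2.1.0 report, drops findings below a severity threshold and
findings already accepted in a baseline, and returns the exit code for the CI
step. Added example; the sample report and its rule names are constructed.
"""
import hashlib
import json
import sys
from dataclasses import dataclass, field

# SARIF result levels, ordered. A result without "level" means "warning" per the spec.
LEVELS = {"none": 0, "note": 1, "warning": 2, "error": 3}


def _sarif_result(rule_id, level, uri, line, text):
    """Build one SARIF result object (used only to construct the sample report)."""
    return {"ruleId": rule_id, "level": level, "message": {"text": text},
            "locations": [{"physicalLocation": {"artifactLocation": {"uri": uri},
                                                "region": {"startLine": line}}}]}


# Constructed sample report from a hypothetical scanner called "example-sast".
SAMPLE_SARIF = json.dumps({"version": "2.1.0", "runs": [{
    "tool": {"driver": {"name": "example-sast"}},
    "results": [
        _sarif_result("sql-injection", "error", "app/db.py", 42,
                      "Request parameter reaches SQL query unescaped"),
        _sarif_result("weak-hash-md5", "warning", "app/auth.py", 17,
                      "MD5 used for password hashing"),
        _sarif_result("debug-enabled", "note", "app/settings.py", 3,
                      "DEBUG=True in settings"),
    ]}]})


@dataclass(frozen=True)
class Finding:
    rule_id: str
    level: str
    uri: str
    line: int
    message: str

    def fingerprint(self) -> str:
        # Line numbers are left out so an accepted finding survives unrelated
        # edits that shift it; rule, file and message identify it well enough.
        raw = f"{self.rule_id}|{self.uri}|{self.message}".encode()
        return hashlib.sha256(raw).hexdigest()[:16]


def parse_sarif(text: str) -> list[Finding]:
    """Flatten every run's results into Finding records."""
    findings = []
    for run in json.loads(text).get("runs", []):
        for result in run.get("results", []):
            loc = (result.get("locations") or [{}])[0].get("physicalLocation", {})
            findings.append(Finding(
                rule_id=result.get("ruleId", "unknown"),
                level=result.get("level", "warning"),
                uri=loc.get("artifactLocation", {}).get("uri", "?"),
                line=loc.get("region", {}).get("startLine", 0),
                message=result.get("message", {}).get("text", ""),
            ))
    return findings


@dataclass
class GateResult:
    blocking: list = field(default_factory=list)         # new, at or above threshold
    suppressed: list = field(default_factory=list)       # at or above threshold, baselined
    below_threshold: list = field(default_factory=list)

    @property
    def passed(self) -> bool:
        return not self.blocking


def evaluate(findings, fail_on="error", baseline=frozenset()) -> GateResult:
    """Sort findings into blocking / suppressed / below threshold."""
    if fail_on not in LEVELS:
        raise ValueError(f"unknown level {fail_on!r}; expected one of {sorted(LEVELS)}")
    threshold = LEVELS[fail_on]
    result = GateResult()
    for f in findings:
        if LEVELS.get(f.level, LEVELS["warning"]) < threshold:
            result.below_threshold.append(f)
        elif f.fingerprint() in baseline:
            result.suppressed.append(f)
        else:
            result.blocking.append(f)
    return result


def run_gate(sarif_text, fail_on="error", baseline=frozenset()) -> int:
    """Print a summary and return the exit code for the CI step (0 = pass)."""
    result = evaluate(parse_sarif(sarif_text), fail_on, baseline)
    for f in result.blocking:
        print(f"BLOCK {f.level:<7} {f.rule_id} {f.uri}:{f.line} {f.message} [{f.fingerprint()}]")
    print(f"{len(result.blocking)} blocking, {len(result.suppressed)} baselined, "
          f"{len(result.below_threshold)} below '{fail_on}'")
    return 0 if result.passed else 1


if __name__ == "__main__":
    # CI usage: python sast_gate.py report.sarif [error|warning|note] [baseline.txt]
    # baseline.txt holds one accepted fingerprint per line; with no args the sample runs.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SARIF
    level = sys.argv[2] if len(sys.argv) > 2 else "error"
    accepted = frozenset(open(sys.argv[3]).read().split()) if len(sys.argv) > 3 else frozenset()
    sys.exit(run_gate(text, level, accepted))
```

Run against the sample, the gate fails on the SQL injection finding; add its printed fingerprint to the baseline file and the same report passes, which is how a team adopts a scanner without blocking on its historical backlog. Raising `fail_on` to `warning` later tightens the gate without touching the scanner.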
Q6: How would an AppSec Pipeline benefit my organization if we are not currently using DevOps?
Automation is often used in development organizations to improve processes, enforce sign-off gates and ensure quality before applications are deployed to production – regardless of whether your organization is using an Agile, Waterfall or another type of SDLC.
By injecting application security activities into these processes, your CI/CD pipeline promises a greater level of software assurance via some level of automated security testing on your applications.
Q7: What tools should be used in an AppSec Pipeline?
Tools will vary from organization to organization. Many organizations start by automating the security tools that they are currently using. We highly recommend evaluating available security tools and considering which meet your organizational requirements most closely. Aspect Security can help you with this evaluation.
This graphic exemplifies an AppSec Pipeline where common tools are tied into the SDLC and carry out application security processes.
This is just one example – the tools in your AppSec Pipeline will vary.
Q8: I have an AppSec Pipeline, but it’s a bottleneck to the speed of my deployment. How can I make my pipeline faster?
Many application security activities, such as dynamic analysis (DAST), can be slow. They perform comprehensive tests that can take hours, or even days, to complete.
It’s important to understand your applications and configure the security tools properly so that only the necessary level of testing is done. As your AppSec Pipeline matures, the security activities should be tailored to meet the requirements of the application.
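An added example (not from the interview) of the tailoring described above: a small planner that decides how deep each security stage runs from what changed and why the build was triggered, so the hours-long DAST crawl runs on a schedule rather than on every pull request. The stage names, file-type rules and minute costs are assumptions for illustration; real numbers come from your own pipeline history.

```python
"""Decide how deep each security stage runs for a given pipeline trigger.

Added example of tailoring an AppSec pipeline so that slow activities run
only where they pay off. Stage names, file-type rules and minute costs are
assumptions for illustration, not measurements from any real pipeline.
"""
from dataclasses import dataclass, field
from pathlib import PurePosixPath

# Assumed cost of each stage/mode in minutes (constructed for the example).
COST = {
    "sast":       {"skip": 0, "diff": 3, "full": 15},
    "dependency": {"skip": 0, "full": 5},
    "dast":       {"skip": 0, "baseline": 10, "full": 240},
}
MANIFESTS = {"requirements.txt", "package-lock.json", "go.sum", "pom.xml", "Gemfile.lock"}
CODE_SUFFIXES = {".py", ".js", ".ts", ".go", ".java", ".rb"}


@dataclass
class ScanPlan:
    modes: dict = field(default_factory=dict)     # stage -> chosen mode
    reasons: list = field(default_factory=list)   # one line per decision, for the job log

    def choose(self, stage: str, mode: str, why: str) -> None:
        self.modes[stage] = mode
        self.reasons.append(f"{stage}={mode}: {why}")

    def minutes(self) -> int:
        return sum(COST[stage][mode] for stage, mode in self.modes.items())

    def fits(self, budget_minutes: int) -> bool:
        return self.minutes() <= budget_minutes


def plan_scans(changed_files, event, branch, default_branch="main") -> ScanPlan:
    """event is one of 'pull_request', 'push', 'schedule' (CI-system agnostic)."""
    paths = [PurePosixPath(p) for p in changed_files]
    code_changed = any(p.suffix in CODE_SUFFIXES for p in paths)
    manifest_changed = any(p.name in MANIFESTS for p in paths)
    on_default = event == "push" and branch == default_branch
    plan = ScanPlan()

    # SAST: whole tree nightly and on the default branch, diff-aware on PRs.
    if event == "schedule":
        plan.choose("sast", "full", "nightly run covers the whole tree")
    elif code_changed:
        plan.choose("sast", "full" if on_default else "diff",
                    "default branch gets a full scan, PRs only the changed files")
    else:
        plan.choose("sast", "skip", "no source files changed")

    # Dependency check: only when a manifest moved, plus a nightly refresh,
    # because new advisories appear without any code change.
    if event == "schedule" or manifest_changed:
        plan.choose("dependency", "full", "manifest changed or nightly vulnerability-data refresh")
    else:
        plan.choose("dependency", "skip", "manifests unchanged; previous result still valid")

    # DAST: the hours-long crawl stays off the critical path.
    if event == "schedule":
        plan.choose("dast", "full", "full crawl and active checks run on the schedule")
    elif code_changed:
        plan.choose("dast", "baseline", "quick passive scan of the ephemeral test deployment")
    else:
        plan.choose("dast", "skip", "nothing deployable changed")
    return plan


if __name__ == "__main__":
    # Constructed sample triggers; a real pipeline feeds in its own change list and event.
    for label, files, event, branch in [
        ("PR touching code + manifest", ["app/api/users.py", "requirements.txt"],
         "pull_request", "feature/x"),
        ("docs-only PR", ["docs/README.md"], "pull_request", "feature/docs"),
        ("push to main", ["app/web/handler.go"], "push", "main"),
        ("nightly", [], "schedule", "main"),
    ]:
        plan = plan_scans(files, event, branch)
        print(f"{label}: {plan.modes} ~{plan.minutes()} min, "
              f"fits 20-min PR budget: {plan.fits(20)}")
        for reason in plan.reasons:
            print("   ", reason)
```

The point of recording a reason per decision is auditability: when a finding slips through, the job log shows which scan was skipped and why, so the rule can be tightened rather than the whole pipeline slowed down again.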
Need more information about how to secure your DevOps or CI/CD development pipeline? Learn more about our Automation Practice or contact us today.