Crashtest Security Blog

An Overview of Security Testing Tools in DevOps

Nov 20, 2020 10:00:00 AM / by Sudip Sengupta

We've previously looked at how microservices are vulnerable and susceptible to attack vectors, and how implementing a DevSecOps model is always a sensible approach to enforcing security best practices.

Strategically, security testing tools blend into a DevOps workflow, essentially forming a DevSecOps model, while improving production efficiency and minimising software development costs. Such tools let you test for and remediate potential vulnerabilities throughout the Software Development Lifecycle (SDLC) as well as in the post-delivery Run & Maintain phases. Adopting a DevSecOps model lets developers follow a secure development and delivery cycle without losing productivity or relegating 'security' to the end of the SDLC.

Figure: How a typical DevSecOps cycle may look

The DevSecOps paradigm continues to evolve, and with the emergence of distinct security tools, organizations can now test and secure the different stages of software development and delivery. DevSecOps security tools are most commonly categorized into Static Application Security Testing (SAST) and Dynamic Application Security Testing (DAST) methodologies. In this article, we'll look at the most prominently used security tools and approaches.

Static application security testing (SAST)

SAST combines source code analysis, binary analysis, and white-box testing techniques. At a glance, SAST tools examine an application's source code for security vulnerabilities, usually before the code is pushed to production. SAST source code analysis tests static code for defects such as race conditions, missing input validation, numerical errors, and more. Binary analysis, on the other hand, tests for the same defects in code that has already been built and compiled. Among the many SAST tools available, some test only the source code, some only the compiled code, and some both.
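To make the source-code-analysis half of SAST concrete, here is an added example (not code from any tool on this page) of a minimal analyser that walks a Python file's AST without executing it and flags two classic input-validation defects: eval()/exec() on non-literal data and subprocess calls with shell=True on a non-literal command. The rule ids and the sample file are constructed for illustration.

```python
import ast
from dataclasses import dataclass

@dataclass
class Finding:
    rule: str      # hypothetical rule id, not from any tool on the page
    line: int
    message: str

DANGEROUS_EVAL = {"eval", "exec"}

class Analyzer(ast.NodeVisitor):
    def __init__(self):
        self.findings = []

    def visit_Call(self, node):
        # Rule 1: eval()/exec() applied to anything but a string literal
        if isinstance(node.func, ast.Name) and node.func.id in DANGEROUS_EVAL:
            if not (node.args and isinstance(node.args[0], ast.Constant)):
                self.findings.append(Finding("PY-EVAL-001", node.lineno,
                                             f"{node.func.id}() on non-literal input"))
        # Rule 2: subprocess.<fn>(cmd, shell=True) where cmd is not a literal
        if (isinstance(node.func, ast.Attribute)
                and isinstance(node.func.value, ast.Name)
                and node.func.value.id == "subprocess"):
            shell_true = any(kw.arg == "shell" and isinstance(kw.value, ast.Constant)
                             and kw.value.value is True for kw in node.keywords)
            if shell_true and node.args and not isinstance(node.args[0], ast.Constant):
                self.findings.append(Finding("PY-SHELL-001", node.lineno,
                                             "shell=True with non-literal command"))
        self.generic_visit(node)   # keep walking into nested calls

def analyze_source(source: str) -> list:
    # Static only: the file is parsed, never imported or run
    analyzer = Analyzer()
    analyzer.visit(ast.parse(source))
    return analyzer.findings

# Constructed sample file: two defects among safe-looking neighbours
SAMPLE = """import subprocess
user = input("expr: ")
eval(user)
eval("1+1")
subprocess.run("ls -l", shell=True)
subprocess.run("ls " + user, shell=True)
subprocess.run(["ls", user])
"""

if __name__ == "__main__":
    for f in analyze_source(SAMPLE):
        print(f"line {f.line}: {f.rule} {f.message}")
```

Only lines 3 and 6 of the sample are reported; the literal-only calls and the argument-list form without a shell are left alone, which is the precision a source-level rule gains over a plain text grep.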

Below are a few notable SAST tools:

LGTM.com

LGTM is an open-source platform that checks code for Common Vulnerabilities and Exposures (CVEs) through variant analysis, and supports the major programming languages, including C/C++, Go, Java, JavaScript/TypeScript, C#, and Python. LGTM uses CodeQL to identify an issue, fix it, and then scan for similar code patterns to prevent further occurrences. Working on open-source projects hosted on various repository systems, LGTM performs an automated code review that identifies exposures in the source code.

Being an open-source platform, LGTM draws on the knowledge of security experts who, as contributors, use data science and semantic code search to write queries that detect both existing and new code vulnerabilities.

SonarQube

SonarQube is one of the most prominent static code analysis tools, designed to keep DevOps workflows and code clean and secure. Through continuous analysis of code quality, SonarQube performs periodic reviews to detect bugs and security weaknesses. SonarQube claims to scan code written in 27 programming languages, including Java, Python, C#, C/C++, Swift, PHP, COBOL, and JavaScript, which makes it well suited to teams with varied programming backgrounds or applications that run on multiple platforms. SonarQube can also analyze code held in repositories such as GitHub, Azure DevOps, and Bitbucket, giving you immediate feedback during code review.

The SonarQube Community Edition is free and open-source, and is widely considered a good fit for entry-level CI/CD secure DevOps. Its Developer, Enterprise and Data Center editions add increasing levels of sophistication for larger deployments.

Reshift

Reshift was designed to bring security to developers' attention without slowing down development, which makes it one of the flag bearers of the DevSecOps model. Reshift integrates with the integrated development environment (IDE), making it near perfect for identifying vulnerabilities and fixing them in real time. As one of its key features, Reshift gives you the option to secure your applications during code review, at compile time, and as part of continuous integration. Because it requires no security expertise to use, Reshift is considered an ideal lightweight DevOps security testing solution for SMBs and growing software companies looking to integrate security into their Software Development Lifecycle.

Insider CLI

Insider is another open-source SAST tool, designed around the OWASP Top 10, that eases security automation for various programming languages, including the .NET framework, JavaScript (Node.js), Java (Android and Maven), Swift, and C#. The Insider source code analysis tool is a community-driven security tool that supports agile and easy software development by scanning for vulnerabilities at the source code level.

With Insider Application Security, you can secure the code held in your GitHub repository directly, using a free, integrated and frictionless GitHub Action.

NPM Audit

The Node Package Manager (npm) provides a large and growing registry of tools and hosts the largest number of shared JavaScript packages globally, and its audit command checks a project's dependencies against that registry's advisory data. Given its extensive platform support and varied packages, npm is considered optimal if you are looking to secure DevOps pipelines maintained by a remote, distributed team. The npm CLI lets you configure your packages, audit an application's dependencies in real time, and access repositories for improved functionality. It identifies and manages conflicts in dependencies automatically, helping you fix vulnerabilities in real time.
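The part a pipeline actually needs from npm audit is a pass/fail decision, so here is an added example (not npm's own code) of a CI gate that reads the JSON report and fails the build when any dependency is at or above a chosen severity. It assumes the audit report version 2 layout that npm 7 and later emit (a top-level "vulnerabilities" object keyed by package name, each with "severity", "isDirect" and "fixAvailable"); the report itself is a constructed sample, not real advisory data.

```python
import json

SEVERITY_RANK = {"info": 0, "low": 1, "moderate": 2, "high": 3, "critical": 4}

# Constructed sample in the shape of `npm audit --json` (audit report
# version 2, as emitted by npm 7 and later); assumed field names, trimmed to
# what the gate needs. These are not real packages or advisories.
SAMPLE_REPORT = json.dumps({
    "auditReportVersion": 2,
    "vulnerabilities": {
        "example-lib": {"name": "example-lib", "severity": "high",
                        "isDirect": True, "fixAvailable": True},
        "nested-dep": {"name": "nested-dep", "severity": "critical",
                       "isDirect": False, "fixAvailable": False},
        "old-util": {"name": "old-util", "severity": "low",
                     "isDirect": True, "fixAvailable": True},
    },
    "metadata": {"vulnerabilities": {"info": 0, "low": 1, "moderate": 0,
                                     "high": 1, "critical": 1, "total": 3}},
})

def gate_audit(report_json: str, fail_on: str = "high"):
    """Return (exit_code, blocking) for a CI step: exit 1 when any
    vulnerability is at or above the `fail_on` severity, else 0."""
    report = json.loads(report_json)
    threshold = SEVERITY_RANK[fail_on]
    blocking = []
    for name, vuln in report.get("vulnerabilities", {}).items():
        severity = vuln.get("severity", "info")
        if SEVERITY_RANK.get(severity, 0) >= threshold:
            blocking.append({
                "package": name,
                "severity": severity,
                "direct": bool(vuln.get("isDirect", False)),
                # fixAvailable may be true, false or an object describing
                # a (possibly breaking) fix; treat any object as "available"
                "fix_available": bool(vuln.get("fixAvailable")),
            })
    # Most severe first so the log leads with what blocks the build
    blocking.sort(key=lambda b: -SEVERITY_RANK[b["severity"]])
    return (1 if blocking else 0), blocking

if __name__ == "__main__":
    # In a pipeline: `npm audit --json > audit.json`, then pass its contents
    code, findings = gate_audit(SAMPLE_REPORT, fail_on="high")
    for f in findings:
        print(f"{f['severity']:>8}  {f['package']}  direct={f['direct']}  "
              f"fix_available={f['fix_available']}")
    raise SystemExit(code)
```

The transitive "nested-dep" with no fix available is what usually stalls a team; surfacing direct/transitive and fix availability alongside the severity tells the developer whether `npm audit fix` will clear the gate or whether an override or upstream change is needed.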

Dynamic application security testing (DAST)

DAST tools are also commonly referred to as black-box testing or vulnerability scanning tools. They test an application from an outsider's perspective, with little or no knowledge of the written source code. DAST tools simulate the actions of an attacker, exercising the application at runtime to uncover potential security loopholes. They run largely without human intervention, automating the testing process. The vulnerabilities DAST tools uncover are reasonably broad, including memory corruption, cross-site request forgery, remote file inclusion, buffer overflows and denial of service.

Crashtest Security

The Crashtest Security Suite is a vulnerability scanning tool with advanced crawling to detect vulnerabilities in web applications. By integrating seamlessly into the development pipeline, scans can be automated as part of the standard build and deployment process.

Crashtest Security is built with modern applications and development teams in mind. That means we balance enterprise-grade scans with a user-friendly interface, so you don't have to be a security specialist to use Crashtest Security. You can read about the full features of Crashtest Security here.

OWASP ZAP

The Open Web Application Security Project (OWASP) provides the Zed Attack Proxy (ZAP) as a free and open-source penetration-testing tool designed to test web applications. ZAP acts as a 'man-in-the-middle', intercepting the communication between the tester's browser and the web app. ZAP can be installed on all major operating systems and as a Docker image, and its security testing functionality can be extended with a wide variety of add-ons available from the ZAP marketplace.

Arachni

Arachni is a free, high-performance testing tool written in Ruby. It is distributed in multiple portable packages, which let you deploy it instantly to evaluate your application's security as a Ruby library, CLI scanner, web UI, or distributed system, as required. Through its REST API, Arachni integrates easily with most modern platforms, and it comes with an abundance of vulnerability checks that offer the highest levels of resilience, accuracy, and reliability. Arachni scans for vulnerabilities such as NoSQL injection, code injection, XSS, and file inclusion variants, and provides additional tracing optimizations for web applications built on JavaScript frameworks. This makes Arachni a highly automated, distributed penetration testing platform with multiple functions.

Closing Thoughts

Integrating security testing into DevOps requires an approach that not only secures pipelines but is also scalable across multiple business levels. With the right security testing tools, automated analysis of source code and compiled code helps development teams address vulnerabilities by adopting security as an essential facet of the SDLC. The right tools enable collaboration, pipeline management, and automated testing, thereby eliminating defects without sacrificing performance, time, and overhead. As an added benefit, integrating security testing into DevOps also brings down software development costs by reducing the amount of coding required for remediation.

There are plenty more great tools on offer. Think we've missed something? Let us know.
Written by Sudip Sengupta

Sudip is a Norwich, UK based technical writer with more than 15 years of working experience as a Solution Architect. He holds a Master's degree in Computer Applications and specializes in writing articles on Cloud, DevOps, and SaaS.