Integrating Security into Continuous Testing

All of us understand and accept the need for adequate security testing of our applications. The question we will delve into here is: “is it possible to automate security testing as part of an application’s continuous integration cycle, and if so, what are the benefits of doing so?”

In an agile environment, it is common to have a continuous integration (CI) process in place to merge developer code into a common repository. Each code merge is then verified by an automated build to detect integration issues. CI makes the development process faster and drastically cuts down the time to market. But this pace does not bode well for security testing: it can leave vulnerabilities in the code undetected.

CI is a good point in the development cycle to detect security vulnerabilities in new code, as it gives the team the advantage of finding and fixing issues early. Static code analysis tools and code evaluation tools like StyleCop can point out coding issues that can result in poor code security.

Three things to keep in mind while planning security testing

1. Decide what to look for

Security testing may cover a broad spectrum of vulnerabilities, not all of which can be included in the continuous integration cycle. It is better to focus on coding best practices from a security perspective and on detecting issues like authentication and authorization flaws, data leakage, security misconfigurations, unvalidated redirects and forwards, and the use of components with known vulnerabilities.

2. Give separate attention to security tests

Do not combine security test cases with unit or functional tests. The objective of those tests is to discover functional issues, which does not do justice to the scope and intent of security testing. Instead, give security its own stage in the continuous integration process so that the testing is more holistic and aimed at detecting security issues alone.

3. Automate tests

Automate security tests wherever possible, and then integrate them into the CI pipeline to ensure they run for each and every code merge without fail. There are many tools and scanners available that look for commonly known vulnerabilities, and most of them integrate with a CI tool like Jenkins. But be sure to choose the right tool for your application.
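One way to turn a scanner's output into a merge-blocking CI stage that runs separately from the unit tests. This is an added example, not code from the original post or from any scanner or CI product; the report schema, check names and sample findings are constructed for illustration. The gate fails the job both when a finding meets the severity threshold and when a required check did not run, so a silently skipped scan cannot pass as a clean one.

```python
"""Added example: a merge-blocking security gate for a CI pipeline (constructed report format)."""
import json
import sys

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# Checks the gate insists on for every merge; names are hypothetical and
# mirror the vulnerability classes listed in the post.
REQUIRED_CHECKS = {
    "authz", "data-leak", "misconfig", "open-redirect", "known-vuln-components",
}

def parse_report(report_json):
    """Return (checks_run, findings) from a scanner report in the constructed schema."""
    data = json.loads(report_json)
    findings = []
    for item in data.get("findings", []):
        sev = str(item.get("severity", "")).lower()
        if sev not in SEVERITY_RANK:
            raise ValueError(f"unknown severity {sev!r} in finding {item}")
        findings.append((item["check"], sev, item["location"]))
    return set(data.get("checks_run", [])), findings

def evaluate(checks_run, findings, fail_on="high"):
    """Decide whether the merge may proceed; returns (passed, reasons).
    Blocks when a required check is missing or a finding meets the threshold."""
    reasons = [f"required check did not run: {c}"
               for c in sorted(REQUIRED_CHECKS - checks_run)]
    threshold = SEVERITY_RANK[fail_on]
    for check, sev, loc in findings:
        if SEVERITY_RANK[sev] >= threshold:
            reasons.append(f"{sev} finding from {check} at {loc}")
    return (not reasons, reasons)

# Constructed sample report: every required check ran, one high-severity finding.
SAMPLE_REPORT = json.dumps({
    "checks_run": sorted(REQUIRED_CHECKS),
    "findings": [
        {"check": "misconfig", "severity": "high", "location": "web.config:14"},
        {"check": "data-leak", "severity": "low", "location": "Logger.cs:88"},
    ],
})

if __name__ == "__main__":
    passed, reasons = evaluate(*parse_report(SAMPLE_REPORT))
    for r in reasons:
        print("BLOCKED:", r)
    sys.exit(0 if passed else 1)  # non-zero exit status fails the CI job
```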

Security testing in the cloud

While the cloud brings scalability and low operating costs, it also raises security concerns. One reason is that you don’t own the infrastructure. Another is a general lack of standards and defined processes for testing in the cloud, specifically in the public cloud.

With continuous security testing in the cloud, the focus could be more on threats related to authentication and authorization, fuzzing and social engineering. Your cloud-based application may communicate with your data center using API calls, and security testing should focus on restricting unauthorized access to this data.

Advantages of security testing as part of the continuous integration cycle

Below are the advantages of including security testing in the continuous integration process:

  • You get immediate feedback on any security issues in your code. Fixing these issues after more functionality has piled on is complex and costly.
  • Security testing is automated, hence it is faster and more accurate. And since it is performed on every new piece of code, it ensures the overall security of your system.
  • Security testing does not get pushed to the end, where it may get compromised due to lack of time. Instead, the focus is on ensuring security right from the beginning.
  • Security testing is repeatable, reliable and efficient.

Secure your applications with security testing from Gallop Solutions

Gallop’s security testing adheres to international standards like OWASP and the latest testing methodologies to guarantee the security of your applications. Contact us to know more on how we can help you with your security testing.

The opinions expressed in this blog are author's and don't necessarily represent Gallop's positions, strategies or opinions.