Automated Security Testing Using CI Tools

With the evolution of DevOps and CI/CD tools, security testing no longer needs special treatment. Using tools like Jenkins, security testing can be automated. Many open source security tools can be integrated as plug-ins into CI tools to perform code scans and to scan target URLs.

OWASP ZAP proxy is an open source web application security testing tool that can be used to identify the known OWASP Top 10 security issues.

Reference: https://wiki.jenkins-ci.org/display/JENKINS/ZAProxy+Plugin

Ideally, automated security scans must be built into the software development lifecycle process. Every time code is checked into the source code repository, the CI tool must invoke the scan on the source code, and if any issues are identified, the developers and the security team must be notified. This creates a quick feedback loop, which would eventually build security awareness among the development teams. It also gives the security team the opportunity to verify findings and work with the developers proactively rather than in the final stages of the project lifecycle.

One scan per day is a good baseline: the developers get feedback in the early hours of the day, when they can fix the issues and check in the code.
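The feedback loop described above needs a small piece of glue between the scanner and the CI tool: something that reads the ZAP report, decides whether the build passes, and produces the text that gets sent to the developers and the security team. The following is an added example of such a build gate, written here for illustration; it is not code from the ZAProxy Jenkins plugin or from OWASP ZAP. It assumes ZAP's JSON report layout (`site[].alerts[]` entries carrying `riskcode`, `alert`, `pluginid` and `instances`), which you should confirm against a report produced by your own ZAP version, and the embedded report is a constructed sample, not a real scan result.

```python
"""Build gate for an OWASP ZAP JSON report: fail the CI job and produce a
notification summary when alerts at or above a chosen risk level exist.

Added example; not code from the ZAProxy Jenkins plugin or from ZAP itself.
The report shape (site[].alerts[] with riskcode/alert/pluginid/instances) is
an assumption about ZAP's JSON report; check it against your own ZAP output.
"""
import json
import sys
from collections import Counter

# ZAP risk codes as used in its reports: 0 = Informational, 1 = Low,
# 2 = Medium, 3 = High (assumed mapping; verify against your ZAP version).
RISK_NAMES = {0: "Informational", 1: "Low", 2: "Medium", 3: "High"}

# Constructed sample report (not a real scan result). Host is a placeholder.
SAMPLE_REPORT = json.dumps({
    "@version": "2.x",
    "site": [{
        "@name": "http://app.example.test",
        "alerts": [
            {"pluginid": "10038", "alert": "Content Security Policy (CSP) Header Not Set",
             "riskcode": "2", "confidence": "3", "riskdesc": "Medium (High)",
             "instances": [{"uri": "http://app.example.test/"},
                           {"uri": "http://app.example.test/login"}]},
            {"pluginid": "40018", "alert": "SQL Injection",
             "riskcode": "3", "confidence": "2", "riskdesc": "High (Medium)",
             "instances": [{"uri": "http://app.example.test/search?q=x"}]},
            {"pluginid": "10021", "alert": "X-Content-Type-Options Header Missing",
             "riskcode": "1", "confidence": "2", "riskdesc": "Low (Medium)",
             "instances": [{"uri": "http://app.example.test/"}]},
        ],
    }],
})


def load_alerts(report_json):
    """Flatten every alert of every site in the report into plain dicts."""
    report = json.loads(report_json)
    alerts = []
    for site in report.get("site", []):
        for a in site.get("alerts", []):
            alerts.append({
                "site": site.get("@name", ""),
                "plugin": a.get("pluginid", ""),
                "name": a.get("alert", ""),
                "risk": int(a.get("riskcode", 0)),
                "instances": len(a.get("instances", [])),
            })
    return alerts


def evaluate_gate(report_json, fail_at=3, ignore_plugins=()):
    """Return (passed, counts, blocking).

    counts maps a risk name to the number of alerts at that level; blocking
    lists alerts whose risk is >= fail_at, excluding plugin ids that have been
    reviewed and accepted (ignore_plugins), so the gate stays useful after
    triage instead of being switched off.
    """
    alerts = load_alerts(report_json)
    counts = Counter(RISK_NAMES.get(a["risk"], "Unknown") for a in alerts)
    blocking = [a for a in alerts
                if a["risk"] >= fail_at and a["plugin"] not in ignore_plugins]
    return (not blocking), dict(counts), blocking


def notification_text(report_json, fail_at=3, ignore_plugins=()):
    """Plain-text summary for the build e-mail or chat notification."""
    passed, counts, blocking = evaluate_gate(report_json, fail_at, ignore_plugins)
    lines = ["ZAP scan %s" % ("PASSED" if passed else "FAILED")]
    lines.append("Counts: " + ", ".join(
        "%s=%d" % (RISK_NAMES[r], counts.get(RISK_NAMES[r], 0))
        for r in sorted(RISK_NAMES, reverse=True)))
    for a in blocking:
        lines.append("  [%s] %s (plugin %s, %d instance(s)) on %s" % (
            RISK_NAMES.get(a["risk"], "Unknown"), a["name"], a["plugin"],
            a["instances"], a["site"]))
    return "\n".join(lines)


if __name__ == "__main__":
    # In CI: python zap_gate.py report.json   (a non-zero exit fails the build)
    data = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_REPORT
    passed, _, _ = evaluate_gate(data, fail_at=3)
    print(notification_text(data, fail_at=3))
    sys.exit(0 if passed else 1)
```

Run it as the last step of the scan job with the report path as its argument; a failing exit code is what makes Jenkins mark the build as failed, and the printed summary is what the notification step forwards. Keeping `fail_at` and `ignore_plugins` as parameters lets a team start by failing only on High alerts and tighten the threshold as the backlog of Medium findings is worked off, which is the gradual awareness-building the text is after.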

Automated Security Testing into the Development Life-cycle is not hard when planned and implemented correctly.

Study Shows Few Organizations Achieving “Full DevOps” Maturity

Excerpt: “According to the results of a new global study, commissioned by CA Technologies (NASDAQ:CA), only 20 percent of organizations that have attempted to implement DevOps have fully deployed it. The research also found that these “advanced” DevOps adopters were more likely to report that their digital initiatives contributed to competitiveness, customer retention and top- and bottom-line results”

http://www.infosecisland.com/blogview/24692–Study-Shows-Few-Organizations-Achieving-Full-DevOps-Maturity.html