CI/CD is the technology backbone of DevOps organizations. A CI/CD pipeline is a software development process that moves software through the stages of coding, building, testing, and deploying a finished product. By automating the process, organizations can increase development velocity, minimize human error, and maintain a consistent process for every release.
Tools included in a CI/CD pipeline include build servers, unit testing, code analysis, infrastructure as code (IaC) systems, and deployment automation tools. For containerized environments, this pipeline also includes packaging code into images that are deployed in container clusters across one or more data centers.
What is Static Application Security Testing (SAST)?
Static application security testing (SAST) tools analyze application source code to find security weaknesses or vulnerabilities that malicious actors can exploit. Software developers use SAST to find and fix flaws in application source code during the early phases of the software development life cycle (SDLC) before releasing the application to production.
SAST tools use a white box approach to testing—analyzing the application from the inside. These tools examine source code, binaries, and byte code for design and coding flaws while the application is inactive. The scan does not require a working application or deployed code, which is why you can use it during early development phases.
SAST scans offer real-time feedback to ensure developers can resolve issues before code is passed to the next SDLC phase. However, you need to use SAST tools regularly to ensure you catch vulnerabilities whenever the application goes through a new build or releases new code. You can use SAST for web and mobile applications as well as embedded systems.
How Can SAST Help Integrate Security into the CI/CD Pipeline?
SAST is one of the automated tools that enables the transition from DevOps to DevSecOps—the convergence of development, security, and operations. SAST is one of many checks in an application security program. Together, these automated checks aim to mitigate a majority of security vulnerabilities early in the development process.
Integrating SAST tools into a DevSecOps process is critical to building sustainable projects. SAST must be automated, and must be integrated into the existing CI/CD toolset, to improve efficiency, consistency, and early detection.
SAST can be applied at all stages of the software development lifecycle, and can catch both unintentional bugs and malicious tampering. Here is how SAST can contribute to each stage of development:
Initial build—SAST can ensure that developers follow coding best practices, use safe components, and do not accidentally create vulnerabilities in a software build. It provides pre-release warnings and allows developers to proactively address issues before they are promoted in the pipeline and become visible to other stakeholders.
Staging and acceptance testing—SAST can help team members responsible for reviewing code for security issues. Instead of having security experts review all the code, which is impractical in a true CI/CD pipeline, SAST helps identify and troubleshoot problems. Both developers and security experts can focus only on problematic aspects of the code with assurance that the rest of the code is safe.
Production deployment—even after a software release, there are still opportunities to test and improve the code. Every release ships a small portion of code which is added or changed in the original software projects. SAST can be used to validate every change to detect errors and security weaknesses that slipped past earlier stages of the pipeline. This enables teams to continuously improve security.
Deploying SAST in an organization with a large application portfolio and multiple CI/CD pipelines can be challenging. Here are a few steps that can help implementation:
Ensure language support—the SAST tool should support all programming languages and frameworks used across your software portfolio.
Deploy SAST in your data center—purchase the required licenses, set up access controls and authorizations, and ensure the necessary resources (such as servers, databases, and storage systems) are available.
Customize the tool—most SAST tools are customizable and you can tailor them to your specific needs. For example, you can create new rules or update existing rules to reduce false positives or check for additional vulnerabilities. Use the SAST tool’s APIs to integrate it with your build environment.
Share results—create dashboards to track scan results, and create custom reports for management, internal auditors, and compliance requirements.
Onboard applications—gradually add SAST for use with CI/CD pipelines for your portfolio applications. Start with high-risk applications first, and after proving the value of SAST, expand uses to all other applications. Ensure every application is scanned regularly, at least as part of the initial build process.
Governance and education—create a governance policy for scanning tools and their use by development teams. Ensure development, operations, and security teams know how to use the SAST tool and have clear policies for operating it effectively.
In this article, I explained the basics of SAST and showed how SAST can be instrumental in helping your organization transition from DevOps to DevSecOps. Specifically, I showed how SAST can promote security at every stage of the SDLC:
Build—scanning a new version of a software project at early stages to discover coding errors, code quality issues and vulnerabilities.
Testing/staging—helping developers, testers, and security staff hone in on problematic areas of the code and resolve issues faster.
Deployment—scanning the “delta”, code added or changed in a new release, to make sure no security flaws made their way to production.
I hope this will be useful as you work security into your CI/CD pipelines.
Disclaimer: The author is completely responsible for the content of this article. The opinions expressed are their own and do not represent IEEE’s position nor that of the Computer Society nor its Leadership.