Published May 10, 2019
WRITTEN BY THE KIUWAN TEAM
Experienced developers, cyber-security experts, ALM consultants, DevOps gurus and some other dangerous species.
Static application security testing (SAST) allows you to identify security vulnerabilities in source code and eliminate them before the software development lifecycle is complete. An elaborate application security assurance program should use reliable security tools like Kiuwan to ensure that security is seamlessly integrated into the DevSecOps process. Automating SAST tools brings sustainability, consistency, adaptability, and efficiency to that process.
When security vulnerabilities are detected early, the application or product being developed can still deliver on end-user demands. If you have questions about how SAST is integrated into your DevSecOps process, you have come to the right place. There are several stages involved in the software development lifecycle, especially when you are running SAST tools. The extra effort is, however, worthwhile, since security tools enable you to identify vulnerabilities early, before the SDLC proceeds too far. When developers clearly understand the steps of integration, they achieve a secure, cost-effective and proactive DevSecOps process. With the appropriate level of automation, security tools help you choose the right amount of manual oversight to combine with automated scanning.
1. Application Onboarding
This is the very first step in integrating SAST into the DevSecOps process. It is a crucial step, since it is a one-time effort that allows the security analyst to scan the source code and audit the results. The development team also removes false positives and automates the SAST tools in the DevSecOps process. After subsequent scans, the scan results are merged to find out whether there are vulnerabilities that went unnoticed in the first scan.
The scan cycle is run with complete access to binaries and source code, on a clean cache. The main aim is to identify bugs and prioritize them based on complexity. Complete scans are reviewed by uploading the merged source code scan report to the enterprise server, which highlights new security-related issues. New code is only added once the identified vulnerabilities have been taken care of.
Integrating SAST into the DevSecOps process boosts performance by eliminating security weaknesses at each step of the software development lifecycle. Working with a powerful SAST tool like Kiuwan is essential, since less powerful tools leave security threats unaddressed. Because machines don’t have the real-time context of the product or application being developed, some code may be flagged as a threat even though the developer knows it is not a bug (a false positive). That is why it is recommended that false positives be eliminated before the onboarding process is complete.
Another process that takes place at this stage is rule customization, which is essentially finding the right balance between customized rules and the standard rule set. This way, accurate results are guaranteed when identifying injection attacks by tracing data from its sources (taint tracking). Interpretation is usually done after threat elimination, to determine where each threat originated. Security weaknesses can come from different parts of the file system, and powerful SAST tools identify and resolve them.
2. Rule Set Configuration (SAST01)
This step is mainly concerned with rolling out the SAST IDE plugin. This way, bugs can be identified automatically as developers introduce new code. The purpose of the SAST tool here is to guide developers as they write code. All common security weaknesses are eliminated, and false positives are minimized as well. Below are the rules configured in the developer’s IDE:
- SQL injections
- Hard-coded credentials
- Configuration reviews
- Cross-site scripting (stored and reflected)
- Resource leaking
Successful SAST implementation depends on careful rule configuration.
3. Client’s Top 10 Issues (SAST02)
This step involves running the SAST tool further along in the DevSecOps process, after code is checked into a version control repository. With an automated SAST tool, you can run the client’s top ten issues automatically. This process takes no more than five minutes with a powerful SAST tool like Kiuwan. In this stage, the static application security testing tool runs the same rules as in SAST01, except for configuration review, which is run differently. The only additional rule is session management.
4. OWASP Top 10 Issues (SAST03)
This step is specific to web applications, mobile apps and products that use web services. Automatically running the OWASP (Open Web Application Security Project) Top 10 rules takes much longer than the activities that come before it. It is at this stage that you run the customized rules created for applications using web services. Some SAST tools might not have comprehensive rules for customized frameworks. Some of the rules run in this stage include:
- Malicious file execution
- Insecure direct object reference
- Information leakage and error handling
- Command injection
- Weak encryption
- Denial of service
- Path manipulation
- Insecure cryptographic storage
5. Comprehensive Ruleset (SAST04)
This is the final phase in integrating static application security testing into your development, security and operations process. In this stage, scans are performed with comprehensive rulesets. A developer combines SAST03 and SAST04, and the process takes about 60-90 minutes. Alternatively, the security analyst can break the rule set into smaller subsets and run them separately, using a divide and conquer approach. Below are the comprehensive rulesets run in this final stage:
- XML injection
- XPath injection
- XML external entity
- Open redirect
- DOM XSS
- Cookie injection
- Expression language (EL) injection
- Header injection
- LDAP injection
Since a broad set of rules is configured in this phase, the process takes longer. When all SAST rules are comprehensively covered, you can be assured that the software will be free of the security weaknesses they detect. Because no one-size-fits-all approach exists when it comes to securing applications and products, make sure you customize the SAST integration based on the coding language, architecture, framework and technology you use. A developer’s willingness to write custom rules increases the efficiency of the whole process.
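As an added example (not Kiuwan’s code and not part of the original post), the following Python script models the staged rule sets described in steps 2 through 5 with a tiny AST-based analyser. Each rule is tagged with the stage at which it first runs, under the assumption that every later stage also runs the rules of the earlier ones, so a quick IDE-time scan (SAST01) applies only the hard-coded credential and SQL injection rules while the comprehensive scan (SAST04) applies all of them. The rule ids, stage assignments, the credential keyword list and the sample module being scanned are all assumptions made for illustration.

```python
"""Added example (not Kiuwan's code): a tiny AST-based SAST with staged rule sets."""
import ast
from dataclasses import dataclass

# Assumption: stages are ordered, and a later stage also runs every earlier rule.
STAGES = ["SAST01", "SAST02", "SAST03", "SAST04"]
CREDENTIAL_WORDS = ("password", "passwd", "secret", "token", "api_key")  # assumed list


@dataclass(frozen=True)
class Finding:
    rule: str
    line: int
    detail: str


def _call_name(node: ast.Call) -> str:
    """Dotted callee name, e.g. 'subprocess.call' or 'cursor.execute'."""
    parts, func = [], node.func
    while isinstance(func, ast.Attribute):
        parts.append(func.attr)
        func = func.value
    if isinstance(func, ast.Name):
        parts.append(func.id)
    return ".".join(reversed(parts))


def _is_dynamic_string(node: ast.AST) -> bool:
    """True for f-strings, '+' or '%' string building, and str.format() calls."""
    if isinstance(node, ast.JoinedStr):
        return True
    if isinstance(node, ast.BinOp) and isinstance(node.op, (ast.Add, ast.Mod)):
        return True
    return (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
            and node.func.attr == "format")


# Each checker takes one AST node and returns a detail string, or None if clean.
def hardcoded_credential(node):
    if (isinstance(node, ast.Assign) and isinstance(node.value, ast.Constant)
            and isinstance(node.value.value, str)):
        for target in node.targets:
            if isinstance(target, ast.Name) and any(
                    w in target.id.lower() for w in CREDENTIAL_WORDS):
                return f"string literal assigned to '{target.id}'"
    return None


def sql_injection(node):
    if (isinstance(node, ast.Call) and _call_name(node).endswith("execute")
            and node.args and _is_dynamic_string(node.args[0])):
        return "query text built dynamically; pass parameters separately"
    return None


def command_injection(node):
    if not isinstance(node, ast.Call):
        return None
    name = _call_name(node)
    shell = any(k.arg == "shell" and isinstance(k.value, ast.Constant)
                and k.value.value is True for k in node.keywords)
    if ((name == "os.system" or (name.startswith("subprocess.") and shell))
            and node.args and not isinstance(node.args[0], ast.Constant)):
        return f"{name} called with a non-literal command"
    return None


# (rule id, stage at which it first runs, checker); stage assignments are assumed.
RULES = [
    ("HARDCODED_CREDENTIAL", "SAST01", hardcoded_credential),
    ("SQL_INJECTION", "SAST01", sql_injection),
    ("COMMAND_INJECTION", "SAST03", command_injection),
]


def rules_for_stage(stage: str):
    """Rules active at `stage`: its own plus those of every earlier stage."""
    limit = STAGES.index(stage)
    return [r for r in RULES if STAGES.index(r[1]) <= limit]


def scan(source: str, stage: str = "SAST04"):
    """Parse `source`, apply the rules active at `stage`, return findings by line."""
    findings, active = [], rules_for_stage(stage)
    for node in ast.walk(ast.parse(source)):
        for rule_id, _stage, check in active:
            detail = check(node)
            if detail:
                findings.append(Finding(rule_id, node.lineno, detail))
    return sorted(findings, key=lambda f: (f.line, f.rule))


# Constructed sample module: one hit per rule, plus a safe parameterised query.
SAMPLE = '''\
import subprocess
db_password = "hunter2"
def lookup(cursor, user):
    cursor.execute(f"SELECT * FROM users WHERE name = '{user}'")
    cursor.execute("SELECT * FROM users WHERE name = %s", (user,))
def run(cmd):
    subprocess.call(cmd, shell=True)
'''

if __name__ == "__main__":
    for stage in ("SAST01", "SAST04"):
        print(stage, [(f.rule, f.line) for f in scan(SAMPLE, stage)])
```

Running the script prints two findings for SAST01 (lines 2 and 4 of the sample) and three for SAST04 (the command injection on line 7 is added), while the parameterised query on line 5 is never flagged. A real SAST engine such as the one the post describes does data-flow (taint) tracking across functions and files rather than matching single AST nodes, but the staging idea is the same: cheap, high-confidence rules in the IDE, the full set in the longer scheduled scan.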
Integrating static application security testing tools into the development, security and operations process makes developers more aware of the security weaknesses that arise as the software development lifecycle proceeds. Using powerful security tools like Kiuwan allows the security team to speed up SAST integration into the DevSecOps process without sacrificing the performance of the product or application. Developers are advised to write custom rules to increase the efficiency, sustainability, and adaptability of the SAST integration. When security weaknesses are eliminated at each stage of the software development lifecycle, developers don’t have to spend a lot of money and time mitigating vulnerabilities after the application has been deployed.