Micro Focus Fortify is proud to be the exclusive sponsor of the TestGuild Security podcast hosted by Joe Colantonio. This weekly podcast, dropping every Thursday, aims to be a 30-minute-or-less, interview-style series speaking with some of the top security testing experts in the field.
The latest episode of the TestGuild Security Podcast, Do your Pipelines Remember, features James Rabon, a Senior Product Manager at Micro Focus Fortify. He shares his tips to incorporate static analysis tools in your CI/CD pipelines and best practices to adopt for successful SAST integration. He also expands on how machine learning can help us predict the future based on our past. Here’s a summary of his main points:
What we mean by CI/CD, DevSecOps
“Essentially with CI, developers are integrating changes back into a main branch as often as possible. They're validating these changes by creating a build, running a set of automated tests.”
“CD is slightly less common. […] not everyone is doing continuous deployment. Obviously, there are a number of challenges with continuous deployment. But you need to ensure automation, and you have to be quite certain of the quality of your automation testing to be able to deploy your applications automatically.”
“DevSecOps, […] we're just talking about building security testing into the development process. Static analysis tools are probably the most popular to automatically detect software weaknesses or vulnerabilities in code because they can detect issues without actually executing the code.”
Why Incorporate Static Analysis Tools in CI/CD Pipelines?
“We all know that fixing security issues early in the lifecycle of an application is significantly less [costly] than fixing these software vulnerabilities later in the lifecycle.”
“The challenge with static is on the auditing side. Static analysis issues. […] These results require developer time or security auditor attention. They may often require application security expertise. They require understanding the security context that an application fits in. So, the easiest part of this whole thing is adding a static analysis tool into a build. And the hardest part is dealing with all of the results.”
Best Practices for Successful CI/CD in SAST
“Your pipelines must remember any contextual decision to prevent false positives from triggering automation. You can't build automation around bad data. The better the quality of your data, the more contextually relevant it is for the application that you're scanning, the better off you're going to be. We talked about CI/CD and builds occurring in a branch and then being tested before they're checked into main. They must have access to that persistence layer of remembrance. It's going to do no good to run a static scan that is not merged with the baseline scan that has all of the contextually related decisions, because you're going to get bad data.”
“Complex logic is required to keep track of issues that have been audited and as new issues are introduced, because code is a living, breathing thing.”
“If we can group those past audit decisions into the correct application context buckets, internally facing applications, externally facing applications, whatever your risk profiles are for your application, we can leverage that data. And then using basic machine learning algorithms like Random Forest, we can provide a confidence value based on past data that in the exact same situations as what you're looking at, based on the data set, right, that you use to train a classifier used with Random Forest, you could potentially predict with context. And that's something that really hasn't been done before.”
“The result can be better quality data on which to build automation. So, it is about persisting and remembering all of our past audit decisions and then scaling that to include application-context-specific decisions in your result set.”
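The "persistence layer of remembrance" described above, as an added example (not Fortify's code and not from the interview): a branch scan is merged with the audit decisions recorded against the baseline scan of main, so that dismissed false positives never trigger the build gate while confirmed and never-audited issues still do. The `Finding` shape, the decision labels and the sample findings are assumptions constructed for the example; the fingerprint deliberately ignores line numbers so decisions survive ordinary code churn.

```python
import hashlib
from dataclasses import dataclass

@dataclass(frozen=True)
class Finding:
    category: str   # weakness category, e.g. "SQL Injection"
    path: str       # source file containing the sink
    sink: str       # function containing the sink
    line: int       # line number; deliberately NOT part of the fingerprint

def fingerprint(f: Finding) -> str:
    """Stable issue id: line numbers shift as code changes, so they are excluded."""
    return hashlib.sha256(f"{f.category}|{f.path}|{f.sink}".encode()).hexdigest()[:16]

def merge_with_baseline(findings, decisions):
    """Apply remembered audit decisions ({fingerprint: "not_an_issue" | "exploitable"})
    to a fresh branch scan. Returns (suppressed, confirmed, unaudited) lists."""
    suppressed, confirmed, unaudited = [], [], []
    for f in findings:
        decision = decisions.get(fingerprint(f))
        if decision == "not_an_issue":
            suppressed.append(f)        # auditor already dismissed this one
        elif decision == "exploitable":
            confirmed.append(f)         # known real bug that is still present
        else:
            unaudited.append(f)         # new issue nobody has looked at yet
    return suppressed, confirmed, unaudited

def should_fail_build(findings, decisions) -> bool:
    """Gate only on confirmed or never-audited findings, never on dismissed ones."""
    _, confirmed, unaudited = merge_with_baseline(findings, decisions)
    return bool(confirmed or unaudited)

# Constructed sample data, not taken from any real scan.
# Decisions an auditor recorded against the baseline scan of main.
DECISIONS = {
    fingerprint(Finding("SQL Injection", "src/orders.py", "find_order", 42)): "not_an_issue",
    fingerprint(Finding("Path Manipulation", "src/export.py", "write_report", 17)): "exploitable",
}
# Branch scan: the same two findings on shifted lines, plus one brand-new issue.
BRANCH_SCAN = [
    Finding("SQL Injection", "src/orders.py", "find_order", 58),
    Finding("Path Manipulation", "src/export.py", "write_report", 20),
    Finding("Cross-Site Scripting", "src/views.py", "render_comment", 9),
]
```

Running `merge_with_baseline(BRANCH_SCAN, DECISIONS)` yields one suppressed, one confirmed and one unaudited finding, so the gate fails the build for the right reasons rather than for the remembered false positive.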
What’s in it for Me?
“Every single audit decision is a cost. A cost in either an application security auditor or a developer or something to look at that issue, determine if it's a vulnerability and move on. That has to be persistent and it has to be checked against every single scan, regardless of whether it's a scan of main or in the branch. If we want to find these vulnerabilities early and we don't want to waste developers' time with a bunch of garbage, we need to query the persistence layer and we need that full context and we need all of our past audit decisions.”
Check out the full interview, Do your Pipelines Remember with James Rabon.
About Micro Focus Fortify
Fortify offers an end-to-end application security solution that secures and protects code throughout the entire development lifecycle of any type of software—from development to testing, release to production and every iteration in between. Fortify static, dynamic, interactive, and runtime security testing technologies are available on premise or on demand, offering organizations the flexibility needed to build an end-to-end software security assurance program.