Micro Focus Fortify is proud to be the exclusive sponsor of the TestGuild Security podcast hosted by Joe Colantonio. This weekly podcast, dropping every Thursday, aims to be 30 minutes or less, interview-style series speaking with some of the top Security Testing experts in the field.
The latest episode of the TestGuild Security Podcast features Tanya Janca. Tanya Janca is an Application Security and Cloud Security Consultant. She specializing in application security; evangelizing software security and advocating for developers through public speaking, her open source project OWASP DevSlop, and various forms of teaching via workshops, blogs, and community events.
I highly suggest you carve out 30 minutes to give this podcast a listen. Until then, here are some key takeaways I found intriguing during one of my favorite interviews so far!
Security as part of the SDLC
“The main thing is making sure security is part of the software development lifecycle, that it's formalized as part of it. And if you're doing DevOps, agile or a very long, slow waterfall, all of those follow a methodology and you add security into each part of the methodology. So, if you're doing DevOps, they love pipelines. I love pipelines. So, add security checks into the pipeline.
“I'm building a little pipeline on this video show that I have on my open source project with Nicole, Francisco, Vandana, and Nancy. There's a whole bunch of us and basically, I'm just adding different security tools in and doing basic tests right now. So, developers could push their code and then it does a bunch of basic tests and then I'm gonna get more aggressive as time goes on. But the point is, that if you have developers following a process, you want to weave the security into that process. If you are doing waterfall then when they are doing requirements, you need a security person to make sure they add security requirements. I guess the idea is, as each thing the developers are doing, you need to figure out how you can be a part of it, and especially if at all possible, at the same speed that they are moving.”
3rd Party Component Scanning
“Another thing which I think is like the easiest bang for your buck is to do third party component scanning. So, when we write an app like 60, 70, 80, even 90 percent of it is actually libraries. And then those things have vulnerabilities in them. So, for instance, I'm using jQuery in my little open source project. And just very recently a big vulnerability came out in it. And so, my third-party component scanning thing was like, right, right. So, then I need to update that, theoretically this weekend in my free time so that then I'm not vulnerable to that risk. So, when you scan your third-party components it’ll tell you immediately if a new thing has come out or if you've added something and it's a bad idea.”
When to run security scans
“I totally have advice on this. OK, so I have this crazy idea that we should put critical types of scans in the CI/CD pipeline that go out to publish. But then you can make another loop, sort of like a circle and you just put every hardcore security check that's ever happened and then it just goes back to dev and stops or it's just like a dead end and it just stops. Developers could run this on a Friday afternoon or something and it just goes off on its own and runs that stuff. Then the security team can look at all those results and then they can find mediums and lows and other things that are still things you want to fix, but you don't need to break the build over.
“So, for instance, for my third-party components, I think I allow myself to have mediums and lows, but no highs. Then I run it through SSL labs, which is another thing that people should consider doing, which checks that you're using the right security headers and also that you are using a certificate. Checking that your certificate hasn’t expired and all of that.
"I would strongly suggest setting your breaking of build really low to begin with and then slowly work your way up, rather than the other way around. And if you're going to do static code analysis, for instance, just look for injection and cross-site scripting and don't look for every other thing."
Hear the full interview, where Tanya discusses her thought around security testing and how to shift your efforts left like a boss.
About Micro Focus Fortify
Fortify offers an end-to-end application security solution that secures and protects code throughout the entire development lifecycle of any type of software—from development to testing, release to production and every iteration in between. Fortify static, dynamic, interactive, and runtime security testing technologies are available on premise or on demand, offering organizations the flexibility needed to build an end-to-end software security assurance program.