Security scanning automation with DevOps


Guest post by Kruthi Srinivasa, Fortify technical support

More and more enterprises are adopting DevOps as their IT culture to deliver quality software at lower cost with higher speed. In fact, 99% of those surveyed by the Software Security Research (SSR) team at Micro Focus agreed that DevOps is an opportunity to improve application security. Enterprises frequently use different tools and technologies to automate the DevOps process but tend to ignore security aspects.

Even when organizations do consider security, they tend to think about integrating and implementing static code analyzers to catch the security issues early. However, this is not sufficient to find security vulnerabilities associated with end-to-end scenarios and configuration of software post-deployment. It is imperative in the DevOps culture to ensure all the operational processes, including dynamic application security testing (DAST), are incorporated into the DevOps and Continuous Integration and Delivery (CI/CD) pipeline.

Micro Focus Fortify provides the complete application security solution for enterprise software with both static (Static Code Analyzer - SCA) and dynamic (WebInspect) testing. It is common practice to run Fortify products in a standalone environment through the GUI (Graphical User Interface). However, higher value can be derived from these products by using the Fortify product APIs, integrating them seamlessly into the DevOps and CI/CD tools of choice, such as Jenkins, and implementing enterprise security policies across the entire application portfolio. The benefit of such an approach is that security policies can be enforced consistently and repeatably across the enterprise with minimal operational error.

A typical workflow looks like this: as part of the CI/CD workflow, the tools are configured to run the static code analyzer, then carry out the application deployment steps, and then execute Selenium scripts as part of QA testing. All traffic from Selenium is funneled through a WebInspect proxy, started either by a Python script or by an open source tool such as WebBreaker, and saved as workflow macros. Later, leveraging the Swagger API definitions, WebInspect scans are created from those macro files and the results are captured in a repository such as Fortify Software Security Center. Vulnerabilities and findings can then be extracted and sent as tickets to issue tracking systems such as JIRA or Bugzilla. As part of the next build, developers address the tickets generated by the WebInspect scan or by operations, fix the configuration issues, and in this way security testing becomes an automatic part of the continuous software development, deployment and operations process.
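The last two steps of that workflow, turning extracted DAST findings into tracker tickets and enforcing a consistent security policy on every build, can be a small CI step of their own. The following is an added example written for this post, not Fortify's or WebBreaker's code; the findings layout and the ticket shape are constructed for illustration, and a real pipeline would map the fields of the WebInspect or Software Security Center export it actually receives.

```python
"""Added example: turn DAST findings into tracker tickets and enforce a build gate.

The finding and ticket layouts below are constructed for illustration; they are
not the real WebInspect, SSC or JIRA formats.
"""
from collections import defaultdict

SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1}

# Constructed sample findings, as a CI step might receive them after a scan.
SAMPLE_FINDINGS = [
    {"check": "Cross-Site Scripting", "url": "https://app.example.com/search?q=", "severity": "High"},
    {"check": "Cross-Site Scripting", "url": "https://app.example.com/search?q=", "severity": "High"},
    {"check": "Missing HSTS Header", "url": "https://app.example.com/", "severity": "Low"},
    {"check": "SQL Injection", "url": "https://app.example.com/login", "severity": "Critical"},
]


def dedupe(findings):
    """Collapse repeated (check, url) pairs so each distinct issue yields one ticket."""
    seen = {}
    for f in findings:
        key = (f["check"], f["url"])
        if key not in seen:
            seen[key] = dict(f, occurrences=0)
        seen[key]["occurrences"] += 1
    return list(seen.values())


def to_tickets(findings, project="APPSEC"):
    """Build tracker-ready ticket payloads (generic shape, not a specific tracker API)."""
    tickets = []
    for f in dedupe(findings):
        tickets.append({
            "project": project,
            "summary": f"[DAST] {f['check']} at {f['url']}",
            "priority": f["severity"],
            "description": f"Reported {f['occurrences']} time(s) by the WebInspect scan.",
        })
    return tickets


def policy_gate(findings, fail_at="high"):
    """Return (passes, counts): the build fails if any finding is at or above fail_at."""
    counts = defaultdict(int)
    for f in dedupe(findings):
        counts[f["severity"].lower()] += 1
    threshold = SEVERITY_RANK[fail_at.lower()]
    blocking = sum(n for sev, n in counts.items() if SEVERITY_RANK.get(sev, 0) >= threshold)
    return blocking == 0, dict(counts)
```

In a Jenkins stage the gate result decides whether the pipeline continues, while the ticket payloads are handed to the tracker's API; the same threshold applied on every build is what makes the policy consistent across the portfolio.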

Check out WebInspect Automation for more information. You’ll see more about Custodela’s App in-a-box approach, Target’s WebBreaker, a Maven Plugin, and automation for QA and cloud. 
