Implement Security Testing In IDE

How To Implement Security Testing In IDE.

Delivering secure software is essential, since modern software faces the risk of attack in many ways. To mitigate this, we need to embed security testing procedures in our Software Development Lifecycle. Fortunately, with DevOps we have a systematic process called CICD, and we are going to add security testing to the respective stages of the CICD process. As the first step, in this article we will discuss how to implement security testing in the IDE, or development environment.

So Far!

We have discussed a couple of security testing methods, and the tools to implement them, in one of our previous articles.

Now, in this article, we will see how to implement them with a simple example.

For this, refer to the diagram below, which shows the step-by-step CICD process and the security testing methodology involved at each stage.

Security Testing in CICD Process

So, as mentioned in the introduction, we will cover how to implement security testing in the IDE or development environment.

At Development Environment

Development environment testing is another form of unit testing, with some preliminary security test procedures added. Many source code analysis tools come with security scanning; one example is Synopsys Code Sight. It is available as a plugin for many IDEs and helps developers identify vulnerabilities before the code is even committed to the version control system.

In this article, we will discuss how Code Sight can be integrated with the IntelliJ IDEA Community Edition IDE, and look at the different vulnerability and bug findings produced by the Code Sight plugin.

Install the Plugin

  • First, open the IntelliJ IDEA IDE and click File -> Settings -> Plugins, then search for “Code Sight”. You will get the marketplace popup where you can install plugins. Click the Install button to install it.
  • Then the IDE will ask you to restart. Restart it once and you will have the plugin installed.
  • After that, you will see a tab called “Code Sight” at the bottom of the IDE. Click it to open the panel. Here you can see the Black Duck (SCA) and Coverity Analysis (SAST) tools, which perform the scanning.
  • Then either click the respective Install button, or click the Code Sight Preferences button at the top right of the panel to configure the Centralized Analysis account. Remember, it is a paid service.

That’s it. The plugin is installed and configured. Now we will see how the plugin works.

Scanning the Source Code

Before scanning the source code, we need the code open inside the IDE, so get it ready. For learning purposes, OWASP provides a deliberately vulnerable project called OWASP WebGoat.

Once you have opened the project, you can see the Code Sight panel with issues and status. This means the plugin has automatically started scanning the code for vulnerabilities, as shown in the screenshots.

Synopsys Code Sight

So, this code analysis comes in two parts:

  • Black Duck – performs Source Code Analysis (SCA), which can be run both on-premises and in the cloud.
  • Coverity Analysis – performs Static Application Security Testing (SAST). It is configured in one of two ways:
    • Coverity Connect – for an on-premises Centralized Analysis System
    • Coverity on Polaris – for a cloud Centralized Analysis System

Source Code Analysis (Black Duck)

When you click a Black Duck issue (all Black Duck issues are prefixed with “Component:”), it gives you the details of the code analysis. It shows you:

  • A “How to resolve” block, which gives the details of how to fix the issue.
  • The list of security vulnerabilities underlying the current issue.
  • These security vulnerabilities come from the National Vulnerability Database and from the Black Duck Security Advisory.
  • Clicking each security vulnerability shows the details of that issue.
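To make the “Component:” finding concrete, here is an added illustration (not Black Duck’s or Code Sight’s code) of the matching that produces it: each dependency version in the project is compared against the affected version range of an advisory, and every match becomes one issue carrying its “How to resolve” text. All component names, versions and advisory identifiers below are constructed placeholders, not real NVD or BDSA entries.

```python
# Added illustration of SCA "Component:" matching; not Black Duck or Code Sight code.
from dataclasses import dataclass
from typing import Optional

def parse_version(v: str) -> tuple:
    """'2.3.1' or '2.3.1-SNAPSHOT' -> (2, 3, 1), comparable as a tuple."""
    return tuple(int(p) for p in v.split("-")[0].split("."))

@dataclass(frozen=True)
class Advisory:
    advisory_id: str       # placeholder id, not a real CVE or BDSA entry
    component: str         # group:artifact as written in a Maven pom
    introduced: str        # first affected version (inclusive)
    fixed: Optional[str]   # first fixed version (exclusive); None = no fix yet
    severity: str

def is_affected(version: str, adv: Advisory) -> bool:
    """True when version lies in the range [introduced, fixed)."""
    v = parse_version(version)
    if v < parse_version(adv.introduced):
        return False
    return adv.fixed is None or v < parse_version(adv.fixed)

def scan_dependencies(deps: dict, advisories: list) -> list:
    # One finding per (dependency, matching advisory), with "How to resolve" text.
    findings = []
    for name, version in deps.items():
        for adv in advisories:
            if adv.component != name or not is_affected(version, adv):
                continue
            if adv.fixed:
                fix = f"Upgrade {name} to {adv.fixed} or later"
            else:
                fix = f"No fixed release of {name}; remove it or mitigate"
            findings.append({
                "issue": f"Component: {name} {version}",
                "advisory": adv.advisory_id,
                "severity": adv.severity,
                "how_to_resolve": fix,
            })
    return findings

SAMPLE_DEPS = {  # constructed pom-style dependency list
    "org.example:json-util": "1.4.2",        # inside an affected range
    "org.example:template-engine": "3.0.0",  # already on the fixed version
    "org.example:logger": "0.9.1",           # no advisory at all
}
SAMPLE_ADVISORIES = [  # constructed advisories, not real NVD/BDSA entries
    Advisory("EXAMPLE-2024-0001", "org.example:json-util", "1.0.0", "1.5.0", "HIGH"),
    Advisory("EXAMPLE-2024-0002", "org.example:template-engine", "2.0.0", "3.0.0", "CRITICAL"),
]
```

Running `scan_dependencies(SAMPLE_DEPS, SAMPLE_ADVISORIES)` yields a single finding for `json-util 1.4.2`; the template engine is already on its fixed version, which is exactly the check a real SCA feed performs against far richer version syntax.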

Static Application Security Testing (SAST)

Now, let's see the Coverity Analysis tool results.

  • When you click an issue that is not prefixed with “Component:”, it shows you the issue detail page.
  • It shows the file name and line number where the issue was found.
  • We also get the category of the issue, which helps us resolve issues in priority order.
  • Then it gives the category of the issue and the code from the National Vulnerability Database, along with tips to solve the issue.

Basically, the issue can be dismissed if the DevSecOps lead's instruction is not to consider the issue.

Advanced Source Code Analysis (SCA) tools are offered together with a centralized analysis system. In Code Sight, we have Black Duck as the SCA tool and Coverity Analysis as the Static Application Security Testing (SAST) tool, and Synopsys Code Sight has its own Centralized Analysis System.

What is a Centralized Analysis System?

The centralized analysis system is a common server with data collection and analysis engines, which collects the vulnerabilities and bugs from the various levels of the SDLC and CICD process.

Central Security Analysis System

The above image explains how security scanning from the IDE is tracked using the Central Analysis System:

  • The Central Analysis System provides managed services for all SCA, SAST, DAST, IAST, and RASP processes. This means the security test in each phase of the CICD or SDLC is tracked and monitored by the central managed services incorporated into the Central Analysis System.
  • The collected information keeps track of all results and findings of the respective environment (in the current case: the IDE).
  • Then it produces the reports defined by the user, in order to make the collected data useful.
  • Finally, the alert system sends a notification or email to let the team know about the findings.
  • The same Centralized Analysis System is also integrated with the CICD process, so that it co-exists with the entire SDLC process.

Conclusion

As the first step of integrating security testing into the CICD pipeline, we have discussed how to add the tools that collect vulnerabilities and push them into the CICD process. This article covered how to implement security testing in the IDE or development environment. In our upcoming articles, we will discuss DevSecOps Maturity Modeling (DSOMM), code analysis in the CICD process, the detailed penetration testing process, and more. Stay tuned and subscribe to DigitalVarys for more articles and study materials on DevOps, Agile, DevSecOps, and app development.
