Delivering Secured Software is very important as the modern world has the risk of potential attacks in various ways. To mitigate them, we need to embed certain security testing procedures in our Software Development Lifecycle. Fortunately, With DevOps, we have a systematic process called CICD and we are going to add certain Security Testing in the respective stage of the CICD process. AS the first step, in this article, we will discuss How to Implement Security Testing In IDE or in Development Environment.
Table of Contents
We have discussed couple of Security Testing methods and tools to implement the same in one of our previous article.
Now, in this article, we will see how to implement the same with simple example.
For the same, we can refer the below diagram which will show the step by step process of CICD and different Security testing Methodology involved.
So, as we talked in the introduction, we will How to Implement Security Testing In IDE or in Development Environment.
At Development Environment
Development Environment Testing is also another form of Unit test with some security preliminary test procedures. There are many source code analysis tool that comes with Security scanning. For example, Synopsys Code Sight. It is available as a plugin in many IDEs which helps developers identify the vulnerability before even committing it into the Version Control System.
In this article, we will discuss how this Code Sight can be integrated with IntelliJ IDEA Community version IDE and discuss what are the different vulnerabilities and bugs findings coming out of this Code Sight Plugin.
Install the Plugin
That’s it. The plugin is installed and configured. Now, we will see how this plugin is working.
Scanning the Source Code
Before getting into Scanning the source code, we will have to get the code inside the IDE. So, get it ready. For learning purposes, OWASP is providing a vulnerable project called OWASP WebGoat.
So, once you opened the project, you can see the Code Sight Panel with Issues and status. This means the plugin will automatically start scanning the code for vulnerabilities. As shown in the screenshots.
So, these Code Analysis are in two parts.
- Coverity connect – Which is for on Premises Centralized Analysis System
- Coverity On Polaris – This is for On Cloud Centralized Analysis System
Source Code Analysis (Black Duck)
When you click the respective Black Duck issue. All these Black Duck issues will be prefixed with “Component:”, it will give you the details of the code analysis. It will show you:
Static Application Security Testing (SAST)
Now, Let see the Coverity Analysis Tool results.
Basically, the issue can be dismissed If the DecSecOps leads instruction is to not consider the issue.
Advanced Source Code Analysis (SCA) tools are offering with a Centralized Analysis system. Say in Code Sight, we have Black Duck for the SCA and Coverity Analysis for Static Application Security Testing (SAST) tool and Synopsys Code Sight has its Centralized Analysis System.
What is Centralized Analysis system.
The centralized analysis system is the common server with data collection and Analysis Engines which will collect the vulnerabilities and Bus from the various level of SDLC and CICD process.
The above image explains how the Security scanning from IDE is being tracked using the central Analysis System. So,
As the first step of the Integrating Security Testing in the CICD pipeline, we have discussed how to add the Tools that are collecting and pushing the Vulnerability to the CICD process. This article is on how to Implement Security Testing in IDE or Development Environment. In our upcoming article, we will discuss more on DevSecOps Maturity modeling (DSOMM), Code Analysis in the CICD process, Detailed Penetration Testing process, and more. Stay tuned and subscribe DigitalVarys for more articles and study materials on DevOps, Agile, DevSecOps, and App Development.
Experienced DevSecOps Practitioner, Tech Blogger, Expertise in Designing Solutions in Public and Private Cloud. Opensource Community Contributor.