
Shifting everywhere: The importance of continuous testing in the software development life cycle

Fred Bals

Dec 04, 2023 / 3 min read

“Shifting left” is the philosophy of pushing security testing as early as possible in the development process. When the idea was first popularized, the only viable tool-based option was to run static analysis during coding, and then perform penetration testing before the application went live. Today “shifting everywhere” means automated, continuous testing throughout the software life cycle.

Automated, continuous testing is crucial in continuous integration/continuous deployment (CI/CD) pipelines, where small code changes are merged and deployed many times a day: it validates each change quickly and stops faulty code before it reaches production. CI/CD enables software development at lightning speed, and continuous testing builds trust in, and verification of, the quality and security of that software.


Application security testing priorities

There are three fundamental priorities for application security testing (AST) that form the foundation of DevSecOps.

  • Detecting weak or insecure coding practices in proprietary code, and doing so as early as possible (ideally at development) to accelerate remediation and avoid downstream issues
  • Identifying known vulnerabilities in open source components, including transitive dependencies that may be added into a project during a build
  • Verifying the security of data and application functions at runtime, and detecting potentially malicious activity in running compiled assets

But risk detection is only half of what is required to establish security—you also need effective risk remediation. Historically, risk detection was the responsibility of AppSec teams, and remediation was performed by development teams. In DevSecOps, these responsibilities intermingle, with AST becoming a continuous event shared among development, security, and DevOps teams as issues are prioritized for remediation and resolved. Doing this efficiently requires testing tools and security processes to be incorporated throughout the software development life cycle, CI pipelines, and other DevOps workflows.

Data from the “Global State of DevSecOps 2023” report indicates that the more mature an organization’s security practices are, the more its DevSecOps teams value integrating security testing into CI/CD pipelines and toolchains. In fact, continuously monitoring applications in production for security incidents and anomalies was cited by 30% of the report’s respondents as a major security practice in their organizations.

Continuous testing in action

For continuous testing to work, organizations need end-to-end AppSec test coverage across their CI/CD pipelines. For example, developers who want to identify and triage security defects early and continuously need a solution such as Code Sight™, which can address security defects in real time directly in the integrated development environment, using static application security testing (SAST) and software composition analysis (SCA). Organizations looking for a SaaS-based continuous testing solution should explore the Black Duck Polaris™ Platform, which uses the same powerful SAST and SCA engines as Code Sight.

For real-time analysis of security vulnerabilities in web-based applications, an interactive application security testing (IAST) solution such as Seeker® IAST can continually monitor and provide feedback on the security issues it discovers.

Continuous testing can also provide data and insights to help organizations improve their security practices. For example, managers with oversight of security initiatives want to understand how effectively their AppSec tools are working and need complete visibility into process and performance across teams. Development and operations teams want a centralized view of issues so they can identify the security activities that have the most impact. Those whose focus is on security want to cut through the noise to prioritize critical issues quickly.

An interesting data point in the DevSecOps report is the growing use of application security orchestration and correlation (ASOC), now more commonly referred to as application security posture management (ASPM). According to Gartner, implementing ASPM should be a priority for any organization that uses multiple development and security tools, which, in today’s world, is every organization.

An ASPM solution such as Software Risk Manager continuously manages application risks from development to deployment. Software Risk Manager ingests data from multiple sources and then correlates and analyzes findings for easier interpretation, triage, and remediation. It also acts as a management and orchestration layer for security tools, enabling controls and the enforcement of security policies. And by providing a consolidated perspective of application security findings, Software Risk Manager offers a comprehensive view of security and risk status across an entire application or system.
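The two mechanisms described above, a pipeline gate that stops faulty code before production and a correlation layer that merges findings from several tools, can be shown in a few dozen lines. The following is an added illustration, not code from Black Duck or from Software Risk Manager: the tool names, rule identifiers and findings are constructed sample data, and the policy thresholds are assumptions chosen for the example. It normalizes SAST, SCA and IAST output into one shape, groups findings that point at the same weakness, boosts anything confirmed at runtime or reported by more than one tool, and returns a pass/fail decision the CI job can act on.

```python
"""Added example: correlate AppSec findings and gate a CI/CD pipeline on them.
Not vendor code; all tool names, identifiers and findings below are constructed."""
from dataclasses import dataclass, field

# Severity ordering used for comparison and sorting (assumed scale).
SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1}


@dataclass(frozen=True)
class Finding:
    tool: str       # scanner that produced it (constructed names)
    kind: str       # "sast", "sca" or "iast"
    rule: str       # weakness or advisory identifier (constructed)
    location: str   # file:line for code, package@version for dependencies
    severity: str


@dataclass
class Correlated:
    rule: str
    location: str
    severity: str
    tools: set = field(default_factory=set)
    confirmed_at_runtime: bool = False


def correlate(findings):
    """Group findings that describe the same weakness (same rule and location),
    keep the highest severity reported, and record which tools agree."""
    groups = {}
    for f in findings:
        key = (f.rule, f.location)
        g = groups.setdefault(key, Correlated(f.rule, f.location, f.severity))
        if SEVERITY_RANK[f.severity] > SEVERITY_RANK[g.severity]:
            g.severity = f.severity
        g.tools.add(f.tool)
        if f.kind == "iast":           # runtime evidence, not just a static match
            g.confirmed_at_runtime = True
    return list(groups.values())


def prioritize(correlated):
    """Runtime-confirmed first, then multi-tool agreement, then raw severity."""
    return sorted(
        correlated,
        key=lambda c: (c.confirmed_at_runtime, len(c.tools), SEVERITY_RANK[c.severity]),
        reverse=True,
    )


# Assumed policy: block the build on these severities, and cap open mediums.
POLICY = {"block_on": {"critical", "high"}, "max_medium": 5}


def gate(correlated, policy=POLICY):
    """Return (passed, reasons). An empty reasons list means the build may proceed."""
    reasons = []
    for c in correlated:
        if c.severity in policy["block_on"]:
            tools = ", ".join(sorted(c.tools))
            reasons.append(f"{c.severity} {c.rule} at {c.location} ({tools})")
    mediums = [c for c in correlated if c.severity == "medium"]
    if len(mediums) > policy["max_medium"]:
        reasons.append(f"{len(mediums)} medium findings exceed budget of {policy['max_medium']}")
    return (not reasons, reasons)


# Constructed sample output from three scanners on one build.
SAMPLE_FINDINGS = [
    Finding("sast-scanner", "sast", "CWE-89", "src/orders.py:42", "high"),
    Finding("sast-scanner", "sast", "CWE-79", "src/views.py:118", "medium"),
    Finding("sast-scanner", "sast", "CWE-20", "src/api.py:7", "low"),
    # IAST sees the same injection point exercised at runtime and rates it higher.
    Finding("iast-agent", "iast", "CWE-89", "src/orders.py:42", "critical"),
    # SCA flags a transitive dependency against a (constructed) advisory entry.
    Finding("sca-scanner", "sca", "ADVISORY-SAMPLE-1", "example-lib@1.2.3", "high"),
]


if __name__ == "__main__":
    ranked = prioritize(correlate(SAMPLE_FINDINGS))
    for c in ranked:
        flag = "runtime-confirmed" if c.confirmed_at_runtime else "static only"
        print(f"{c.severity:8} {c.rule:18} {c.location:22} {sorted(c.tools)} {flag}")
    passed, reasons = gate(ranked)
    print("GATE:", "PASS" if passed else "FAIL")
    for r in reasons:
        print("  -", r)
```

In a real pipeline the `Finding` list would be parsed from each tool's report (SARIF for most SAST engines, CycloneDX or SPDX plus advisory data for SCA) rather than constructed, and the exit status of `gate` would fail the job. The correlation key deliberately ignores the reporting tool, so the same injection point seen by SAST and IAST collapses into one item with higher confidence instead of two tickets.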
