Effective security testing is hard. It has become apparent that finding vulnerabilities requires several types of testing activity to be included in the Continuous Integration (CI) / Continuous Delivery or Continuous Deployment (CD) pipeline. Security activities such as Static Analysis Security Testing (SAST), Dynamic Analysis Security Testing (DAST) and Software Composition Analysis (SCA) are performed at different stages of the CI/CD pipeline to ensure adequate coverage of the code, the binaries, the deployment environment and the classes of security issue we wish to eradicate. Each security activity has its own cost, strengths, weaknesses, constraints and run time, all of which influence how often you can deploy to your staging or production environment.
Building security automation into the DevOps pipeline is a key pain point for many organisations. A risk-based, intelligent, adaptive DevOps pipeline can close the gap between DevOps and security teams, helping DevOps teams accelerate deployment to production without compromising security. Implementing risk-based, adaptable intelligence within the DevOps pipeline supports security activities by matching the team's velocity and providing continuous intelligent feedback, continuous learning and continuous metrics, continuously supporting organisations as they scale their security testing activities.
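The two paragraphs above describe a pipeline in which SAST, SCA and DAST sit at different stages and are selected according to the risk of a change and the time each tool costs. The following Python is an added illustration of that selection logic, not code from the original page or from any particular product. The activity names, their assumed run times in minutes, the stage at which each can run, the risk signals (source_changed, manifest_changed, web_surface_changed, prod_deploy) and the sample changes are all constructed for the example.

```python
"""Adaptive security-gate selection for a CI/CD pipeline (constructed example).

Given a change's risk signals and the time budget of the current pipeline
stage, decide which security activities run now, which are deferred to a
later stage, and which optional ones are skipped for lack of time.
All tool timings, stage names and trigger rules below are assumptions.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Activity:
    name: str
    minutes: int          # assumed typical wall-clock time of the tool
    stage: str            # earliest stage at which the tool can run
    triggers: frozenset   # risk signals that make this activity mandatory


@dataclass(frozen=True)
class Change:
    touched_paths: tuple      # files modified by the change
    manifest_changed: bool    # e.g. a dependency manifest was edited
    deploy_target: str        # "staging" or "production"


STAGE_ORDER = ("build", "staging")

# Assumed catalogue: SAST and SCA run on the build, DAST needs a deployed app.
ACTIVITIES = (
    Activity("SAST", 8, "build", frozenset({"source_changed"})),
    Activity("SCA", 3, "build", frozenset({"manifest_changed"})),
    Activity("DAST", 40, "staging", frozenset({"prod_deploy", "web_surface_changed"})),
)


def risk_signals(change):
    """Derive coarse risk signals from what the change touches (constructed rules)."""
    signals = set()
    if any(p.endswith((".py", ".js", ".go", ".java")) for p in change.touched_paths):
        signals.add("source_changed")
    if change.manifest_changed:
        signals.add("manifest_changed")
    if any(p.startswith(("web/", "api/")) for p in change.touched_paths):
        signals.add("web_surface_changed")
    if change.deploy_target == "production":
        signals.add("prod_deploy")
    return signals


def select_activities(change, stage, budget_minutes):
    """Return which activities to run now, defer, or skip at this stage.

    Mandatory activities (one of their triggers fired) always run at their
    stage even if that exceeds the budget; the overrun is reported so the
    pipeline can surface the cost. Optional activities fill remaining time,
    shortest first. Activities belonging to a later stage are deferred.
    """
    signals = risk_signals(change)
    here = STAGE_ORDER.index(stage)
    eligible = [a for a in ACTIVITIES if a.stage == stage]
    deferred = [a.name for a in ACTIVITIES if STAGE_ORDER.index(a.stage) > here]

    mandatory = [a for a in eligible if a.triggers & signals]
    optional = sorted((a for a in eligible if not a.triggers & signals),
                      key=lambda a: a.minutes)

    run, skipped = [], []
    remaining = budget_minutes
    for a in mandatory:
        run.append(a.name)
        remaining -= a.minutes
    for a in optional:
        if a.minutes <= remaining:
            run.append(a.name)
            remaining -= a.minutes
        else:
            skipped.append(a.name)

    return {"run": run, "deferred": deferred, "skipped": skipped,
            "overrun_minutes": max(0, -remaining)}


if __name__ == "__main__":
    # Constructed sample change: an API handler edited, bound for staging.
    change = Change(("api/handlers.py",), False, "staging")
    for stage, budget in (("build", 10), ("staging", 20)):
        print(stage, select_activities(change, stage, budget))
```

The point the example makes is that the gate is a policy, not a fixed list: the same change gets a cheap SCA run when only a manifest moved, a full SAST run when source moved, and a DAST run only once something deployable exists and the change touched an exposed surface or is headed for production. Budget overruns are reported rather than silently dropping a mandatory scan, which is the data a team needs to decide whether to move a slow tool to a later stage.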
Key Learnings