From the latest agile development tools to innovative delivery platforms such as containers, DevOps is changing how people and businesses work.

But the novel software development approach of DevOps can also result in unique challenges, one of the most significant of which is application security testing. How do you balance the need for quick software releases while protecting sensitive customer and company data?

Marrying DevOps and Application Security Testing

As DevOps transforms the way software is developed and delivered, it requires a fresh look at application security. IBM and Black Duck Software are pleased to provide you with our recommendations below.

Our joint webinar outlined the unique application security challenges posed by DevOps and simple steps organizations can take to properly address them. Three of the key steps were to start with automation, customize security gates and test for vulnerabilities.

Starting With Automation

The world of DevOps is agile and fast-paced. To avoid slowing down the process, security testing must be automated within the DevOps environment. A great place to start is by integrating application security testing with continuous integration tools and running your testing at the exact point it’s needed. This enables your DevOps environment to hum along while protecting applications from potential vulnerabilities.

Customizing Security Gates

No two DevOps processes are alike; each application you build has unique development and security needs. Internally facing applications may require less stringent application testing than externally facing ones. In addition, you may be using containers like Docker to deploy your applications.

Know who your applications will serve and the level of data sensitivity associated with each application, and then determine how they’ll be delivered. This will enable you to design the proper application security testing gates at the right points in the DevOps process.

Testing (and Retesting) for Custom and Open Source Vulnerabilities

Applications are increasingly a mix of custom and open source code. Be sure your DevOps and application security teams are testing for both kinds of security vulnerabilities. This means deploying the proper dynamic analysis security testing (DAST), static analysis (SAST), interactive analysis (IAST) and open source (OSS) application security testing tools as part of your DevOps process. In addition, be sure to implement continuous testing to uncover new vulnerabilities as they’re reported.

These three simple steps will have your organization well on its way to making application security a successful component of your DevOps environment.

Learn More

To improve your Application Security Testing DevOps effectiveness, consult our complimentary Forrester Research report, “Secure Applications at the Speed of DevOps.”

More from Application Security

What’s up India? PixPirate is back and spreading via WhatsApp

8 min read - This blog post is the continuation of a previous blog regarding PixPirate malware. If you haven’t read the initial post, please take a couple of minutes to get caught up before diving into this content. PixPirate malware consists of two components: a downloader application and a droppee application, and both are custom-made and operated by the same fraudster group. Although the traditional role of a downloader is to install the droppee on the victim device, with PixPirate, the downloader also…

PixPirate: The Brazilian financial malware you can’t see

10 min read - Malicious software always aims to stay hidden, making itself invisible so the victims can’t detect it. The constantly mutating PixPirate malware has taken that strategy to a new extreme. PixPirate is a sophisticated financial remote access trojan (RAT) malware that heavily utilizes anti-research techniques. This malware’s infection vector is based on two malicious apps: a downloader and a droppee. Operating together, these two apps communicate with each other to execute the fraud. So far, IBM Trusteer researchers have observed this…

From federation to fabric: IAM’s evolution

15 min read - In the modern day, we’ve come to expect that our various applications can share our identity information with one another. Most of our core systems federate seamlessly and bi-directionally. This means that you can quite easily register and log in to a given service with the user account from another service or even invert that process (technically possible, not always advisable). But what is the next step in our evolution towards greater interoperability between our applications, services and systems?Identity and…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today