From the latest agile development tools to innovative delivery platforms such as containers, DevOps is changing how people and businesses work.

But the novel software development approach of DevOps can also result in unique challenges, one of the most significant of which is application security testing. How do you balance the need for quick software releases while protecting sensitive customer and company data?

Marrying DevOps and Application Security Testing

As DevOps transforms the way software is developed and delivered, it requires a fresh look at application security. IBM and Black Duck Software are pleased to provide you with our recommendations below.

Our joint webinar outlined the unique application security challenges posed by DevOps and simple steps organizations can take to properly address them. Three of the key steps were to start with automation, customize security gates and test for vulnerabilities.

Starting With Automation

The world of DevOps is agile and fast-paced. To avoid slowing down the process, security testing must be automated within the DevOps environment. A great place to start is by integrating application security testing with continuous integration tools and running your testing at the exact point it’s needed. This enables your DevOps environment to hum along while protecting applications from potential vulnerabilities.

Customizing Security Gates

No two DevOps processes are alike; each application you build has unique development and security needs. Internally facing applications may require less stringent application testing than externally facing ones. In addition, you may be using containers like Docker to deploy your applications.

Know who your applications will serve and the level of data sensitivity associated with each application, and then determine how they’ll be delivered. This will enable you to design the proper application security testing gates at the right points in the DevOps process.

Testing (and Retesting) for Custom and Open Source Vulnerabilities

Applications are increasingly a mix of custom and open source code. Be sure your DevOps and application security teams are testing for vulnerabilities in both. This means deploying the proper dynamic application security testing (DAST), static application security testing (SAST), interactive application security testing (IAST) and open source software (OSS) scanning tools as part of your DevOps process. In addition, implement continuous testing so that vulnerabilities newly reported in code you already ship are uncovered as they are disclosed.
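As an added illustration (not code from the post, IBM or Black Duck), the following Python module models a CI security gate built on the three steps above: it derives the required automated tests from an application's exposure, data sensitivity and delivery method, sets a stricter failure threshold for external or confidential-data applications, and blocks a build on findings from either custom or open source code. The AppProfile and Finding shapes, scan names and severity scale are assumptions, and the findings fed to it are constructed.

```python
from __future__ import annotations
from dataclasses import dataclass

# Added example: a customizable CI security gate. Profiles, scan names and
# severities are assumptions, not any vendor's schema.
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

@dataclass(frozen=True)
class AppProfile:
    name: str
    externally_facing: bool
    data_sensitivity: str   # "public", "internal" or "confidential"
    containerized: bool     # delivered as a Docker image

@dataclass(frozen=True)
class Finding:
    tool: str       # "sast", "dast", "iast", "oss" or "container"
    severity: str
    origin: str     # "custom" or "open-source"

def required_scans(app: AppProfile) -> set[str]:
    """Automated tests the gate must see for this app on every build."""
    scans = {"sast", "oss"}          # custom code and open source components, always
    if app.externally_facing:
        scans |= {"dast", "iast"}    # runtime testing for internet-exposed apps
    if app.containerized:
        scans.add("container")       # image scanning when shipping in containers
    return scans

def fail_threshold(app: AppProfile) -> str:
    """Lowest severity that blocks a release: stricter for external or
    confidential-data applications, looser for internal ones."""
    if app.externally_facing or app.data_sensitivity == "confidential":
        return "medium"
    return "high"

def evaluate_gate(app, scans_run, findings):
    """Return (passed, reasons). A required scan that did not run fails the
    gate, as does any finding at or above the threshold, from either origin."""
    reasons: list[str] = []
    missing = required_scans(app) - set(scans_run)
    if missing:
        reasons.append(f"missing scans: {sorted(missing)}")
    limit = SEVERITY_RANK[fail_threshold(app)]
    for f in findings:
        if SEVERITY_RANK[f.severity] >= limit:
            reasons.append(f"{f.tool} {f.severity} in {f.origin} code")
    return (not reasons, reasons)
```

Re-running evaluate_gate on a fresh OSS report for an application already in production is the retest step: a component vulnerability disclosed after release trips the same gate.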

These three simple steps will have your organization well on its way to making application security a successful component of your DevOps environment.

Learn More

To improve the effectiveness of application security testing in your DevOps process, consult our complimentary Forrester Research report, “Secure Applications at the Speed of DevOps.”
