From the latest agile development tools to innovative delivery platforms such as containers, DevOps is changing how people and businesses work.

But the DevOps approach to software development also brings its own challenges, one of the most significant of which is application security testing. How do you balance the need for rapid releases against the need to protect sensitive customer and company data?

Marrying DevOps and Application Security Testing

As DevOps transforms the way software is developed and delivered, it requires a fresh look at application security. IBM and Black Duck Software are pleased to provide you with our recommendations below.

Our joint webinar outlined the unique application security challenges posed by DevOps and simple steps organizations can take to properly address them. Three of the key steps were to start with automation, customize security gates and test for vulnerabilities.

Starting With Automation

The world of DevOps is agile and fast-paced. To avoid slowing down the process, security testing must be automated within the DevOps environment rather than bolted on as a manual review before release. A good place to start is by integrating application security testing with your continuous integration tools and running each test at the pipeline stage where it fits: static analysis and dependency checks on every commit, dynamic testing against a deployed test build. This lets the pipeline keep moving while still catching vulnerabilities before they reach production.

Customizing Security Gates

No two DevOps processes are alike; each application you build has its own development and security needs. Internally facing applications may warrant less stringent testing than externally facing ones. Delivery also matters: if you deploy with containers such as Docker, the image itself becomes an artifact to test.

Know who your applications will serve and the level of data sensitivity associated with each application, and then determine how they’ll be delivered. This will enable you to design the proper application security testing gates at the right points in the DevOps process.

Testing (and Retesting) for Custom and Open Source Vulnerabilities

Applications are increasingly a mix of custom and open source code, so your DevOps and application security teams need to test for vulnerabilities in both. That means integrating the appropriate tools into the pipeline: dynamic application security testing (DAST), static application security testing (SAST), interactive application security testing (IAST) and open source (OSS) composition analysis that checks your third-party components against known vulnerabilities. It also means testing continuously rather than only at build time: a dependency that was clean when the build passed can become vulnerable the day a new advisory is published, so builds that have already shipped need to be rescanned against current vulnerability data.
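The three steps above (automate in CI, size the gate to the application, test custom and open source code and keep retesting) can be expressed as a small policy script. The following is an added example written for this page, not code from IBM or Black Duck: it picks the required scan types and blocking severity from an application profile, fails the build if a required scan was skipped or a finding meets the threshold, and rescans a dependency manifest against a newer advisory feed without rebuilding. The application profiles, findings, package names and advisory entries are all constructed for the example and are not real.

```python
"""Policy-driven security gate for a CI pipeline (hypothetical example)."""
import sys
from dataclasses import dataclass, field

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass(frozen=True)
class AppProfile:
    name: str
    exposure: str          # "internal" or "external"
    data_sensitivity: str  # "low", "pii" or "regulated"
    delivery: str          # "vm" or "container"


@dataclass
class Finding:
    source: str    # "sast", "dast", "iast", "sca" or "image"
    severity: str  # key of SEVERITY_RANK
    title: str


@dataclass
class GateResult:
    passed: bool
    required_scans: set
    failures: list = field(default_factory=list)


def required_scans(app):
    """Which test types this application must run before release."""
    scans = {"sast", "sca"}                # custom code and open source, always
    if app.exposure == "external":
        scans.add("dast")                  # exercise the deployed attack surface
    if app.data_sensitivity in ("pii", "regulated"):
        scans.add("iast")                  # runtime checks for data-handling paths
    if app.delivery == "container":
        scans.add("image")                 # the container image is an artifact too
    return scans


def fail_threshold(app):
    """Lowest severity that blocks the build for this application."""
    if app.exposure == "external" and app.data_sensitivity != "low":
        return "medium"
    if app.exposure == "external" or app.data_sensitivity != "low":
        return "high"
    return "critical"


def evaluate_gate(app, findings, scans_run):
    """Fail if a required scan was skipped or any finding meets the threshold."""
    required = required_scans(app)
    result = GateResult(passed=True, required_scans=required)
    for scan in sorted(required - set(scans_run)):
        result.failures.append(f"required scan not run: {scan}")
    threshold = SEVERITY_RANK[fail_threshold(app)]
    for f in findings:
        if SEVERITY_RANK[f.severity] >= threshold:
            result.failures.append(f"{f.source} {f.severity}: {f.title}")
    result.passed = not result.failures
    return result


def parse_version(v):
    # Assumes simple dotted numeric versions such as "1.2.0".
    return tuple(int(p) for p in v.split("."))


def rescan_dependencies(manifest, advisories):
    """Re-run open source checks against the current feed; no rebuild needed."""
    findings = []
    for name, version in manifest:
        for adv in advisories:
            if adv["package"] == name and parse_version(version) < parse_version(adv["fixed_in"]):
                findings.append(Finding(
                    "sca", adv["severity"],
                    f"{name} {version} < {adv['fixed_in']} ({adv['id']})"))
    return findings


# Constructed sample inputs (not real scan output, packages or advisories).
INTERNAL_TOOL = AppProfile("build-dashboard", "internal", "low", "vm")
CUSTOMER_PORTAL = AppProfile("customer-portal", "external", "pii", "container")
SAMPLE_FINDINGS = [
    Finding("sast", "high", "SQL query built with string concatenation"),
    Finding("dast", "medium", "session cookie missing HttpOnly flag"),
]
MANIFEST = [("examplelib", "1.2.0"), ("otherlib", "4.0.1")]
ADVISORY_FEED_JAN = []  # nothing known at build time
ADVISORY_FEED_FEB = [   # hypothetical advisory published after the build shipped
    {"id": "EXAMPLE-ADV-0001", "package": "examplelib",
     "severity": "high", "fixed_in": "1.3.0"},
]

if __name__ == "__main__":
    gate = evaluate_gate(CUSTOMER_PORTAL, SAMPLE_FINDINGS, {"sast", "sca", "dast", "iast"})
    for reason in gate.failures:
        print("BLOCK:", reason)
    for f in rescan_dependencies(MANIFEST, ADVISORY_FEED_FEB):
        print("NEW SINCE BUILD:", f.title)
    sys.exit(0 if gate.passed else 1)  # non-zero exit fails the CI job
```

Run as the last step of the pipeline, the script's exit code is what fails the job; the same `rescan_dependencies` call can run on a schedule against builds already in production so that a newly published advisory surfaces as a finding without waiting for the next commit.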

These three simple steps will have your organization well on its way to making application security a successful component of your DevOps environment.

Learn More

To make application security testing more effective in your DevOps process, consult our complimentary Forrester Research report, "Secure Applications at the Speed of DevOps."
