Integrating Static Analysis Security Testing (SAST) Into Your DevSecOps Pipeline Using Github Actions
Watch the full webinar here.
What is DevSecOps
To fully understand DevSecOps, it helps to learn about the evolution of software development speed and why the DevSecOps practice exists today.
Traditionally, Waterfall methodology broke down software development projects into linear, sequential phases, where each phase depends on the delivery of the one before it. It could take months if not years to complete all phases of waterfall development.
Then came Agile Development, originally adopted mainly by startups in the early 2000s, Agile development didn’t always welcome security with open arms, as any agile development workflow was meant to speed up software development and the client feedback loop. Agile essentially took what existed in the Waterfall methodology and implemented the phases into 1 to 4 week sprints.
As Agile development processes became mainstream, and code found its way into production faster, a shift happened. Cloud computing gained mass adoption and it became easier and less expensive to push code to production. With this shift, however, came a disconnect between Developers and Operations that still kept software teams from deploying at their desired speed.
DevOps is the combination of cultural philosophies, practices, and tools that increase an organization’s ability to deliver applications and services continuously. By automating this process, the developers check in their code, then push this code through a pipeline of automated checks, similar to many of the traditional phases of the software development lifecycle. Continuous Integration and Continuous Delivery (CI/CD) is a common DevOps implementation practice that encourages development teams to deliver code changes more frequently and reliably.
Continuous integration (CI) is the practice of automating the integration of code changes from multiple contributors into a single software project. The version control system is also supplemented with other checks like automated code quality tests, syntax style review tools, and more.
Continuous delivery is a software engineering approach in which teams produce software in short cycles, ensuring that the software can be reliably released at any time and, when releasing the software, doing so manually. It aims at building, testing, and releasing software with greater speed and frequency.
DevSecOps is the result of collaboration between Development, Ops, and Security teams to push security left in an automated, consistent and measurable way. DevOps practices made it easy and manageable to integrate security with every single step of the software development process.
What DevSecOps is not
- A specific process, tool or framework
- A One-Size-Fits-All Approach
- A different way of playing police
- Siloed dev, sec, ops activities
What does your pipeline look like?
What does your pipeline look like?
We’ve identified 4 key activities your pipeline needs at minimum:
- Static Analysis Scanning
- Dynamic Analysis Scanning
- Git Secrets Testing
- 3rd Party Vulnerability Testing
However, these activities mean nothing if they aren’t helping you make informed decisions about your software development. If you do not implement gates, leverage metrics, or understand the issues that need to be fixed, there is little value in having a pipeline.
Intro to GitHub Actions
GitHub Actions is an API for cause and effect on GitHub. It enables you to create custom software development life cycle (SDLC) workflows directly in your GitHub repository. It also allows you to easily create a secure DevSecOps (CI) pipeline.
How it works
- Triggers on a Git workflow action (commit, pull request, etc)
- A CI/CD platform that runs on any cloud.
- Supports Linux, Windows and MacOS
- Supports Node.js, Python, Java, PHP, Ruby, C/C++, .NET, Android, and iOS
GitHub Actions Configuration
Want to check your projects for free?
Integrating Static Code Analysis
What is SAST?
Static program analysis is the analysis of computer software that is performed without actually executing programs, in contrast with dynamic analysis, which is analysis performed on programs while they are executing.
What to watch for in a SAST tool
- Cloud vs desktop
- Language coverage
- Vulnerabilities covered
- Speed of the tool
- Integrations into your dev and CI tools
- Developer support
- Developer education