In this article, we will look at some of the security tools that you can add to the testing stage of your CI/CD pipeline in order to detect flaws early, before a build reaches production. All of the tools listed are open source or free to use.
Why is it important to have security tools within your CI/CD process?
In a Secure Software Development Lifecycle (SSDLC), one of the core principles is that security vulnerabilities should be identified as early as possible in the development process. Applying this principle saves a lot of money, because finding and fixing an issue during development is far cheaper than fixing it once it is already in production.
It also gives you assurance that the project you ship has passed a defined set of security checks before deployment.
The tools presented in this blog post will allow you to detect the following classes of issues:
- Secrets Hardcoded within the Code
- Vulnerable Versions of Dependencies
- Security Vulnerabilities within the Code (SAST)
- Security Vulnerabilities at Runtime (DAST)
- Mobile Security Checks
- TLS/SSL Security Auditing
Identifying Secrets Hardcoded within the Code
Your project should not contain any hardcoded secrets, such as passwords, private keys, PII, and similar sensitive values. You can use Whispers to scan the entire project for anything of that kind.
Source: https://github.com/Skyscanner/whispers
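To show what a secret scanner such as Whispers actually does under the hood, here is an added example (not Whispers' own code, and far smaller than its rule set): a detector that combines fixed patterns for well-known secret formats with a Shannon-entropy heuristic for opaque tokens, plus a placeholder allowlist so that `${DB_PASSWORD}` or `changeme` do not fail the build. The rules, thresholds and the sample config file are constructed for this example.

```python
"""Minimal hardcoded-secret detector: pattern rules plus a Shannon-entropy check.

Added example, not Whispers' own code. The rule set, the placeholder list and the
entropy threshold are assumptions for illustration; real scanners ship hundreds of
rules and tune thresholds per alphabet (hex vs base64).
"""
import math
import re
import sys
from collections import Counter

RULES = {
    # AWS access key IDs have a fixed prefix and a fixed length.
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    # PEM private key header, regardless of key type.
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    # key: value / key = value where the key name suggests a credential;
    # group 1 captures the value (at least 6 non-space, non-quote characters).
    "credential_assignment": re.compile(
        r"(?i)(?:password|passwd|secret|api[_-]?key|token)\s*[:=]\s*['\"]?([^'\"\s,]{6,})"
    ),
}

# Values that match a rule but are clearly not real secrets.
PLACEHOLDERS = {"changeme", "<password>", "example", "xxxxxxxx", "redacted"}

# Candidate opaque tokens for the entropy check: 20+ chars from a hex/base64-like alphabet.
TOKEN_RE = re.compile(r"[A-Za-z0-9+/=_\-]{20,}")


def shannon_entropy(s):
    """Bits per character: 0.0 for a constant string, log2(N) for N uniformly used symbols."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def is_placeholder(value):
    """Skip template variables and well-known dummy values."""
    return value.lower() in PLACEHOLDERS or value.startswith("${") or value.startswith("{{")


def scan_text(text, path="<memory>", entropy_threshold=3.5):
    """Return a list of findings (rule, file, line, value) for one file's contents."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        matched = False
        for rule, pattern in RULES.items():
            m = pattern.search(line)
            if not m:
                continue
            value = m.group(1) if m.lastindex else m.group(0)
            if is_placeholder(value):
                continue
            findings.append({"rule": rule, "file": path, "line": lineno, "value": value})
            matched = True
        if matched:
            continue
        # Fallback for lines no rule recognised: long tokens that look random.
        for token in TOKEN_RE.findall(line):
            if shannon_entropy(token) >= entropy_threshold:
                findings.append({"rule": "high_entropy_string", "file": path,
                                 "line": lineno, "value": token})
    return findings


# Constructed sample config; the AWS key is the documentation placeholder, the rest is made up.
SAMPLE_CONFIG = """\
# constructed sample config for the example
db:
  host: db.internal
  password: ${DB_PASSWORD}
  admin_password: Tr0ub4dor&3xyz
aws:
  access_key_id: AKIAIOSFODNN7EXAMPLE
api:
  token: changeme
  session_secret: 9f8e7d6c5b4a39281706f5e4d3c2b1a0
  cookie_salt: 0f1e2d3c4b5a69788796a5b4c3d2e1f0
"""

if __name__ == "__main__":
    results = scan_text(SAMPLE_CONFIG, "config.yml")
    for f in results:
        # Never echo the whole secret into CI logs; a prefix is enough to locate it.
        print(f"{f['file']}:{f['line']} [{f['rule']}] {f['value'][:4]}...")
    sys.exit(1 if results else 0)  # non-zero exit fails the pipeline step
```

Run against the sample, the detector reports the admin password, the AWS key ID and the session secret via rules, and the cookie salt via entropy, while the templated password and the `changeme` token are ignored. Note that the script prints only a prefix of each value: a scanner that copies secrets into build logs just moves the leak.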
Checking Vulnerable Versions of Dependencies
Attackers may exploit known vulnerabilities in the third-party libraries, modules, or frameworks that your project depends on. To catch vulnerable versions before they ship, you can use a tool like OWASP Dependency-Check, which identifies your dependencies and matches them against public vulnerability databases.
Source: https://github.com/jeremylong/DependencyCheck/
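Running the scanner is only half of the job; the pipeline also has to fail on what it finds. The following added example (not part of Dependency-Check) is a build gate over the tool's JSON report: it blocks when any dependency carries a vulnerability at or above a CVSS threshold, unless the CVE is on a time-limited accepted-risk list, so that a risk acceptance cannot silently become permanent. The report layout it reads (`dependencies` -> `vulnerabilities` -> `cvssv3.baseScore`, `cvssv2.score`, `severity`) is assumed from the tool's JSON output and should be checked against a report from your own version; the sample report and CVE identifiers are constructed, not real records. The same gating pattern applies to the other scanners' reports.

```python
"""Build gate for an OWASP Dependency-Check JSON report.

Added example, not part of Dependency-Check itself. The report structure used here
is an assumption about the tool's JSON report format; the sample data is constructed.
"""
import json
import sys
from datetime import date

# Fallback when a record carries a severity label but no numeric score.
SEVERITY_SCORE = {"CRITICAL": 9.0, "HIGH": 7.0, "MEDIUM": 4.0, "MODERATE": 4.0, "LOW": 1.0}


def cvss_score(vuln):
    """Prefer the CVSS v3 base score, fall back to v2, then to the severity label."""
    v3 = vuln.get("cvssv3") or {}
    if v3.get("baseScore") is not None:
        return float(v3["baseScore"])
    v2 = vuln.get("cvssv2") or {}
    if v2.get("score") is not None:
        return float(v2["score"])
    return SEVERITY_SCORE.get(str(vuln.get("severity", "")).upper(), 0.0)


def evaluate(report, threshold=7.0, accepted=None, today=None):
    """Return the findings that should block the build, highest score first.

    accepted maps a CVE id to the ISO date until which the risk is accepted;
    an expired acceptance no longer suppresses the finding.
    """
    accepted = accepted or {}
    if today is None:
        today = date.today()
    elif isinstance(today, str):
        today = date.fromisoformat(today)
    blocking = []
    for dep in report.get("dependencies", []):
        for vuln in dep.get("vulnerabilities") or []:  # clean dependencies have no list
            score = cvss_score(vuln)
            if score < threshold:
                continue
            until = accepted.get(vuln["name"])
            if until and date.fromisoformat(until) >= today:
                continue  # formally accepted and the acceptance is still valid
            blocking.append({"dependency": dep.get("fileName"), "cve": vuln["name"],
                             "score": score, "severity": vuln.get("severity")})
    return sorted(blocking, key=lambda b: (-b["score"], b["cve"]))


def load_report(path):
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


# Constructed sample report and accepted-risk list (CVE ids and jar names are not real records).
SAMPLE_REPORT = {
    "reportSchema": "1.1",
    "dependencies": [
        {"fileName": "example-core-1.4.jar", "vulnerabilities": [
            {"name": "CVE-2023-10001", "severity": "CRITICAL", "cvssv3": {"baseScore": 9.8}}]},
        {"fileName": "example-json-2.0.jar", "vulnerabilities": [
            {"name": "CVE-2023-10002", "severity": "HIGH", "cvssv3": {"baseScore": 7.5}}]},
        {"fileName": "example-util-3.1.jar", "vulnerabilities": [
            {"name": "CVE-2023-10003", "severity": "LOW", "cvssv3": {"baseScore": 3.3}}]},
        {"fileName": "example-logging-1.0.jar"},
        {"fileName": "example-legacy-0.9.jar", "vulnerabilities": [
            {"name": "CVE-2023-10004", "severity": "HIGH", "cvssv2": {"score": 7.8}},
            {"name": "CVE-2023-10005", "severity": "HIGH", "cvssv3": {"baseScore": 8.1}}]},
    ],
}
ACCEPTED_RISKS = {
    "CVE-2023-10002": "2099-12-31",  # accepted and still valid
    "CVE-2023-10005": "2023-01-31",  # acceptance expired, so it blocks again
}

if __name__ == "__main__":
    report = load_report(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_REPORT
    blocking = evaluate(report, threshold=7.0, accepted=ACCEPTED_RISKS)
    for b in blocking:
        print(f"BLOCK {b['cve']} (CVSS {b['score']}) in {b['dependency']}")
    sys.exit(1 if blocking else 0)  # non-zero exit fails the pipeline step
```

Pass the path of the generated report as the first argument (`python gate.py dependency-check-report.json`). On the sample data the gate blocks on the critical finding, on the one whose acceptance has expired, and on the one that only has a CVSS v2 score, while the still-accepted HIGH and the LOW pass.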
Identifying Security Vulnerabilities within the Code (SAST)
Static Application Security Testing (SAST) runs automated checks against the source code in order to find potential security vulnerabilities without executing the application. We would recommend SonarQube Community Edition, as it covers most popular programming languages and runs efficiently enough to be part of every build.
Source: https://www.sonarqube.org/downloads/
Discovering Security Vulnerabilities at Runtime (DAST)
Dynamic Application Security Testing (DAST) runs automated checks against the application while it is running, for example against a test deployment. Because each finding is observed against live behaviour, DAST results are far less prone to false positives than static analysis. For that purpose, you can use a fully customizable, template-based scanner such as Nuclei.
Source: https://github.com/projectdiscovery/nuclei
Uncovering Mobile Security Flaws (Android & iOS)
If you want to check the overall security posture of your mobile project, you can rely on the Mobile Security Framework (MobSF). It provides a full set of scanning methods, including source code analysis, hardening checks, secret detection, and more, and it can scan both Android and iOS packages.
Source: https://github.com/MobSF/Mobile-Security-Framework-MobSF
TLS/SSL Security Auditing
Does your project use TLS/SSL to encrypt communications between its components? If so, you should make sure that the configuration cannot be broken or abused by attackers: obsolete protocol versions and weak cipher suites are the most common mistakes. You can check the security of your TLS/SSL configuration with a tool such as SSLScan.
Source: https://github.com/rbsec/sslscan
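A scan is only useful in a pipeline if it is compared against a policy. The added example below (not part of sslscan) audits the XML report that `sslscan --xml=<file>` writes and fails when an obsolete protocol is enabled, an accepted cipher suite is weak or lacks forward secrecy, or the host is flagged for Heartbleed. The element and attribute names it reads (`<ssltest host port>`, `<protocol type version enabled>`, `<cipher status sslversion bits cipher>`, `<heartbleed vulnerable>`) are assumed from sslscan's XML output and should be checked against a real report; both XML documents below are constructed, one with a weak configuration and one with the hardened equivalent.

```python
"""Policy check over an sslscan XML report.

Added example, not part of sslscan. The XML element and attribute names are an
assumption about sslscan's --xml output; both sample documents are constructed.
"""
import sys
import xml.etree.ElementTree as ET

ALLOWED_PROTOCOLS = {("tls", "1.2"), ("tls", "1.3")}
# Substrings that mark a suite as unacceptable in OpenSSL cipher naming.
WEAK_MARKERS = ("NULL", "EXP", "RC4", "DES", "MD5", "ADH", "AECDH", "anon")
MIN_BITS = 128


def cipher_problems(elem):
    """Return the reasons a <cipher> element violates policy (empty list if it is fine)."""
    name = elem.get("cipher", "")
    reasons = []
    bits = int(elem.get("bits") or 0)
    if bits < MIN_BITS:
        reasons.append(f"{bits}-bit key below {MIN_BITS}")
    for marker in WEAK_MARKERS:
        if marker in name:
            reasons.append(f"weak primitive ({marker})")
    # TLS 1.3 suites always use an ephemeral key exchange; for TLS 1.2 require (EC)DHE.
    if elem.get("sslversion") != "TLSv1.3" and not name.startswith(("ECDHE-", "DHE-")):
        reasons.append("no forward secrecy")
    return reasons


def audit_sslscan_xml(xml_text):
    """Return a list of policy findings for every <ssltest> in the report."""
    findings = []
    for test in ET.fromstring(xml_text).iter("ssltest"):
        host = f"{test.get('host')}:{test.get('port')}"
        for proto in test.findall("protocol"):
            key = (proto.get("type"), proto.get("version"))
            if proto.get("enabled") == "1" and key not in ALLOWED_PROTOCOLS:
                findings.append({"host": host, "kind": "protocol", "subject": f"{key[0]}{key[1]}",
                                 "reasons": ["obsolete protocol enabled"]})
        for cipher in test.findall("cipher"):
            if cipher.get("status") not in ("accepted", "preferred"):
                continue  # rejected suites are not a problem
            reasons = cipher_problems(cipher)
            if reasons:
                findings.append({"host": host, "kind": "cipher",
                                 "subject": cipher.get("cipher"), "reasons": reasons})
        for hb in test.findall("heartbleed"):
            if hb.get("vulnerable") == "1":
                findings.append({"host": host, "kind": "heartbleed", "subject": hb.get("sslversion"),
                                 "reasons": ["Heartbleed (CVE-2014-0160)"]})
    return findings


# Constructed report: legacy protocols and a 3DES suite still enabled.
WEAK_XML = """<document title="SSLScan Results">
 <ssltest host="app.example.internal" sniname="app.example.internal" port="443">
  <protocol type="ssl" version="2" enabled="0" />
  <protocol type="ssl" version="3" enabled="0" />
  <protocol type="tls" version="1.0" enabled="1" />
  <protocol type="tls" version="1.1" enabled="1" />
  <protocol type="tls" version="1.2" enabled="1" />
  <protocol type="tls" version="1.3" enabled="1" />
  <heartbleed sslversion="TLSv1.2" vulnerable="0" />
  <cipher status="accepted" sslversion="TLSv1.2" bits="112" cipher="DES-CBC3-SHA" id="0x000A" />
  <cipher status="accepted" sslversion="TLSv1.2" bits="128" cipher="ECDHE-RSA-AES128-GCM-SHA256" id="0xC02F" />
  <cipher status="preferred" sslversion="TLSv1.3" bits="256" cipher="TLS_AES_256_GCM_SHA384" id="0x1302" />
 </ssltest>
</document>"""

# Constructed report for the same host after hardening: TLS 1.2/1.3 only, AEAD suites with (EC)DHE.
HARDENED_XML = """<document title="SSLScan Results">
 <ssltest host="app.example.internal" sniname="app.example.internal" port="443">
  <protocol type="tls" version="1.0" enabled="0" />
  <protocol type="tls" version="1.1" enabled="0" />
  <protocol type="tls" version="1.2" enabled="1" />
  <protocol type="tls" version="1.3" enabled="1" />
  <heartbleed sslversion="TLSv1.2" vulnerable="0" />
  <cipher status="accepted" sslversion="TLSv1.2" bits="256" cipher="ECDHE-RSA-CHACHA20-POLY1305" id="0xCCA8" />
  <cipher status="preferred" sslversion="TLSv1.3" bits="256" cipher="TLS_AES_256_GCM_SHA384" id="0x1302" />
 </ssltest>
</document>"""

if __name__ == "__main__":
    xml_text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else WEAK_XML
    findings = audit_sslscan_xml(xml_text)
    for f in findings:
        print(f"{f['host']} {f['kind']} {f['subject']}: {'; '.join(f['reasons'])}")
    sys.exit(1 if findings else 0)  # non-zero exit fails the pipeline step
```

On the weak report the check flags TLS 1.0 and TLS 1.1 as enabled and rejects DES-CBC3-SHA on three counts (112-bit key, 3DES, no forward secrecy); the hardened report produces no findings. Keep the allowed-protocol and marker lists under version control with the pipeline, so that a policy change is reviewed like any other code change.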
All of the tools presented above are open source and can be added to your project's testing routine. Most of them have integrations for well-known CI/CD platforms.