DevSecOps

DevSecOps Pitfalls

Despite marketing claims, most Software Security automation tools don’t deliver results as advertised.

Dynamic security scanners, static security code analysis tools, and web app firewalls lack the human context awareness necessary to be effective.

Generally, a Software Security intern with 3 months of training can find many more true-positive vulnerabilities than the world's best security scanners – and at far lower cost as well.

DevSecOps Automation that works

At SoftSeq, we recognize both the shortcomings and the advantages of Security Automation, and only offer solutions that truly bring value.

Our purpose-built tools, together with free and open-source software tools, all custom-configured for your product, free your budget from expensive license fees while delivering real results.

Tailored automation

  • Dynamic Security Regression Testing
  • Static Security Regression Testing
  • 3rd-party Component Security
  • Cloud Security Patch Management

Dynamic Security Regression Testing

Security Regression testing verifies that previously found and fixed vulnerabilities don’t get re-introduced in the future.

One of the most effective types of automation, it requires Security Engineers to:

  • integrate SoftSeq’s Regression Testing Framework with the customer’s CI/CD stack
  • find a vulnerability
  • write exploit code that re-creates the manual steps the Security Engineer took
  • link the exploit to SoftSeq’s Regression Testing Framework

Security regressions happen often, mostly because of code refactoring, roll-backs, feature changes, 3rd-party component changes, or naive optimization removing security safeguards.

From our experience, with 120 regression-tested security vulnerabilities, between 5 and 10 issues reappear monthly.
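As an added illustration of the procedure above (this is example code, not SoftSeq’s Regression Testing Framework), the harness below registers each previously fixed vulnerability as a reproduction routine that returns True when the bug is present again, and the CI step fails if any routine reproduces. The tiny application code, the ticket identifiers HYPO-1 and HYPO-2, and the "naive optimization" that drops the fix are all hypothetical.

```python
"""Added example (not SoftSeq's framework): a minimal security regression
harness. Each fixed vulnerability is a reproduction routine returning True
when the bug is back; the CI gate fails if any routine reproduces."""
import os
from dataclasses import dataclass
from html import escape
from pathlib import PurePosixPath
from typing import Callable, List

# --- hypothetical application code under test ---------------------------

def render_greeting(name: str) -> str:
    """Fixed in hypothetical ticket HYPO-1: user input is now HTML-escaped."""
    return f"<p>Hello, {escape(name)}</p>"

STATIC_ROOT = PurePosixPath("/srv/app/static")

def resolve_static(relative: str) -> PurePosixPath:
    """Fixed in hypothetical ticket HYPO-2: reject paths leaving STATIC_ROOT."""
    candidate = PurePosixPath(relative)
    if candidate.is_absolute() or ".." in candidate.parts:
        raise ValueError("path escapes static root")
    return STATIC_ROOT / candidate

# --- regression harness --------------------------------------------------

@dataclass
class RegressionCheck:
    ticket: str                      # identifier of the originally fixed issue
    description: str
    reproduces: Callable[[], bool]   # True means the vulnerability is back

def xss_reproduces() -> bool:
    # Replays the original finding: a script tag in the name parameter
    # comes back unescaped only if the fix has been lost.
    payload = "<script>alert(1)</script>"
    return payload in render_greeting(payload)

def traversal_reproduces() -> bool:
    # Replays the original finding: a relative path walking out of the root.
    try:
        resolved = resolve_static("../../etc/passwd")
    except ValueError:
        return False                 # fix still in place
    normalized = os.path.normpath(str(resolved))
    return not normalized.startswith(str(STATIC_ROOT) + "/")

REGISTRY: List[RegressionCheck] = [
    RegressionCheck("HYPO-1", "reflected XSS in greeting", xss_reproduces),
    RegressionCheck("HYPO-2", "path traversal in static handler", traversal_reproduces),
]

def run_regressions(checks: List[RegressionCheck] = REGISTRY) -> List[str]:
    """Return the tickets whose vulnerability has reappeared (empty = pass)."""
    return [c.ticket for c in checks if c.reproduces()]

def ci_gate(checks: List[RegressionCheck] = REGISTRY) -> int:
    """Exit code for the CI step: 0 when nothing regressed, 1 otherwise."""
    regressed = run_regressions(checks)
    for ticket in regressed:
        print(f"SECURITY REGRESSION: {ticket} reproduces again")
    return 1 if regressed else 0

# --- what a regression looks like ----------------------------------------

def regressed_render(name: str) -> str:
    """Constructed 'naive optimization' that dropped the escape() call."""
    return f"<p>Hello, {name}</p>"

def demo_regression() -> List[str]:
    """Run the HYPO-1 check against the regressed renderer: it is caught."""
    check = RegressionCheck(
        "HYPO-1", "reflected XSS in greeting",
        lambda: "<script>" in regressed_render("<script>alert(1)</script>"))
    return run_regressions([check])

if __name__ == "__main__":
    raise SystemExit(ci_gate())
```

The reproduction routines test the vulnerable behaviour itself (unescaped output, a resolved path outside the root) rather than the shape of the fix, so a later refactoring that fixes the issue differently still passes while one that silently reopens it fails the build.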

Static Security Regression Testing

Unlike its dynamic sibling, Static Security Regression testing relies on a Static Code Analysis engine to search the application’s code for signs of security vulnerabilities according to predefined security rules.

Static Security Regression Testing requires Security Engineers to:

  • set up Static Code Analysis tools and integrate them with the CI/CD stack for nightly re-testing
  • find vulnerabilities
  • write generic code-checking security rules, able to spot similar patterns in other parts of the app
  • analyze the new rule’s findings, separating false positives from true positives

Compared to Dynamic Security Regression Testing, its “pros” are:

  • the ability to identify similar issues anywhere in the code, not only the single issue that is regression-tested

and “cons” are:

  • relative fragility in response to code refactoring and 3rd-party component changes
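As an added example of a generic code-checking rule like the ones described above (this is not SoftSeq’s or SonarQube’s rule engine), the scanner below is written against Python’s standard `ast` module. The rule flags `execute()` / `executemany()` calls whose query argument is assembled by string formatting, wherever that pattern occurs in the code base. The sample application source is constructed for the demonstration, and its last function shows the fragility noted above: once a refactoring moves the formatting into a helper, the rule no longer sees it.

```python
"""Added example (not SoftSeq's or SonarQube's rule): a generic static rule
over Python's ast that flags database execute() calls receiving a query
built by runtime string formatting. Sample source is constructed."""
import ast
from typing import List, Tuple

Finding = Tuple[int, str]   # (line number in the scanned source, message)

def _is_formatted_string(node: ast.AST) -> bool:
    """True when the expression builds a string at runtime from parts."""
    if isinstance(node, ast.JoinedStr):                       # f"..."
        return True
    if isinstance(node, ast.BinOp) and isinstance(node.op, (ast.Add, ast.Mod)):
        return True                                           # "a" + x, "a %s" % x
    if isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute):
        return node.func.attr == "format"                     # "...".format(x)
    return False

class FormattedQueryRule(ast.NodeVisitor):
    """Rule: execute()/executemany() must not receive a formatted query."""
    TARGETS = ("execute", "executemany")

    def __init__(self) -> None:
        self.findings: List[Finding] = []

    def visit_Call(self, node: ast.Call) -> None:
        func = node.func
        if (isinstance(func, ast.Attribute) and func.attr in self.TARGETS
                and node.args and _is_formatted_string(node.args[0])):
            self.findings.append(
                (node.lineno, f"query built by string formatting passed to {func.attr}()"))
        self.generic_visit(node)          # keep walking nested calls

def scan_source(source: str) -> List[Finding]:
    """Apply the rule to one module's source text."""
    rule = FormattedQueryRule()
    rule.visit(ast.parse(source))
    return sorted(rule.findings)

# Constructed sample application: the original finding, a similar issue in
# another module-level function, a parameterised (safe) call, and a
# refactoring that hides the formatting from the rule.
SAMPLE_APP = '''\
def find_user(cur, name):
    cur.execute("SELECT * FROM users WHERE name = '%s'" % name)

def list_orders(cur, user_id):
    cur.execute(f"SELECT * FROM orders WHERE user_id = {user_id}")

def safe_lookup(cur, email):
    cur.execute("SELECT * FROM users WHERE email = %s", (email,))

def refactored(cur, name):
    query = build_query(name)
    cur.execute(query)
'''

def scan_sample() -> List[int]:
    """Line numbers the rule reports for SAMPLE_APP."""
    return [line for line, _ in scan_source(SAMPLE_APP)]

if __name__ == "__main__":
    for line, message in scan_source(SAMPLE_APP):
        print(f"line {line}: {message}")
```

Running it reports lines 2 and 5: the original finding and the similar pattern elsewhere in the app, which is the "pro" of the static approach. The parameterised call on line 8 is correctly left alone, and the refactored version on line 12 is missed because the rule only inspects the literal argument shape, which is the "con": the rule has to be revisited whenever the surrounding code changes form.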

3rd-party Component Security

While prohibitively labor-intensive to perform manually, since a typical web app relies on hundreds of 3rd-party libraries, it is an important aspect of Software Security – as Equifax and its customers learned the hard way.

We use the OWASP Dependency Check solution, as well as custom-built tools, fitting projects developed with any language or framework.

Component security checking is performed against databases of known-vulnerable component versions, running daily to raise a timely alert.

Cloud Security Patch Management

Just as an app directly uses hundreds of 3rd-party components, the numerous servers in the cloud run hundreds of stand-alone programs.

Verifying that all of them have the latest security patches applied, keeping your production environment free of security holes, is essential.

Once an aspect of Network Security, with the rapidly growing number of Internet-facing applications it has become one of the most important areas to secure.
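Both the 3rd-party Component Security and the Cloud Security Patch Management sections above come down to the same comparison: an inventory of component versions checked against a database of known-vulnerable version ranges. The added example below shows that step for both an application dependency manifest and a server package inventory. It is illustrative code, not OWASP Dependency Check, OpenVAS or SoftSeq’s tooling; the advisory database, the component names, both inventories and the ADV-EXAMPLE ids are constructed placeholders, and versions are assumed to have a dotted numeric core.

```python
"""Added example (not OWASP Dependency Check, OpenVAS or SoftSeq's tooling):
match an inventory of component versions against known-vulnerable version
ranges. Advisories, component names and inventories are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

Version = Tuple[int, ...]
Hit = Tuple[str, str, str, str]   # (component, installed, advisory id, fixed in)

def parse_version(text: str) -> Version:
    """Parse a dotted numeric version such as "2.4.51". A distribution
    suffix like "-3" or "+build1" is ignored (assumption of this example)."""
    core = text.split("-", 1)[0].split("+", 1)[0]
    return tuple(int(part) for part in core.split("."))

@dataclass(frozen=True)
class Advisory:
    advisory_id: str      # placeholder id, not a real CVE number
    component: str
    first_affected: str   # inclusive lower bound
    fixed_in: str         # exclusive: this version and later are patched

    def affects(self, version: str) -> bool:
        v = parse_version(version)
        return parse_version(self.first_affected) <= v < parse_version(self.fixed_in)

ADVISORIES: List[Advisory] = [   # constructed vulnerability database
    Advisory("ADV-EXAMPLE-1", "json-parser", "1.0.0", "1.4.2"),
    Advisory("ADV-EXAMPLE-2", "json-parser", "2.0.0", "2.1.0"),
    Advisory("ADV-EXAMPLE-3", "web-server", "2.4.0", "2.4.52"),
]

def parse_manifest(text: str) -> Dict[str, str]:
    """Read 'name==version' lines (an app dependency manifest) or
    'name version' lines (a server package inventory); '#' starts a comment."""
    inventory: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        name, version = line.split("==", 1) if "==" in line else line.split(None, 1)
        inventory[name.strip()] = version.strip()
    return inventory

def check_inventory(inventory: Dict[str, str],
                    advisories: List[Advisory] = ADVISORIES) -> List[Hit]:
    """Return one hit per advisory whose range covers the installed version."""
    hits: List[Hit] = []
    for adv in advisories:
        installed = inventory.get(adv.component)
        if installed is not None and adv.affects(installed):
            hits.append((adv.component, installed, adv.advisory_id, adv.fixed_in))
    return hits

APP_MANIFEST = """\
# constructed dependency manifest of a hypothetical web app
json-parser==1.3.0
template-lib==4.1.0
"""

SERVER_INVENTORY = """\
# constructed package inventory of a hypothetical cloud host
web-server 2.4.51-3
remote-shell 9.3
json-parser 1.4.2
"""

def check_app() -> List[Hit]:
    return check_inventory(parse_manifest(APP_MANIFEST))

def check_server() -> List[Hit]:
    return check_inventory(parse_manifest(SERVER_INVENTORY))

if __name__ == "__main__":
    for source, hits in (("app", check_app()), ("server", check_server())):
        for component, installed, adv_id, fixed_in in hits:
            print(f"[{source}] {component} {installed}: {adv_id}, upgrade to {fixed_in}")
```

The same `check_inventory` call serves both inputs, which is the point: a daily job that re-reads the manifest and the host inventory against a freshly downloaded advisory feed turns patch status into a timely alert rather than a periodic audit. The exclusive `fixed_in` bound matters in practice; the server's json-parser 1.4.2 is exactly the patched release and correctly produces no hit.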

FAQ

  • What software exactly do you use?

    Aside from our own, custom automation solutions, we use

    • OWASP Dependency Check for 3rd party software component security verification
    • SonarQube for Static Code Analysis
    • OpenVAS for Patch Management
  • What if we've already purchased a license for a security tool, and we like it?

    We can integrate with it.

    We’re not biased against any vendors, but the efficiency of certain classes of automated Software Security solutions is overstated.

    Upon request, we can do an efficiency study for currently deployed solutions, identifying KPIs, and calculating value per dollar the current solution delivers so it can be put into perspective.

  • Can you suggest a good web application security scanner?

    No.

    Unfortunately, from our experience, web application security scanners don’t work. Due to a lack of human context awareness, they can barely scratch the attack surface of a web application.

    Extremely low numbers of true-positive findings make the cost per vulnerability detected unjustifiably high.

Have questions?

We have answers. Write us at security@softseq.com
