Dynamic Security Regression Testing
Security Regression testing verifies that previously found and fixed vulnerabilities don’t get re-introduced in the future.
One of the most effective types of automation, it requires Security Engineers to:
- integrate SoftSeq’s Regression Testing Framework with the customer’s CI/CD stack
- find a vulnerability
- write exploit code to re-create the manual steps the Security Engineer took
- link the exploit to SoftSeq’s Regression Testing Framework
Security regressions happen often, mostly because of code refactoring, roll-backs, feature changes, 3rd-party component changes, or naive optimization removing security safeguards.
In our experience, with 120 regression-tested security vulnerabilities, between 5 and 10 issues reappear monthly.
Static Security Regression Testing
Unlike its dynamic sibling, Static Security Regression Testing relies on a Static Code Analysis engine to search the application’s code for signs of security vulnerabilities according to predefined security rules.
Static Security Regression Testing requires Security Engineers to:
- set up Static Code Analysis tools and integrate them with the CI/CD stack for nightly re-testing
- find vulnerabilities
- write generic code-checking security rules, able to spot similar patterns in other parts of the app
- analyze the new rule’s findings, sorting false-positive from true-positive issues
Compared to Dynamic Security Regression Testing, its “pros” are:
- ability to identify similar issues anywhere in the code, not just the single issue that’s regression-tested
and “cons” are:
- relative fragility in response to code refactoring and 3rd-party component changes.
3rd-party Component Security
While prohibitively labor-intensive to perform manually, with hundreds of 3rd-party libraries relied upon by a typical web app, it’s an important aspect of Software Security – as Equifax and its customers learned the hard way.
We utilize the OWASP dependency-checking solution, as well as custom-built tools, fitting projects developed with any language or framework.
Component security checking is performed against databases of known-vulnerable component versions, running daily to raise a timely alert.
Cloud Security Patch Management
As with the hundreds of 3rd-party Components used directly by an app, numerous servers in the cloud run hundreds of stand-alone programs.
Verifying that all of them have the latest security patches applied, keeping your production environment free of security holes, is absolutely integral.
Once an aspect of Network Security, with the rapidly growing number of Internet-facing applications, it has become one of the most important areas to secure.