Versions Compared

Old Version 6

changes.mady.by.user Amy Zwarico

Saved on

compared with

New Version 7

changes.mady.by.user Amy Zwarico

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

How to test security (as part of CI/CD)?

Test TypeDescriptionExample ToolsLF Provided Tools
Static Application Security Testing (SAST)Detects vulnerabilities in the code written by the project team. Some SAST tools provide autofix capabilities.

Snyk

Veracode

SonarCloud

Snyk

Software Composition Analysis (SCA)Detects known CVEs in third party package used by the project team in their code.

Sonatype NexusIQ

Veracode

Mend

NexusIQ (ONAP only)

Snyk

Dynamic Application Security Testing (DAST)

Detects vulnerabilities in a running application by simulating attacks to all interfaces and examining its running state, and its responses to the simulated attacks.

Requires the project team to create a traffic file that can be replayed in the pipeline.

AppScan??
Container Scanning

Detects vulnerabilities in container base images and open source dependencies used in base images and Dockerfile commands.

Some products include autofix capabilities.

Snyk

Aqua/Trivy

JFrog Xray

StackRox

Snyk
Code Coverage Testing

Verifies and validates code quality by evaluating the amount of code executed by automated tests.

SonarCloud??
Code Quality

Measures the quality of the code produced by the project team. Code quality measures include maintainability, clarity, testability, portability, robustness, reusability, complexity, safety and security.

Never hardcode secrets in code.

SonarCloud??

How to manage dependencies?

  • Direct dependencies are straightforward.
    • Upgrade direct dependencies to the latest supported version with each release.
    • Prioritize upgrading direct dependencies with effective vulnerabilities.
      • An effective vulnerability is one that can be executed by the application containing it.
      • Not all vulnerabilities in a package are in code that is used by the application.
    • Prioritize upgrading direct dependencies on deprecated versions.
    • Prioritize upgrading direct dependencies containing vulnerable dependencies.
    • Dependencies with zero-day critical vulnerabilities may require upgrades and emergency releases. A good example is Log4J
  • Transitive dependencies are more difficult.
    • May be resolved by upgrading to a newer version of the direct dependency containing it.
    • Some transitive dependencies can be upgraded independent, but this requires more testing.
    • In some cases 
  • How to automate the mitigation?
    • Some container scanning tools can automatically upgrade open source dependencies used in container base images