...
How to test security (as part of CI/CD)?
Test Type | Description | Example Tools | LF Provided Tools |
---|---|---|---|
Static Application Security Testing (SAST) | Detects vulnerabilities in the code written by the project team. Some SAST tools provide autofix capabilities. | Snyk Veracode SonarCloud | Snyk |
Software Composition Analysis (SCA) | Detects known CVEs in third party package used by the project team in their code. | Sonatype NexusIQ Veracode Mend | NexusIQ (ONAP only) Snyk |
Dynamic Application Security Testing (DAST) | Detects vulnerabilities in a running application by simulating attacks to all interfaces and examining its running state, and its responses to the simulated attacks. Requires the project team to create a traffic file that can be replayed in the pipeline. | AppScan | ?? |
Container Scanning | Detects vulnerabilities in container base images and open source dependencies used in base images and Dockerfile commands. Some products include autofix capabilities. | Snyk Aqua/Trivy JFrog Xray StackRox | Snyk |
Code Coverage Testing | Verifies and validates code quality by evaluating the amount of code executed by automated tests. | SonarCloud | ?? |
Code Quality | Measures the quality of the code produced by the project team. Code quality measures include maintainability, clarity, testability, portability, robustness, reusability, complexity, safety and security. Never hardcode secrets in code. | SonarCloud | ?? |
How to manage dependencies?
- Direct dependencies are straightforward.
- Upgrade direct dependencies to the latest supported version with each release.
- Prioritize upgrading direct dependencies with effective vulnerabilities.
- An effective vulnerability is one that can be executed by the application containing it.
- Not all vulnerabilities in a package are in code that is used by the application.
- Prioritize upgrading direct dependencies on deprecated versions.
- Prioritize upgrading direct dependencies containing vulnerable dependencies.
- Dependencies with zero-day critical vulnerabilities may require upgrades and emergency releases. A good example is Log4J
- Transitive dependencies are more difficult.
- May be resolved by upgrading to a newer version of the direct dependency containing it.
- Some transitive dependencies can be upgraded independent, but this requires more testing.
- In some cases
- How to automate the mitigation?
- Some container scanning tools can automatically upgrade open source dependencies used in container base images