Skip to content

SDLC

IaC

Continuous Security within the lifecycle

The lifecycle of Infra as Code and security

Testing

Component Description
SAST (Static Application Security Testing)
  • Run static code analysis on the codebase for known code-level security vulnerabilities
  • Here is a list of scanners from OWASP to choose from, and some other ones
  • Identify specific classes of vulnerabilities you care about most, and start with just those
    • Focus on eliminating false positives and enabling velocity with the goal of only producing real issues that can be directly consumed by a developer themselves
    • Once completed, add one or two more vulnerabilities classes
    • Examples:
      • Rather than trying to start with static analysis for XSS, SQLi, Directory Traversal, Command Execution, etc all at once, pick one (system)
      • Identify use of certain primitives that should initiate a conversation with the security team rather than just be blocked (encryption)
  • Keep dependencies up to date (requires.io)
    • Run automated dependency scanners to check that we are using the latest, most secure version of our code dependencies
    • It can be a pain to keep things up-to-date, but OWASP is a lifesaver
DAST (Dynamic Application Security Testing)
  • Spin up the service and attached resources in a pseudo test mode and point automated penetration bots at the running containers and see what happens
  • If the scanners come back with warnings, then we reject the build
  • A great tool that makes this possible is zaproxy
  • Ensuring that security policies are being enforced (TLS ciphers)
  • Ensuring previous vulnerabilities aren’t accidentally regressed back in to the application (we had an XSS in this parameter before, always check it with this specific payload to ensure the protection didn’t get accidentally rolled back)
IAST (Interactive Application Security Testing) Helpful at the testing and integration phase of your lifecycle, as part of other software or functional testing
RASP (Runtime Application Security Protection) Looks at how the system is used in runtime and prevents actions that are malicious
SCA (Software Composition Analysis) Identifies vulnerabilities in open source software that the system depends on or uses

  1. A Guide to Improving Security Through Infrastructure-as-Code 

  2. Secure development: Bringing security testing into your SDLC