Functional testing has gone through a paradigm shift: from an afterthought in the waterfall model to an Agile practice in which the shift-left process moves testing as early, and runs it as often, as possible. We strive to get feedback early, often and continuously. Application security, however, has mostly remained an afterthought, still waiting for a 'vulnerability assessment' and a 'penetration test' towards the end of the application life cycle, just before release.
Including security as a part of your DevOps process is a revolutionary shift, and it carries three main aspects: culture, process, and tools.
In this talk, we will focus on the 'tools' aspect, especially in a CI/CD pipeline, and demonstrate setting up a build pipeline with the ideal layers at which security testing should be added. There are vast open communities which strive towards bringing security to everyone's hands, and thus make the digital space safe. Thanks to them, and to the ever-growing need for defensive security, there are a lot of tools available which a developer or QA engineer can put in their pipelines to get appropriate feedback. I will share my experience in analyzing the diverse sets of such tools, what they do, why they are important, and which parameters you should use to choose the right tool for your project.
The categories we will cover include SAST, DAST, dependency checking, container scanning, and secret scanning.
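As an added illustration of the "layers" idea, not material from the talk itself, the following GitLab CI pipeline places the five scan categories at the earliest stage where each has the input it needs: secret scanning, SAST and dependency checking need only the source tree, container scanning needs the built image, and DAST needs a deployed instance. The `./ci/*.sh` wrapper scripts and the `STAGING_URL` variable are hypothetical placeholders standing in for whichever scanner and environment a project actually uses; the `stages`, `artifacts.reports.sast`, `allow_failure` keys and the `CI_REGISTRY_IMAGE` / `CI_COMMIT_SHA` variables are standard GitLab CI.

```yaml
# Added example (not from the talk): security scans as ordered CI stages.
# Every ./ci/*.sh script is a hypothetical wrapper around a real scanner.
stages:
  - pre-build      # cheap, source-only checks: fail fast before anything is built
  - build
  - post-build     # checks that need the built artifact or image
  - deploy-staging
  - dynamic        # checks that need a running application

secret-scan:
  stage: pre-build
  script:
    # hypothetical: scan the working tree and git history for committed credentials
    - ./ci/secret-scan.sh .
  # A leaked credential is a hard blocker regardless of any severity score.

sast:
  stage: pre-build
  script:
    # hypothetical: static analysis of first-party source, failing on high findings
    - ./ci/sast.sh --fail-on high .
  artifacts:
    reports:
      sast: sast-report.json     # lets GitLab surface findings on the merge request

dependency-check:
  stage: pre-build
  script:
    # hypothetical: compare lockfile versions against a vulnerability database
    - ./ci/dependency-scan.sh .

build-image:
  stage: build
  script:
    - docker build -t "$CI_REGISTRY_IMAGE:$CI_COMMIT_SHA" .
    - docker push "$CI_REGISTRY_IMAGE:$CI_COMMIT_SHA"

container-scan:
  stage: post-build
  script:
    # hypothetical: base-image and OS-package CVEs in the image just built
    - ./ci/container-scan.sh "$CI_REGISTRY_IMAGE:$CI_COMMIT_SHA"

deploy-staging:
  stage: deploy-staging
  script:
    # hypothetical: roll the scanned image out to a non-production environment
    - ./ci/deploy.sh staging "$CI_REGISTRY_IMAGE:$CI_COMMIT_SHA"

dast:
  stage: dynamic
  script:
    # hypothetical: black-box scan of the running staging instance
    - ./ci/dast.sh "$STAGING_URL"
  # Reported but not blocking until the finding baseline is clean; tighten later.
  allow_failure: true
```

The ordering is driven by cost and prerequisites rather than by importance: the source-only checks run on every commit and block the build within minutes, the container scan runs once per image, and DAST runs last because it is the slowest and depends on a healthy deployment. Gating policy is set per job (`allow_failure`) so that a noisy scanner can be introduced in report-only mode and promoted to blocking once its baseline has been triaged.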