Why Bright

Product

Resources

Blog

Upcoming Events

Webinars

AppSec Championships

Datasheets

Whitepapers

Videos

Success Stories

Docs

Bright Demo

DAST
Guide to DAST (Dynamic Application Security Testing)

Application Security Testing
Your primer for application security testing.

Penetration Testing
We explain the concept of penetration testing.

Vulnerability Management
Comprehensive overview of vulnerability management.

DevSecOps
All the necessary knowledge to get started with DevSecOps

API Security
We take a deeper look into securing & protecting your APIs!

Unit Testing
All you need to know about keys of unit testing & best practices.

Fuzzing
We explore fuzzing and evaluate if it's the next big thing in cybersec.

Company

Partners

Contact

Free Trial Login

Resource Center > Blog

DevSecOps Tooling Best Practices

Publication:

November 27, 2020

Author:

Oliver Moradov

Type:

AppSec Testing

DevOps teams have become successful in releasing code at speed, whether for webapps or APIs, but with the lack of testing automation, are releasing vulnerabilities at speed too.

To achieve DevSecOps, you need to bake security into your rapid-release cycles, requiring the adoption of effective tools and practices, to unify your teams across application development, QA testing, and of course your security teams, under a common DevSecOps methodology.

Below are some key aspects to consider when implementing tooling to your DevSecOps pipelines:

1. ‘Develop’ a Culture of Security…

Not really specific to tooling, but one of the main pillars that is critical to achieving DevSecOps – security culture; once you have management buy-in, it’s about collaboration between your development and security teams, breaking down the silos and creating champions for this change. These champions can serve as the go between that speaks the different languages of the pipeline itself

2. Empowering your teams to scale security testing, at speed

When adopting DevSecOps, you are shifting security testing left, i.e. into the hands of your developers, who need to be the first line of defense, enabling them to detect, prioritise and treat security defects like they do with functional defects, to fix them early.

To do this however, developers need tools they can actually use…not another tool built for security professionals that is going to be disabled and join your other shelfware. For modern development environments, you need a modern DAST with a Dev First security approach, that is simple and intuitive to use where you dont need to be a cyber security expert to configure the tests and understand the output.

Having a DAST that tests both your WebApps and APIs will give you that single pane of glass, additional buy-in from your teams and longevity, reducing your TCO.

3. Security feedback loop

With scale and speed comes automation, requiring a DAST tool to detect your vulnerabilities early. You need to provide your developers with the ability to scan every build / commit from their dashboard and to then automatically raise tickets with GitHub or Jira for example, into a feedback loop, so that each security player in your team has visibility, from your developers, QA / security team, to the CISO.

4. Accuracy of and Trust in the Tooling

Having a tool that is easy to use and integrated into your pipeline is great, but if it is setting off false alerts (false positives) and your builds are failing because of these, then your developers will soon make their feelings felt. The results need to be accurate and deliver actionable results with remediation guidelines for your developers to remediate early. The manual validation of vulnerabilities is slow and expensive and so a tool that removes these is essential to maintain the speed of DevOps while delivering security compliance. If you are a CISO, how can you effectively evaluate your risk, on demand, when your results are skewed with these false positives and are draining your internal security team as they scramble to manually validate the findings..?

Achieving DevSecOps with Bright

Bright enhances DevSecOps at its core, with a Dev First approach to test your WebApps and APIs

Key features of our technology include:

Shallow learning curve: to establish a culture of security testing across your pipelines
Built for Developers: We empower developers to detect and fix vulnerabilities on every build, enabling them to leverage multiple discovery methods to initiative a scan, including:
- Crawling – for full automation
- HAR files – generated per build/commit for scope defined testing or by QA Automation
- OpenAPI (Swagger) files or Postman Collections – to test APIs or Single Page Applications
Smart Scanning functionality: leveraging sophisticated algorithms to carry out the right tests against the target, removing complexity for developers whilst ensuring scans are automatically optimised to maximise speed and prevent development drag
Built for Modern Technologies: Microservices, Single Page Applications, APIs (SOAP, REST, GraphQL) are all supported
0 (Zero) False Positives: The only tool with fully automated validation of every vulnerability detected, freeing up valuable time for your security team and saving a considerable amount money, to release fast and be secure by design
Seamless Integration: Rest API, CLI for developers, or with common tools such as CircleCI, Jenkins, Jira, GitLab, Github, AzureDevOps and more

To find out how you can leverage our technology to achieve DevSecOps for your WebApps and APIs, please do get in touch or request a demo here.

The practice of running DAST in production environments presents multiple risks and challenges that can actually hinder your security goals. Here’s why you should think twice before running DAST scans on a live production system.

What Are Vulnerability Assessment Tools? Vulnerability assessment tools are specialized software designed to identify, classify, and prioritize vulnerabilities in computer