Gartner recently released its 2022 “Critical Capabilities for Application Security Testing” (AST) report, and I am delighted to see that Black Duck (formerly Synopsys Software Integrity Group) received the highest score across each of the five Use Cases. Let’s look at the Continuous Testing Use Case and dive into how Gartner ranks and rates it, and see why the Black Duck portfolio of offerings is well-suited for organizations that are looking to implement or are currently doing continuous testing.
When it comes to the criteria used to rate the top 14 tools’ ability to deliver continuous testing, Gartner places slightly more weight on a tool’s ability to perform dynamic application security testing (DAST), interactive application security testing (IAST), and API security testing and discovery. It places equal or less weight on a tool’s ability to perform static application security testing (SAST) and software composition analysis (SCA). To understand why, let’s look at the role continuous testing plays in today’s software ecosystem.
First, we need to understand what exactly continuous testing is. As the name implies, continuous testing is the execution of automated tests every time code changes. These tests run continuously and iteratively across the software development life cycle (SDLC), as part of the software delivery pipeline, so that changes pushed to the code and/or binary repository get fast feedback.
Continuous testing matters most in an organization’s drive toward DevOps continuous integration / continuous delivery (CI/CD). CI/CD lets teams ship product changes very quickly, which is crucial for businesses to stay ahead of the curve; continuous testing is what builds trust in the quality of what ships. It provides evidence that the product performs as expected and is reliable and secure. Because the tests run inside the delivery pipeline, the team can introduce as many quality gates as it wants, wherever it wants them, to reach the degree of quality it needs.
Although continuous testing is becoming a standard practice today, embedding another layer of security oversight is something not readily undertaken by most organizations. It is simple to understand why.
Implementing continuous testing is already a massive undertaking without adding a security layer on top of it. For continuous testing to work, development and QA teams need to define the tests early, write the test-driven or behavior-driven test cases, and ensure good test coverage. To run a successful continuous testing operation, they also need a complete test environment on demand, with developer-friendly tooling (code-level integrations, CI/CD integrations, and supported open source tools) for the various development and test teams. These environments should be ready for on-demand needs from unit testing through integration, functional, regression, and acceptance testing, and should be able to provision the right test data so teams can test with production-like data. With continuous testing, the various types of tests execute at each stage of the pipeline and in each environment the code is deployed to, triggered automatically by events such as a code check-in or code change. The aim is prompt feedback that alerts the team to problems as quickly as possible.
Continuous testing gets harder and slower as the code progresses toward the production environment, and the depth of testing increases as the test environment gets closer to production. More tests, and more complex tests, are added as the code matures and the environment grows more complex. The test cases written earliest are unlikely to be the ones run throughout the SDLC; they need to be updated whenever significant changes are introduced, and the automated scripts need to be revised at each phase as the code moves into higher-level environments where configuration and infrastructure also change, until it reaches production.
Even the time needed to run the tests increases as testing progresses toward the release point. A unit test might run in seconds, whereas some integration tests or system/load tests might take hours or days. Given the time and effort required to execute end-to-end continuous testing, it’s no wonder that, according to Google’s State of DevOps report, automated security testing lags behind other automation efforts (such as automated build and release).
For organizations that have security test practices and tools built into their continuous testing and delivery pipeline, it’s common to find SAST and/or SCA tools deployed in the automated pipeline. These tools have their place in the SDLC; in fact, they are necessary early in the SDLC to help secure proprietary codebases and external dependencies such as open source and third-party code. That may be sufficient for a self-contained codebase whose runtime behavior is predictable.
Unfortunately, the application development and delivery paradigm has shifted from monolithic to today’s highly distributed computing model. Modern composite applications consist of innumerable software components and event-driven triggers, thanks to technologies such as microservices architecture, the cloud, APIs, and serverless functions. Some critical vulnerabilities cannot be caught by analyzing source code or dependencies in isolation during early development; they only manifest at runtime, once the various components are integrated and exercised together. The sheer volume of applications that an organization owns and must manage today, from internal proprietary codebases and applications to third-party components and APIs, further expands the unanticipated attack surface.
Therefore, it’s more critical than ever to incorporate modern DAST approaches to testing, particularly those that can augment the continuous testing and CI/CD pipeline with the least friction.
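To make the pipeline quality gates described earlier concrete, and to show how the SAST/SCA-early, DAST-at-integration split just discussed can be enforced, here is an added Python example. It is not code from the original post or from any Black Duck product; the finding format, the three-stage policy, the severity thresholds and the sample findings are all constructed for illustration. Each stage consumes only the scanner outputs that are available at that point in the pipeline, and a change stops at the first gate it fails.

```python
"""Stage-aware security quality gates for a continuous-testing pipeline.

Added example; the stage names, thresholds and finding format are assumptions,
not a description of any specific vendor's tooling.
"""
from dataclasses import dataclass
from typing import Dict, List, Sequence, Tuple

# Severity ordering used by the gate policy (assumed; each scanner's own
# rating is mapped onto these four levels before results reach the gate).
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass(frozen=True)
class Finding:
    """One normalized scanner result (constructed format, not any vendor's)."""
    tool: str        # "sast", "sca" or "dast"
    rule: str        # scanner rule name or advisory identifier
    severity: str    # a key of SEVERITY_RANK
    location: str    # file:line, package@version, or URL


@dataclass(frozen=True)
class Gate:
    """A quality gate at one pipeline stage."""
    stage: str
    trigger: str             # pipeline event that runs this stage
    tools: Tuple[str, ...]   # scanner outputs this gate consumes
    fail_at: str             # lowest severity that blocks promotion


# Hypothetical three-stage policy. Code-level scanners run on every push and
# block only on high/critical so feedback stays fast. DAST joins at the
# integration stage, once the assembled application is deployed to a test
# environment where runtime-only issues can surface. The release gate keeps
# all three scanners and tightens the threshold.
PIPELINE: Sequence[Gate] = (
    Gate("commit", "push", ("sast", "sca"), fail_at="high"),
    Gate("integration", "merge to main", ("sast", "sca", "dast"), fail_at="high"),
    Gate("release", "release tag", ("sast", "sca", "dast"), fail_at="medium"),
)


def evaluate_gate(gate: Gate, findings: Sequence[Finding]) -> Tuple[bool, List[Finding]]:
    """Return (passed, blocking_findings) for one gate.

    A finding blocks the stage only if it comes from a tool this gate
    consumes and its severity meets or exceeds the gate's threshold.
    """
    threshold = SEVERITY_RANK[gate.fail_at]
    blocking = [
        f for f in findings
        if f.tool in gate.tools and SEVERITY_RANK[f.severity] >= threshold
    ]
    return (not blocking, blocking)


def run_pipeline(findings_by_stage: Dict[str, Sequence[Finding]],
                 pipeline: Sequence[Gate] = PIPELINE) -> Dict[str, str]:
    """Walk the stages in order and stop at the first gate that fails.

    Returns {stage: "passed" | "failed" | "skipped"} so the caller can see
    exactly where a change stopped and why.
    """
    status: Dict[str, str] = {}
    failed = False
    for gate in pipeline:
        if failed:
            status[gate.stage] = "skipped"
            continue
        passed, blocking = evaluate_gate(gate, findings_by_stage.get(gate.stage, ()))
        status[gate.stage] = "passed" if passed else "failed"
        if not passed:
            failed = True
            for f in blocking:
                print(f"[{gate.stage}] blocked by {f.tool} {f.rule} "
                      f"({f.severity}) at {f.location}")
    return status


# Constructed sample results for one change. The SAST and SCA findings are
# below the commit gate's threshold, so the push is accepted; deploying the
# integrated application then exposes an access-control issue that only a
# runtime test against the running service can observe.
SAMPLE_FINDINGS: Dict[str, Sequence[Finding]] = {
    "commit": (
        Finding("sast", "unvalidated-redirect", "medium", "src/auth/login.py:88"),
        Finding("sca", "advisory-placeholder", "low", "example-lib@1.2.3"),
    ),
    "integration": (
        Finding("sast", "unvalidated-redirect", "medium", "src/auth/login.py:88"),
        Finding("sca", "advisory-placeholder", "low", "example-lib@1.2.3"),
        Finding("dast", "missing-auth-on-endpoint", "high",
                "https://staging.example.test/api/v1/admin/users"),
    ),
}

if __name__ == "__main__":
    print(run_pipeline(SAMPLE_FINDINGS))
```

Running the block as written reports that the commit gate passed, the integration gate failed on the DAST finding, and the release gate was skipped. The same medium-severity SAST finding that was tolerated at commit time would block the release gate, which is how a team raises the bar as a change gets closer to production without slowing down every push.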
Black Duck has the broadest and most comprehensive portfolio for your application security needs. Our AST tools provide seamless life cycle integration with end-to-end app security test coverage across the continuous pipeline.
Some key benefits of Black Duck solutions include
Continuous security testing and continuous delivery are processes that take time to implement successfully. But close collaboration between development, security, and DevOps teams, along with continuous security feedback based on highly accurate data and the right tool set, will go a long way toward hardening your critical applications.