Why Doesn’t Your CI Pipeline Have Security Bug Testing?

StackHawk
This is not security for security people. Application security for engineering teams.

Software Engineering has Changed with CI/CD

Continuous integration and continuous delivery have changed software engineering. Teams ship small change sets often, and automation has made the life of an engineer a lot simpler. Automation throughout the CI/CD pipeline has touched nearly everything, with integrations and tooling for linting, unit testing, integration testing, deployment, and more.

Application security, however, has been left behind.

While there are a few exceptions, most application security products are dated technology built for an era before DevOps, CI/CD, and modern software engineering practices. These products are also built for security teams instead of the developers who are close to the code. This is obviously a problem.

Application Security: Super Important and Super Broken

It goes without saying that building secure applications is imperative for any engineering team today. Without baking security into your application, your company opens itself up to leaking sensitive data, degrading user experience, or allowing account takeover. As most companies in the world shift to be software-first, application security will only become increasingly important.

While clearly vitally important, current AppSec models are broken. The traditional approaches to application security prioritize training over tooling and finding over fixing. InfoSec teams hold onto dated practices of periodic, point-in-time scans of production. Vulnerabilities are kicked back to the engineering team in long lists or large Jira backlogs, which then sit deprioritized behind feature development. If the work is pulled into a sprint, it requires the developer to jump back into code that they likely haven’t touched for weeks or months.

Adding to this problem is the fact that the majority of the security products on the market are legacy enterprise tools. They are built for a different era of software development and continue to serve the technology dinosaurs that have yet to adopt modern DevOps workflows. Features are built for security teams and favor long approval chains and reports rather than enabling the developers who will fix the security bugs to get on with the job of fixing them.

A shift is needed in culture, workflows, and tooling alike.

There is a better way 👇.

The AppSec Future: Application Security Tests in Every CI/CD Build

While shifting security left has been a trade show booth tagline for years now, we are at the advent of that truly becoming a reality. In the same way that many engineers now define and monitor their own infrastructure, developers are learning that they can take security testing into their own hands. Proper tooling and pipeline automation will drive this shift.

So what do application security tests in every build look like?

You’ll want to instrument two types of security testing, commonly known as SAST and DAST. SAST (Static Application Security Testing) analyzes your source code, without running it, for insecure patterns such as unsanitized input reaching a database query or a shell command; the dependency scanning that often ships alongside it (sometimes called SCA, software composition analysis) checks your third-party packages against databases of known vulnerabilities. DAST (Dynamic Application Security Testing) sends requests to a running version of your application to find bugs that are exploitable from the outside, such as injection flaws or missing security headers. Both are important, they catch different classes of bugs, and both can be added to your CI builds.

Then the pipeline runs security tests on every merge (or every pull request). When a developer introduces a security bug, they are alerted on that build and can fix it while the change is still fresh in their mind. DAST should also run later in the pipeline, against the deployed build in a staging or ephemeral environment, so that regressions that only appear once the pieces are wired together are caught too – think of it as security integration testing. When a bug is found, the fix can be tested locally before a new build is kicked off.

A New Breed of AppSec Tooling

To add application security testing to the CI/CD pipeline, the right tools are needed. As mentioned, the traditional security products on the market are heavy on enterprise sales and light on features for the modern dev shop. Luckily, new tools are hitting the market that are built for developer-first security.

As you look at potential tools, here are a few things to consider:

  • How the App Is Scanned: Are your DAST scans scheduled against a production environment, or does the tool assume ephemeral environments and pipeline runs? Does the SAST tool want you to zip up your code and ship it off to them, or does it integrate with your source code repository?
  • Support for Modern Applications: Does the tool support modern development paradigms, such as single page applications, GraphQL, or Jamstack applications? Can it drive a scan from an OpenAPI spec, or does it rely solely on an HTML spider (which never discovers the routes of an API-only service)? Does it simply scan publicly reachable sites, or can it authenticate to your app using the forms of authentication you actually run?
  • Noise Management: Traditional security tools are noisy with false positives and assume that fixing every finding takes priority over everything else. Does the tool let you quiet that noise, ideally by suppressing a specific finding with a documented reason rather than silencing a whole category, so that adding it does not blow up your workflows?

Getting Started

Adding application security tests to your CI/CD pipeline can feel like a daunting task, but it is actually easy to get started. Here’s how:

  • Pick Your Tools: Select SAST and DAST tools that you can easily try out and add to your pipeline. Make sure they hit on the new breed criteria above. (Hint: if they don’t let you test without first seeing a demo, they probably aren’t built for developers). I’m a little biased, but StackHawk is really the only DAST tool built for developers. And here at StackHawk, we are big fans of Snyk for SAST.
  • Instrument in Pipeline: After configuring your tooling, add it to your CI/CD pipeline. Start with non-blocking runs while you triage the existing backlog of findings, then switch the scan to fail the build once that backlog is under control, so that newly introduced bugs cannot merge unnoticed. Now every build includes application security tests. For more examples of configuring pipeline instrumentation with StackHawk, check out our docs or this blog on instrumenting StackHawk with CircleCI.
  • Roll Out Across Engineering: Application security works best when distributed, with engineers fixing their own security bugs as they build software. This starts with a cultural shift, but a cultural shift comes a lot easier when the right tooling is in place. One thing that helps drive the culture shift is visibility. At StackHawk, we are big fans of pushing the StackHawk results from a pipeline run into Slack. Another thing that helps is putting the fix of new issues in the hands of each engineer, while managing the fix of the existing backlog through a different workstream.
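The pattern described above (a scan on every build, non-blocking at first, known noise quieted without being silenced forever, then a blocking gate once the backlog is triaged) as one script a CI job could call. This is an added example written for this article, not StackHawk’s or ZAP’s own code: it assumes the scanner is ZAP’s baseline scan run from its Docker image (the image name and flags are what the example assumes), that the app under test exposes a /healthz endpoint, and that the scan report has the constructed, simplified shape `{"findings": [...]}` shown in the sample data, which is not any real scanner’s format.

```python
"""CI security gate: bring up the app under test, run a DAST scan, triage the
report and decide whether the build passes. Added example for this article, not
StackHawk's or ZAP's code. Assumptions: ZAP's baseline scan from its Docker
image, an app /healthz endpoint, and a constructed report shape
({"findings": [...]}) that is not any real scanner's format.
"""
import json
import os
import subprocess
import sys
import time
import urllib.error
import urllib.request
from dataclasses import dataclass, field
from datetime import date

SEVERITY_RANK = {"info": 0, "low": 1, "medium": 2, "high": 3}


@dataclass
class Policy:
    blocking: bool            # False while the backlog is triaged, True afterwards
    fail_on: str = "medium"   # lowest severity that fails a blocking build
    # plugin id -> ISO expiry date; every suppression expires, so known noise is
    # quieted for a while but can never be silenced permanently
    suppressions: dict = field(default_factory=dict)


def wait_for_app(url, timeout_s=60):
    """Poll a health URL until it answers 2xx; DAST needs a running target."""
    deadline = time.monotonic() + timeout_s
    while time.monotonic() < deadline:
        try:
            with urllib.request.urlopen(url, timeout=5) as resp:
                if 200 <= resp.status < 300:
                    return True
        except (urllib.error.URLError, OSError):
            pass
        time.sleep(2)
    return False


def run_zap_baseline(target, report_path="zap-report.json"):
    """Run ZAP's baseline scan from Docker (assumed image and flags)."""
    # -I: do not let WARN alerts fail the scanner itself; pass/fail is decided
    # below from the report under our own policy
    cmd = ["docker", "run", "--rm", "--network", "host",
           "-v", f"{os.getcwd()}:/zap/wrk/:rw", "ghcr.io/zaproxy/zaproxy:stable",
           "zap-baseline.py", "-t", target, "-J", report_path, "-I"]
    return subprocess.run(cmd, check=False).returncode


def triage(findings, policy, today=None):
    """Split findings into active (fix now) and suppressed (accepted noise).
    An expired suppression no longer applies, so its finding becomes active again."""
    today = date.fromisoformat(today) if today else date.today()
    active, suppressed = [], []
    for finding in findings:
        expiry = policy.suppressions.get(finding["plugin_id"])
        if expiry and date.fromisoformat(expiry) >= today:
            suppressed.append(finding)
        else:
            active.append(finding)
    return active, suppressed


def decide(active, policy):
    """CI exit code: 1 only when blocking and a finding is at or above fail_on."""
    threshold = SEVERITY_RANK[policy.fail_on]
    blockers = [f for f in active if SEVERITY_RANK[f["severity"]] >= threshold]
    return 1 if policy.blocking and blockers else 0


# Constructed sample findings in the hypothetical report shape; plugin ids are
# modelled on ZAP's, but the data is made up for this example.
SAMPLE_FINDINGS = [
    {"plugin_id": "10038", "name": "Content Security Policy header not set",
     "severity": "medium", "url": "http://localhost:3000/"},
    {"plugin_id": "10021", "name": "X-Content-Type-Options header missing",
     "severity": "low", "url": "http://localhost:3000/login"},
    {"plugin_id": "40012", "name": "Cross Site Scripting (Reflected)",
     "severity": "high", "url": "http://localhost:3000/search?q=x"},
]


def main(argv):
    target = argv[1] if len(argv) > 1 else "http://localhost:3000"
    # Start non-blocking; add --blocking once the existing backlog is triaged.
    policy = Policy(blocking="--blocking" in argv, suppressions={"10021": "2030-01-01"})
    if not wait_for_app(target + "/healthz"):
        print("app under test never became healthy", file=sys.stderr)
        return 2
    run_zap_baseline(target)
    with open("zap-report.json") as fh:
        active, suppressed = triage(json.load(fh)["findings"], policy)
    for f in active:
        print(f"[{f['severity']}] {f['name']} at {f['url']}")
    print(f"{len(active)} active finding(s), {len(suppressed)} suppressed")
    return decide(active, policy)


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

In the pipeline this runs after the build has started the app (for example as a container on the runner), first as `python ci_security_gate.py http://localhost:3000` so findings are reported but the job stays green, and later with `--blocking` so anything at or above the policy’s threshold fails the build. The expiry on every suppression is the point of the design: an accepted finding stays quiet for a bounded time and then has to be re-justified or fixed, which keeps the backlog-triage workstream honest while the per-engineer fix of new issues proceeds.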

At StackHawk, we’re obviously super passionate about this topic. If you want to talk shop, get technical support, or learn more about how we can help here, shoot us a note at hello@stackhawk.com.
