DevOps is becoming more prevalent within the software industry and continuous delivery (CD) pipelines are continuing to raise the number of deployments organisations can accomplish each day. These high velocity environments continue to raise questions around how to best handle security commitments to customers whilst still being able to react to their needs quickly.
The high rate of code change associated with DevOps can increase the risk of security issues slipping through the usual security processes, because slow security processes cannot keep up with the rate of change. Security testing can often take days or weeks depending on the size of the organisation. This is where SecDevOps and tools such as BDD-Security can help.
What is BDD-Security?
BDD-Security is a security testing framework which uses natural language to allow users to define security-as-code. These security tests can be run in the same way as unit/integration tests and can therefore be implemented as part of the CI/CD pipeline.
Using a security testing framework provides a number of benefits:
• Can be integrated into the CI/CD pipeline
• Allows teams to fail fast
• Natural language allows all key stakeholders to understand what tests are performed
• Provides easy to read reports
By default, the tool provides the following tests:
How to use it
Implementing BDD-Security requires you to clone their repository from GitHub using git clone:
By default, BDD-Security is configured to work with the example RopeyTasks application for demo purposes. To use it with your own application, the configuration must be modified to:
• Provide the selenium steps required to login to your application
• Provide the location to SSLyze
• Provide Nessus authentication details
You can find out more about how to edit the necessary files here. Once the configuration has been modified the security tests can be run using the following command:
Or, if you want to run only security tests which match specific tags use:
./gradlew -Dcucumber.options="--tags @host_config"
Host configuration test
Running the host_config test will perform a port scan to ensure no ports are open except 80 and 443. Due to the natural language used for creating security-as-code, it is easy to understand and modify this test, for example to add additional allowed ports.
Traditionally this test would be manually carried out by the security team. By automating this process, the test can be carried out in under 4 seconds. Within this time we have been able to determine that a disallowed port is open (Port 22). This information could be used to fail the pipeline and notify the development team of a security issue.
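To show what the host_config check does behind its natural-language scenario, here is an added example that is not BDD-Security's own code (its checks are implemented in the framework's Java code base). It parses a constructed sample in the style of nmap's grepable (-oG) output, compares the open TCP ports against an allowlist of 80 and 443, and returns the disallowed ports so a pipeline can fail on them. The function names, the sample host 192.0.2.10 and the scan text are all assumptions made for this example:

```python
import re
import sys

# Ports the host is permitted to expose, matching the page's default of 80 and 443.
ALLOWED_PORTS = {80, 443}

# Constructed sample in the style of nmap's grepable (-oG) output; not real scan data.
# It deliberately includes an open port 22 so the check fails, as on the page.
SAMPLE_SCAN = """# Nmap scan initiated (constructed sample)
Host: 192.0.2.10 ()\tStatus: Up
Host: 192.0.2.10 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 443/open/tcp//https///, 8080/filtered/tcp//http-proxy///\tIgnored State: closed (996)
# Nmap done
"""

# Each port entry in the Ports: field starts with port/state/protocol/...
PORT_RE = re.compile(r"(\d+)/(\w+)/(\w+)/")


def parse_open_ports(grepable_output):
    """Return {host: set of open TCP port numbers} from grepable-style scan text."""
    open_ports = {}
    for line in grepable_output.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue
        host = line.split()[1]
        # The Ports: field ends at the next tab-separated field (e.g. "Ignored State").
        ports_field = line.split("Ports:", 1)[1].split("\t")[0]
        for port, state, proto in PORT_RE.findall(ports_field):
            if state == "open" and proto == "tcp":
                open_ports.setdefault(host, set()).add(int(port))
    return open_ports


def disallowed_open_ports(grepable_output, allowed=ALLOWED_PORTS):
    """Open TCP ports not on the allowlist, per host; an empty dict means the check passes."""
    result = {}
    for host, ports in parse_open_ports(grepable_output).items():
        extra = ports - set(allowed)
        if extra:
            result[host] = sorted(extra)
    return result


def host_config_passes(grepable_output, allowed=ALLOWED_PORTS):
    """True when every host exposes only allowed ports (the pipeline gate)."""
    return not disallowed_open_ports(grepable_output, allowed)


if __name__ == "__main__":
    findings = disallowed_open_ports(SAMPLE_SCAN)
    for host, ports in findings.items():
        print(f"FAIL: {host} has disallowed open ports {ports}")
    # Non-zero exit status is what fails the CI/CD stage.
    sys.exit(1 if findings else 0)
```

Widening the allowlist, as the page describes, is a one-line change to ALLOWED_PORTS (or a different `allowed` argument), which is the same kind of edit a team would make to the Gherkin scenario's port list. Feeding the script real scan output of your own hosts in a pipeline stage turns the exit status into the fail-fast signal the page describes.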
When testing completes, a report is produced to show the outcome of each individual test along with a summary of results. These reports are available in numerous formats:
• Pretty HTML using the cucumber-reporting project
In addition to this summary, more detailed information can be seen on individual tests within each section. These indicate any failures along with the reasons for failure.
If you’re interested in finding out how ECS Digital can help you implement SecDevOps in your business, please get in touch. We’d love the chance to discuss how we can help you in your adoption of DevOps.