Shifting Security Left - For Real!
Including application validation right from product inception is a critical element of Agile product development. Integrating various test scenarios into the development pipeline increases the overall quality and functionality of the code. However, these tests are largely focused on the functional or performance aspects of an application. Security testing (as we know it) is often performed as an end-of-the-chain activity (penetration testing), which negates the true benefit of agile development. The solution is a low-distraction, highly scalable application security testing checkpoint, built on the existing product development tools and platform, that truly works on the “Find Early, Fix Early” model.
AUTOMATION - RIGHT FROM WHEN THE CODE IS CHECKED IN
we45 helps you extend the product engineering organisation's development, release management, bug management and security tooling components into an Application Security Tooling framework. This system is typically designed around Continuous Integration / Deployment platforms such as Jenkins, so that security checks run from the moment code is checked in. The core of the framework brings together existing commercial DAST / SAST tool-sets alongside their relevant open-source counterparts, producing the much needed “Kitchen Sink” effect: the force-multiplier result of running multiple tools with appropriate scan policies. By leveraging the functional automation scripts created by QA groups, DAST scanners can be made to "walk through" specific sections of the application / APIs, resulting in a faster and more focused scan that yields results more efficiently.
THE ORCHESTRON TOUCH
we45’s Application Vulnerability Correlation engine, Orchestron, helps security and DevOps teams eliminate the “noise” in the pipeline by combining the vulnerability data sets from security tools on a single pane of glass. Its powerful correlation and prioritisation engine contextually merges, de-duplicates and normalises vulnerability information across DAST and SAST results to present a single normalised result set across applications.
Orchestron's built-in integrations with bug tracking platforms (such as JIRA) help feed unique, correlated vulnerabilities back into the engineering pipeline, thereby turning each prioritised vulnerability into a tracked defect.
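As an added illustration of the correlation and de-duplication step described above (example code written for this page, not Orchestron's own implementation), the following Python merges constructed DAST and SAST findings on a shared (application, CWE, location) key, keeps the highest severity, and ranks findings confirmed by more than one tool first; the field names and sample records are assumptions.

```python
# Added example (not we45/Orchestron code): correlate and de-duplicate findings
# from a DAST and a SAST tool into one normalised, prioritised result set.
SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1, "info": 0}

# Constructed sample findings, already parsed out of each tool's own report format.
# The field names are an assumption; real scanners emit their own schemas.
DAST_FINDINGS = [
    {"tool": "dast", "app": "shop", "cwe": 79, "severity": "medium", "location": "/search",
     "evidence": "payload reflected unencoded in response"},
    {"tool": "dast", "app": "shop", "cwe": 89, "severity": "high", "location": "/login/",
     "evidence": "time-based response delay on username parameter"},
]
SAST_FINDINGS = [
    {"tool": "sast", "app": "shop", "cwe": 89, "severity": "Critical", "location": "/login",
     "evidence": "string-concatenated SQL in LoginDao.java:42"},
    {"tool": "sast", "app": "shop", "cwe": 89, "severity": "Critical", "location": "/login",
     "evidence": "string-concatenated SQL in LoginDao.java:42"},   # exact duplicate
    {"tool": "sast", "app": "shop", "cwe": 798, "severity": "high", "location": "config/db.yml",
     "evidence": "hard-coded database credential"},
]

def normalise(finding):
    """Map a tool-specific record onto the common schema used for correlation."""
    return {
        "app": finding["app"],
        "cwe": int(finding["cwe"]),
        "location": finding["location"].rstrip("/").lower(),
        "severity": finding["severity"].lower(),
        "tool": finding["tool"],
        "evidence": finding["evidence"],
    }

def correlate(*tool_outputs):
    """Merge findings sharing (app, CWE, location); multi-tool hits rank first, then severity."""
    merged = {}
    for findings in tool_outputs:
        for raw in findings:
            f = normalise(raw)
            key = (f["app"], f["cwe"], f["location"])
            entry = merged.setdefault(key, {"app": f["app"], "cwe": f["cwe"],
                "location": f["location"], "severity": f["severity"],
                "tools": set(), "evidence": []})
            entry["tools"].add(f["tool"])
            if f["evidence"] not in entry["evidence"]:
                entry["evidence"].append(f["evidence"])   # drops exact duplicates
            if SEVERITY_RANK[f["severity"]] > SEVERITY_RANK[entry["severity"]]:
                entry["severity"] = f["severity"]
    return sorted(merged.values(), reverse=True,
                  key=lambda e: (len(e["tools"]), SEVERITY_RANK[e["severity"]]))
```

Each merged entry carries the set of tools that reported it and every distinct piece of evidence, which is what a bug tracker ticket needs so that engineering sees one defect rather than one ticket per scanner.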