Why Doesn’t Your CI Pipeline Have Security Bug Testing?

StackHawk
This is not security for security people. Application security for engineering teams.

Software Engineering has Changed with CI/CD

Continuous integration and continuous delivery have changed software engineering. Teams ship small change sets often, and automation has made an engineer's life a lot simpler. Automation throughout the CI/CD pipeline touches nearly everything, with integrations and tooling for linting, unit testing, integration testing, deployment, and more.

Application security, however, has been left behind.

While there are a few exceptions, most application security products are dated technology built for an era before DevOps, CI/CD, and modern software engineering practices. They are also built for security teams rather than for the developers who are closest to the code. This is a problem.

Application Security: Super Important and Super Broken

It goes without saying that building secure applications is imperative for any engineering team today. Without baking security into your application, your company opens itself up to leaking sensitive data, degrading the user experience, or allowing account takeover. As most companies shift to being software-first, application security will only become more important.

While clearly vital, current AppSec models are broken. Traditional approaches to application security prioritize training over tooling and finding over fixing. InfoSec teams hold on to dated practices of periodic, point-in-time scans of production. Vulnerabilities are kicked back to the engineering team as long lists or large Jira backlogs, which then sit deprioritized behind feature development. If the work is pulled into a sprint, it requires the developer to jump back into code they likely haven't touched for weeks or months.

Adding to this problem, the majority of security products on the market are legacy enterprise tools. They were built for a different era of software development and continue to serve the technology dinosaurs that have yet to adopt a modern DevOps workflow. Their features are built for security teams and favor long approval chains and reports over enabling the developers who will actually fix the security bugs.

A shift is needed in culture, workflows, and tooling.

There is a better way 👇.

The AppSec Future: Application Security Tests in Every CI/CD Build

While shifting security left has been a trade show booth tagline for years, we are at the point where it is truly becoming a reality. In the same way that many engineers now define and monitor their own infrastructure, developers are learning that they can take security testing into their own hands. Proper tooling and pipeline automation will drive this shift.

So what do application security tests in every build look like?

You'll want to instrument two types of security testing, commonly known as SAST and DAST. SAST (Static Application Security Testing) analyzes your source code for insecure patterns without running it; the closely related practice of scanning your dependencies for known vulnerabilities is usually called SCA (Software Composition Analysis) and is often bundled with SAST tooling. DAST (Dynamic Application Security Testing) runs tests against a running instance of your application to find externally exploitable security bugs. Both are important, and both can be added to your CI builds.

Then, on every merge, your pipeline runs security testing. When a developer introduces a security bug, they are alerted and can fix it while the change is still fresh. Tests should also be instrumented later in the pipeline, against the integrated, running application, to ensure that new bugs are not introduced when changes come together; think of it as security integration testing. When a bug is found, the fix can be tested locally before kicking off a new build.

A New Breed of AppSec Tooling

To add application security testing to the CI/CD pipeline, the right tools are needed. As mentioned, the traditional security products on the market are heavy on enterprise sales and light on features for the modern dev shop. Luckily, new tools are hitting the market that are built for developer-first security.

As you look at potential tools, here are a few things to consider:

  • How the App Is Scanned: Are DAST scans scheduled against a production environment, or does the tool assume ephemeral environments and pipeline runs? Does the SAST tool want you to zip up your code and ship it off, or does it integrate with your source code repository?
  • Support for Modern Applications: Does the tool support modern development paradigms such as single-page applications, GraphQL, or Jamstack applications? Can it work from an OpenAPI specification, or does it rely solely on an HTML crawler? Does it only scan publicly reachable sites, or can it work with multiple forms of authentication?
  • Noise Management: Traditional security tools are noisy with false positives and assume that fixing every finding takes priority over everything else. Does the tool let you suppress or deprioritize noise so that your workflows are not blown up by the addition of a security tool?

Getting Started

Adding application security tests to your CI/CD pipeline can feel daunting, but it is actually easy to get started. Here's how:

  • Pick Your Tools: Select SAST and DAST tools that you can easily try out and add to your pipeline. Make sure they meet the new-breed criteria above. (Hint: if they don't let you try the tool without first sitting through a demo, it probably isn't built for developers.) I'm a little biased, but StackHawk is really the only DAST tool built for developers. And here at StackHawk, we are big fans of Snyk for SAST.
  • Instrument in the Pipeline: After configuring your tooling, add it to your CI/CD pipeline. We recommend starting with non-blocking runs while you triage any existing backlog of security issues, then turning on build failures once that backlog is under control. Now every build includes application security tests. For more examples of configuring pipeline instrumentation with StackHawk, check out our docs or this blog on instrumenting StackHawk with CircleCI.
  • Roll Out Across Engineering: Application security works best when distributed, with engineers fixing their own security bugs as they build software. This takes a cultural shift first, but a cultural shift happens a lot more easily when the right tooling is in place. One thing that helps drive the culture shift is visibility. At StackHawk, we are big fans of pushing the StackHawk results from a pipeline run into Slack. Another thing that helps is putting the fix of new issues in the hands of each engineer, while managing the fix of the existing backlog through a separate workstream.
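The "security tests in every build" section above and the rollout steps just listed describe one piece of pipeline logic that no scanner gives you for free: a gate that starts out non-blocking, ignores triaged noise, leaves the pre-existing backlog to its own workstream, and fails the build only on new findings above a severity bar. The following is an added example of that gate, not code from StackHawk, Snyk, or any other scanner. It assumes a generic findings shape (dicts with `rule`, `path`, and `severity`) that a real report would first be mapped into, and the sample findings, backlog, and suppression list are constructed for illustration.

```python
"""CI build gate for SAST/DAST findings.

Added example, not code from StackHawk, Snyk or any scanner. It assumes a
generic findings shape (dicts with 'rule', 'path', 'severity') that a
scanner's real report would be mapped into; the sample data below is
constructed for illustration only.
"""
import hashlib
import json
import sys

# Rank used to compare a finding against the blocking threshold.
SEVERITY_RANK = {"info": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}


def fingerprint(finding):
    """Stable identity for a finding (rule + location), so the same bug is
    recognised across runs regardless of scan order or total finding count."""
    key = f"{finding['rule']}|{finding['path']}"
    return hashlib.sha256(key.encode("utf-8")).hexdigest()[:16]


def severity_rank(finding):
    """Unknown or missing severities rank lowest rather than raising."""
    return SEVERITY_RANK.get(str(finding.get("severity", "")).lower(), 0)


def triage(findings, baseline, suppressed_rules, threshold="high"):
    """Split findings into known backlog, suppressed noise, new findings,
    and the subset of new findings that should block the build."""
    bar = SEVERITY_RANK[threshold]
    result = {"known": [], "suppressed": [], "new": [], "blocking": []}
    for f in findings:
        if f["rule"] in suppressed_rules:
            result["suppressed"].append(f)   # triaged as noise for this app
        elif fingerprint(f) in baseline:
            result["known"].append(f)        # existing backlog, separate workstream
        else:
            result["new"].append(f)          # introduced since the baseline
            if severity_rank(f) >= bar:
                result["blocking"].append(f)
    return result


def gate(findings, baseline, suppressed_rules, threshold="high", enforce=True):
    """Return the triage plus the exit code the pipeline step should use.
    enforce=False is the report-only mode recommended for initial rollout:
    blocking findings are still listed, but the build passes."""
    result = triage(findings, baseline, suppressed_rules, threshold)
    result["exit_code"] = 1 if (enforce and result["blocking"]) else 0
    return result


# --- Constructed sample data (not real scanner output) ---------------------
SAMPLE_FINDINGS = [
    {"rule": "sql-injection", "path": "/api/users", "severity": "high"},
    {"rule": "xss-reflected", "path": "/search", "severity": "high"},
    {"rule": "missing-csp-header", "path": "/", "severity": "low"},
    {"rule": "x-powered-by-disclosure", "path": "/", "severity": "low"},
    {"rule": "command-injection", "path": "/api/export", "severity": "critical"},
]
# Backlog recorded when the tool was first run in non-blocking mode.
KNOWN_BACKLOG = [{"rule": "sql-injection", "path": "/api/users"}]
BASELINE = {fingerprint(f) for f in KNOWN_BACKLOG}
# Rules the team has triaged as noise for this application.
SUPPRESSED_RULES = {"x-powered-by-disclosure"}


def main(argv):
    """Usage: python gate.py [--enforce]   (omit --enforce for report-only)."""
    enforce = "--enforce" in argv
    result = gate(SAMPLE_FINDINGS, BASELINE, SUPPRESSED_RULES, "high", enforce)
    summary = {k: [f"{f['rule']} {f['path']}" for f in v]
               for k, v in result.items() if k != "exit_code"}
    print(json.dumps(summary, indent=2))
    return result["exit_code"]


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Run without `--enforce` during the rollout window: the step reports the two blocking findings (reflected XSS and command injection) but exits 0, so nobody's merge is blocked while the existing SQL injection in the backlog is worked separately. Once the backlog is triaged, switch to `--enforce` and the same two findings fail the build. The baseline is a set of fingerprints rather than a count, so a finding that moves to a different path is correctly treated as new, and the suppression list is keyed by rule so a known-noisy check is quieted without hiding genuinely new issues of a different kind.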

At StackHawk, we’re obviously super passionate about this topic. If you want to talk shop, get technical support, or learn more about how we can help here, shoot us a note at hello@stackhawk.com.
