The term DevSecOps is a contraction of developer, security and operations. Despite the buzzword hype, it does have positive implications for improving the quality, security and functional safety of embedded software applications. Many organizations have adopted DevOps over the past years and integrated their continuous integration and deployment processes. However, in many cases, security has been left out of this integrated pipeline only to cause issues in production environments which are then costly and time-consuming to fix. In DevSecOps, companies are aiming to put security as a primary concern into the everyday processes by addressing security throughout software development life cycle (SDLC).
This post looks at the role of static application security testing (SAST) solutions such as GrammaTech CodeSonar, and how testing, process and pipeline integrations are key to success with DevSecOps.
Importance of Static Application Security Testing (SAST)
Today, many SAST products are designed to integrate well with just about any software automation tool chain, development methodology and process. This is mainly because they can be used locally by developers at their desktops for near-instant feedback, and also to analyze a complete build, whether that is done hourly or on whatever schedule suits the team. In addition, SAST products can run completely autonomously and require no interaction with testers or developers. Commercial SAST products like CodeSonar use advanced static analysis to:
- Validate coding standards and best practices, for example by helping to enforce safe and secure coding standards such as MISRA, JPL and CERT-C.
- Perform static verification using formal-method concepts to find complex defects such as buffer overruns and unchecked external data (tainted data), among many others.
- Detect API misuse using heuristics that compare the analyzed code to correct usage collected from a vast code corpus.
- Alert developers to suspicious constructs such as dead code and uninitialized or unused variables.
Security isn’t intentionally ignored, but unless it’s part of the development culture, baked into product requirements and supported by all levels of the organization, it often gets ignored anyway. This leads software teams to delegate security testing to the end of the development effort, attempting to ‘tack on’ security at the end. Most software teams understand this isn’t optimal, but the cost of not building in security needs to be better communicated to them. Leaving security to the end is a “pay now, or much more later” scenario.
In addition, a key reason to build security into Agile processes and CI/CD pipelines is to build upon the knowledge that accumulates over the project. It’s not reasonable to expect software teams to fully understand their product’s attack surface at the beginning of the project. Over time, threat modeling improves as security is built into day-to-day operations and expertise and knowledge accumulate. Starting early is the key.
Security is no longer a “nice to have” product feature; it’s now a requirement, and your customers expect your software to be secure. The marketplace is demanding it and, for many embedded development organizations, it’s closely tied to their commitment to safety and high quality. In some cases, products are required to meet industry standards with good engineering practices and due diligence in design, development, testing and documentation. Embedded developers have all the business reasons, the “why” for security, but often lack the “how.”
Shift Security Left
What does it mean to “shift left” security? The goal is to start analyzing and testing code as soon as possible, moving it closer to the beginning of the project, which is the left side of the software development life cycle (SDLC). The motivation for this is to find and fix defects as early as possible: the sooner they are found, the cheaper and easier they are to fix. Security vulnerabilities found later in development, or worse, in a delivered product, are much more expensive to fix, up to 100 times more expensive (excluding further unforeseen costs such as loss of business, recalls and reputation impact).
The Importance of SAST in DevSecOps
Static analysis products like GrammaTech’s CodeSonar provide support to DevSecOps by ensuring continuous code quality, greatly reducing the costs and risks of security and reliability issues in software. With SAST, you find and fix security issues during development not later, while enforcing best practices and coding standards to prevent software weaknesses and future vulnerabilities that can negatively impact security and functional safety of the final product.
Benefits of SAST in DevSecOps
In addition to the benefits listed above, SAST solutions provide further advantages in the context of DevSecOps:
Seamless Integration into Software Development Life Cycle: Seamlessly integrate SAST into your CI/CD workflow so it becomes a native process for your development team. This ensures secure coding and compliance with secure and safety coding standards.
Security by Design (Shift Left): Detect errors/vulnerabilities early when they are easier to remediate. Reduce the risk and cost associated with fixing vulnerabilities. Prevent software weaknesses with secure coding standards.
Better Apps, Faster: Automation is the key to a properly running DevSecOps pipeline. SAST provides automated security testing that is quicker, deeper and more accurate than manual testing. This enables you to accelerate application development and deliver higher quality, more secure and safer code.
Support DevSecOps Principles: SAST products support DevSecOps principles such as improving teamwork and collaboration with a focus on automation and development enablement. Testing results can be shared among development teams to encourage continuous improvement.
CodeSonar SAST Solution
CodeSonar is a multi-language static analysis platform supporting C/C++, C#, Java and Android source code, and the Intel-32/64, ARMv7 and ARMv8 instruction sets for binary analysis. It provides a developer-friendly interface with clear explanations of warnings and error trace information. By integrating seamlessly with DevSecOps and CI/CD warning tracking systems, including support for suppressing warnings, CodeSonar delivers deep analysis results within CI/CD platforms such as GitLab, GitHub and Jenkins.
Introducing CodeSonar into DevSecOps
The following are steps that we recommend for a smooth integration of CodeSonar into DevSecOps:
- Introduce static application security testing to the organization in such a way as to emphasize the benefits and advantages of using SAST in your current workflows. Part of this is running an initial baseline analysis on applications under development to establish the current state of security.
- Review and address high-priority findings first, based on the most important vulnerabilities, while filtering or deferring less important warnings. It’s easy for initial users to get caught up in the minutiae of those first analysis reports. CodeSonar provides a useful warning score to highlight the most severe bugs to investigate first.
- Optimize build processes and configuration to narrow down the warnings your organization is most interested in. These could be specific coding standard rules and types of software weaknesses to detect. It’s better to have a narrow focus on high-impact, high-severity vulnerabilities early on.
- Integrate into CI/CD pipelines by integrating CodeSonar with one of the popular orchestration tools such as GitHub, GitLab or Jenkins. Plug-ins are available from GrammaTech that integrate CodeSonar analysis with various triggers, such as merge or pull requests, or with scheduled builds.
- Roll out to developers in stages. At first, it makes sense to get developers to tackle new, high-severity warnings. As comfort with the tool improves, the backlog of security warnings can be introduced. It’s important to resist the desire to tackle more warnings than developers can manage.
- Automate in merge requests by adding SAST analysis to every request. In this way, security analysis is done in real time, helping to prevent or detect vulnerabilities before they make it into the product.
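The rollout steps above (baseline first, prioritize by score, block only on new high-severity findings, leave the backlog for later) can be expressed as a small merge-request gate. The script below is an added example written for this post, not GrammaTech code and not CodeSonar's export format: it assumes a hypothetical JSON list of warnings with `class`, `file`, `line`, `snippet` and `score` fields (the 0-100 score scale is likewise assumed), fingerprints findings on class, file and source snippet rather than line number so that ordinary edits do not make an old warning look new, and fails the job only when a new warning meets the severity threshold.

```python
"""Merge-request gate for SAST findings (added example, hypothetical format)."""
from __future__ import annotations

import json
import sys
from dataclasses import dataclass

# Constructed sample exports. The field names and 0-100 score scale are an
# assumption made for this example, not CodeSonar's actual output format.
BASELINE_JSON = """[
 {"class": "BUFFER_OVERRUN", "file": "src/parser.c", "line": 42,
  "snippet": "memcpy(buf, pkt->data, pkt->len);", "score": 80},
 {"class": "UNUSED_VARIABLE", "file": "src/util.c", "line": 7,
  "snippet": "int tmp;", "score": 15}
]"""

# Same two warnings (one has drifted three lines) plus two genuinely new ones.
CURRENT_JSON = """[
 {"class": "BUFFER_OVERRUN", "file": "src/parser.c", "line": 45,
  "snippet": "memcpy(buf, pkt->data, pkt->len);", "score": 80},
 {"class": "UNUSED_VARIABLE", "file": "src/util.c", "line": 7,
  "snippet": "int tmp;", "score": 15},
 {"class": "TAINTED_DATA", "file": "src/net.c", "line": 120,
  "snippet": "len = ntohs(hdr->len);", "score": 90},
 {"class": "DEAD_CODE", "file": "src/net.c", "line": 130,
  "snippet": "return -1;", "score": 10}
]"""


@dataclass(frozen=True)
class Finding:
    warning_class: str
    file: str
    line: int
    snippet: str
    score: int  # higher means more severe (assumed scale)

    def fingerprint(self) -> str:
        # Deliberately excludes the line number: edits above a warning shift
        # its line but do not change the defect, and must not reset the gate.
        return f"{self.warning_class}|{self.file}|{self.snippet}"


def load_findings(text: str) -> list[Finding]:
    """Parse the hypothetical JSON export into Finding objects."""
    return [
        Finding(w["class"], w["file"], int(w["line"]), w["snippet"], int(w["score"]))
        for w in json.loads(text)
    ]


def triage(current: list[Finding], baseline_fps: set[str], threshold: int) -> dict[str, list[Finding]]:
    """Split findings into the three buckets the staged rollout uses.

    blocking: new and at/above threshold -> fail the merge request
    deferred: new but below threshold   -> report, do not block
    backlog:  already in the baseline   -> tackled later as comfort grows
    """
    buckets: dict[str, list[Finding]] = {"blocking": [], "deferred": [], "backlog": []}
    for f in current:
        if f.fingerprint() in baseline_fps:
            buckets["backlog"].append(f)
        elif f.score >= threshold:
            buckets["blocking"].append(f)
        else:
            buckets["deferred"].append(f)
    # Most severe first, so the report mirrors "investigate the worst first".
    for bucket in buckets.values():
        bucket.sort(key=lambda f: -f.score)
    return buckets


def gate_passes(current: list[Finding], baseline: list[Finding], threshold: int = 60) -> bool:
    """True when no new finding at or above the threshold was introduced."""
    fps = {f.fingerprint() for f in baseline}
    return not triage(current, fps, threshold)["blocking"]


def main() -> int:
    current = load_findings(CURRENT_JSON)
    baseline = load_findings(BASELINE_JSON)
    buckets = triage(current, {f.fingerprint() for f in baseline}, threshold=60)
    for name, findings in buckets.items():
        print(f"{name} ({len(findings)}):")
        for f in findings:
            print(f"  [{f.score:3d}] {f.warning_class} {f.file}:{f.line}  {f.snippet}")
    # Non-zero exit is what makes the CI job, and therefore the merge, fail.
    return 0 if gate_passes(current, baseline, threshold=60) else 1


if __name__ == "__main__":
    sys.exit(main())
```

Run as a job in the merge-request pipeline after the analysis step, with the baseline export stored from the initial scan; raising the threshold over time, or eventually gating on backlog findings too, is how the staged rollout widens without handing developers more warnings than they can absorb.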
DevSecOps Tech Stack & CodeSonar Integrations
CodeSonar offers a rich set of integrations in all parts of the DevSecOps stack. On the development side of the stack there are integrations with IDEs such as Eclipse and Visual Studio and with development repositories in GitHub and GitLab. CodeSonar supports Docker container environments for scalability and portability. Integration extends to the CI/CD workflow and orchestration tools such as GitLab, GitHub and Jenkins.
CodeSonar DevSecOps technology stack integration
CodeSonar CI/CD Integration – GitLab example
To illustrate the type of integration that CodeSonar provides, consider our GitLab integration. CodeSonar is invoked during the automated build and test phase of the continuous integration process in a GitLab workflow. As with most developer code changes, a new branch is created and fixes or new features are added. During the build phase, CodeSonar analysis runs at the same time. Errors and warnings from both the build and CodeSonar are presented to developers in their familiar interface. Upon completion, a merge request is used to push those changes into the main branch.
CodeSonar is triggered during the automated build and test phase in GitLab.
The developer workflow remains unchanged and developers remain in the tools and UI they are familiar with.
Example warnings from CodeSonar in the GitLab UI
CodeSonar: Built-in Security Reports
Another important aspect of CodeSonar integration into DevSecOps is the ability to create reports specifically for industry standards such as the OWASP Top 10 (2017) and the SANS/CWE Top 25 (2020). Each is a comprehensive report displaying which application security risks have been found in the analysis, together with the specific CodeSonar warning class that was reported for each. An OWASP Top 10 violation report is shown below.
An example OWASP Top Ten violation report from CodeSonar
SAST plays an important role in improving quality, security and safety, and it is imperative that it becomes part of every DevSecOps development pipeline. SAST helps build better applications quicker by shifting quality and security earlier in the development cycle. CodeSonar is designed to integrate seamlessly with industry-standard IDEs and CI/CD orchestration tools to make it a natural part of the DevSecOps process. Developers can improve the security of their code incrementally as tool expertise grows while continuing to work in their familiar development environment.
Request a CodeSonar demo to learn how you can “shift left.”