
DevOps Challenge Day 9⚙️: Security Testing

  • 14 October 2023
  • Community Manager

Question: Why is it crucial for both testers and developers to incorporate security testing into the DevOps pipeline? 

Answer in the comments below. The next task will be live tomorrow, on Oct. 15.


3 replies

Incorporating security testing into the DevOps pipeline aligns with DevSecOps principles and enhances overall application security. It is crucial for both testers and developers for, among others, the following reasons:

  1. Early detection of security vulnerabilities.
  2. Cost-effective issue resolution.
  3. Promotes a "shift-left" culture of security.
  4. Reduces the risk of breaches, compliance violations, and reputation damage.
  5. Provides continuous feedback for timely adjustments.
  6. Consistent and automated security checks.
  7. Ensures compliance with regulations.
  8. Faster vulnerability remediation.
  9. Fosters collaboration between testers and developers.
  10. Mitigates legal, financial, and reputational risks.
  11. Ongoing protection against evolving threats.
  12. Builds trust with customers and stakeholders.
  13. Educates developers and testers on secure coding practices.

There are various reasons (such as improving the company culture, shifting left, reducing the risk, etc.), but the main one would probably be the cost savings. It costs much more to fix the issue while the product is being built and (in the worst-case scenario) shipped than to fix it while coding. Incorporating various testing tools such as SAST and DAST can save money as well as improve the overall quality of the product.

From the pragmatic point of view, it is much easier to incorporate security into each and every stage of a CI/CD pipeline. Imagine you got tasked with putting together an SBOM (Software Bill of Materials) of all the components your product is using. Wouldn't it be easier to just use an SCA tool to perform the scanning and dependency checking during the build phase? It is much easier to check each and every component of a car separately than to investigate the whole car.
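To make the build-phase SCA idea in the reply above concrete, here is an added example (not code from the poster or from any real SCA tool) of the minimal check such a tool performs: read a CycloneDX-style SBOM emitted by the build, compare each component's version against an advisory feed, and return findings so the pipeline step can fail. The SBOM content and the advisory feed are constructed for the example, and the advisory identifiers (`ADV-EXAMPLE-0001`, `ADV-EXAMPLE-0002`) and package names are hypothetical placeholders, not real advisories or packages.

```python
"""Toy build-phase software-composition check over a CycloneDX-style SBOM.

Added illustration only: a real SCA tool pulls advisories from a live feed and
understands many version schemes; this shows the core comparison logic.
"""
import json
import sys
from typing import Dict, List, Tuple

# Constructed sample SBOM, shaped like the CycloneDX JSON a build step might emit.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"type": "library", "name": "example-http", "version": "1.2.3"},
        {"type": "library", "name": "example-yaml", "version": "0.9.1"},
        {"type": "library", "name": "example-crypto", "version": "3.0.0"},
    ],
})

# Constructed advisory feed (hypothetical ids, not real CVEs):
# package name -> list of (first fixed version, advisory id).
ADVISORIES: Dict[str, List[Tuple[str, str]]] = {
    "example-yaml": [("1.0.0", "ADV-EXAMPLE-0001")],
    "example-crypto": [("2.5.0", "ADV-EXAMPLE-0002")],
}


def parse_version(version: str) -> Tuple[int, ...]:
    """Parse a dotted numeric version ("1.2.3") into a comparable tuple.

    A non-numeric suffix in a segment ("3-rc1") is dropped after its leading
    digits; a segment with no digits counts as 0.
    """
    parts = []
    for piece in version.split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def load_components(sbom_json: str) -> List[Tuple[str, str]]:
    """Return (name, version) pairs from a CycloneDX-style SBOM document."""
    bom = json.loads(sbom_json)
    if bom.get("bomFormat") != "CycloneDX":
        raise ValueError("unsupported SBOM format: %r" % bom.get("bomFormat"))
    return [
        (c["name"], c["version"])
        for c in bom.get("components", [])
        if "name" in c and "version" in c
    ]


def find_vulnerable(components: List[Tuple[str, str]],
                    advisories: Dict[str, List[Tuple[str, str]]]) -> List[dict]:
    """Flag every component whose version is below an advisory's fixed version."""
    findings = []
    for name, version in components:
        for fixed_in, advisory_id in advisories.get(name, []):
            if parse_version(version) < parse_version(fixed_in):
                findings.append({
                    "component": name,
                    "version": version,
                    "fixed_in": fixed_in,
                    "advisory": advisory_id,
                })
    return findings


def build_should_fail(findings: List[dict]) -> bool:
    """Gate policy for the pipeline step: any finding blocks the build."""
    return bool(findings)


def run_check(sbom_json: str = SAMPLE_SBOM,
              advisories: Dict[str, List[Tuple[str, str]]] = ADVISORIES) -> List[dict]:
    """Run the check and print findings the way a CI log would show them."""
    findings = find_vulnerable(load_components(sbom_json), advisories)
    for f in findings:
        print("VULNERABLE %s %s (fixed in %s) %s"
              % (f["component"], f["version"], f["fixed_in"], f["advisory"]))
    return findings


if __name__ == "__main__":
    # Non-zero exit status is what makes the CI stage fail.
    sys.exit(1 if build_should_fail(run_check()) else 0)
```

Wired into a build stage, the script's exit status is the whole point: a finding turns into a failed job, so the fix happens at the commit that introduced the dependency rather than after shipping, which is the cost argument the reply makes.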


There are several compelling reasons for integrating security into every stage of the CI/CD pipeline, including enhancing company culture, shifting left, reducing risk, and more. However, I have to agree with the above comment, and say that the most significant motivator is likely cost savings.


In recent times cyber attacks have become more and more frequent, so companies are more aware of the need to implement security in the SDLC. And since the CI/CD pipeline is one of the main areas where you can check the whole code before a deployment, having security checks here is key.
