Pushing Left, Like a Boss — Part 8: Testing

This article is part of a series, and the previous article was Part 7: Code Review and Static Code Analysis.

Testing can happen as soon as you have something to test.

It is my belief that testing should be done throughout the development lifecycle, and not only during the testing phase. We want feedback as soon as possible, to ensure we make a high-quality product that customers actually want. Below I will lay out some strategies for security testing.

  • Provide developers with security scanning software (such as OWASP Zap), teach them to use it, and ask them to fix everything it finds before sending it to QA.

Add automated security testing into your pipeline, specifically:

  • VA scanning of infrastructure (missing patches/bad config — this applies to containers as well as VMs, though you use different tools to scan each)
  • 3rd party components and libraries for known vulnerabilities
  • Dynamic Application Security Testing (DAST) — only do a passive scan so that you don’t make the pipeline too slow
  • Static Application Security Testing (SAST) — do this carefully: it can be incredibly slow, so scan for only one type of bug at a time, and if it’s still too slow then run it outside the pipeline
  • Security Hygiene — verify your encryption status, that you are using appropriate security headers, that HTTPS is forced, etc.
  • Anything else you can think of, as long as it’s fast. If you slow the pipeline down a lot you will lose friends in the Dev team.

Q&A at #DevSecCon Seattle, 2019
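As an added example (not code from the original post), here is the kind of fast "security hygiene" check from the list above that can gate a pipeline: it inspects the headers of an HTTPS response and confirms that the plain-HTTP counterpart redirects to HTTPS. The header names and thresholds are the usual ones (HSTS with a max-age of at least one year, a CSP, nosniff, frame options, a referrer policy); the sample responses are constructed inline so the check runs offline, and in a real pipeline you would fetch them from a test environment with an HTTP client.

```python
"""Added example: a minimal security-hygiene check for a CI pipeline.

Checks two things the post asks for: appropriate security headers on the
HTTPS response, and that HTTP is forced to HTTPS. Sample responses at the
bottom are constructed for illustration, not captured from a real site.
"""
from dataclasses import dataclass, field


@dataclass
class Response:
    status: int
    headers: dict = field(default_factory=dict)


def _get(headers, name):
    """Case-insensitive header lookup; HTTP header names are not case-sensitive."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def _hsts_max_age(value):
    """Parse the max-age directive of a Strict-Transport-Security value."""
    for directive in value.split(";"):
        key, _, val = directive.strip().partition("=")
        if key.lower() == "max-age" and val.strip().isdigit():
            return int(val)
    return 0


# Header name -> predicate that decides whether the value is acceptable.
EXPECTED_HEADERS = {
    "Strict-Transport-Security": lambda v: _hsts_max_age(v) >= 31536000,  # >= 1 year
    "Content-Security-Policy": lambda v: bool(v.strip()),
    "X-Content-Type-Options": lambda v: v.strip().lower() == "nosniff",
    "X-Frame-Options": lambda v: v.strip().upper() in ("DENY", "SAMEORIGIN"),
    "Referrer-Policy": lambda v: bool(v.strip()),
}


def check_https_response(resp):
    """Return a list of findings (empty when all expected headers are present and sane)."""
    findings = []
    for name, acceptable in EXPECTED_HEADERS.items():
        value = _get(resp.headers, name)
        if value is None:
            findings.append(f"missing header: {name}")
        elif not acceptable(value):
            findings.append(f"weak value for {name}: {value!r}")
    return findings


def check_http_redirect(resp):
    """HTTP must answer with a permanent redirect to an https:// Location."""
    location = _get(resp.headers, "Location") or ""
    if resp.status not in (301, 308) or not location.lower().startswith("https://"):
        return ["HTTP is not redirected to HTTPS"]
    return []


def hygiene_findings(http_resp, https_resp):
    """Combine both checks; a non-empty result should fail the pipeline stage."""
    return check_http_redirect(http_resp) + check_https_response(https_resp)


# Constructed sample responses (hypothetical host "example.test").
GOOD_HTTP = Response(301, {"Location": "https://example.test/"})
GOOD_HTTPS = Response(200, {
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY",
    "Referrer-Policy": "no-referrer",
})
WEAK_HTTP = Response(200, {"Content-Type": "text/html"})       # serves content over HTTP
WEAK_HTTPS = Response(200, {
    "Content-Type": "text/html",
    "Strict-Transport-Security": "max-age=300",                # far too short
    "X-Frame-Options": "ALLOWALL",                             # not a valid restriction
})


if __name__ == "__main__":
    import sys
    findings = hygiene_findings(WEAK_HTTP, WEAK_HTTPS)
    for f in findings:
        print("FAIL:", f)
    sys.exit(1 if findings else 0)   # non-zero exit fails the pipeline stage
```

Run as a script it prints each finding for the weak sample and exits non-zero, which is all a pipeline stage needs to block the build; the check takes milliseconds, so it meets the "as long as it's fast" rule.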

Read the rest on my new blog!
