Static Code Analysis (SAST)
Dynamic Code Analysis (DAST)
Library dependencies vulnerability checks
Docker Image vulnerabillty checks
Runtime container anomalies
Runtime dependency security vulnerabilities
Defining all security checks and controls as code help a step forward to have a common base with development teams.
Considering security is included in the DoD(Definition of Done),
- Pair programming
should be in place to enable the most shift-left!
There are several tools and practices for dependency checks on your code. Based on the tool capabilities, security checks, and instant feedback can be provided to developers by using the plugins on Development IDEs. Here are the common tools that we support for dependency controls:
We are suggesting those tools based on the evidence of their community and the wide support on the CI/CD pipeline.
Static Application Security Testing (SAST) consists of code-level security checks. Although there are several programming language-specific OpenSource free or commercial tools, Sonarqube seems to gain a wider acceptance from the developer community and is accepted by developer teams.
Dynamic Application Security Testing (DAST) is related to analyzing actual flows in the code runtime. Integrating such solutions on DevOps pipeline also means applying shift-left with tools such as Fortify WebInspect.
Containers and their orchestration platform Kubernetes should also be a part of several security measures, controls and checks.
"Shift-left" approach for Docker containers and Kubernetes is related to analyzing the security risks on Dockerfile level and Kubernetes cluster-wide and application-specific declarative definitions. At Kloia, we are benefiting from several OpenSource and commercial tools, as well as internal practices, to identify such risks. We also have a "Kubernetes Audit" Solution where we check the Kubernetes clusters in four dimensions, including the Security. We also refer to CIS Kubernetes Benchmarks as a reference guide.
Regarding the runtime security, although we have tried out the alternatives, Prisma Cloud(formerly Twistlock) became the Kloian choice with its wider support, especially for runtime security. However, it has wider features including Public-Cloud and dependency checks which also means it's playing a wider role in that security domain.