登录查看更多内容

How can you ensure security testing is included in every stage of continuous delivery?

由人工智能和领英社区提供技术支持

Security testing is an essential part of ensuring the quality and reliability of software products. However, it can be challenging to integrate security testing into continuous delivery, a process that aims to deliver software faster and more frequently. How can you ensure security testing is included in every stage of continuous delivery? Here are some tips and best practices to help you achieve this goal.

此文章中的业界达人

由社区从 6 条内容中精选。了解更多

Priscila Caimi ??

Software Engineering | Embaixadora WTM e Cantinho das QAs | Youtube Creator | +4 mil alunos no Mundo
udhaya karthick

Lead QA Analyst
?? Ardit D

Q? ???? @?????? | Q? ?????????? | Cybersecurity

1 Plan security testing upfront

Security testing should not be an afterthought or a separate phase in continuous delivery. It should be planned and designed from the start, along with the functional and non-functional requirements of the software. You should identify the security risks, threats, and vulnerabilities that your software may face, and define the security objectives, criteria, and metrics that you want to achieve. You should also select the appropriate security testing tools, techniques, and frameworks that suit your software and your continuous delivery pipeline.

添加您的观点

?? Ardit D

Q? ???? @?????? | Q? ?????????? | Cybersecurity
举报内容
The most important steps of this phase is : - Get the exact info on the budget and project requirements which will be keys to define the security standards, goals, etc and generally what you want to achieve with the project setting realistic expectations - the early bird, gets the worm... get involved early to help achieve the project security goals ( especially for the software architecture, implementing secure coding standards, etc). Doing this later is often not affordable cost wise. - A thorough risk assessment should be done to identify the security threats, vulnerabilities and most common attack vectors, prioritizing the most important assets / components.

已翻译

赞
udhaya karthick

Lead QA Analyst
举报内容
Quality is everybody's responsible and so is the security. Dedicated penetration testing teams may test application when basic testing is done and handed over to pen testing teams. Identifying security bug and resolving it will be costly as it will go again to one more round of testing. Hence security testing must be plan upfront to accommodate the start of testing parallel to the functional testing.

已翻译

赞

2 Integrate security testing into the pipeline

Security testing should be integrated into every stage of the continuous delivery pipeline, from code development to deployment and monitoring. You should automate as much as possible, using tools that can perform static, dynamic, and interactive security testing on your code, dependencies, configurations, and artifacts. You should also run security tests in parallel with other tests, such as unit, integration, and performance tests, to reduce the feedback time and the risk of errors. You should also implement security gates, checkpoints, and feedback loops that can alert you to any security issues and prevent the deployment of insecure software.

添加您的观点

?? Ardit D

Q? ???? @?????? | Q? ?????????? | Cybersecurity
举报内容
- As with any software, before integrating it it should be tested extensively and build after manual testing and considerations (also the efficiency and performance). - Cross referencing is very important especially if you rely on tools , using at least 2 tools that do the same thing (whenever possible) saves allot of time with false positives and improper reports.

已翻译

赞

3 Adopt a shift-left approach

Shift-left is a concept that means moving security testing to the earlier stages of the software development lifecycle, rather than waiting until the later stages. This can help you detect and fix security issues faster, cheaper, and easier, as well as improve the quality and security of your software. You can adopt a shift-left approach by involving security experts, testers, and developers in the planning and design of the software, by educating and training them on security best practices and standards, and by using tools and methods that can enable security testing in the development environment, such as code analysis, code reviews, and threat modeling.

添加您的观点

?? Ardit D

Q? ???? @?????? | Q? ?????????? | Cybersecurity
举报内容
The most important thing here imho is Communication, because it takes two to tango. If you don't manage to build the appropriate culture for a two way bridge the shift-left approach will be a pipe dream practically speaking. Education shouldn't be a monologue but a dialogue.

已翻译

赞

4 Follow a DevSecOps culture

DevSecOps is a culture that emphasizes the collaboration and communication between the development, security, and operations teams, as well as the integration of security into the entire software delivery process. DevSecOps can help you ensure security testing is included in every stage of continuous delivery, by fostering a shared responsibility and accountability for security, by aligning the security goals and objectives with the business and customer needs, and by promoting a continuous learning and improvement mindset for security. DevSecOps can also help you create a feedback-driven and agile security testing process, that can adapt to the changing requirements and risks of your software.

添加您的观点

5 Monitor and improve security testing

Security testing is not a one-time activity or a final destination. It is a continuous and iterative process that requires constant monitoring and improvement. You should collect and analyze the data and results from your security testing activities, such as the number and severity of security issues, the coverage and effectiveness of security tests, and the time and cost of security testing. You should also use this data to identify the gaps, weaknesses, and opportunities for improvement in your security testing process, and to implement the necessary changes and actions to enhance your security testing performance and outcomes.

添加您的观点

6 Here’s what else to consider

This is a space to share examples, stories, or insights that don’t fit into any of the previous sections. What else would you like to add?

添加您的观点

Priscila Caimi ??

Software Engineering | Embaixadora WTM e Cantinho das QAs | Youtube Creator | +4 mil alunos no Mundo
举报内容
Com certeza incluir n?o só os testes de seguran?a mas todos de requisitos n?o funcionais em uma pipeline garante a execu??o e gerenciamento simplificados pelo time.

已翻译

赞
udhaya karthick

Lead QA Analyst
举报内容
My own experience, when doing testing a new product/API/feature in early stage of development cycle has performed few security checks. This was not necessary to be a tool or automatic tools but by learning from the defects logged by Pen testing on the products I qualified. With this approach testers can add extra value and reduce the cycle time in product development.

已翻译

赞

Software Testing

+ 关注

给文章评分

我们借助人工智能创建了此文章。您认为这篇文章怎么样？

很棒不太好

举报此文章

查看全部

How can you ensure security testing is included in every stage of continuous delivery?

1

2

3

4

5

6

1 Plan security testing upfront

2 Integrate security testing into the pipeline

3 Adopt a shift-left approach

4 Follow a DevSecOps culture

5 Monitor and improve security testing

6 Here’s what else to consider

Software Testing

给文章评分

感谢您的反馈

更多Software Testing相关文章

更多相关阅读内容

How can you ensure security testing is included in every stage of continuous delivery?

1

2

3

4

5

6

1 Plan security testing upfront

2 Integrate security testing into the pipeline

3 Adopt a shift-left approach

4 Follow a DevSecOps culture

5 Monitor and improve security testing

6 Here’s what else to consider

Software Testing

给文章评分

感谢您的反馈

查看其他技能