How do you integrate web application security scanning into your development and deployment process?

In my experience, when selecting a web application security scanning tool, consider its coverage and accuracy, integration capabilities, vulnerability detection abilities, and reporting and remediation features. Prioritize tools that detect common and emerging vulnerabilities and provide clear and actionable results.

There are several different types of scans, and their relevant tools, as well that are each more or less relevant at different stages of the development lifecycle. Early in development, security focused unit tests are very effective at identifying early gaps or vulnerabilities in small snippets of new code. As the code reaches later stages, there are static code analysis tools (that analyze raw source code), dynamic code analysis tools (that analyze active functionality and code in action), and full vulnerability scanning tools (that scan the complete application).

At MTECH, we prioritize security from the outset of our development cycle. We employ Continuous Integration tools to automate security scans with every code push, ensuring vulnerabilities are identified early. Additionally, both Static and Dynamic Application Security Testing are integrated into our process. Before deployment, our applications undergo rigorous environment-specific scans to ensure a secure and robust final product. Best regards, Dexter McGriff President & CEO, MTECH

Please kindly elaborate on how web application scanning can be integrated with the development pipeline. GitHub has code scanning tools but I have not come across a web scanning tool so eager to learn.

During development, your scanning focus should be on security-based unit testing and source code analysis. Unit testing is usually driven by the developers while source code analysis tools, such as Veracode or Checkmarx, can integrate directly with a developer's tools and development processes. OWASP provides a long list of both commercial and free static code analysis tools for various coding languages and frameworks.

This is often overlooked, but even in the best development programs, there are often subtle configuration differences between environments that can hide or reveal security issues.

Never shame developers who introduce security issues with this feedback. Even on the best teams with the best developers, security issues can sneak in because of tight deadlines, forced shortcuts, or just a general lack of awareness. Building a secure development culture means helping and guiding with your feedback.

All scan results and vulnerabilities need to be only shown as a need to know. Strict control of these is critical to avoid those weaknesses being leaked to the wrong people. A scan is just a test and we only get better with feedback. Developers are not necessarily cyber experts and will appreciate a professional service.

As part of the Canadian Standard, CyberSecure Canada, we use Owasp top 10 as a starting point, and recommend that they should implement regular testing. Ideally, a proper pen-test should be done, but at least do something. What we look for is making sure that the windows are closed, the doors are locked. Doing something is always better than nothing and waiting for the inevitable to happen and the fix the problem. #cyberSecurecanada #cybersecuritycanada

The article is very good. But we can enhance the security by performing continuous penetration testing, setup key process for promoting the code to other branches. Also it can further be enhanced by performing real time scanning/threats on running/deployed apps.

You mentioned web application as part of the GitHub process. Could you recommend some ? secure Code analysis tools like CodeQL is available but I am not aware of any as part of GitHub

Code scanning, and security in general, can too often be an after-thought when it comes to application development, but the earlier in the development process that security issues are identified, the cheaper and less time consuming they are to fix. Even a small amount of proactive planning and scanning can save an enormous amount of trouble.