https://docs.microsoft.com/en-us/azure/devops/migrate/security-validation-cicd-pipeline?view=azure-devops
CI (Continuous Integration)
The CI build should be executed as part of the pull request (PR-CI) process discussed above and once the merge is complete. Typically, the primary difference between the two runs is that the PR-CI process doesn't need to do any of the packaging/staging that is done in the CI build. These CI builds should run static code analysis tests to ensure that the code is following all rules for both maintenance and security. Several tools can be used for this.
- Checkmarx - A Static Application Security Testing (SAST) tool
- BinSkim - A binary static analysis tool that provides security and correctness results for Windows portable executables
Many of the tools seamlessly integrate into the Azure Pipelines build process. Visit the VSTS Marketplace for more information on the integration capabilities of these tools.
One tool to consider for penetration testing is OWASP ZAP.
Refer to the OWASP ZAP VSTS extension repo for details on how to set up the integration.
In addition to validating the application, the infrastructure should also be validated to check for any vulnerabilities. When using a public cloud such as Azure, deploying the application and shared infrastructure is easy, so it is important to validate that everything has been done securely. Azure includes many tools to help report and prevent these vulnerabilities, including Security Center and Azure Policies. We have also set up a scanner that checks that every public endpoint and port has been added to an allow list, and raises an infrastructure issue for any that has not. It runs as part of the Network pipeline to provide immediate verification, but it also needs to run each night to ensure that no resource is publicly exposed that should not be.
Once the scans have completed, the Azure Pipelines release is updated with a report that includes the results, and bugs are created in the team's backlog. A bug that has been marked resolved is closed if the vulnerability no longer appears, and moved back to in-progress if it still exists.
The benefit of this approach is that vulnerabilities become bugs, that is, actionable work that can be tracked and measured. False positives can be suppressed using OWASP ZAP's context file, so only true vulnerabilities are surfaced.
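The allow-list check and backlog bug creation described above, as an added Python example that is not Microsoft's scanner or any Azure API: the inventory shape, the resource names and the allow-list format are assumptions, and the sample inventory is constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Finding:
    resource: str
    port: "int | str"   # an int, or "*" when the rule opens every port
    source: str

# Constructed sample inventory (assumed shape, not Azure's own output), one entry per inbound rule.
INVENTORY = [
    {"resource": "web-lb",  "ports": "443",       "source": "Internet"},
    {"resource": "web-lb",  "ports": "80",        "source": "0.0.0.0/0"},
    {"resource": "jump-vm", "ports": "22",        "source": "10.0.0.0/8"},
    {"resource": "jump-vm", "ports": "3389",      "source": "*"},
    {"resource": "api-vm",  "ports": "8000-8002", "source": "Internet"},
    {"resource": "db-vm",   "ports": "*",         "source": "Internet"},
]
# (resource, port) pairs the team has reviewed and approved (hypothetical).
ALLOW_LIST = {("web-lb", 443), ("web-lb", 80), ("api-vm", 8000)}
PUBLIC_SOURCES = {"*", "0.0.0.0/0", "internet", "any"}

def is_public(source: str) -> bool:
    """True when the rule admits any internet source."""
    return source.strip().lower() in PUBLIC_SOURCES

def expand_ports(spec: str) -> list:
    """'22' -> [22]; '8000-8002' -> [8000, 8001, 8002]; '*' -> ['*']."""
    spec = spec.strip()
    if spec == "*":
        return ["*"]
    lo, _, hi = spec.partition("-")
    return list(range(int(lo), int(hi or lo) + 1))

def find_exposures(inventory: list, allow_list: set) -> list:
    """Internet-reachable (resource, port) pairs that are not on the allow list."""
    findings = []
    for rule in inventory:
        if not is_public(rule["source"]):
            continue
        for port in expand_ports(rule["ports"]):
            if (rule["resource"], port) not in allow_list:
                findings.append(Finding(rule["resource"], port, rule["source"]))
    return findings

def to_bug(f: Finding) -> dict:
    """Backlog item for one finding, so each exposure becomes trackable work."""
    port = "all ports" if f.port == "*" else f"port {f.port}"
    return {"title": f"Public exposure: {f.resource} on {port}",
            "description": f"{f.resource} admits {f.source} on {port}."}
```

A wildcard port is cleared only by a wildcard allow-list entry, so an "all ports" rule is never silently covered by a single approved port.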
Reference information
- BinSkim - A binary static analysis tool that provides security and correctness results for Windows portable executables
- Checkmarx - A Static Application Security Testing (SAST) tool
- Manage your open source usage and security as reported by your CI/CD pipeline
- OWASP
- OWASP ZAP VSTS extension
- WhiteSource Software
- Visual Studio Code Analysis and the Roslyn Security Analyzers