Accelerating Devsecops with Containers and Continuous Testing PARASOFT.COM


WHITEPAPER

DevSecOps represents a shift in software development processes that stresses collaboration between end users, developers, and IT professionals. Software test automation can enhance these connections and help organizations achieve the desired acceleration of secure software development.

Software test automation plays an important role, but it's just one piece of the DevSecOps puzzle. Testing is often one of the greatest constraints in the software development life cycle (SDLC), so optimizing security processes to allow testing to begin earlier, as well as to shrink the amount of testing required, has a significant impact on the security of the software and on development efficiency.

Containers play an important role in the secure deployment of software, providing a standardized, lightweight, and reproducible execution environment for applications in a DevSecOps pipeline. Containers are also becoming helpful in development, as containerized development and testing environments provide benefits like those in deployment. Containers have an important role to play in modern DevSecOps development because they can help shift-left security processes in software development.

Adopting a continuous testing process (more than just automated tests running regularly) helps promote all of the core pillars of DevSecOps:

» Collective responsibility
» Collaboration and integration
» Pragmatic implementation
» Compliance and development
» Automation and measurement
» Monitoring and reporting

This paper looks at the role of containers in development and testing as part of a DevSecOps pipeline in the context of a continuous testing regimen for achieving both quality and security.

CONTAINERS FOR SECURE DEPLOYMENT

Containers are well established as an execution and deployment approach. They provide lightweight isolation for applications and (micro)services. Unlike more heavyweight options such as virtual machines, containers virtualize the operating system and are considered more portable and efficient.

Containers are a perfect fit for continuous integration (CI) and continuous deployment (CD) pipelines. They support rapid deployment with portability across different host environments and with support for version control. They are also important for security since it's possible to provide a reproducible application environment with built-in security controls. For example, controlling and arbitrating the communication between components, referred to as the sidecar pattern, is recommended as part of the DoD Enterprise DevSecOps initiative.

MANAGING COMPLEX DEV ENVIRONMENTS

Containerized deployments of development tools are becoming popular with development teams. Although containers were initially developed to solve problems with the deployment of microservices and web-based applications, they recently gained popularity with software teams as a way to standardize and manage their complex toolchains. This becomes especially useful in embedded software development, where toolchains are complex and must support multiple target environments.

When it comes to managing complex development environments, teams usually struggle with the following challenges.

» Synchronizing upgrades for the entire team to a new version of a tool like a compiler, build toolchain, and so on.
» Dynamically reacting to a new security patch for the library or software development kit (SDK), and the like.
» Assuring consistency of the toolchain for all team members and the automated infrastructure (CI/CD).
» Versioning the development environment and restoring it to service an older version of the product.
» Onboarding and setting up new developers.

Containers for development environments are also suitable for SAST (static application security testing) and test automation tools. In fact, it's possible to create a standardized, easily deployable development and test environment using containers. This ensures every developer works from the same versions of tools with the same configurations.

CONTAINERS SHIFT-LEFT SECURITY IN DEVSECOPS

The drive to shift-left security in the SDLC comes from the desire to find and fix bugs and security vulnerabilities as early as possible. Issues are much easier, cheaper, and less risky to fix early, not later. This is common sense, but the software industry is full of examples where critical defects caused catastrophic results.

Figure 1: Finding and fixing security vulnerabilities early is cheaper and less risky. Source: Applied Software Measurement, Capers Jones.

The essential requirements to shift-left security center around the need to incorporate security into any and all applications at the very beginning. Security can't be added on; it must be built in. Here are some of the steps you can take to shift-left security in the DevSecOps pipeline and provide the necessary platform for continuous testing.

Use SAST as early as possible. Modern SAST tools find deep reliability and security issues hidden within the code that are often overlooked by human inspection or dynamic testing. Part of the adoption process should focus on a relevant coding standard. For regulated industries, coding standards (MISRA C 2012 or AUTOSAR C++14) are already defined for safety critical applications. For other types of applications, it's a good idea to consider coding standards focused on secure code development. The popular options are SEI CERT, OWASP Top 10, and CWE Top 25 and On the Cusp.

Introduce unit testing early. In the early stages of development, it's important to start unit testing and the adoption of continuous testing practices. A foundation of unit tests ensures that code is functional, well designed, and meets requirements, including security requirements. The emphasis should be on proactively using unit testing from the beginning, which results in better code that is easy to maintain, debug, and regression test. Unit testing is the ultimate shift-left component to focus the use of tools and test automation. Equally important is understanding how tests correlate back to the original work items; in other words, requirements traceability, to understand which functionality is tested and validated.

Focus on API testing. End-to-end testing of the assembled application can be done earlier and more effectively with API testing. These tests can be deployed in virtual or production environments via containers as appropriate. Using functional test automation, it is possible to validate the application at the API level, whether it is REST APIs, web services, or any other protocol message level testing. API level testing provides the ability to test system functionality with more reusability, shorter execution times, and less impact from changes at the UI level.

Maintain a centralized view of security and quality. Combining several test automation techniques results in a lot of quality information. This data is useful, but the sheer volume makes it difficult to gain insight into the security and quality of your deliverables and to make decisions about the release or changes in the development process. To support decision making, this data must be aggregated into a centralized view of quality. Graphical dashboards provide a top-level view of testing progress, and correlating quality and security data to your requirements and user stories provides true bidirectional traceability so you can assess the business risk and impact of gaps in your testing practices.

CONTAINERIZED DEVELOPMENT ENVIRONMENT

Containers in the development context support these goals in several ways, most importantly by providing a repeatable, versioned, and lightweight development environment. The containerized development environment includes all the necessary tools with the same version and configuration for each developer.

The development environment can include the correct versions and configurations of SAST, unit test, build toolchain, and other tools as needed. Team leads and security analysts provide the necessary tools and configurations for these environments based on observed results and feedback from the continuous processes, illustrated below.

[Figure 2 diagram labels: Policy Improvements; Dev Stream; SAST; IDE; QA/Integration; Security; Deploy; Build; Unit Test; Code traceability provides root-cause analysis; Containerized Development Environment]

Figure 2: Containers can be used for build, SAST analysis, and unit and API testing among others. Security policies and improvements are fed back into the development environment.

This feedback loop is critical to the success of continuous development and DevSecOps. Containerized environments boost this by providing a known starting point for improvement. Removing the possible differences each developer may have in their desktop environment removes the possibility of errors from tool version mismatches. The containerized development environment can be deployed on a regular basis, updated with new configurations, and redeployed.
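
An added example, not from the whitepaper or any Parasoft product: a check that a CI job could run inside the container to catch the tool version mismatches described above. The manifest, tool names, and version banners are constructed for illustration.

```python
import re

# Hypothetical pinned manifest shipped with the container image (constructed values).
PINNED = {"gcc": "12.2.0", "cmake": "3.25.1", "python3": "3.11.2"}

# Constructed `<tool> --version` banners, as captured in one developer's environment.
OBSERVED = {
    "gcc": "gcc (Debian 12.2.0-14) 12.2.0\nCopyright (C) 2022 Free Software Foundation, Inc.",
    "cmake": "cmake version 3.27.4\n\nCMake suite maintained and supported by Kitware",
    "make": "GNU Make 4.3\nBuilt for x86_64-pc-linux-gnu",
}

VERSION_RE = re.compile(r"\b\d+(?:\.\d+){1,3}\b")


def parse_version(banner):
    """Return the last dotted version on the banner's first line, or None."""
    lines = banner.strip().splitlines()
    found = VERSION_RE.findall(lines[0]) if lines else []
    return found[-1] if found else None


def check_drift(pinned, observed):
    """List every deviation from the manifest as (tool, expected, actual, status).

    status is 'mismatch' (wrong version), 'missing' (pinned tool not reported)
    or 'unpinned' (tool present in the environment but absent from the manifest).
    """
    findings = []
    for tool, expected in pinned.items():
        if tool not in observed:
            findings.append((tool, expected, None, "missing"))
            continue
        actual = parse_version(observed[tool])
        if actual != expected:
            findings.append((tool, expected, actual, "mismatch"))
    for tool in observed.keys() - pinned.keys():
        findings.append((tool, None, parse_version(observed[tool]), "unpinned"))
    return sorted(findings, key=lambda f: f[0])


if __name__ == "__main__":
    drift = check_drift(PINNED, OBSERVED)
    for tool, expected, actual, status in drift:
        print(f"{status:9} {tool}: expected={expected} actual={actual}")
    # A non-zero exit fails the pipeline stage until the image is rebuilt or re-pinned.
    raise SystemExit(1 if drift else 0)
```

Reporting unpinned tools alongside mismatches keeps the manifest honest: anything a build depends on but nobody versioned shows up as a finding instead of silently varying between developers.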

CONTINUOUS TESTING TO ACCELERATE SECURITY IN DEVSECOPS

Modern DevSecOps initiatives require the ability to assess the risks associated with a release
