Security is no longer an afterthought, it’s an integral part of our continuous integration and delivery (CI/CD) pipeline. While DevOps practices focus more on agility and speed, DevSecOps ensures security is embedded tightly in the delivery pipeline. The competition is fierce, and customers demand new features fast. It is up to the organization's skill set and the tools they use that decide how quickly the new software and features are released to customers.
With so many tools, it can sometimes be overwhelming to determine how to integrate security into your DevOps toolchain. Today, we will show you how to integrate security tools, suites and frameworks of your choice into your CI/CD pipeline using the Harness platform.
CI/CD is a process where you build and deploy code automatically as soon as a new commit is made. The process usually involves building code, running test cases, executing static code analysis, and finally deploying the application. There are many tools that run on top of a CI/CD pipeline and help companies automate their workflow. To automate security testing in your CI/CD pipeline, you will need an automated way to run security scans against your code. This can be done by integrating different security tools into your CI/CD pipeline.
Manual testing is a time-consuming process and does not scale. While it’s good practice to do some manual testing before each release, it should be automated wherever possible. Testing can be automated by following these steps:
Running multiple security tests in parallel is a good practice, and we will demonstrate the same in this tutorial. Let us see some examples of test suites and tools we will be using.
Let us go through one by one and see what they are.
Assertible ensures the uptime and availability of your APIs and websites and the correctness of your data.
Snyk finds open-source vulnerabilities and license issues in your applications.
PM2 is a production process manager for Node. js applications with a built-in load balancer. It allows you to keep applications alive forever, to reload them without downtime and to facilitate common system admin tasks.
Sonarqube reports the code quality of your application.
BrowserStack does cross-browser testing of your application.
AppSignal does error tracking and performance monitoring of your application.
Harness integrates with over 40 of the most popular application security scanners available today.
Harness integrates well with all major tools, and the pipeline can be customized accordingly by choosing various tools and platforms at different stages of CI/CD. Similarly, when it comes to testing, the CI (Harness CI in our case) tool can be integrated with different tests to find bugs and vulnerabilities. Let us see how to configure Harness CI with all the above-mentioned security tests.
Start by forking the sample Node.js application:https://github.com/pavanbelagatti/harness-ci-example
Create the project and configure the “Build & Test” stage.
Under ‘‘Build & Test”, you can configure your different custom test suites. Use the “Run” step to configure as below.
You can configure all the different test suites using the “Run” step. Once all the tests are configured, save and run the pipeline. All the tests can be easily configured and the pipeline can be run with a single click. You should see the successful execution of the pipeline and all the tests passing. If there are any vulnerabilities, bugs, or mistakes found, the pipeline doesn’t move forward and halts there itself.
You can see all the tests passing.
CI/CD is a process that helps teams build, test, and deploy code faster and more efficiently. Since engineers must perform manual testing, there are more chances of error. As automation is becoming the centre of DevOps best practices, a tool carrying out security testing automation is preferred more. No doubt, security testing is a critical part of CI/CD and can be automated to save time and effort. In addition, it can reduce the risk of deploying unsafe code when done correctly.
Many tools can help you automate your CI/CD pipeline security testing. They include vulnerability scanners, code coverage analyzers, code review tools, static code analysis tools, post-failure tools, etc. All you need is a platform like Harness with CI/CD and security testing capabilities to ensure your deployments are 100% safe.
If you're interested in learning more about using Harness and intelligent software delivery, try it for free and check out our Developer Hub for more step-by-step tutorials, videos, and reference docs.
Enjoyed reading this blog post or have questions or feedback?
Share your thoughts by creating a new topic in the Harness community forum.