Series: QA in Agile SDLC (#3)

QA and application security!

Helping teams shift security practices left.

Karishma
Technogise

--

Credit: Photo by Nicholas Githiri from Pexels

Before reading this article, I would recommend reading Part 1 and Part 2 of this series, which cover the onset of my QA journey and my experience with performance testing respectively.

In this part, I will talk about application security.

Generally, a penetration testing cycle for a software application is carried out right before the release. If high-priority/high-severity issues are found, they need to be fixed and a second round of penetration testing carried out. All of this needs meticulous planning so that the release date is not put at risk. Knowing this, one of my projects focused on shifting security practices left in the SDLC, thus reducing this turnaround time. Some of my learnings from that are:

Performing iterative threat modelling goes a long way towards building security in.

Additionally, automating some security practices can be helpful. If done during project setup, we reap more benefits and reduce the testing cost. The next five points can help you get started:

  1. Dependency checkers (in the pipeline) to look for CVEs (Common Vulnerabilities and Exposures) in project dependencies.
  2. Tools like Hawkeye as a pre-commit hook to avoid pushing secrets into the repositories.
  3. Using SAST (Static Application Security Testing) / DAST (Dynamic Application Security Testing) tools for identifying the latest vulnerabilities.
  4. Setting up secure pipelines.
  5. Tools to analyse container security.
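
As an added illustration of point 2 (example code, not Hawkeye's own scanner or rule set), here is a minimal pre-commit hook in Python that reads the staged diff, flags added lines that carry credential-shaped strings or long high-entropy tokens, and exits non-zero so git aborts the commit. The signature patterns and the entropy threshold are illustrative assumptions; the script would be installed as `.git/hooks/pre-commit`.

```python
import math
import re
import subprocess

# Illustrative signatures for common credential formats (not Hawkeye's rule set).
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "credential_assignment": re.compile(
        r"(?i)\b(?:password|passwd|secret|api[_-]?key|token)\b\s*[:=]\s*['\"]?[A-Za-z0-9+/=_\-]{8,}"),
}
TOKEN_RE = re.compile(r"[A-Za-z0-9+/=_\-]{20,}")  # candidates for the entropy check
ENTROPY_THRESHOLD = 4.0  # bits/char (assumed); random hex or base64 material scores above this

def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for the empty string)."""
    if not s:
        return 0.0
    return -sum(p * math.log2(p) for p in (s.count(c) / len(s) for c in set(s)))

def classify(body: str):
    """Return (rule, snippet) if one added line looks like a secret, else None."""
    for rule, pat in PATTERNS.items():
        m = pat.search(body)
        if m:
            return rule, m.group(0)
    # Fallback: a long, high-entropy token that matches no known signature.
    for tok in TOKEN_RE.findall(body):
        if shannon_entropy(tok) >= ENTROPY_THRESHOLD:
            return "high_entropy", tok
    return None

def scan_diff_lines(lines):
    """Return (diff_line_no, rule, snippet) for each added diff line that looks like a secret."""
    findings = []
    for no, line in enumerate(lines, 1):
        if line.startswith("+") and not line.startswith("+++"):  # only newly added content
            hit = classify(line[1:])
            if hit:
                findings.append((no, *hit))
    return findings

if __name__ == "__main__":
    # The staged diff is exactly what git is about to commit.
    diff = subprocess.run(["git", "diff", "--cached", "--unified=0"],
                          capture_output=True, text=True, check=False).stdout
    hits = scan_diff_lines(diff.splitlines())
    for no, rule, snippet in hits:
        print(f"blocked commit: {rule} at diff line {no}: {snippet[:8]}...")
    raise SystemExit(1 if hits else 0)  # non-zero exit makes git abort the commit
```

The entropy fallback catches tokens no signature knows about, at the cost of occasional false positives on long random-looking identifiers, which is why real tools pair it with an allow-list.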

All of these will put us on the right track towards improving our application security posture. Of course, this is a giant field too, and we can take further informed steps as per project requirements.

In the final chapter of this series, I will be sharing my learnings on infrastructure setup and maintenance.

--

Karishma, Technogise
QA Architect | Ops practitioner | System Design enthusiast