The introduction to DevSecOps that I had written in my previous article highlighted the need for collaboration between developers and operations so that security requirements are followed in a sustainable way. Indeed, the DevOps logic has shortened delivery cycles in order to avoid the tunnel effect, a period during which technical work gives users no visibility of what is being delivered. The resulting acceleration of application deliveries, combined with the increase in cyberattacks, creates the need to automate security processes. Among these, the code security review is one of the keys to a successful DevSecOps approach.
SAST vs DAST
The industrialization of development languages and their associated frameworks has seen a multitude of tools emerge to scan code for security. These SAST (Static Application Security Testing) tools analyse the source code of an application or service to identify potential security vulnerabilities resulting from insecure development practices.
Best practice is to use SAST tools during the coding and/or testing phase to identify vulnerabilities early in the development process. Such tools can certainly generate false positives, but the results are crucial in assessing the security of the application.
As their name suggests, the analysis performed by these tools is above all static. Analysis can also be dynamic, by creating end-to-end test scenarios, in particular to test web services. The use of DAST (Dynamic Application Security Testing) is comparable, but the need is different and it requires greater security maturity from the teams. This is particularly true for teams performing application testing, who often have to go into the code to write dynamic tests that exploit the full potential of DAST solutions. The aim here is not to compare each type of solution; for simplicity, this article focuses on SAST solutions.
Panel of possible solutions
How to choose an efficient SAST solution adapted to your needs?
It is first necessary to understand the DevOps process within the company in order to attach the security component to it. The code hosting tools, which are sometimes also used to deploy the application, largely condition how this is done. Let us mention here the Github platform, acquired by Microsoft in 2018, which constitutes a de facto industry standard for hosting application code, analysing it and providing collaboration tools to developers.
On Github, multiple SAST tools are available as free, freemium (i.e. partially paid) or fully paid offerings.
| Solution | URL |
|---|---|
| AppThreat | https://github.com/AppThreat/sast-scan |
| Betterscan | https://github.com/marcinguy/betterscan-ce |
| HCL App Scan | https://github.com/marketplace/actions/hcl-appscan-codesweep |
| Horusec | https://github.com/ZupIT/horusec |
| ShiftLeftSecurity | https://github.com/ShiftLeftSecurity/sast-scan |
| SemGrep | https://github.com/returntocorp/semgrep |
The table above is not comprehensive but constitutes a representative panel of solutions in 2022.
Among all these solutions that I have been able to test, one solution stands out due to its versatility, the quality of its reports and the fact that it is free in November 2022. This is ShiftLeftSecurity.
Focus on ShiftLeftSecurity
An open-source solution under the GPL v3.0 licence, ShiftLeftSecurity has many advantages, including:
- The ability to scan more than a dozen languages, including Python, Java, Go and Terraform.
- An architecture (in the form of a Docker container) that is well thought out and can be industrialized.
- Rich and up-to-date documentation.
- Finally, report generation in several formats: Bash (terminal output), HTML, JSON or even SARIF (this last format is particularly suited to an IDE such as Visual Studio).
Launching a scanner from the command line is easy:
sh <(curl https://slscan.sh)
The command above just downloads a wrapper script which invokes the docker run command below.
docker run --rm -e "WORKSPACE=${PWD}" -v $PWD:/app shiftleft/scan scan --build
The Docker-based packaging therefore makes the solution modular and scalable (in a pipeline, pin the image to a specific tag or digest rather than the moving default tag so that scans stay reproducible). The results are also well formatted; below is an example of a scan result to give a better idea.
Industrialization of SAST on Github
ShiftLeftSecurity is actually a security scanner meta-engine, which allows you to orchestrate several analyses via a script that industrializes the process.
In this same vein of industrialization, it is possible to benefit from Github Actions, the event-driven workflows that automate continuous integration / continuous deployment tasks, to run the security scanner automatically on a code repository.
Below is an example of a Github Action that automatically launches the security scan after each pull request and uploads the reports to an AWS S3 bucket.
# This workflow integrates ShiftLeft Scan with GitHub's code scanning feature
# cf. https://slscan.io/en/latest/integrations/github-actions/.
name: SAST tool through Shiftleft

# This section configures the triggers for the workflow.
# The push trigger on main is needed so that the "Update scan baseline" step
# below can actually run: on a pull_request event github.ref is the merge ref
# (refs/pull/<n>/merge), never refs/heads/main.
on:
  pull_request:
  push:
    branches: [ main ]

jobs:
  Scan-Build:
    name: Scan-Build
    runs-on: self-hosted
    steps:
      - uses: actions/checkout@v1
      - name: Perform ShiftLeft Scan
        uses: ShiftLeftSecurity/scan-action@master
        env:
          WORKSPACE: https://github.com/${{ github.repository }}/blob/${{ github.sha }}
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          SCAN_AUTO_BUILD: true
        with:
          output: reports
      # Generate and commit the baseline file for your master/main branch scans.
      # Subsequent feature branch scans would use only the new findings for breaking the builds.
      # cf. https://docs.github.com/en/actions/learn-github-actions/contexts
      - name: Update scan baseline on main branch
        if: ${{ github.ref == 'refs/heads/main' }}
        run: |
          cp reports/.sastscan.baseline .
          git config --global user.name "scan+github-actions[bot]"
          git config --global user.email "scan+github-actions[bot]@users.noreply.github.com"
          git add .sastscan.baseline
          git commit -m "Update scan baseline"
          git push
      # Upload the generated reports to an AWS S3 bucket
      - name: Configure AWS Credentials
        uses: aws-actions/configure-aws-credentials@v1
        with:
          aws-access-key-id: ${{ secrets.AWS_KEY_ID }}
          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
          aws-region: eu-west-1
      - name: Upload report on S3 Bucket
        run: |
          aws s3 cp reports/ s3://security/${{ github.repository }}/ --recursive
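The workflow above relies on a baseline: findings already known on the main branch are stored, and a feature-branch scan only breaks the build on findings that are new relative to that baseline. The script below, an added example written for this article and not code from the ShiftLeft project, shows the logic behind such a gate applied to a SARIF report (the format the scanner can emit, as noted earlier). The SARIF excerpt and the baseline are constructed sample data; the fingerprint scheme (rule + file + message, ignoring the line number so that unrelated edits do not turn an old finding into a "new" one) and the `gate` / `build_baseline` function names are this example's own choices, not the scanner's baseline format.

```python
"""Gate a CI run on *new* SARIF findings relative to a baseline.

Added example for the article; not part of the ShiftLeft scanner.
The SARIF document and baseline below are constructed sample data.
"""
import hashlib
import json
import sys

# SARIF 2.1.0 result levels, ordered by severity.
SARIF_LEVELS = {"none": 0, "note": 1, "warning": 2, "error": 3}

# Constructed SARIF excerpt: two findings in a fictitious Python app.
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "example-scanner"}},
        "results": [
            {"ruleId": "python-sqli", "level": "error",
             "message": {"text": "SQL query built from user input"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "app/db.py"},
                 "region": {"startLine": 42}}}]},
            {"ruleId": "python-hardcoded-secret", "level": "warning",
             "message": {"text": "Hard-coded password"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "app/config.py"},
                 "region": {"startLine": 7}}}]},
        ],
    }],
})


def fingerprint(result):
    """Stable identifier for a finding (example scheme, not the scanner's).

    Rule id, file and message are hashed; the line number is deliberately
    left out so that edits elsewhere in the file do not shift an accepted
    finding out of the baseline.
    """
    loc = (result.get("locations") or [{}])[0].get("physicalLocation", {})
    uri = loc.get("artifactLocation", {}).get("uri", "")
    key = "|".join([result.get("ruleId", ""), uri,
                    result.get("message", {}).get("text", "")])
    return hashlib.sha256(key.encode("utf-8")).hexdigest()[:16]


def load_findings(sarif_text):
    """Flatten every result of every run into a simple dict."""
    findings = []
    for run in json.loads(sarif_text).get("runs", []):
        for r in run.get("results", []):
            loc = (r.get("locations") or [{}])[0].get("physicalLocation", {})
            findings.append({
                "rule": r.get("ruleId", ""),
                "level": r.get("level", "warning"),   # SARIF default level
                "file": loc.get("artifactLocation", {}).get("uri", ""),
                "line": loc.get("region", {}).get("startLine"),
                "fp": fingerprint(r),
            })
    return findings


def build_baseline(sarif_text):
    """What the main-branch job would commit: the accepted fingerprints."""
    return sorted({f["fp"] for f in load_findings(sarif_text)})


def gate(sarif_text, baseline_fps, fail_level="error"):
    """Split findings into known/new and decide whether the build passes.

    Only *new* findings at or above fail_level block the build; known
    findings are reported but do not fail a feature branch.
    """
    baseline = set(baseline_fps)
    findings = load_findings(sarif_text)
    new = [f for f in findings if f["fp"] not in baseline]
    threshold = SARIF_LEVELS[fail_level]
    blocking = [f for f in new
                if SARIF_LEVELS.get(f["level"], 2) >= threshold]
    return {"total": len(findings), "new": new,
            "blocking": blocking, "passed": not blocking}


# Constructed baseline: only the hard-coded password was known on main.
SAMPLE_BASELINE = [fingerprint(
    json.loads(SAMPLE_SARIF)["runs"][0]["results"][1])]


if __name__ == "__main__":
    verdict = gate(SAMPLE_SARIF, SAMPLE_BASELINE)
    for f in verdict["blocking"]:
        print(f"NEW {f['level'].upper()}: {f['rule']} at {f['file']}:{f['line']}")
    print(f"{verdict['total']} findings, {len(verdict['new'])} new, "
          f"{len(verdict['blocking'])} blocking")
    sys.exit(0 if verdict["passed"] else 1)
```

Run as a script, it exits non-zero because the SQL injection finding is new and at the `error` level, which is exactly the signal a CI step needs; the baseline step on main would call `build_baseline` on the main-branch report and commit the result, so that the same finding becomes "known" only once it has been accepted there.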
In summary, this example of security scanner automation on Github illustrates the current trend towards automating security in code. While the principle may seem very attractive, several elements reduce the positive impact of such an approach:
- First, security scanners (SAST) are tending to become more professional and therefore to become paid products. It is not certain that a solution such as ShiftLeftSecurity will remain free in the long term.
- In addition, the generated security reports must be analysed, and the findings fixed, by the developers. This is a workload that cannot be automated.
“Automation: a system that simplifies the work so much that we will end up needing an electronic brain to twiddle our thumbs.”
Noctuel