
AUTOMATED DEVOPS APPLICATION SECURITY TESTING 

WHAT IS AUTOMATED DEVOPS APPLICATION SECURITY TESTING?

 

Evolve orchestrates scalable penetration testing environments specifically for the type of penetration test you want to perform. You choose the level of protection and intensity that is right for your business needs with event-driven or daily, weekly and even monthly periodic penetration testing.

No matter where you are on your Startup, SMB or Enterprise journey, integrating automated security testing into your DevOps pipeline is challenging and can take months of planning and incur significant project costs.

The Evolve “Automated DevOps Application Security Testing” solution helps organizations orchestrate and automate the integration of application security testing into your DevOps pipelines. This helps developers gain faster access to application-layer vulnerabilities for every code deployment. Our new approach prevents vulnerabilities progressing through to production applications, which in turn increases your developers’ security capabilities and seamlessly achieves a security baseline for your applications.

Evolve empowers your development teams to efficiently and effectively reduce risk through the automated integration of application security testing into their standard Business as Usual (BAU) processes and technologies.

Running regular, automated and repeatable application security tests helps you stay on top of the latest vulnerabilities and manage critical risks throughout the year. Verify remediation actions immediately to ensure their effectiveness and identify any new avenues of attack.

Register your free Evolve account now 

 

EVOLVE MARKETPLACE

Automated DevOps Application Security Testing is available in the Evolve Marketplace. Simply import this automation workflow into your Evolve Account with flexible monthly subscriptions to maximize your security budgets.

GET STARTED

Our Getting Started Guide will step you through importing and launching your first Automated DevOps Application Security Test. Enhance your specialist security capabilities now.

FEATURES

Orchestrated DevOps Pipeline Integration

Automated Selenium Integration

Automated Application Authentication

Automated Business Logic Execution

Automated Application Vulnerability Scanning

JUnit Results Support

OS Command Injection

Server-Side Code Injection

Server Side Include

SQL and NOSQL Injection

Path Traversal

Remote File Inclusion

Directory Browsing

Format String and Buffer Overflow

Header Injection and Response Splitting

Persistent and Reflected Cross Site Scripting

Parameter Tampering

Insecure HTTP Security Headers

Insecure Session Management

Error Handling and Information Disclosure

FLEXIBLE SUBSCRIPTION PRICING

 

Evolve enables you to maximize your security budget by providing flexible monthly subscriptions with no lock in contracts. Simply import the Automated DevOps Application Security Testing capability from the Evolve Marketplace to begin your subscription.

 

US$1,500 per month with no lock in contract

OPTIMISE YOUR COSTS WITH USAGE-BASED BILLING

IMPORT USAGE

Importing workflows and modules from the Evolve Marketplace has once-off usage charges per import to orchestrate your new capabilities

SECURITY ZONE USAGE

Evolve transparently optimizes usage charges related to the scaling of Security Zone infrastructure and storage in real-time

WORKFLOW USAGE

Evolve Workflow usage occurs when launching new workflows to orchestrate and chain your security automation modules and data

MODULE USAGE

Evolve Modules are stored and executed on demand and in real time, which incurs usage. Optimize usage by reducing module executions.

SERVICE USAGE

Evolve Service usage occurs upon scheduled or on-demand service execution. Minimize usage by reducing service calls

CONTAINER USAGE

When storing and transferring data within Evolve Containers, usage charges can be optimized by compressing or expiring data

DASHBOARD USAGE

Generating and storing Evolve Dashboards incurs usage to enable populating chart data from within Evolve Containers.

EVENT USAGE

Evolve Event usage enables you to keep track of all of the security automation actions and events within your accounts

FREQUENTLY ASKED QUESTIONS

WHAT IS AUTOMATED DEVOPS APPLICATION SECURITY TESTING?

The Evolve “Automated DevOps Application Security Testing” solution enables organizations to orchestrate and automate the integration of application security testing into your DevOps pipelines.

This gives your developers faster access to application-layer vulnerabilities for every code deployment, prevents vulnerabilities from progressing through to production applications, and increases their security capabilities so that you seamlessly achieve a security baseline for your applications.

HOW DO I GET STARTED?

The first step is to register for an Evolve Account. You will then have access to the Evolve Marketplace where you can subscribe to the Automated DevOps Application Security Testing solution. Simply import this automation workflow into your Evolve Account.

You can follow the Getting Started Guide to then schedule your first Automated DevOps Application Security Test workflow instance. The results will automatically be returned directly back into your corresponding DevOps pipeline solution. 

WHICH DEVOPS PIPELINES DOES EVOLVE SUPPORT?

Evolve Automated DevOps Application Security Testing automatically orchestrates on-demand application security testing environments in real-time within the Evolve Cloud inside your Evolve Security Zone. This means that there are minimal requirements for DevOps pipeline integration.

As long as your DevOps Pipeline server can execute Python code, either locally or on a remote server running Windows or Linux, you can easily integrate the Evolve Automated DevOps Application Security Testing to get up and running within minutes by adding a simple build step into your deployment pipeline.

GETTING STARTED WITH
AUTOMATED DEVOPS APPLICATION SECURITY TESTING

STEP 1: REGISTER AN EVOLVE ACCOUNT

Congratulations on deciding to mature and streamline your security capabilities and maximize your security budgets. Your first step is to simply Register an Evolve Account using the Register button on the Evolve website.

STEP 2: LOGIN TO YOUR EVOLVE ACCOUNT

Now that you have an Evolve Account, log in using the Sign-In button on the Evolve website. This will take you to the Evolve welcome screen.
 

STEP 3: SETUP YOUR EVOLVE BILLING

Evolve subscriptions and usage-based bills are charged via credit card. You can set up your payment method via the Billing feature located under your Profile Menu towards the top right-hand corner of your Evolve Account. Select the “Add Payment Method” button, which will load the Evolve Secure Payment Gateway page where you can add your credit card details.

As part of our fraud-prevention controls, your credit card will be charged a nominal amount that you need to enter to verify your credit card before it can be used for payments. Your Evolve Account is now set up and you are ready to mature your security.
  

STEP 4: SELECT YOUR EVOLVE REGION

Evolve is a specialist security automation cloud with globally distributed infrastructure. This enables geographic security controls, allowing you to keep your data and processing within the geographical regions aligned to your business needs. You can select your Evolve Region in the top right-hand corner of your Evolve Account. Any actions you take will occur within your selected Evolve Region.
  

STEP 5: IMPORT WORKFLOW FROM THE EVOLVE MARKETPLACE

The Automated DevOps Application Security Testing workflow is available in the Evolve Marketplace, which you can navigate to under the Marketplace side-menu. Whilst in the Evolve Marketplace, you can locate this workflow by either selecting the “Penetration Testing” category and browsing through the available workflows, or by searching for the keyword “devops”.

By clicking on the Automated DevOps Application Security Testing workflow marketplace item, you can review the overview of the workflow, as well as usage and subscription pricing information. Click the Import button and simply step through the import steps, where you will then be redirected to the Imports page. You may need to use the Reload button to see your newly imported workflow.

Once the import status changes from “Pending” to “Available”, you have successfully subscribed to this security automation workflow and added this specialist security capability to your business.
  

STEP 6: LAUNCH YOUR SECURITY ZONE

Evolve Security Zones are isolated environments that provide scalable compute and storage to execute your Evolve Workflows. Security Zones can be launched in different configurations for different purposes.

We are going to launch the following type of Security Zone:

  • Scalable Security Zone with NAT Gateway, which provides transparent scalability for the Automated DevOps Application Security Testing workflow and a static outbound IP address to whitelist the source of your attacks

Select the Security Zones side menu item and click the New Security Zone button. Set a useful name for your Security Zone, such as “DevOps_Application_Security_Testing_Security_Zone”, and click the Next button, which will take you to the Security Zone Size page. For most use cases to execute Automated DevOps Application Security Testing workflows, a Medium Security Zone should be sufficient. For larger applications with more pages, consider a Large Security Zone. Click the Next button once your Size has been selected.

The Configuration page allows you to specify the settings of your Security Zone:

  • The Volume Size is the size of your Security Zone cluster nodes’ disks used to temporarily store your module data during processing. The default size should be sufficient for Automated DevOps Application Security Testing.
  • The Scalable setting configures the Security Zone to automatically scale up as the number of modules to be executed in parallel increases, whilst also automatically scaling down to nothing whilst the Security Zone is not being used in order to natively optimize usage charges. The Scalable setting should be selected for Automated DevOps Application Security Testing. It should be noted that a time delay may be experienced for Scalable Security Zones as they automatically scale up the environment. If fast application security testing is required, then a Non-Scalable Security Zone can remain running to speed up application scanning launch times, but will incur the corresponding usage costs.
  • The NAT Gateway should be set to our NAT Gateway that we previously launched, which means that the Security Zone nodes will pass all of their traffic through the Evolve NAT Gateway to utilize a static public IP address.
  • The VPN Gateway can be left blank since our use-case does not need to access your organization’s internal systems. If your application is only accessible on your internal network, then you can use an Evolve VPN Gateway to enable your Evolve DevOps Application Security Testing workflow to access your internal applications. See the Getting Started Guide for Evolve Internal Infrastructure Penetration Testing for instructions on setting up your Evolve VPN Gateway and Client.

Click the Next button, review your settings, and then click the Create button. This will automatically orchestrate your Security Zone with the configurations specified and will take around five minutes.

You should wait for the Security Zone state to change from “Pending” to “Available” before moving onto the next step.

  

STEP 7: ADD THE EVOLVE BUILD STEP TO YOUR DEVOPS PIPELINE

Evolve integrates into your DevOps Pipeline using the Evolve Command Line Interface (Evolve CLI). The Evolve CLI and the corresponding DevOps wrapper scripts can be downloaded from the Settings page within the Evolve Console. They are available in Python and PowerShell for Linux and Windows environments.

These wrapper scripts, along with the Evolve CLI, simply need to be placed onto your DevOps Pipeline server, or deployed as part of a package depending upon your pipeline and setup. Your Evolve API Key also needs to be set up on your server for remote API access to Evolve.

You can then simply add the wrapper script as a build step in your DevOps Pipeline. The wrapper script takes a number of parameters, including the Evolve Input and Output Container IDs, which we will generate next, and the location of your Selenium functional test scripts.

That's it. Your DevOps Pipeline is set up and integrated with Evolve.

  

STEP 8: LAUNCH A WORKFLOW INSTANCE

You have imported the Automated DevOps Application Security Testing Workflow, which can be thought of as your development team’s application security capability. You now need to launch a Workflow Instance to be orchestrated and executed each time your corresponding code deployment occurs.

Select the Workflows side menu item to list your available workflows. You will find a series of buttons alongside your Automated DevOps Application Security Testing Workflow where you will need to click the button called “Create Instance”. Set a useful name for your workflow instance and click the Next button, which will take you to the Parameters page where you provide your application details.

Click the Next button to go to the Configuration page where you select the default location where modules will be executed. You should select the DevOps Application Security Testing Security Zone that you created for this workflow. Leave the Agent and Agent Device not selected since we do not want this workflow to run via an Evolve Agent for this use-case.

Click the Next button, review your settings, and then click the Create button. This will automatically orchestrate your Automated DevOps Application Security Testing workflow instance, including all Module Instances and Containers, using the configurations that you specified for your application.

When selecting your workflow instance, in the Resources Tab you will find the workflow instance Input Container and Output Container IDs. These are the IDs to use in the previous step when setting up your DevOps Pipeline build step.

Your workflow will be automatically launched by Evolve every time a new code deployment is made via your DevOps Pipeline to ensure you stay up to date with your latest application security vulnerabilities before they make it into production.
  

STEP 9: REVIEW YOUR RESULTS

The Automated DevOps Application Security Test workflow will automatically return the application security testing results back to your DevOps Pipeline where they can be automatically imported in JUnit format.

This allows your development team to use their native development tools to manage and resolve your application security flaws whilst also learning about security vulnerabilities to increase your baseline application security posture.
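A pipeline step can also gate the deployment on the returned report. The following is an added example, not Evolve's wrapper script or documented output: it assumes a generic JUnit XML layout, and the sample report, test names and exit-code policy are constructed for illustration.

```python
import sys
import xml.etree.ElementTree as ET

# Constructed sample report; suite and test names are hypothetical, not Evolve output.
SAMPLE_JUNIT = """<testsuites>
  <testsuite name="appsec-scan" tests="3" failures="1" errors="1">
    <testcase classname="headers" name="Insecure HTTP Security Headers"/>
    <testcase classname="injection" name="SQL Injection: /search?q=">
      <failure message="parameter q returned a database error"/>
    </testcase>
    <testcase classname="session" name="Insecure Session Management">
      <error message="login step timed out"/>
    </testcase>
  </testsuite>
</testsuites>"""


def collect_findings(xml_text):
    """Return (total_cases, failures, errors) from a JUnit XML string."""
    # A JUnit report needs no DTD; refuse one rather than let the parser expand entities.
    if "<!DOCTYPE" in xml_text:
        raise ValueError("DOCTYPE not allowed in JUnit report")
    root = ET.fromstring(xml_text)
    total, failures, errors = 0, [], []
    # iter() covers both a <testsuites> wrapper and a bare <testsuite> root.
    for case in root.iter("testcase"):
        total += 1
        label = f"{case.get('classname', '?')}: {case.get('name', '?')}"
        for node in case.findall("failure"):
            failures.append(f"{label} - {node.get('message', '')}")
        for node in case.findall("error"):
            errors.append(f"{label} - {node.get('message', '')}")
    return total, failures, errors


def gate(xml_text):
    """Build-step exit code: 0 clean, 1 findings, 2 scan incomplete or unreadable."""
    try:
        total, failures, errors = collect_findings(xml_text)
    except (ET.ParseError, ValueError):
        return 2  # an unreadable report must not count as a pass
    if total == 0 or errors:
        return 2  # nothing ran, or a test errored: no evidence either way
    return 1 if failures else 0


if __name__ == "__main__":
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_JUNIT
    sys.exit(gate(text))
```

Treating an empty or errored report as exit code 2 keeps a broken authentication step or a truncated upload from being read as a clean scan.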

More advanced users may also want to be notified when your application security test is complete by importing the Evolve SlackBot from the Evolve Marketplace and chaining it off your Output Container for real-time ChatOps notifications.

SECURITY BUDGET
OPTIMISATION WITH EVOLVE


© Threat Intelligence Pty Ltd | info@threatintelligence.com | 1300 809 437 | Register Account | Terms & Conditions | Privacy Policy