WHAT IS AUTOMATED DEVOPS APPLICATION SECURITY TESTING?
Evolve orchestrates scalable penetration testing environments specifically for the type of penetration test you want to perform. You choose the level of protection and intensity that is right for your business needs with event-driven or daily, weekly and even monthly periodic penetration testing.
No matter where you are on your Startup, SMB or Enterprise journey, integrating automated security testing into your DevOps pipeline is challenging and can take months of planning and incur significant project costs.
The Evolve “Automated DevOps Application Security Testing” solution helps organizations orchestrate and automate the integration of application security testing into your DevOps pipelines. This helps developers gain faster access to application-layer vulnerabilities for every code deployment. Our new approach prevents vulnerabilities progressing through to production applications, which in turn increases your developers’ security capabilities and seamlessly achieves a security baseline for your applications.
Evolve empowers your development teams to efficiently and effectively reduce risk through the automated integration of application security testing into their standard Business as Usual (BAU) processes and technologies.
Running regular automated and repeatable application security tests help you stay on top of the latest vulnerabilities and manage critical risks throughout the year. Verify remediation actions immediately to ensure their effectiveness and identify any new avenues of attacks.
Automated DevOps Application Security Testing is available in the Evolve Marketplace. Simply import this automation workflow into your Evolve Account with flexible monthly subscriptions to maximize your security budget.
Orchestrated DevOps Pipeline Integration
Automated Selenium Integration
Automated Application Authentication
Automated Business Logic Execution
Automated Application Vulnerability Scanning
JUnit Results Support
OS Command Injection
Server-Side Code Injection
Server Side Include
SQL and NoSQL Injection
Remote File Inclusion
Format String and Buffer Overflow
Header Injection and Response Splitting
Persistent and Reflected Cross-Site Scripting
Insecure HTTP Security Headers
Insecure Session Management
Error Handling and Information Disclosure
FLEXIBLE SUBSCRIPTION PRICING
Evolve enables you to maximize your security budget by providing flexible monthly subscriptions with no lock-in contracts. Simply import the Automated DevOps Application Security Testing capability from the Evolve Marketplace to begin your subscription.
Monthly subscriptions. No lock-in contracts.
OPTIMIZE YOUR COSTS WITH USAGE-BASED BILLING
Importing workflows and modules from the Evolve Marketplace incurs a once-off usage charge per import to orchestrate your new capabilities.
SECURITY ZONE USAGE
Evolve transparently optimizes usage charges related to the scaling of Security Zone infrastructure and storage in real time.
Evolve Workflow usage occurs when launching new workflows to orchestrate and chain your security automation modules and data.
Evolve Modules are stored and executed on demand and in real time, and each execution incurs usage. Optimize usage by reducing module executions.
Evolve Service usage occurs upon scheduled or on-demand service execution. Minimize usage by reducing service calls.
When storing and transferring data within Evolve Containers, usage charges can be optimized by compressing or expiring data.
Generating and storing Evolve Dashboards incurs usage, since chart data is populated from within Evolve Containers.
Evolve Event usage enables you to keep track of all of the security automation actions and events within your accounts.
FREQUENTLY ASKED QUESTIONS
WHAT IS AUTOMATED DEVOPS APPLICATION SECURITY TESTING?
The Evolve “Automated DevOps Application Security Testing” solution enables organizations to orchestrate and automate the integration of application security testing into your DevOps pipelines.
This helps your developers gain faster access to application-layer vulnerabilities for every code deployment, preventing vulnerabilities from progressing through to production applications, and also increases their security capabilities so that your applications seamlessly achieve a security baseline.
HOW DO I GET STARTED?
The first step is to register for an Evolve Account. You will then have access to the Evolve Marketplace where you can subscribe to the Automated DevOps Application Security Testing solution. Simply import this automation workflow into your Evolve Account.
You can follow the Getting Started Guide to then schedule your first Automated DevOps Application Security Test workflow instance. The results will automatically be returned directly back into your corresponding DevOps pipeline solution.
WHICH DEVOPS PIPELINES DOES EVOLVE SUPPORT?
Evolve Automated DevOps Application Security Testing automatically orchestrates on-demand application security testing environments in real-time within the Evolve Cloud inside your Evolve Security Zone. This means that there are minimal requirements for DevOps pipeline integration.
As long as your DevOps Pipeline server can execute Python code, either locally or on a remote server running Windows or Linux, you can easily integrate the Evolve Automated DevOps Application Security Testing to get up and running within minutes by adding a simple build step into your deployment pipeline.
GETTING STARTED WITH AUTOMATED DEVOPS APPLICATION SECURITY TESTING
STEP 1: REGISTER AN EVOLVE ACCOUNT
Congratulations on deciding to mature and streamline your security capabilities and maximize your security budget. Your first step is simply to register an Evolve Account using the Register button on the Evolve website.
STEP 2: LOGIN TO YOUR EVOLVE ACCOUNT
Now that you have an Evolve Account, login using the Sign-In button on the Evolve website. This will take you to the Evolve welcome screen.
STEP 3: SETUP YOUR EVOLVE BILLING
Evolve subscriptions and usage-based bills are charged via credit card. You can set up your payment method via the Billing feature located under your Profile Menu towards the top right-hand corner of your Evolve Account. Select the “Add Payment Method” button, which will load the Evolve Secure Payment Gateway page where you can add your credit card details.
As part of our fraud-prevention controls, your credit card will be charged a nominal amount that you need to enter to verify your credit card before it can be used for payments. Your Evolve Account is now set up and you are ready to mature your security.
STEP 4: SELECT YOUR EVOLVE REGION
Evolve is a specialist security automation cloud with globally distributed infrastructure. Its geographic security controls allow you to keep your data and processing within the geographical regions aligned to your business needs. You can select your Evolve Region in the top right-hand corner of your Evolve Account. Any actions you take will occur within your selected Evolve Region.
STEP 5: IMPORT WORKFLOW FROM THE EVOLVE MARKETPLACE
The Automated DevOps Application Security Testing workflow is available in the Evolve Marketplace, which you can navigate to under the Marketplace side-menu. Whilst in the Evolve Marketplace, you can locate this workflow by either selecting the “Penetration Testing” category and browsing through the available workflows, or by searching for the keyword “devops”.
By clicking on the Automated DevOps Application Security Testing workflow marketplace item, you can review the overview of the workflow, as well as usage and subscription pricing information. Click the Import button and simply step through the import steps, where you will then be redirected to the Imports page. You may need to use the Reload button to see your newly imported workflow.
Once the import status changes from “Pending” to “Available”, you have successfully subscribed to this security automation workflow and added this specialist security capability to your business.
STEP 6: LAUNCH YOUR SECURITY ZONE
Evolve Security Zones are isolated environments that provide scalable compute and storage to execute your Evolve Workflows. Security Zones can be launched in different configurations for different purposes.
We are going to launch the following type of Security Zone:
- Scalable Security Zone with NAT Gateway, which provides transparent scalability for the Automated DevOps Application Security Testing workflow and a static outbound IP address to whitelist the source of your attacks
Select the Security Zones side menu item and click the New Security Zone button. Set a useful name for your Security Zone, such as “DevOps_Application_Security_Testing_Security_Zone”, and click the Next button, which will take you to the Security Zone Size page. For most use cases executing Automated DevOps Application Security Testing workflows, a Medium Security Zone should be sufficient. For larger applications with more pages, you may want to consider a Large Security Zone. Click the Next button once your Size has been selected.
The Configuration page allows you to specify the settings of your Security Zone:
- The Volume Size is the size of your Security Zone cluster nodes’ disks used to temporarily store your module data during processing. The default size should be sufficient for Automated DevOps Application Security Testing.
- The Scalable setting configures the Security Zone to automatically scale up as the number of modules executed in parallel increases, and to scale down to nothing while the Security Zone is not in use, which natively optimizes usage charges. The Scalable setting should be selected for Automated DevOps Application Security Testing. Note that Scalable Security Zones may add a delay while the environment scales up. If fast application security testing is required, a Non-Scalable Security Zone can remain running to speed up application scanning launch times, but it will incur the corresponding usage costs.
- The NAT Gateway should be set to the NAT Gateway that we previously launched, which means that the Security Zone nodes will pass all of their traffic through the Evolve NAT Gateway to use a static public IP address.
- The VPN Gateway can be left as blank since our use-case does not need to access your organization’s internal systems. If your application is only accessible on your internal network, then you can use an Evolve VPN Gateway to enable your Evolve DevOps Application Security Testing workflow to access your internal applications. See the Getting Started Guide for Evolve Internal Infrastructure Penetration Testing for instructions on setting up your Evolve VPN Gateway and Client.
Click the Next button, review your settings, and then click the Create button. This will automatically orchestrate your Security Zone with the configurations specified and will take around five minutes.
You should wait for the Security Zone state to change from “Pending” to “Available” before moving onto the next step.
STEP 7: ADD THE EVOLVE BUILD STEP TO YOUR DEVOPS PIPELINE
Evolve integrates into your DevOps Pipeline using the Evolve Command Line Interface (Evolve CLI). The Evolve CLI and the corresponding DevOps wrapper scripts, available in Python and PowerShell for Linux and Windows environments, can be downloaded from the Settings page within the Evolve Console.
These wrapper scripts, along with the Evolve CLI, simply need to be placed onto your DevOps Pipeline server, or deployed as part of a package depending upon your pipeline and setup, with your Evolve API Key set up on your server for remote API access to Evolve.
You can then simply add the wrapper script as a build step in your DevOps Pipeline. The wrapper script takes a number of parameters, including the Evolve Input and Output Container IDs, which we will generate next, and the location of your Selenium functional test scripts.
That's it. Your DevOps Pipeline is set up and integrated with Evolve.
STEP 8: LAUNCH A WORKFLOW INSTANCE
You have imported the Automated DevOps Application Security Testing Workflow, which can be thought of as your development team’s application security capability. You now need to launch a Workflow Instance to be orchestrated and executed each time your corresponding code deployment occurs.
Select the Workflows side menu item to list your available workflows. You will find a series of buttons alongside your Automated DevOps Application Security Testing Workflow where you will need to click the button called “Create Instance”. Set a useful name for your workflow instance and click the Next button, which will take you to the Parameters page where you provide your application details.
Click the Next button to go to the Configuration page, where you select the default location in which modules will be executed. You should select the DevOps Application Security Testing Security Zone that you created for this workflow. Leave the Agent and Agent Device unselected, since we do not want this workflow to run via an Evolve Agent for this use case.
Click the Next button, review your settings, and then click the Create button. This will automatically orchestrate your Automated DevOps Application Security Testing workflow instance, including all Module Instances and Containers, using the configurations that you specified for your application.
When selecting your workflow instance, in the Resources Tab you will find the workflow instance Input Container and Output Container IDs. These are the IDs to use in the previous step when setting up your DevOps Pipeline build step.
Your workflow will be automatically launched by Evolve every time a new code deployment is made via your DevOps Pipeline to ensure you stay up to date with your latest application security vulnerabilities before they make it into production.
STEP 9: REVIEW YOUR RESULTS
The Automated DevOps Application Security Test workflow will automatically return the application security testing results back to your DevOps Pipeline where they can be automatically imported in JUnit format.
This allows your development team to use their native development tools to manage and resolve your application security flaws whilst also learning about security vulnerabilities to increase your baseline application security posture.
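The build step in Step 7 and the JUnit results in Step 9 meet in the pipeline: a script runs per deployment, the findings come back, and the CI server decides pass or fail from a JUnit report. The following is an added example of that last piece and is not the Evolve wrapper script, the Evolve CLI, or any Evolve output format. It assumes a hypothetical findings list (the `category`/`severity`/`url`/`parameter`/`evidence` fields and the severity scale are assumptions for this example), converts it into JUnit XML that a CI server can import, and returns a non-zero exit code when any finding meets a severity threshold. The vulnerability classes listed in `CHECKED_CLASSES` are taken from the categories named on this page, so that a class with no finding still appears as a passing test rather than silently disappearing from the report.

```python
"""Hypothetical DevOps build-step helper: findings -> JUnit XML + build gate.

This is illustrative code, not the Evolve CLI or wrapper script, and the
findings format below is an assumption made for the example.
"""
import sys
import xml.etree.ElementTree as ET
from typing import Dict, List

# Assumed severity scale used for the build gate (higher rank = more severe).
SEVERITY_RANK: Dict[str, int] = {
    "info": 0, "low": 1, "medium": 2, "high": 3, "critical": 4,
}

# Classes the report always lists, drawn from the categories on this page.
CHECKED_CLASSES: List[str] = [
    "SQL Injection",
    "OS Command Injection",
    "Reflected Cross-Site Scripting",
    "Insecure HTTP Security Headers",
    "Insecure Session Management",
]

# Constructed sample findings, shaped like a scan of a demo application might
# report them (constructed for this example; not real scan output).
SAMPLE_FINDINGS: List[dict] = [
    {"category": "SQL Injection", "severity": "high",
     "url": "https://app.example.test/search?q=1", "parameter": "q",
     "evidence": "database error string in response body"},
    {"category": "Reflected Cross-Site Scripting", "severity": "medium",
     "url": "https://app.example.test/hello?name=x", "parameter": "name",
     "evidence": "input reflected unencoded in HTML context"},
    {"category": "Insecure HTTP Security Headers", "severity": "low",
     "url": "https://app.example.test/", "parameter": "",
     "evidence": "Content-Security-Policy header missing"},
]


def findings_to_junit(findings: List[dict],
                      suite_name: str = "application-security-test") -> str:
    """Render findings as JUnit XML.

    One failing <testcase> per finding (so each shows up individually in the
    CI server), plus one passing <testcase> for every checked class that had
    no finding, so the report documents what was tested, not only what failed.
    """
    found_classes = {f["category"] for f in findings}
    passing = [c for c in CHECKED_CLASSES if c not in found_classes]
    suite = ET.Element("testsuite", {
        "name": suite_name,
        "tests": str(len(findings) + len(passing)),
        "failures": str(len(findings)),
    })
    for f in findings:
        case = ET.SubElement(suite, "testcase", {
            "classname": suite_name,
            "name": f"{f['category']} [{f['url']}]",
        })
        failure = ET.SubElement(case, "failure", {
            "type": f["severity"],
            "message": f"{f['category']} at {f['url']}",
        })
        # Body text carries the detail a developer needs to reproduce the issue.
        failure.text = (f"parameter={f['parameter'] or '-'}\n"
                        f"evidence={f['evidence']}")
    for cls in passing:
        ET.SubElement(suite, "testcase", {"classname": suite_name, "name": cls})
    return ET.tostring(suite, encoding="unicode")


def count_at_or_above(findings: List[dict], threshold: str) -> int:
    """Number of findings whose severity is at or above the threshold."""
    min_rank = SEVERITY_RANK[threshold.lower()]
    return sum(1 for f in findings
               if SEVERITY_RANK.get(f["severity"].lower(), 0) >= min_rank)


def gate_exit_code(findings: List[dict], threshold: str = "high") -> int:
    """Exit code for the build step: 1 fails the pipeline, 0 lets it proceed."""
    return 1 if count_at_or_above(findings, threshold) else 0


def write_report(findings: List[dict], path: str, threshold: str = "high") -> int:
    """Write the JUnit report to `path` and return the gate exit code."""
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(findings_to_junit(findings))
    return gate_exit_code(findings, threshold)


if __name__ == "__main__":
    # Usage: python security_gate.py <report.xml> [threshold]
    # Uses the constructed sample findings; a real wrapper would load findings
    # returned from the scan (hypothetical path, not shown here).
    out = sys.argv[1] if len(sys.argv) > 1 else "security-results.xml"
    level = sys.argv[2] if len(sys.argv) > 2 else "high"
    sys.exit(write_report(SAMPLE_FINDINGS, out, level))
```

Pointing the CI server's JUnit importer at the written file is what turns findings into items the development team sees in their native tools; the threshold keeps the gate strict on high and critical issues while still recording lower-severity findings for follow-up.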
More advanced users may also want to be notified when your application security test is complete by importing the Evolve SlackBot from the Evolve Marketplace and chaining it off your Output Container for real-time ChatOps notifications.