SEC11-BP02 Automate testing throughout the development and release lifecycle
Automate the testing for security properties throughout the development and release lifecycle. Automation makes it easier to consistently and repeatably identify potential issues in software prior to release, which reduces the risk of security issues in the software being provided.
Desired outcome: The goal of automated testing is to provide a programmatic way of detecting potential issues early and often throughout the development lifecycle. When you automate regression testing, you can rerun functional and non-functional tests to verify that previously tested software still performs as expected after a change. When you define security unit tests to check for common misconfigurations, such as broken or missing authentication, you can identify and fix these issues early in the development process.
Test automation uses purpose-built test cases for application validation, based on the application’s requirements and desired functionality. The result of the automated testing is based on comparing the generated test output to its respective expected output, which expedites the overall testing lifecycle. Testing methodologies such as regression testing and unit test suites are best suited for automation. Automating the testing of security properties allows builders to receive automated feedback without having to wait for a security review. Automated tests in the form of static or dynamic code analysis can increase code quality and help detect potential software issues early in the development lifecycle.
Common anti-patterns:
-
Not communicating the test cases and test results of the automated testing.
-
Performing the automated testing only immediately prior to a release.
-
Automating test cases with frequently changing requirements.
-
Failing to provide guidance on how to address the results of security tests.
Benefits of establishing this best practice:
-
Reduced dependency on people evaluating the security properties of systems.
-
Having consistent findings across multiple workstreams improves consistency.
-
Reduced likelihood of introducing security issues into production software.
-
Shorter window of time between detection and remediation due to catching software issues earlier.
-
Increased visibility of systemic or repeated behavior across multiple workstreams, which can be used to drive organization-wide improvements.
Level of risk exposed if this best practice is not established: Medium
Implementation guidance
As you build your software, adopt various mechanisms for software testing to ensure that you are testing your application for both functional requirements, based on your application’s business logic, and non-functional requirements, which are focused on application reliability, performance, and security.
Static application security testing (SAST) analyzes your source code for anomalous security patterns,
and provides indications for defect prone code. SAST relies on static inputs, such as
documentation (requirements specification, design documentation, and design specifications)
and application source code to test for a range of known security issues. Static code
analyzers can help expedite the analysis of large volumes of code.
The NIST Quality Group
Complement your static testing with dynamic
analysis security testing (DAST) methodologies, which performs
tests against the running application to identify potentially
unexpected behavior. Dynamic testing can be used to detect
potential issues that are not detectable via static analysis.
Testing at the code repository, build, and pipeline stages allows
you to check for different types of potential issues from entering
into your code.
Amazon Q Developers
The
Security
for Developers workshop
As you progress through your SDLC, establish an iterative process that includes periodic application reviews with your security team. Feedback gathered from these security reviews should be addressed and validated as part of your release readiness review. These reviews establish a robust application security posture, and provide builders with actionable feedback to address potential issues.
Implementation steps
-
Implement consistent IDE, code review, and CI/CD tools that include security testing.
-
Consider where in the SDLC it is appropriate to block pipelines instead of just notifying builders that issues need to be remediated.
-
Automated Security Helper (ASH)
is an example for open-source code security scanning tool. -
Performing testing or code analysis using automated tools, such as Amazon Q Developer
integrated with developer IDEs, and Amazon CodeGuru Security for scanning code on commit, helps builders get feedback at the right time. -
When building using AWS Lambda, you can use Amazon Inspector to scan the application code in your functions.
-
When automated testing is included in CI/CD pipelines, you should use a ticketing system to track the notification and remediation of software issues.
-
For security tests that might generate findings, linking to guidance for remediation helps builders improve code quality.
-
Regularly analyze the findings from automated tools to prioritize the next automation, builder training, or awareness campaign.
-
To extract SBOM as part of your CI/CD pipelines, use Amazon Inspector SBOM Generator to produce SBOMs for archives, container images, directories, local systems, and compiled Go and Rust binaries in the CycloneDX SBOM format.
Resources
Related best practices:
Related documents:
Related videos:
Related examples: