The Value of Web Application Security Testing Through Continuous Integration

Websecurify Cohesion is the world's first automated, black-box web application security assessment platform designed to function and perform within Continuous Integration environments.

Continuous Integration (CI) is a software engineering technique extensively used to apply continuous quality control to software projects. Simply put, CI ensures that errors, bugs and deviations from the baseline are spotted early and frequently, which generally results in better-quality code.

The mechanics behind CI are rather simple. As soon as we check in/commit changes to the revision control system (other triggers are also possible), the latest version of the code is pulled, compiled, automatically tested and potentially deployed to a pre-production environment for further manual testing. This simple workflow ensures not only that developers are more productive when developing new features (i.e. we do not have to wait for all of the code and dependencies to be compiled and re-integrated into the baseline) but also that we have a fresh environment where we can try all software features within the product's own mini-ecosystem. The latter is the true benefit of CI, especially when we are dealing with multi-tier, complex products engineered by separate teams working in their own silos.

Because CI works so well at automating the build, test and test-deployment process, it is easy to see the value of embedding a Web Application Security Testing toolkit in CI's workflow. Websecurify Cohesion fills this niche but important gap by providing the security Quality Assurance (QA) required throughout your projects' SDLC (Security Development Lifecycle).

One would think that such a solution is complex to set up and maintain, but we wouldn't have bothered to release it if that were the case. In this day and age of Software as a Service solutions, Websecurify Cohesion provides a rather easy approach to security. Our technology does not require any additional servers or access to cloud services. It is a drop-in add-on, designed to work in a fast and efficient manner. Moreover, it puts you in control of the entire process.

There are three key aspects of Websecurify Cohesion I would like to draw to your attention.

Websecurify Cohesion is designed to fail and break your build when critical bugs are identified. While you can turn this feature off, we believe that critical security issues should be something that requires your full attention as early as possible. Code that does not work well is bad. Vulnerable code is worse. By capturing vulnerable conditions as early as possible in the software development process, we can ensure that the code you and your team write is in compliance with widely accepted security principles.

For the perfectionists and the software development zealots, Websecurify Cohesion provides another angle for achieving software of a higher quality. Websecurify will report when security best practices are not followed all the way through. While these issues do not carry a high severity rating, getting them fixed is most of the time a trivial task. However, more often than not, even though they are easy, these little fixes are left behind and never properly prioritised. With Websecurify Cohesion, security problems, regardless of their severity level, will be identified and reported. You don't have to worry about priorities, because problems will be flagged during the development process when there is still time and allocated resources to do things right.
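The two behaviours described above, breaking the build on critical findings while still reporting lower-severity best-practice issues, amount to a severity-threshold gate in the CI pipeline. The following is an added example of such a gate written for this article; it is not Websecurify Cohesion's own code, and the report format, field names and sample findings are constructed assumptions rather than the product's real output. The gate reads a JSON list of findings, fails the build if any finding meets the configured threshold, and prints the rest so they are visible without blocking the pipeline.

```python
"""
CI security gate (illustrative, not Websecurify Cohesion's own code).

Reads a JSON array of findings and returns a non-zero exit status when any
finding is at or above the configured severity threshold.  Lower-severity
findings are still printed so that best-practice issues are surfaced on
every build without breaking it.
"""
import json
import sys
from collections import Counter

# Severity ordering used for the threshold comparison (assumed for this example).
SEVERITY_RANK = {"info": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed sample report.  The field names ("id", "severity", "title", "url")
# are an assumption for the example and not a real scanner's schema.
SAMPLE_REPORT = [
    {"id": "F-1", "severity": "critical",
     "title": "SQL injection in search parameter", "url": "https://app.example/search"},
    {"id": "F-2", "severity": "low",
     "title": "Missing X-Content-Type-Options header", "url": "https://app.example/"},
    {"id": "F-3", "severity": "medium",
     "title": "Session cookie without HttpOnly flag", "url": "https://app.example/login"},
]


def evaluate_findings(findings, fail_on="critical", ignore_ids=()):
    """Split findings into blocking and report-only sets.

    Returns (should_fail, summary) where summary carries the two lists and
    a per-severity count.  Findings whose id is in ignore_ids are skipped
    (the hook for an explicit, reviewed accepted-risk list); unknown
    severities are treated as "info" so a malformed entry never fails silently
    into the blocking set.
    """
    if fail_on not in SEVERITY_RANK:
        raise ValueError(f"unknown severity threshold: {fail_on!r}")
    threshold = SEVERITY_RANK[fail_on]
    blocking, reported = [], []
    for finding in findings:
        if finding.get("id") in ignore_ids:
            continue
        severity = str(finding.get("severity", "info")).lower()
        if SEVERITY_RANK.get(severity, 0) >= threshold:
            blocking.append(finding)
        else:
            reported.append(finding)
    counts = Counter(str(f.get("severity", "info")).lower() for f in blocking + reported)
    return bool(blocking), {"blocking": blocking, "reported": reported, "counts": dict(counts)}


def format_summary(summary):
    """Render the gate decision as plain text for the CI log."""
    lines = []
    for label, items in (("BLOCKING", summary["blocking"]), ("REPORTED", summary["reported"])):
        for f in items:
            lines.append(f"[{label}] {f.get('severity', 'info').upper():8} {f.get('id')}: "
                         f"{f.get('title')} ({f.get('url')})")
    lines.append("counts: " + ", ".join(f"{k}={v}" for k, v in sorted(summary["counts"].items())))
    return "\n".join(lines)


def main(argv):
    """Usage: gate.py [report.json] [fail-on-severity].  Without a path the
    constructed SAMPLE_REPORT is used.  Returns the process exit code."""
    findings = SAMPLE_REPORT
    if argv:
        with open(argv[0], encoding="utf-8") as fh:
            findings = json.load(fh)
    fail_on = argv[1] if len(argv) > 1 else "critical"
    should_fail, summary = evaluate_findings(findings, fail_on=fail_on)
    print(format_summary(summary))
    print("BUILD FAILED: security gate" if should_fail else "security gate passed")
    return 1 if should_fail else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

The threshold is deliberately a parameter rather than a constant: a team can start by failing only on critical findings, as the article describes, and lower the bar to high or medium once the backlog of best-practice issues has been worked down, without the reported issues ever disappearing from the build log.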

Lastly, Websecurify Cohesion is effective when dealing with 3rd-party developers. Very often, companies that outsource the software development process in order to save cost find out at the end that the product that has been developed is not on par with any security standards and guidelines. Websecurify Cohesion provides the level of supervision required to create a good-quality product regardless of who develops it. In practice, a CI system can be configured to continuously test the product as it is developed and thus reveal early signs of bad coding practices, which may result in severe vulnerabilities.

While these are some of the main reasons why you should consider using Websecurify Cohesion as part of your CI solution, there is a lot of room for further innovation. There is a virtually endless supply of use cases, and we are ecstatic to work with you to explore new and exciting ways to make this technology even more useful than it is.

That being said, get in touch if you require more information or you just want to explore other custom solutions we have lined up but not revealed yet.