Last updated at Fri, 15 Apr 2022 14:22:55 GMT
To the left, to the left, to the right, right — the CI/CD Pipeline is on the move.
DevSecOps is all about adding security across the application lifecycle. A popular approach to application security is to shift left, which means moving security earlier in the software development lifecycle (SDLC). This makes sense: If you find a critical security bug in production, it costs a lot more to resolve it than if you found it in development.
In Q1 2022, we've continued to invest in improvements to InsightAppSec and tCell that help organizations shift left and automate security testing prior to production deployment. And at the same time, we've made other enhancements to make your life easier. Oh… and we added new attacks and blocking rules for Spring4Shell.
Shifting app security testing left in the CI/CD pipeline
Your development teams are innovating and releasing features and new experiences faster than ever before. Manual testing can no longer keep up with the speed of innovation. Taking a DevSecOps approach means baking security across the application lifecycle and includes shifting left whenever possible.
Dynamic application security testing (DAST) solutions simulate attacks just like the attackers, and they're known for their accuracy and coverage across a wide range of technologies. However, traditional DAST solutions have struggled to work with modern applications and software development methodologies.
Since the launch of InsightAppSec — Rapid7's industry leading cloud-native DAST — we've focused on providing coverage of modern applications, as well as being able to integrate as far left as the build process.
“Our app developers don't need to come to me, they don't need to come to our team, they don't need to send emails. They don't need to go through any formalities. When they commit code, the scan happens automatically. And, we created the metrics. So, if they see high-rated vulnerabilities they cannot push to production. The code will get blocked and they have to remediate it.”
- Midhun Kumar, Head of Infrastructure and Cloud Operations, Pearl Data Direct
GitHub Actions allows development teams to automate software workflows. With our new InsightAppSec Scan Action for GitHub, you can easily pull down the repo and add it to your DevOps pipelines. As part of your actions, you can trigger the InsightAppSec scan and have the results passed back into GitHub actions. If you want, you can add scan gating to prevent vulnerable code from being deployed to production.
This is available for no additional cost in the GitHub Marketplace.
GitLab CI/CD can automatically build, test, deploy, and monitor your applications. With our new InsightAppSec Scan Job, you can add a Docker command in your pipeline to trigger a scan. The results are sent back, and you can add scan gating to prevent vulnerable code from being deployed to production.
The feature is available for no additional cost, and we have resources to help you learn how to set up the GitLab integration.
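As an added example (not Rapid7's code, and not the result format returned by the GitHub or GitLab integrations), this is the kind of scan gate a pipeline job can run over DAST output to block a deploy when open high-rated findings are present; the JSON layout, severity scale and triage statuses are constructed for illustration.

```python
"""CI/CD scan gate: fail the job when a DAST scan reports open findings at or
above a configured severity. Added example with a constructed result format;
it is not InsightAppSec's API or the official GitHub/GitLab integration."""
import json
import sys

# Severity ordering, lowest to highest (constructed; adapt to the scanner's scale).
SEVERITY_RANK = {"info": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed sample payload standing in for the JSON a scanner hands back to the job.
SAMPLE_RESULTS = json.dumps({
    "scan_id": "example-scan-0001",
    "findings": [
        {"id": "f1", "severity": "high", "module": "SQL Injection", "url": "https://app.example/login"},
        {"id": "f2", "severity": "medium", "module": "Missing CSP header", "url": "https://app.example/"},
        {"id": "f3", "severity": "low", "module": "Verbose server banner", "url": "https://app.example/"},
        # Same class of finding, but already triaged and risk-accepted in the scanner.
        {"id": "f4", "severity": "high", "module": "SQL Injection", "url": "https://app.example/admin",
         "status": "accepted"},
    ],
})


def blocking_findings(results_json, threshold="high", ignore_statuses=("accepted", "false_positive")):
    """Return findings that should block deployment: severity >= threshold and not triaged away."""
    data = json.loads(results_json)
    floor = SEVERITY_RANK[threshold.lower()]
    blockers = []
    for finding in data.get("findings", []):
        sev = finding.get("severity", "info").lower()
        if SEVERITY_RANK.get(sev, 0) < floor:
            continue
        if finding.get("status", "open").lower() in ignore_statuses:
            continue  # triaged findings should not re-block every build
        blockers.append(finding)
    return blockers


def gate(results_json, threshold="high"):
    """Return (exit_code, summary); a non-zero exit code fails the pipeline step."""
    blockers = blocking_findings(results_json, threshold)
    if not blockers:
        return 0, f"scan gate passed: no open findings at or above '{threshold}'"
    lines = [f"scan gate FAILED: {len(blockers)} open finding(s) at or above '{threshold}'"]
    for f in blockers:
        lines.append(f"  [{f['severity']}] {f['module']} at {f['url']} (id {f['id']})")
    return 1, "\n".join(lines)


if __name__ == "__main__":
    # Usage: python scan_gate.py [results.json] [threshold]; defaults to the sample above.
    raw = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_RESULTS
    code, summary = gate(raw, threshold=sys.argv[2] if len(sys.argv) > 2 else "high")
    print(summary)
    sys.exit(code)
```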
Spring4Shell testing and protection
CVE-2022-22965, a zero-day vulnerability announced on April 1st, is no April Fools' Day joke. While it's not as dreadful as Log4Shell, it should still be patched, and there are reports of the Spring4Shell flaw being used to install the Mirai Botnet malware.
To help our customers secure their applications and understand their risk from Spring4Shell, Rapid7 released new capabilities, including:
- New RCE Attack Module for Spring4Shell (InsightAppSec)
- New Block Rule for Spring4Shell (tCell)
- New Detection of CVE-2022-22965 in running applications (tCell)
InsightAppSec comes with the ability to create custom dashboards to quickly view and get insights on the risk and status of your program. Relying on feedback from customers, we recently added the ability to create dashboards based on certain apps or groups of apps. This allows you to quickly view risk in the context of what matters.
Customers often like to manage their applications at scale, and one of the easiest ways to do that is via the tCell API. Significant enhancements have been added or updated for App Firewall event and block rules, OS commands, Local Files, suspicious actors, and more. Check out our API documentation.
Rapid7's application security portfolio can help you shift left as well as shift right, depending on your needs and the status of your program. You can integrate InsightAppSec DAST into your CI/CD pipelines before deployment to production. And with tCell, you can add web application and API protection for your production environments.
Stay tuned for all we have in store in Q2!