Security Control Panel for security testing
Problem to solve
Security testing is done for each and every pipeline, so every new change is checked before deploy it to production. But security threats can be discovered after the code is already live, and it should be spotted as soon as possible.
We now focus to avoid security problems to land into
master, but this is not enough. We must ensure the security is kept even after that.
With the existing approach we can prevent security issues, but we cannot detect yet.
The Security Control Panel is a place where security tests are set, scheduled and executed to ensure that the deployed applications are not vulnerable to new attacks. For example, DAST can be scheduled on the
production environment every night, or static checks can be executed on the version of the code that is published, even if it is not the latest
What we need to define is a list of assets (environments, published docker images, etc.) that are still relevant for our application, and ensure that they are all periodically tested for security problems.
For each asset, we need to know enough information to perform the tests:
- for SAST and Dependency Scanning, we need to know the commit of the asset to checkout
- for Container Scanning, we need to know the image tag to pull from the registry
- for DAST, we need to know the url of the deployed application (or the environment name)
Tests can be done with "standard" pipelines, but we can also consider to have built-in job definitions so we can run security testing even if the orginal
.gitlab-ci.yml file doesn't contain this information.
The panel can be both at project level, group, or instance level. It could be in strict relation with Security Dashboard, that is where results can be accessed.
Implement a Security Control Panel that can contain all the tasks to ensure assets for a given application are constantly checked and kept secure.
What does success look like, and how can we measure that?
Users access and set policies in the Security Control Panel.