Adherence check - Static Application Security Testing (SAST)

Problem to solve

To adhere to regulatory standards and to provide evidence of compliance, I need to be able to generate a report for auditors detailing the last date/time each of my repositories were scanned by each security scanner. I would leverage this data to also action against projects that are out of compliance to bring them into compliance and ensure that scanners are properly enabled/enforced to run.

Proposal

Add an adherence check for the "GitLab Standard" that checks that Static Application Security Testing (SAST) is enabled on the project.

SAST can be enabled to configure SAST for the current project. For more details, https://docs.gitlab.com/ee/user/application_security/sast/index.html#configure-sast-by-using-the-ui

Implementation plan

cloned from #440715 (closed)

changed milestone to %Backlog

added backend devopsgovern documentation groupcompliance priority2 sectionsec typefeature workflowplanning breakdown labels

added to epic &12661 (closed)

marked this issue as blocking #442144

cloned to #467082 (closed)

Potential frameworks, standards and laws that this check maps back to

Object of Compliance	Standard/Framework/Law/Regulation	Section	What it says	Link
PCI DSS	Framework	Requirement 6: Develop and maintain secure systems and applications	6.6: Ensure all public-facing web applications are protected against known attacks, either by performing application vulnerability assessment at least annually and after any changes, or by installing an automated technical solution that detects and prevents web-based attacks (for example, a web-application firewall) in front of public-facing web applications, to continually check all traffic	https://listings.pcisecuritystandards.org/documents/PCIDSS_QRGv3_1.pdf
OWASP Software Assurance Maturity Model (SAMM)	Open community project	Stream A: Scalable Baseline	Use automated static and dynamic security test tools for software, resulting in more efficient security testing and higher quality results. Progressively increase the frequency of security tests and extend code coverage. Application security testing can be performed statically, by inspecting an application’s source code without running it, or dynamically by simply observing the application’s behavior in response to various input conditions. The former approach is often referred to as Static Application Security Testing (SAST), the latter as Dynamic Application Security Testing (DAST). A hybrid approach, known as Interactive Application Security Testing (IAST), combines the strengths of both approaches (at the cost of additional overhead) by dynamically testing automatically instrumented applications, allowing accurate monitoring of the application’s internal state in response to external input. Many security vulnerabilities are very hard to detect without carefully inspecting the source code. While this is ideally performed by expert or peer review, it is a slow and expensive task. Although “noisier” and frequently less accurate than expert-led reviews, automated SAST tools are cheaper, much faster, and more consistent than humans. A number of commercial and free tools are able to efficiently detect sufficiently important bugs and vulnerabilities in large code bases. Dynamic testing does not require application source code, making it ideal for cases where source code is not available. It also identifies concrete instances of vulnerabilities. Due to its “black-box” approach , without instrumentation, it is more likely to uncover shallow bugs. Dynamic testing tools need a large source of test data whose manual test generation is prohibitive. Many tools exist which generate suitable test data automatically, leading to more efficient security testing and higher quality results. Select appropriate tools based on several factors, including depth and accuracy of inspection, robustness and accuracy of security test cases, available integrations with other tools, usage and cost model, etc. When selecting tools, use input from security-savvy technical staff as well as developers and development managers and review results with stakeholders.	https://owaspsamm.org/model/verification/security-testing/stream-a/
ISO 27001	Framework	8.28	Annex A Control 8.28 assists organisations in preventing security risks and vulnerabilities that may arise due to poor software coding practices through developing, implementing, and reviewing appropriate secure software coding practices.	https://www.invicti.com/white-papers/application-security-according-to-iso-27001-invicti-ebook/ https://www.isms.online/iso-27001/annex-a/8-28-secure-coding-2022/#:~:text=Per%20ISO%20270010%3A2022%2C%20Annex,appropriate%20secure%20software%20coding%20practices.
Health Insurance Portability and Accountability Act (HIPAA)	Law	Provision 164.308(a)(8)	Requires organizations that transmit and store PHI to regularly perform technical and non-technical evaluations of their systems
GDPR	Law	Article 25	The controller shall, both at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organisational measures, such as pseudonymisation, which are designed to implement data-protection principles, such as data minimisation, in an effective manner and to integrate the necessary safeguards into the processing in order to meet the requirements of this Regulation and protect the rights of data subjects.	https://gdpr-info.eu/art-25-gdpr/ https://www.parasoft.com/blog/using-static-analysis-to-security-design-in-gdpr/

mentioned in issue #474795 (closed)

assigned to @hraghuvanshi

changed milestone to %17.3

@hraghuvanshi This issue looks like it may slip this current milestone. Can you leave a or to signify if you are on track to deliver this issue? Please also consider updating the issue's Health Status or Milestone to reflect its current state, and communicate with your Product Manager as appropriate.

Bot policy.

Analysis

1. As per the documentation for configuring/enabling SAST in a project, the configuration needs to be added to the pipeline configuration file of the project as mentioned in https://docs.gitlab.com/ee/user/application_security/sast/#configuration. Even if we are configuring from UI, the change will be done in the pipeline configuration file.
2. For supporting the adherence check for whenever the SAST scanner runs on a certain project, we can create the adherence check for the scanner when the relevant job artifact is created, which will indicate the last scan of the project with that scanner, and also indicate that the scanner is enabled on the project.

@hraghuvanshi Would this approach make it easier for other scanners to be included?

@nrosandich Sorry for delay, yes adherence checks for other scanners can also be added in a similar way.

changed milestone to %17.4

@hraghuvanshi This issue looks like it may slip this current milestone. Can you leave a or to signify if you are on track to deliver this issue? Please also consider updating the issue's Health Status or Milestone to reflect its current state, and communicate with your Product Manager as appropriate.

Bot policy.

mentioned in merge request !163579 (merged)

@nrosandich I have created a POC MR !163579 (merged) for this and the video recording for adherence checks creation when sast scanner runs for the project is added here.

I am also checking something else too which might help us in creating adherence checks for the main branch of the repo only.

SastAdherenceCheck

@hraghuvanshi This is great progress. I uploaded to YT here https://www.youtube.com/watch?v=ds9ZlcHAh3o

cc @khornergit @g.hickman

This is super cool - great to see the progress, thanks for the cc

mentioned in epic gitlab-org#12661 (closed)

@hraghuvanshi This issue looks like it may slip this current milestone. Can you leave a or to signify if you are on track to deliver this issue? Please also consider updating the issue's Health Status or Milestone to reflect its current state, and communicate with your Product Manager as appropriate.

Bot policy.