Notify users when existing code is vulnerable to new security flaws
Problem to solve
If code is marked as secure, it doesn't mean it really is. It only means that, with the technology and the knowledge available at the moment the security scan was executed, no flags were raised.
But new security vulnerabilities may be found even if the code was previously marked as flawless and has not changed since. For example, a new security problem may be found in a dependency, with the advisory published after the security scan was initially executed.
This means we should ensure that the code is secure every time either the code or the definitions used by the security scanners are updated.
We can continuously run security tests on the code, and see if there is something new that must be addressed.
In this case, users should be notified immediately so they can triage and remediate the problem.
Further details
This is also important to allow auto-remediation to be effective.
Proposal
We can achieve this goal in two ways:
- set a scheduled pipeline to run security testing (e.g., every hour)
- run security testing in the background, and decouple it from "regular" pipelines
In both cases, we need to notify the user of new vulnerabilities. This can be done by updating the status of the Security Dashboard and by sending emails.
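Whichever of the two approaches is chosen, the notification step needs to work out what is actually new, so that a scheduled run does not re-alert on findings already on the dashboard. The following is an added example, not code from GitLab or this proposal: it diffs two scan reports (constructed inline, in a shape resembling a GitLab dependency-scanning report; that schema is an assumption) by a stable fingerprint rather than by the scanner's per-run `id`, and builds the text for the email or dashboard update.

```python
import json

# Constructed sample reports (not real scan output) in the shape of a GitLab
# dependency-scanning report; the schema is an assumption for this example.
# CVE ids are placeholders, not real advisories. The scanned code did not
# change between the two runs; only the advisory data did.
PREVIOUS_REPORT = json.loads("""{"vulnerabilities": [
  {"id": "a1", "severity": "Medium", "name": "Prototype pollution",
   "identifiers": [{"type": "cve", "value": "CVE-0000-0001"}],
   "location": {"file": "package-lock.json",
                "dependency": {"package": {"name": "example-lib"}, "version": "1.0.0"}}}]}""")
CURRENT_REPORT = json.loads("""{"vulnerabilities": [
  {"id": "b7", "severity": "Medium", "name": "Prototype pollution",
   "identifiers": [{"type": "cve", "value": "CVE-0000-0001"}],
   "location": {"file": "package-lock.json",
                "dependency": {"package": {"name": "example-lib"}, "version": "1.0.0"}}},
  {"id": "c3", "severity": "High", "name": "Path traversal",
   "identifiers": [{"type": "cve", "value": "CVE-0000-0002"}],
   "location": {"file": "package-lock.json",
                "dependency": {"package": {"name": "example-lib"}, "version": "1.0.0"}}}]}""")


def fingerprint(vuln):
    """Key a finding by what it is and where it is, not by the scanner-assigned
    "id", which can differ from run to run and would otherwise cause false alerts."""
    ids = tuple(sorted((i["type"], i["value"]) for i in vuln.get("identifiers", [])))
    loc = vuln.get("location", {})
    pkg = loc.get("dependency", {}).get("package", {})
    return ids, (loc.get("file"), pkg.get("name"), loc.get("dependency", {}).get("version"))


def new_findings(previous, current):
    """Findings present in the current report but absent from the previous one."""
    seen = {fingerprint(v) for v in previous.get("vulnerabilities", [])}
    return [v for v in current.get("vulnerabilities", []) if fingerprint(v) not in seen]


def notification(findings):
    """Text for the email / dashboard update; empty string means nothing to send."""
    if not findings:
        return ""
    lines = [f"{len(findings)} new vulnerability finding(s) since the last scheduled scan:"]
    for v in findings:
        ids = ", ".join(i["value"] for i in v.get("identifiers", []))
        dep = v.get("location", {}).get("dependency", {})
        pkg = dep.get("package", {}).get("name")
        lines.append(f"- [{v['severity']}] {v['name']} ({ids}) in {pkg}@{dep.get('version')}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(notification(new_findings(PREVIOUS_REPORT, CURRENT_REPORT)) or "no new findings")
```

In a scheduled pipeline the previous report would come from the last run's stored artifact, and an empty notification string means the run stays silent.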
What does success look like, and how can we measure that?
New vulnerabilities are spotted as soon as their definitions are available to our tools.