Automated Security Checks

In the current episode, we look at the importance of security tests in software development. Security tests are not only necessary at the end, but throughout the entire development process. Various tools, such as OWASP-Zap and other dynamic scanning tools, are presented to help detect security vulnerabilities at an early stage. Typical vulnerabilities such as SQL injection and cross-site scripting are also discussed and how modern frameworks tackle these problems. It is particularly interesting to note that many companies are still reluctant to integrate security tests as they find this too complicated or time-consuming.

There are now many tools on the market that are freely available and can be integrated into the pipelines to simply incorporate security into the process right from the start.” - Christian Biehler

Christian Biehler is an experienced and qualified expert in IT security. After successfully completing his Master of Science in IT Security, he has gained over 10 years of experience as a hacker, penetration tester, consultant and trainer. Christian has worked for various companies in different industries and thus has a wide range of practical expertise from more than 300 projects in the areas of web, mobile, OS & service pentesting on Windows and Linux environments. In addition to the DevSecOps world, the Microsoft world around the local Windows worlds with clients, servers and Active Directory as well as the Microsoft cloud with Entra ID, Azure and M365 have been a major focus of his work for several years. Since 2019, he has been the Managing Director of bi-sec GmbH, a company that specializes in consulting, penetration testing and training in the field of IT and information security.

Highlights of this Episode:

• It is important to consider security testing throughout the software development cycle, not just at the end.
• SQL injections used to be a big issue, today it’s more about logic and access controls.
• Tools like OWASP-Zap can be integrated into pipelines to detect security vulnerabilities early.
• Many companies are reluctant to integrate security testing into the development process due to organizational and political barriers.
• There are many freely available tools that can help with the implementation of security testing.

Security tests in the software development cycle

In this episode of the Software Testing Podcast, Richie talks to Christian Bieler about the importance of security testing throughout the software development lifecycle. Christian explains how companies can identify and fix security vulnerabilities early on and which tools can help.

Introduction to the importance of security tests

In the latest episode of the Software Testing Podcast, I had the pleasure of speaking with Christian Bieler, a proven expert in security and security testing. The relevance of the topic could hardly be greater. Until recently, security tests were often only carried out at the end of a development project, usually in the form of a penetration test (pen test). However, the perspective has now changed: Security should be an integral part of the entire software development cycle. Christian emphasizes the need to consider security aspects right from the start in order to avoid problems later on.

The trip to Vienna and first impressions

Our conversation took place at the Software Quality Days 2024 in Vienna. Christian told me about his pleasant journey and his first impressions. It was his first visit to Vienna and he planned to spend the weekend there to get to know the city better. We talked about how nice it is to combine professional commitments with personal experiences. This relaxed introduction helped us both to get into the actual topic in a more relaxed way: the integration of security into the development process.

Challenges and changes in the area of software security

Christian began his presentation with a review of the last ten years in the field of software security. He talked about how expectations and challenges have changed. While SQL injections used to be one of the biggest threats, today the attack vectors have shifted more towards logic and access control vulnerabilities. These new threats require a different approach and increased measures throughout the development process. Christian also emphasized the importance of automation in security testing and noted that many modern tools are already able to detect standard vulnerabilities at an early stage.

Integration of security tools in development pipelines

A key topic of our discussion was the integration of security tools into the development process. Christian explained in detail how various tools such as OWASP-Zap or Nuclei can be used to detect security vulnerabilities at an early stage. These tools can be seamlessly integrated into CI/CD pipelines and provide reports that developers can use immediately. I found Christian’s practical examples particularly impressive: Automated testing allowed many obvious vulnerabilities to be identified and fixed in advance.

The role of developers and organizational hurdles

Christian also spoke about the organizational challenges of implementing security tests. The topic of security is often pushed back and forth within a company without anyone taking concrete responsibility. This leads to important security measures being postponed or only half-heartedly implemented. Christian emphasized the importance of clearly defined roles and responsibilities as well as central control of security tools within a company.

Conclusion: The path to better software security

In conclusion, Christian summarized that there is no reason to shy away from the integration of security tools. Most companies already use static code analysis tools or dependency checkers - a good first step. He encouraged development teams to simply get started and gain initial experience. Even if not everything runs perfectly straight away, every step towards a more secure development environment is valuable. With the right tools and a well-thought-out strategy, many common security gaps can be closed in advance.