Web App Scanning 101: What Security Pros Need to Know About CI/CD Pipelines

Git, repositories and pipelines…oh my! We unpack standard practices in the web app development process and provide guidance on how to use Tenable Web Application Scanning to secure your code.

Awesome! This should be easy. All you need to start is … Wait… what's a pipeline?

Well, let's start there. Have you ever used a code repository to track code changes? Every time you make an update to the repository files/code, you have to do what's called a “git commit” and “git push.” Developers use Git as a foundation to run their CI/CD pipelines.

Wait … what's Git, and what does CI/CD mean?

To be clear, continuous integration and continuous deployment (CI/CD) is a methodology — not a tool.

The “D” in CI/CD is often referred to as “delivery” instead of deployment. For the purposes of this blog post, since we are talking about the deployment side of it, I will use that here.

Before we get there, let’s talk about version control. Time to roll back a few years. In 2005, Linus Torvalds, the creator of Linux, built something called “Git,” an open source version control software. Version control allows you to track and control all changes to a codebase.

These codebases, called repositories, are generally used for managing code that is the basis for any software or website that you can think of. Git is the most commonly used version control system while GitHub, now owned by Microsoft, is one of the cloud-based repository hosting platforms utilizing Git.

Developers have been using this great version control tool ever since, but every time they wanted to test their production applications/software, they had to do the following:

1. Log on to a server
2. Pull code from a repository
3. Package code up in a nice zip-type file
4. Send that package to another server that was the staging/testing environment
5. Run the application and confirm it still runs at all
6. Run any tests needed against it, such as allowing other developers to come in and poke at it to find broken parts of the application

The most efficient developers would make scripts to automate some or all of this work, but there was an even better way…

What is continuous integration?

Integration here might not mean what it sounds like. It means that you are building your application and running tests on a schedule or every single time you make a change to your code. Think about how much time this can save. Instead of having to assign tasks out to a team of testers, those tests run every time you change the code. Can you imagine knowing about all of your issues right away?

On top of that, continuous integration automatically builds your application, so you don’t have to package and run it yourself, letting you keep working on building.

For security pros, this is the spot in a pipeline where the dynamic application security testing (DAST) scanner — available in Tenable Web Application Scanning — can help.

At Tenable, we want developers to know about security issues as soon as possible. For reference, this is where software composition analysis (SCA) and static application security testing (SAST) scanning also live. Those tools are used for looking at source code, whereas Tenable Web Application Scanning looks at a built application and scans it with real network requests.

Jenkins is considered the first main and widely adopted CI tool. Jenkins helped teams adopt this methodology. Some teams were already doing this with homegrown solutions. We have documentation on how to deploy the web app scanner in a Jenkins CI/CD pipeline.

What is continuous deployment?

Deployment is when you take what you have built and push it out for real use. It’s building an application for production use rather than just for quick testing. Back in the day, developers would log onto their servers and make updates to the applications on the fly. If something broke, well, you’d better remember the changes you made and have fun spinning that back up.

Automated deployment allowed developers to run one script that would spin up an entire environment or application all in one go. Application falls down? No problem! Run the deployment and it can be back up soon.

Continuous deployment allows for changes to be made in the source code and for those to be automatically sent to production. No dev or IT team time is wasted in changing live servers.

Wrapping it all up

PHEW. Ok. A CI/CD pipeline is where you combine version control (Git), continuous integration and continuous deployment. It allows teams to develop applications very quickly and not waste time. The pipeline is the ongoing stream of tests and automated actions that all happens based on code changes.

Over time, tools became better and more appeared, such as Bamboo and CircleCI and some others. GitHub Actions came out in 2015, allowing developers to automate software development workflows from within GitHub.

Tenable Web Application Scanning can scan any pipeline. It offers code examples for testing for various tools, but you can throw a test into any pipeline.

For more documentation on how to implement, see Tenable’s Documentation

Now, back to the original question: So, you want to scan some web apps in the pipeline?

You can walk through the “how to run Web App Scans in your CI/CD pipeline” in this public demo: https://demo.tenable.com/share/lajsp7ujjmzb

Learn more

• View the on-demand webinar Tenable Web Application Scanning Customer Update, April 2024
• Visit the product page, https://www.tenable.com/products/web-app-scanning
• Download the data sheet, Vulnerability Exposure: A simple, scalable approach to dynamic application security testing