We previously talked about the ‘Why’ and ‘When’ of adopting DevSecOps. In this post, we help you with the ‘How’, starting with Scantist SCA (free forever!) and following up with some tips to continue your DevSecOps journey.
Go to https://scantist.io and sign in with your preferred version control service: GitHub, GitLab, or Bitbucket.
Once in, click on the Projects tab, followed by Manage Projects.
You should now see a list of your repositories on the page. Click on the small green ‘plus’ icon next to the repository name to add it as a project and trigger a scan.
Within a few seconds, you should see your results. If vulnerabilities were found, click on the number to view the detailed findings.
Bonus: click on the project name and, under Scan Settings, enable event-driven scan so that a scan is triggered every time a new Pull Request or Merge Request is created. A newly introduced vulnerable dependency is then flagged at review time, before it is merged.
And there you have it. You are now covering the open-source and third-party components that typically make up 60-90% of an application’s code base, checked against more than 100,000 known vulnerabilities in the components attackers most often target. Keep in mind that SCA covers known vulnerabilities in the components you depend on, not flaws in the code you write yourself (that is what SAST is for, see below). That wasn’t as hard as you thought, was it?
Now that you have taken the first step to DevSecOps, there are a few additional steps you can take to further improve your application security posture.
First, understand the different application security tools you’d need for a full DevSecOps transition. We recommend this great post by Carnegie Mellon University researcher Thomas Scanlon. Here’s the TL;DR: there are 10 tools, of which 4 are basic: Database Security, SAST (for the code you write), SCA (for the open-source code you use; this is where Scantist comes in!), and DAST (for runtime analysis of the running application).
Second, look at the security configurations of your version control system. GitHub has a few security controls that are readily available to use, and similar options are available for Bitbucket and GitLab too (though some may be limited to higher-tier accounts).
Third, OWASP maintains a suite of great open-source application security tools. If you are the type who likes to DIY, these can be a great way to build a reasonably mature DevSecOps pipeline.
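The DIY route, combined with the pull-request trigger from the bonus step earlier, can be built with nothing more than a CI workflow. The GitHub Actions workflow below is an added example, not Scantist’s configuration and not code from the original post: it runs OWASP Dependency-Check (one of the OWASP tools mentioned above) against the repository on every pull request and fails the check when any dependency carries a known vulnerability scored CVSS 7 or higher. The branch name `main`, the CVSS threshold, the `odc-data` and `odc-report` directory names and the `NVD_API_KEY` secret name are assumptions for the example.

```yaml
# Added example (not Scantist's code): SCA on every pull request using the
# official owasp/dependency-check container. Fails the job at CVSS >= 7.
name: sca-on-pull-request

on:
  pull_request:
    branches: [main]          # assumption: the default branch is 'main'

permissions:
  contents: read              # least privilege: the job only reads the checkout

jobs:
  dependency-check:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      # The NVD feed download is slow; cache the local vulnerability database
      # between runs so each PR scan only pulls incremental updates.
      - name: Cache vulnerability database
        uses: actions/cache@v4
        with:
          path: odc-data
          key: odc-data-${{ runner.os }}

      - name: Run OWASP Dependency-Check
        env:
          NVD_API_KEY: ${{ secrets.NVD_API_KEY }}   # assumption: secret name; optional but avoids NVD rate limits
        run: |
          mkdir -p odc-data odc-report
          docker run --rm \
            -u "$(id -u):$(id -g)" \
            --volume "$PWD":/src \
            --volume "$PWD/odc-data":/usr/share/dependency-check/data \
            --volume "$PWD/odc-report":/report \
            owasp/dependency-check:latest \
              --project "${{ github.repository }}" \
              --scan /src \
              --format ALL \
              --out /report \
              --failOnCVSS 7 \
              ${NVD_API_KEY:+--nvdApiKey "$NVD_API_KEY"}

      # Keep the report even when the scan fails the job, so reviewers can
      # see which component and which CVE blocked the merge.
      - name: Upload report
        if: always()
        uses: actions/upload-artifact@v4
        with:
          name: dependency-check-report
          path: odc-report
```

Two caveats a practitioner will hit: `pull_request` runs from forks do not receive repository secrets, so the scan falls back to unauthenticated NVD updates and simply runs slower; and `--failOnCVSS` blocks on severity alone, so pair it with a suppression file for findings you have triaged as not exploitable in your context rather than raising the threshold.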
We know most organisations have only just made the exhausting transition to DevOps - or are actually still undergoing that transition. And adding another set of integrations - especially for security in a complex risk landscape - can seem daunting at first. We hope this blog helps make things a little easier and gives you that little push we all need to get started!