13 Secure coding practices and automation

This chapter covers

  • OWASP top 10 API security vulnerabilities
  • Performing static analysis of code by using SonarQube
  • Automating code analysis by integrating with Jenkins
  • Performing dynamic analysis of code by using OWASP ZAP

The complexity of the source code or the system design is a well-known source of security vulnerabilities. According to published research, beyond a certain size, the number of defects in an application grows as the number of lines of code grows, and that growth is exponential rather than linear: defects accumulate much faster than code is added. Unless you have good test coverage for both functionality and security, you won't be able to deploy changes into production frequently and with confidence.

Two main kinds of security tests are integrated into the development life cycle: static code analysis and dynamic testing. You can integrate both tests to run automatically after each daily build. In the rest of this chapter, we look at the top 10 API security vulnerabilities as categorized by the Open Web Application Security Project (OWASP) and then take a look at tools we can use to perform static and dynamic analysis of our code. If you'd like to learn more about security best practices, we recommend Agile Application Security: Enabling Security in a Continuous Delivery Pipeline (O'Reilly Media, 2017) by Laura Bell et al.

13.1 OWASP API security top 10

13.1.1 Broken object-level authorization

13.1.2 Broken authentication

13.1.3 Excessive data exposure

13.1.4 Lack of resources and rate limiting

13.1.5 Broken function-level authorization

13.1.6 Mass assignment

13.1.7 Security misconfiguration

13.1.8 Injection

13.1.9 Improper asset management

13.1.10 Insufficient logging and monitoring

13.2 Running static code analysis

13.3 Integrating security testing with Jenkins

13.3.1 Setting up and running Jenkins

13.3.2 Setting up a build pipeline with Jenkins

13.4 Running dynamic analysis with OWASP ZAP