The complexity of the source code or the system design is a well-known source of security vulnerabilities. According to published research, beyond a certain size the number of defects in an application grows exponentially, not linearly, with the number of lines of code: defects accumulate much faster than code is added. Unless you have good test coverage for both functionality and security, you won’t be able to deploy changes into production frequently with confidence.
Two main kinds of security tests are integrated into the development life cycle: static code analysis and dynamic testing. Both can be configured to run automatically after each daily build. In the rest of this chapter, we look at the top 10 API security vulnerabilities as categorized by the Open Web Application Security Project (OWASP), and then at the tools we can use to perform static and dynamic analysis of our code.[1] If you’d like to learn more about security best practices, we recommend Agile Application Security: Enabling Security in a Continuous Delivery Pipeline (O'Reilly Media, 2017) by Laura Bell et al.
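The paragraph above says static and dynamic tests should run automatically after each build, but the part that actually makes a pipeline "fail closed" is the gate that reads both tools' results and decides whether the build may proceed. The following is an added example, not code from the book or from any particular scanner. It assumes each tool writes a JSON report in a simple `{"results": [{"rule_id", "severity", "location"}]}` shape (an assumption chosen for illustration; real SAST and DAST tools each have their own schema, and you would adapt `parse_report` to them), and it shows one policy choice a practitioner has to make explicitly: unknown severity labels are treated as medium rather than ignored, so a scanner that changes its vocabulary cannot silently pass the gate.

```python
"""Build gate that merges SAST and DAST findings and enforces a severity policy.

Added example for illustration; report schema, rule ids and sample findings
below are all constructed, not output of a real scanner.
"""
import json
from dataclasses import dataclass

# Ordered severity scale; anything at or above the configured threshold blocks.
SEVERITY_RANK = {"info": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass(frozen=True)
class Finding:
    source: str     # "sast" (static) or "dast" (dynamic)
    rule: str       # tool rule id
    severity: str   # normalised to a key of SEVERITY_RANK
    location: str   # file:line for SAST, method + path for DAST


def parse_report(source: str, raw: str) -> list[Finding]:
    """Normalise one tool's JSON report (assumed schema) into Finding objects.

    Severity labels are lower-cased; a label outside SEVERITY_RANK is mapped
    to "medium" on purpose, so an unexpected label is reviewed, not dropped.
    """
    doc = json.loads(raw)
    findings = []
    for r in doc.get("results", []):
        sev = str(r.get("severity", "")).lower()
        if sev not in SEVERITY_RANK:
            sev = "medium"
        findings.append(Finding(source, r.get("rule_id", "unknown"), sev,
                                r.get("location", "?")))
    return findings


def evaluate(findings, fail_at: str = "high", baseline=frozenset()):
    """Return (passed, blocking_findings).

    fail_at:  lowest severity that blocks the build.
    baseline: set of (rule, location) pairs that were reviewed and accepted;
              these are reported but do not block, so the gate stays green
              only for risks someone explicitly signed off on.
    """
    threshold = SEVERITY_RANK[fail_at]
    blocking = [f for f in findings
                if SEVERITY_RANK[f.severity] >= threshold
                and (f.rule, f.location) not in baseline]
    blocking.sort(key=lambda f: SEVERITY_RANK[f.severity], reverse=True)
    return (not blocking, blocking)


# Constructed sample reports, standing in for files written by the two tools.
SAST_REPORT = json.dumps({"results": [
    {"rule_id": "hardcoded-secret", "severity": "HIGH", "location": "src/config.py:12"},
    {"rule_id": "debug-enabled", "severity": "low", "location": "src/app.py:3"},
]})
DAST_REPORT = json.dumps({"results": [
    {"rule_id": "bola-object-access", "severity": "Critical", "location": "GET /orders/{id}"},
    {"rule_id": "no-rate-limit", "severity": "moderate", "location": "POST /login"},
]})


def run_gate(fail_at: str = "high", baseline=frozenset()) -> int:
    """Combine both reports and return a process exit code (0 = pass)."""
    findings = parse_report("sast", SAST_REPORT) + parse_report("dast", DAST_REPORT)
    passed, blocking = evaluate(findings, fail_at=fail_at, baseline=baseline)
    for f in blocking:
        print(f"[{f.severity.upper():8}] {f.source}: {f.rule} at {f.location}")
    print("security gate:", "PASS" if passed else f"FAIL ({len(blocking)} blocking)")
    return 0 if passed else 1


if __name__ == "__main__":
    raise SystemExit(run_gate())
```

In a real pipeline `run_gate` would read the report files produced by the preceding SAST and DAST steps rather than the inline samples, and the `baseline` would live in version control next to the code so that every accepted risk has an owner and a review trail. Note that "moderate" in the sample DAST report is not a label the gate knows, so it is classified as medium and becomes blocking as soon as the threshold is lowered to medium.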