Security/Application Security Pipeline

Purpose
This document provides guidance on how to implement security into the CI/CD pipeline, leveraging both GitLab's integrated tools and custom tools provided and developed by the Security Team.

In an effort to improve application security testing, our goal has been to “shift left” to remove more vulnerabilities earlier. The idea is to empower the developers to find and fix vulnerabilities earlier in the software development lifecycle, when changes are less costly and more timely.

With security embedded into the development workflow, developers get feedback on the security of their code as they work, can remediate in real time, and free up the security team’s time to focus on monitoring issues, assessing risk, and solving vulnerabilities that can’t be fixed by the developer. By continuously testing even small, incremental code changes, an avalanche of work at the end of the SDLC is avoided.

Note: The Security Team strongly recommends including security pipelining features in both migrated and new repositories. These features have to be triggered for each new Merge Request and for Continuous Development/Delivery.

Use Cases

 * Allows security flaws to be fixed early, when they are less expensive to fix, removes context-switching, and minimizes risk by preventing vulnerabilities from reaching production.
 * Reduces security and compliance risks.
 * Flags code that has a potentially dangerous attribute in a class, or unsafe code that can lead to unintended code execution.

How to configure SAST
To enable and configure SAST with default settings:
 1) On the top bar, select Menu > Projects and find your project.
 2) On the left sidebar, select Security & Compliance > Configuration.
 3) In the SAST section, select.
 4) Review the draft MR that enables SAST with the default recommended settings in the   file.
 5) Merge the MR to enable SAST. You should see SAST jobs run in that MR’s pipeline.
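The draft MR produced by the steps above adds GitLab's SAST template to the project's CI configuration. As an added illustration (not the Security Team's own template or the content of any specific MR), the following .gitlab-ci.yml enables SAST with default settings and restricts the pipeline to the two triggers the note above requires: every Merge Request and pushes to the default branch. The stage names and the excluded paths are assumptions for this example.

```yaml
# Added example, not from this page: minimal .gitlab-ci.yml enabling GitLab SAST.
stages:
  - build
  - test

# Run pipelines for merge requests and for the default branch (CD), and skip
# the duplicate branch pipeline when an MR is already open for that branch.
workflow:
  rules:
    - if: $CI_PIPELINE_SOURCE == "merge_request_event"
    - if: $CI_COMMIT_BRANCH && $CI_OPEN_MERGE_REQUESTS
      when: never
    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH

# GitLab-maintained template: adds the SAST job(s) to the "test" stage and
# selects analyzers based on the languages it detects in the repository.
include:
  - template: Security/SAST.gitlab-ci.yml

variables:
  # Assumed for this example: do not scan test fixtures or vendored code,
  # which would otherwise produce findings nobody on the team can fix.
  SAST_EXCLUDED_PATHS: "spec, test, tests, tmp, vendor"
```

With this in place the SAST report appears in the MR's Security widget, so findings are reviewed before the change is merged rather than after it reaches production.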

Known Guides and Documentation

 * Configure SAST in the UI with default settings