Policy-as-code is a method of defining and managing security rules, criteria, and conditions through code. It is a way of enforcing security and risk policies programmatically, within a continuous integration/continuous delivery/continuous deployment (CI/CD) pipeline. In an application security testing context, it codifies rules for policy evaluation, response, and notification to enable security teams to automate testing workflows.
Policies are written in a high-level language, and code is entered into a policy engine that uses queries. The policy engine consumes these policies as inputs, processes them, and then delivers a query result. This result generates a decision that aligns with the policies in place to determine which type of application security testing (AST) is appropriate, when it should be used, and where.
Policy-as-code is a scripted, readable file that provides preconditions for testing a given application. These files are written in a supported programming language (such as YAML or Python) that is compatible with the tools an organization uses. The policies are enforced via API call to a CI pipeline, so security testing can be run without breaking current builds.
Key considerations for writing policy-as-code include
In the context of application security testing, organizations can leverage policy-as-code to define the conditions for when to test, what testing tool should be used, and whether there is a need to test. By codifying these parameters, security teams can simplify the coordination of multiple AST tools and achieve precision in their testing workflows. This enables consistent, automated enforcement of security policies, and ultimately, the ability to achieve better software quality without compromising development velocity.
More specifically, enforcing policy-as-code helps in these important ways.
Organizations today use a wide range of AST tools, and some can take days to provide security scanning results. Ever-increasing development speeds require application security testing tools and practices that can keep up.
Additionally, ensuring that software is compliant and secure means understanding software risk at the development level, in earlier stages of the software development life cycle. But without a cohesive testing strategy in place, organizations end up with manual scanning and code reviews, and overall, inconsistent security hygiene.
Further, integrating numerous tools across existing pipelines can be a complex and time-consuming undertaking, and can increase the risk of breaking existing build and release pipelines. If organizations can’t easily integrate their AST tooling with an existing software delivery tracking system, or prioritize security activities based on risk, security and development resources can easily become stretched thin.
These tooling challenges often result extraneous testing that adds hurdles and time lags to developer productivity. Security analysts will struggle to keep up with siloed tooling and manual reviews, and costly and potentially exploitable software flaws can go undetected due to lack of testing and broader visibility into process, decisions, and key findings.
Policy-as-code helps overcome these impediments to DevSecOps by
Black Duck® Software Risk Manager™ is a comprehensive ASPM solution that enables teams to
Get insights into the current state of security for web-based apps and systems
Download the reportLearn how to gain visibility and secure your apps across the enterprise
Download the white paperGet the trends and recommendations to help improve your software security program
Download the reportThree steps to consolidate your effort, insight, and tools
Download the guide