Ideas and notes from our experience in automating application security.
In order to automate dynamic security testing, we must have a live environment, and as good security professionals know, your tests are only as good as the environment you’re testing in.
More often than not, the environments that are provided to me do not match production. I see the majority of teams asking developers to maintain an additional environment just for security testing. In this standard approach we are always at the mercy of the developers, and if your employer is price-sensitive, you may also get grief about the cost of the server.
I greatly dislike being at others’ mercy to complete my work, but fortunately you can put the challenge of getting an accurate environment under your control! I’ve had a great deal of success with asking developers to provide a production container via docker-compose, updated whenever a pull request is merged.
Porting an install to docker-compose should be a very small investment by engineering. It is drop-in simple. If it isn’t drop-in simple, you have much bigger problems. This allows me to spin up a production-ready environment at will, in CI, for security testing.
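As an added example (not from the original post, and not any particular project's file), here is the shape of the docker-compose.yml I ask for: the application image built from the merged commit, its database with a health check, and a scanner service behind a compose profile so the same file serves both local use and the CI job. It assumes the repository has a Dockerfile whose container listens on port 8080 and answers on /healthz, that curl is present in that image, and that the DATABASE_URL and APP_ENV variables are how the app is configured; the credentials are throwaway values for CI only.

```yaml
# docker-compose.yml (added example; service names, ports and credentials are placeholders)
services:
  db:
    image: postgres:16            # pin the same major version production runs
    environment:
      POSTGRES_USER: app
      POSTGRES_PASSWORD: throwaway-ci-only   # CI-only value, never a production secret
      POSTGRES_DB: app
    healthcheck:
      test: ["CMD-SHELL", "pg_isready -U app -d app"]
      interval: 5s
      timeout: 3s
      retries: 20

  app:
    build: .                      # the production image, built from the merged commit
    environment:
      DATABASE_URL: postgres://app:throwaway-ci-only@db:5432/app   # assumed config variable
      APP_ENV: production         # run with production settings so the scan sees production behaviour (assumed variable)
    depends_on:
      db:
        condition: service_healthy
    ports:
      - "8080:8080"               # handy for poking at it locally; the scanner uses the compose network
    healthcheck:
      # assumes curl exists in the application image and /healthz returns 200 when ready
      test: ["CMD-SHELL", "curl -fsS http://localhost:8080/healthz || exit 1"]
      interval: 5s
      timeout: 3s
      retries: 30

  zap:
    # OWASP ZAP baseline scan: spider plus passive checks only, so it is safe
    # to run on every merge without the scan itself changing application state
    image: ghcr.io/zaproxy/zaproxy:stable
    profiles: ["scan"]            # not started by a plain `docker compose up`
    depends_on:
      app:
        condition: service_healthy   # no scanning until the app reports ready
    volumes:
      - ./zap-out:/zap/wrk:rw     # the HTML report lands on the CI runner's disk
    command: zap-baseline.py -t http://app:8080 -r zap-report.html
```

In the CI job that runs on merge, `docker compose --profile scan run --rm zap` starts db and app as dependencies, waits for the health checks, runs the scan and returns ZAP's exit status, so the job fails when the baseline has findings; follow it with `docker compose down -v` so no state or volumes survive between runs. Because the app is built from the merged commit rather than a hand-maintained server, the environment is only ever as stale as the last merge.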