Sign in Try for Free
DE

Continuous Security

Ensure good security exposure with continuous security embedded in your dev process.

Run an automated scan now
14-day free trial. No CC required.
  • Perform regular vulnerability scans on your web applications and APIs
  • Embed DAST into your agile dev process
  • Mitigate risks with extensive reports and remediation advice
Flixbus
Instana
Atoss
Ottonova
Alltron
Hirmer
Netfonds
Acrolinx

Features

Continuous vulnerability scanning

Crashtest Security provides software developers with automated vulnerability scanning software for web applications and APIs.

Start 14-day free trial

Scan setup in minutes

1

Scheduled scanning

2

Dev toolchain integration

3

Extensive reporting

4

Success Stories

Vulnerability scanner with most advanced crawling options

Easy to setup

The easy setup, the scanning of future-oriented technologies such as JavaScript and API targets, as well as the easy integration into our existing CI/CD pipelines and internal development processes were the main arguments for ottonova.

Andreas Katzig, CTO at ottonova

Continuous testing throughout the development process

We wanted a plug and play solution that enables continuous testing throughout the development process. Especially for me, it was important that the developers quickly implement the tool and, in return, deliver resilient results that can be trusted.

Nis Carstensen, CTO & Head of Development bei Netfonds

Continuous Security

Whitepaper

Continuous security whitepaper

Learn how to implement continuous security into your agile development.

Download

Continuous delivery

To introduce continuous security topics, we start with one of the core principles: “continuous delivery.” This topic covers some general terms and definitions around DevOps and agile development. A continuous delivery process enables teams to take developed code and publish it automatically in a production environment. This process typically includes various tests and is the core enabler for automating and standardizing software development security tests.

If you have never heard of DevOps or the term “continuous security,” we recommend starting with our basic FAQ on all topics around DevOps. We introduce the general case, why DevOps is implemented into software development teams, and its benefits. We also cover some essential technologies that drive the success of DevOps and agile development. Plus, you’ll get references for further readings.

To understand the real-life benefits of a continuous delivery workflow, read our blog post, “Why Continuous Delivery is Important.” We share a user’s story from a friendly startup trying to implement text changes in their software. The user understood Heroku, Bitbucket, and the basics of code repository workflows quite quickly. Unfortunately, the changes could not be checked without the agency due to the lack of continuous delivery processes.

Our final content on continuous delivery goes into more detail and addresses the cybersecurity angle in much more detail. If you are interested in the bits and bytes of secure DevOps Processes and red teaming, read our blog on “Why should cybersecurity care about DevOps?”. This article discusses the implications of security teams when it comes to DevOps and continuous delivery. We dive deeper into two concrete elements that cybersecurity should address: security champions and standardization through tools. Even as an experienced pentester or developer, you will learn something new.

Container security

Containers create a virtual layer between the infrastructure and the code on top of it. This helps developers always have the same conditions – development, testing, or production environments. Containers can be configured to include specific networks, compute, storage resources, and operating systems and software installations. While virtualizing the infrastructure and base-layer software makes it easier for developers, it is also a security concern.

We have prepared a guide that covers the best practices for container security. These best practices cover learnings we have incorporated ourselves and are a great starting point for any startup or larger organization when setting up the initial architecture. We cover the container security (i.e., Docker) in technical deep-dives and go into the orchestration layer (Kubernetes). Read the cybersecurity startup best practices for container security.

We have two specific how-to articles around containers for everybody a little more advanced:

  • Collect Kubernetes Logs on Docker for Mac” gives you a neat workaround for collecting logs with a bash script. This works great on your local cluster when using the built-in Kubernetes functionality on Docker for Mac.
  • We have a solution for all Terraform, Kubernetes, and Vault users if you run into a “resource does not have attribute” error. We have a short script for you to automatically create a Kubernetes service account and use the JWT token to provision Vault in the cluster.

Tools and integrations

Now that we covered the basics of continuous delivery and technical aspects, we can start with the advanced integrations and tools integrated into DevOps workflows. We will specifically cover tools to enable security tests. Below is an overview of the different tools you can use in a DevOps environment.

First, we have an article that will help you understand the deeper aspects of DevOps by providing further helpful resources. The materials cover culture, the first hands-on app development experience, end-to-end workflow mapping, automation, and KPI topics.

We have a 30-minute tutorial on building your own DevSecOps pipeline for you. This tutorial will walk you step-by-step through setting up an app in Heroku, creating a simple CI/CD workflow with CircleCI, and integrating two tools: A SAST test (Python safety check) and a DAST test (Crashtest Security). You will also learn about basic GitHub push/pull/commit functionality.