Strengthening the Security of Your DevOps Process

Suggested Security Tool Type for CI Phase

Question

You have been tasked with strengthening the security of your team's development process.

You need to suggest a security tool type for the Continuous Integration (CI) phase of the development process.

Which of the following is the option you would suggest?

Answers

A. Penetration testing
B. Static code analysis
C. Threat modeling
D. Dynamic code analysis

Correct answer: B

Explanations

Validation in the CI/CD begins before the developer commits his or her code. Static code analysis tools in the IDE provide the first line of defense to help ensure that security vulnerabilities are not introduced into the CI/CD process.

https://docs.microsoft.com/en-us/azure/devops/articles/security-validation-cicd-pipeline?view=vsts

Out of the options provided, the most appropriate security tool for the Continuous Integration (CI) phase of the development process would be Static Code Analysis (B).

Static code analysis is a technique that analyzes the source code of an application to detect potential security vulnerabilities, coding errors, and other quality-related issues. It examines the code without executing it and provides feedback to the developers in the form of reports and notifications.

During the CI phase of the development process, code is integrated into a shared repository multiple times a day. As a result, any security vulnerabilities present in the code could be propagated throughout the codebase quickly. Therefore, performing static code analysis during this phase would enable developers to detect and resolve security issues early in the development process, before they can cause significant damage.
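The following is an added illustration of what a static analysis step in a CI job actually does; it is not code from the cited Microsoft article or from any exam source. It parses Python source into an AST, never runs it, flags a few well-known weakness patterns (dangerous calls, `subprocess` with `shell=True`, hard-coded secrets), and turns the findings into a pass/fail exit code that a pipeline can gate on. The rule names, the `SAMPLE` snippet and the `ci_gate` helper are all constructed for this example.

```python
"""Minimal AST-based static analyzer (illustrative example, not from the cited article)."""
from __future__ import annotations

import ast
from dataclasses import dataclass


@dataclass
class Finding:
    rule: str
    line: int
    message: str


# Calls whose presence almost always deserves a reviewer's attention (example rule set).
DANGEROUS_CALLS = {
    "eval": "eval() executes arbitrary code from a string",
    "exec": "exec() executes arbitrary code from a string",
    "pickle.loads": "pickle.loads() deserialises untrusted data into live objects",
    "yaml.load": "yaml.load() without a safe Loader can construct arbitrary objects",
}
# Substrings that suggest a variable holds a credential (example heuristic).
SECRET_NAMES = ("password", "secret", "api_key", "token")


def _call_name(node: ast.Call) -> str:
    """Return a dotted name for the called expression, e.g. 'pickle.loads'."""
    func = node.func
    if isinstance(func, ast.Name):
        return func.id
    if isinstance(func, ast.Attribute) and isinstance(func.value, ast.Name):
        return f"{func.value.id}.{func.attr}"
    return ""


def _has_shell_true(node: ast.Call) -> bool:
    """True if the call carries a literal shell=True keyword argument."""
    return any(
        kw.arg == "shell" and isinstance(kw.value, ast.Constant) and kw.value.value is True
        for kw in node.keywords
    )


def analyze(source: str) -> list[Finding]:
    """Parse `source` and return findings sorted by line; the code is never executed."""
    findings: list[Finding] = []
    tree = ast.parse(source)
    for node in ast.walk(tree):
        if isinstance(node, ast.Call):
            name = _call_name(node)
            if name in DANGEROUS_CALLS:
                findings.append(Finding("dangerous-call", node.lineno, DANGEROUS_CALLS[name]))
            if name.startswith("subprocess.") and _has_shell_true(node):
                findings.append(Finding("shell-injection", node.lineno,
                                        f"{name}(..., shell=True) hands a string to the shell"))
        elif isinstance(node, ast.Assign):
            # Hard-coded secret: a credential-like name assigned a non-empty string literal.
            for target in node.targets:
                if (isinstance(target, ast.Name)
                        and any(s in target.id.lower() for s in SECRET_NAMES)
                        and isinstance(node.value, ast.Constant)
                        and isinstance(node.value.value, str)
                        and node.value.value):
                    findings.append(Finding("hardcoded-secret", node.lineno,
                                            f"{target.id} is assigned a string literal"))
    return sorted(findings, key=lambda f: f.line)


def ci_gate(source: str,
            fail_on: tuple[str, ...] = ("dangerous-call", "shell-injection", "hardcoded-secret")) -> int:
    """Print a report and return the exit code a CI step would use: 0 clean, 1 blocked."""
    findings = analyze(source)
    for f in findings:
        print(f"line {f.line}: [{f.rule}] {f.message}")
    return 1 if any(f.rule in fail_on for f in findings) else 0


# Constructed sample of code a developer might commit (not from any real project).
SAMPLE = '''
import subprocess, pickle
DB_PASSWORD = "hunter2"
def run(cmd):
    return subprocess.run(cmd, shell=True)
def load(blob):
    return pickle.loads(blob)
def calc(expr):
    return eval(expr)
'''

if __name__ == "__main__":
    raise SystemExit(ci_gate(SAMPLE))
```

Run against `SAMPLE` the gate reports four findings (lines 3, 5, 7 and 9) and exits non-zero, which is exactly the feedback loop the paragraph above describes: the commit is blocked at integration time rather than after deployment. A real pipeline would invoke a mature analyzer rather than this toy, but the shape (parse, match rules, report, fail the build) is the same.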

Penetration testing (A) and dynamic code analysis (D) are not well-suited for the CI phase of the development process. Penetration testing involves actively attempting to exploit vulnerabilities in an application to determine its level of security. This is not practical during the CI phase because the code is not yet fully developed, and the application is not yet deployed. Dynamic code analysis involves analyzing the application's behavior while it is running, which is also not applicable during the CI phase.

Threat modeling (C) is a useful security tool that involves identifying potential threats and vulnerabilities to an application and determining how to mitigate them. However, this technique is best suited for the design and planning phases of the development process, rather than the CI phase.

Therefore, Static Code Analysis (B) is the best option for strengthening the security of the development process during the CI phase.