VAddy is an Automated Web Security Testing Service for DevOps Teams.

http://vaddy.net

This is Kanatoko, one of VAddy’s core developers and a security expert.

When the 2014 year began, not a single line of VAddy’s codebase had been written; in the spring, my coworker Ichikawa and I started to get excited about VAddy’s prospects; now we have even completed a Jenkins plugin. The seamless CI integration that we had dreamed of at the time is becoming a reality. As more real-world projects begin to use VAddy, we can look back on 2014 as a year in which we felt we made an impact on the software development world.

Continuous integration is becoming a widespread practice. By building applications and running unit tests frequently, CI is, I think, being used to make the deploy process easier and less stressful.

VAddy is a service that scans for web application vulnerabilities, such as SQL injection and cross-site scripting (XSS) attacks, during the CI cycle.

I first heard about the concept behind VAddy (a vulnerability scanning service that connects with CI) from Ichikawa a long time ago. My initial reaction was, “Wow, I never thought about that before!”

In addition to working on VAddy, I am also one of the developers working on Scutum, the world’s first web application firewall as a service (WAF SaaS). Scutum is a collaboration between my employer, Bitforest Co., Ltd., and a group of web security professionals, SecureSky Technology Inc. (SST). I still remember something that SST’s president, Noriguchi, once said: “Software development requests usually don’t include security and performance testing.” My own personal experience corroborates this. When an application is built to the requested specifications, it isn’t uncommon for security and performance to be neglected until the very end of development (unless they are explicitly stated in the specifications).

Now let’s talk about CI. Although CI runs many different tests automatically, I think that security and performance are often neglected here, too. Of course, even if that is true now in 2015, do you think it will still be true in 2020, or 2025?

Continuous Delivery (CD) is another approach that is gaining awareness. By hooking into CI systems, it allows applications to be delivered (or deployed) automatically after various tests have passed. This could actually have a huge impact on how people deploy—once they get used to this method, they won’t be able to go back to any other way.

Ideally, both security tests (vulnerability scanning) and performance tests would complete before an application is deployed to a production environment. It’s therefore only natural to combine these with your CI infrastructure. Once you get used to it, I think that it will seem obvious in retrospect.

To build software, you must at the very least write code that actually runs. That’s where I used to start, too. At some point I also started writing test code, often epitomized by unit tests.

I initially considered writing test code to be a chore, but doing so allowed me to dramatically reduce the number of bugs in my code. Before long, testing became second nature to me. It’s amazing how quickly what was once inconceivable became so obvious.

This may be a bit of a digression, but when I first saw the touch interface that Steve Jobs made “obvious” with the iPhone, I thought, “That never would have occurred to me” (as a computer interface). However, now it’s so natural and obvious that we aren’t even consciously aware of it.

Similarly, at first the idea of incorporating vulnerability scanning into CI had never occurred to me, but the more I thought about it the more natural it seemed. In particular, when you prepare browser tests using a framework like Selenium, you are maintaining web application state changes (for crawling) not as documentation but as executable information. Because vulnerability scanners need the information associated with a web application’s screen transitions, they are extremely compatible with Selenium test data. As soon as I realized this, I turned to Ichikawa and exclaimed, “This is a really good idea!” We hadn’t decided on the name “VAddy” yet, but that was the start of our vulnerability scanning service for CI systems.

We want to make even more progress on VAddy in 2015, and at the same time change the idea of CI vulnerability scanners from “unthinkable” to “obvious.”

Thank you for reading and for your continued support of VAddy in 2015!

