Overview
What is Argus?
Argus is an application security testing (AST) framework that lets you deploy a running security test environment which can easily be incorporated into software development workflows. Argus is built on Kubernetes infrastructure (K3s), which lets companies deploy quickly in the DAIR cloud and start static application security testing (SAST) and the more advanced dynamic application security testing (DAST). Bundling the necessary tools into this test framework makes deployment fast and easy; the topic itself, however, remains complex and requires technical skills to fully understand the solution. The project is divided into two parts: part one covers the more straightforward SAST setup, and part two covers the DAST setup, for those wishing to automate testing of their deployed web application.
What value has it added to my business?
Adding structured application security testing to the software development workflow helps ensure that your code base has been checked for vulnerabilities and encourages consistent coding practices. Vulnerability scanning and consistent coding practices help raise the quality of the software produced and give end users confidence that the application has undergone security quality assurance and quality control measures.
SAST Component
Argus uses a free and open-source offering to help developers become familiar with the SAST workflows and understand highlighted security issues. This solution can be installed in the DAIR Cloud (or on-prem, or at home) for learning and experimenting. The only requirements are a virtual machine and access to the application source code.
While there are commercial SAST solutions, those solutions come with specific caveats. Some SAST solutions provide free or low-cost tiers but require that the code base be placed on a publicly accessible source code repository. Other SAST offerings are targeted towards developers interested in trialing the product and may not provide access to the features that help address security issues in the code. Another concern is that some SAST products don't provide upfront pricing, forcing you to consult with sales staff to get pricing information.
DAST Component
The DAST application space is limited in terms of free production-grade offerings. Argus aims to address this gap by leveraging a popular open-source tool called Zaproxy. Combining Zaproxy with industry best practices helps you learn how to integrate a DAST solution into your continuous integration and continuous delivery (CI/CD) pipeline.