Modernizing LinkedIn’s Static Application Security Testing Capabilities to protect our members

Emmanuel Law
10 min read (advanced)

Overview

The article describes how LinkedIn modernized its Static Application Security Testing (SAST) capabilities to better protect its members. It covers the design principles behind the new pipeline, the problems with the legacy, fragmented tooling, and the new pipeline built on GitHub Actions, CodeQL, and Semgrep.

What You'll Learn

1. How to implement a modern SAST pipeline using GitHub Actions
2. Why observability and metrics are crucial in security testing
3. When to apply blocking mode in pull request workflows

Prerequisites & Requirements

  • Understanding of Static Application Security Testing (SAST)
  • Familiarity with GitHub Actions and CodeQL (optional)

Key Questions Answered

What are the design principles for LinkedIn's SAST modernization?
The design principles include developer-first security, extensibility and self-service, resilience and redundancy, and observability and metrics. These principles guide the development of a robust SAST pipeline that balances security with developer velocity.
How did LinkedIn address challenges with its legacy SAST approach?
LinkedIn's legacy SAST approach was fragmented, consisting of disjointed systems. The modernization involved migrating to GitHub Actions and using CodeQL and Semgrep to create a unified pipeline that enhances consistency and maintainability.
What is the purpose of the Drift Management System (DMS) in SAST?
The Drift Management System (DMS) checks each repository daily to ensure that the SAST stub workflow file is present and up to date. If discrepancies are found, it automatically updates the workflow file to maintain consistency across repositories.
What is the blocking mode in LinkedIn's SAST pipeline?
Blocking mode ensures that all pull requests must have completed SAST scans and be free of security alerts above a certain threshold before they can be merged. This prevents vulnerable code from being introduced into the system.
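The blocking-mode rule described above (every scan must have completed, and no alert may reach the severity threshold) together with the self-recovery behaviour mentioned under the actionable insights can be expressed as a small merge gate. The following is an added example, not LinkedIn's code: it assumes CodeQL and Semgrep both emit SARIF, that CodeQL rules carry a `security-severity` property (the 0-10 convention GitHub code scanning uses) while Semgrep rules may not, and the threshold, retry count and sample SARIF documents are constructed for illustration.

```python
"""Blocking-mode merge gate for SAST results.

Added example, not LinkedIn's code. Assumptions: each scanner (CodeQL, Semgrep)
produces SARIF; CodeQL rules carry a "security-severity" property (0-10, the
convention GitHub code scanning uses); Semgrep rules may not, so the SARIF
"level" is used as a fallback. The threshold, the retry count and the sample
SARIF documents below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

# Fallback mapping from SARIF result level to a numeric severity (assumed values).
LEVEL_TO_SEVERITY = {"error": 8.0, "warning": 5.0, "note": 2.0, "none": 0.0}


@dataclass
class ScanRun:
    tool: str
    status: str              # "completed" or "failed"
    sarif: Optional[dict]    # None when the scan never produced results


def alert_severity(rule_props: Optional[dict], level: str) -> float:
    """Explicit security-severity wins; otherwise map the result level."""
    if rule_props and "security-severity" in rule_props:
        return float(rule_props["security-severity"])
    return LEVEL_TO_SEVERITY.get(level, 0.0)


def alerts_at_or_above(sarif: dict, threshold: float) -> List[Tuple[str, str, float]]:
    """(tool, ruleId, severity) for every result at or above the threshold."""
    found = []
    for run in sarif.get("runs", []):
        driver = run["tool"]["driver"]
        rules = {r["id"]: r.get("properties", {}) for r in driver.get("rules", [])}
        for res in run.get("results", []):
            rule_id = res.get("ruleId", "")
            sev = alert_severity(rules.get(rule_id), res.get("level", "warning"))
            if sev >= threshold:
                found.append((driver["name"], rule_id, sev))
    return found


def scan_with_retry(tool: str, scanner: Callable[[], dict], attempts: int = 2) -> ScanRun:
    """Self-recovery: re-run a scanner that fails transiently before giving up."""
    for _ in range(attempts):
        try:
            return ScanRun(tool, "completed", scanner())
        except RuntimeError:
            continue
    return ScanRun(tool, "failed", None)


def merge_gate(runs: List[ScanRun], threshold: float = 7.0,
               blocking: bool = True) -> Tuple[bool, List[str]]:
    """Blocking mode: every scan must have completed and no alert may reach the
    threshold. Advisory (non-blocking) mode returns the same reasons but lets the
    PR through, which is the fail-safe posture while a scanner is being rolled out."""
    reasons = []
    for r in runs:
        if r.status != "completed":
            reasons.append(f"{r.tool}: scan did not complete")
            continue
        for tool, rule, sev in alerts_at_or_above(r.sarif, threshold):
            reasons.append(f"{tool}: {rule} severity {sev:.1f} >= {threshold:.1f}")
    if not reasons:
        return True, []
    return (not blocking), reasons


# Constructed SARIF fragments, trimmed to the fields the gate reads.
CODEQL_SARIF = {"version": "2.1.0", "runs": [{
    "tool": {"driver": {"name": "CodeQL", "rules": [
        {"id": "java/sql-injection", "properties": {"security-severity": "8.8"}},
        {"id": "java/unused-variable", "properties": {}},
    ]}},
    "results": [
        {"ruleId": "java/sql-injection", "level": "error",
         "message": {"text": "query built from user input"}},
        {"ruleId": "java/unused-variable", "level": "note",
         "message": {"text": "unused local"}},
    ],
}]}
SEMGREP_SARIF = {"version": "2.1.0", "runs": [{
    "tool": {"driver": {"name": "Semgrep", "rules": [{"id": "custom.hardcoded-secret"}]}},
    "results": [{"ruleId": "custom.hardcoded-secret", "level": "warning",
                 "message": {"text": "literal token"}}],
}]}


def make_flaky_scanner(fail_times: int, sarif: dict = SEMGREP_SARIF) -> Callable[[], dict]:
    """Scanner stand-in that raises on its first `fail_times` invocations."""
    state = {"calls": 0}

    def scanner() -> dict:
        state["calls"] += 1
        if state["calls"] <= fail_times:
            raise RuntimeError("runner lost connection")
        return sarif
    return scanner


if __name__ == "__main__":
    runs = [ScanRun("CodeQL", "completed", CODEQL_SARIF),
            scan_with_retry("Semgrep", make_flaky_scanner(1))]
    print(merge_gate(runs))                  # blocked by the SQL injection alert
    print(merge_gate(runs, blocking=False))  # same reasons, merge allowed
```

Note that a failed scan blocks the merge in blocking mode even when no alerts were found: a PR that "passed" only because the scanner never ran is the case the completion check exists for. The retry is what keeps that from becoming a routine developer interruption.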

Technologies & Tools


  • CI/CD: GitHub Actions. Used to automate the SAST pipeline for security testing across repositories.
  • Static analysis tool: CodeQL. Used for scanning code to identify security vulnerabilities.
  • Static analysis tool: Semgrep. Complementary to CodeQL, used for custom security rule enforcement.

Key Actionable Insights

1. Implement a centralized SAST workflow using GitHub Actions to streamline security checks across multiple repositories.
   Each repository carries only a stub workflow that calls the central one, so changes to the pipeline are made in one place and propagate to every repository without manual intervention.
2. Utilize observability metrics to identify bottlenecks in the SAST pipeline.
   By tracking metrics such as run duration and error rates per scanner and per repository, teams can find where the scanning process is slow or unreliable and improve overall efficiency.
3. Adopt a fail-safe mechanism to prevent disruptions in developer workflows during SAST scans.
   A self-recovery mechanism ensures that developers can continue their work even if a scanning error occurs, maintaining productivity.
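The two metrics the second insight names, run duration and error rate, are enough to locate a bottleneck when computed per scanner. The following is an added example, not LinkedIn's code: the run record fields, the p95 and error-rate limits, and the sample runs are constructed for illustration.

```python
"""Per-scanner observability for a SAST pipeline.

Added example, not LinkedIn's code. The record layout, the limits passed to
bottlenecks() and the sample runs are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class RunRecord:
    repo: str
    tool: str
    duration_s: float
    outcome: str   # "success", "error" or "cancelled"


def percentile(values: List[float], p: float) -> float:
    """p-th percentile (0-100) with linear interpolation; works for tiny samples."""
    if not values:
        return 0.0
    s = sorted(values)
    if len(s) == 1:
        return s[0]
    k = (len(s) - 1) * p / 100
    lo = int(k)
    hi = min(lo + 1, len(s) - 1)
    return s[lo] + (s[hi] - s[lo]) * (k - lo)


def summarize(records: List[RunRecord]) -> Dict[str, dict]:
    """Group runs by scanner and compute run count, p50/p95 duration and error rate."""
    by_tool: Dict[str, List[RunRecord]] = {}
    for r in records:
        by_tool.setdefault(r.tool, []).append(r)
    summary = {}
    for tool, runs in by_tool.items():
        durations = [r.duration_s for r in runs]
        errors = sum(1 for r in runs if r.outcome == "error")
        summary[tool] = {
            "runs": len(runs),
            "p50_s": percentile(durations, 50),
            "p95_s": percentile(durations, 95),
            "error_rate": errors / len(runs),
        }
    return summary


def bottlenecks(summary: Dict[str, dict], max_p95_s: float = 900.0,
                max_error_rate: float = 0.05) -> List[str]:
    """Scanners whose tail latency or failure rate exceeds the limits (assumed values)."""
    return sorted(tool for tool, m in summary.items()
                  if m["p95_s"] > max_p95_s or m["error_rate"] > max_error_rate)


# Constructed sample: CodeQL has one slow run and one failed run, Semgrep is fast and clean.
SAMPLE_RUNS = [
    RunRecord("svc-a", "CodeQL", 600, "success"),
    RunRecord("svc-b", "CodeQL", 720, "success"),
    RunRecord("svc-c", "CodeQL", 1500, "success"),
    RunRecord("svc-d", "CodeQL", 640, "error"),
    RunRecord("svc-e", "CodeQL", 680, "success"),
    RunRecord("svc-a", "Semgrep", 60, "success"),
    RunRecord("svc-b", "Semgrep", 45, "success"),
    RunRecord("svc-c", "Semgrep", 70, "success"),
    RunRecord("svc-d", "Semgrep", 50, "success"),
    RunRecord("svc-e", "Semgrep", 55, "success"),
]

if __name__ == "__main__":
    s = summarize(SAMPLE_RUNS)
    for tool, m in s.items():
        print(tool, m)
    print("bottlenecks:", bottlenecks(s))
```

Tracking p95 rather than the mean is deliberate: a single 25-minute CodeQL run hidden in an otherwise healthy average is exactly the run that makes a blocking-mode pull request wait.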

Common Pitfalls

1. Failing to address SAST alerts before merging pull requests can lead to vulnerabilities in production.
   This often happens when developers prioritize speed over security. Implementing blocking mode can help enforce security checks before code is merged.
2. Neglecting to update the SAST workflow across multiple repositories can lead to inconsistencies in security practices.
   Using a Drift Management System helps ensure that all repositories maintain the latest security workflows, preventing drift and maintaining security standards.
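The Drift Management System described in the Key Questions section (a daily check that the stub workflow is present and current, with automatic repair) and the centralized-workflow insight can be sketched as a reconciliation loop. The following is an added example, not LinkedIn's code: the stub contents, the `.github/workflows/sast.yml` path, the `example-org/sast-central` reusable-workflow reference and the in-memory repository map are all assumptions made for illustration.

```python
"""Drift Management System (DMS) sketch: reconcile a SAST stub workflow across repos.

Added example, not LinkedIn's code. The stub layout, the path
.github/workflows/sast.yml and the reusable-workflow reference are assumptions
that illustrate the pattern: every repo carries a tiny stub that delegates to a
centrally maintained reusable workflow, and a daily job re-asserts that stub.
"""
import hashlib
from dataclasses import dataclass, field
from typing import Dict, List

STUB_PATH = ".github/workflows/sast.yml"  # assumed location of the stub

# Canonical stub. It is deliberately minimal: all scanning logic lives in the
# central reusable workflow, so changing the pipeline never requires touching
# individual repositories. Org and repo names are placeholders.
CANONICAL_STUB = """\
# Managed by DMS. Local edits are overwritten daily.
name: sast
on:
  pull_request:
  schedule:
    - cron: "0 3 * * *"
permissions:
  contents: read
  security-events: write
jobs:
  sast:
    uses: example-org/sast-central/.github/workflows/sast.yml@v2
    secrets: inherit
"""


def _digest(text: str) -> str:
    """Hash after normalizing line endings and trailing whitespace, so a CRLF
    checkout or a missing final newline is not reported as drift."""
    lines = text.replace("\r\n", "\n").split("\n")
    normalized = "\n".join(line.rstrip() for line in lines).strip() + "\n"
    return hashlib.sha256(normalized.encode()).hexdigest()


@dataclass
class DriftReport:
    missing: List[str] = field(default_factory=list)   # stub absent
    stale: List[str] = field(default_factory=list)     # stub present but differs
    current: List[str] = field(default_factory=list)   # stub matches canonical


def check_drift(repos: Dict[str, Dict[str, str]]) -> DriftReport:
    """repos maps repo name -> {path: file content}. Classifies every repo."""
    report = DriftReport()
    want = _digest(CANONICAL_STUB)
    for name, files in sorted(repos.items()):
        content = files.get(STUB_PATH)
        if content is None:
            report.missing.append(name)
        elif _digest(content) != want:
            report.stale.append(name)
        else:
            report.current.append(name)
    return report


def reconcile(repos: Dict[str, Dict[str, str]]) -> Dict[str, str]:
    """The daily fix-up: (re)write the stub wherever it is missing or stale.
    Returns {repo: action} so the run can be logged as a metric."""
    report = check_drift(repos)
    actions = {}
    for name in report.missing:
        repos[name][STUB_PATH] = CANONICAL_STUB
        actions[name] = "created"
    for name in report.stale:
        repos[name][STUB_PATH] = CANONICAL_STUB
        actions[name] = "updated"
    for name in report.current:
        actions[name] = "unchanged"
    return actions


def make_sample_repos() -> Dict[str, Dict[str, str]]:
    """Constructed sample: one repo up to date (CRLF checkout), one hand-edited
    to pin an older central version, one with no stub at all."""
    return {
        "repo-current": {STUB_PATH: CANONICAL_STUB.replace("\n", "\r\n")},
        "repo-stale": {STUB_PATH: CANONICAL_STUB.replace("@v2", "@v1")},
        "repo-missing": {"README.md": "no workflow here"},
    }


if __name__ == "__main__":
    repos = make_sample_repos()
    print(check_drift(repos))
    print(reconcile(repos))
    print(check_drift(repos))   # everything current after reconciliation
```

The comparison is on a normalized hash rather than a version string inside the file, so a repository that edited the stub by hand (for example to pin an older central workflow, which is how a fix in the central pipeline silently stops applying) is caught and rewritten on the next daily pass.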

Related Concepts

Static Application Security Testing (SAST)
GitHub Actions
CodeQL
Semgrep
Security Best Practices