Sean Wright

Personal blog of app security guy

Sean Wright


23rd May 2018

I've recently begun to look into using a service called If That Then This (ITFF). The premise of the service is that it has a Trigger upon which you can perform an Action. For example, if the forecast is for it to rain tomorrow, then it can then remind you to take your umbrella. All of these actions and responses are accomplished via what IFTTT term an Applet. There many and many available Applets from several vendors, but one can create their own Applets as well.

Using ITFFF for Secure SDLC

It then dawned on me, from a security persective it can fulfill a great role in a security aspect in one's SDLC. Security in a SDLC often has several measures when not met "trigger" some form of result/action. Say for example we have a web app scan, and it finds a XSS vulnerability. We would then file a bug, notify the relevant development team, and depending on the severity may even block the release.

With the whole move of software development to a Continious Integration / Continious Delivery (CI/CD) model, everything in the SDLC has to become a lot more automated. In the above example, the web based scan would need to be included in the build process, run before deployment and most importantly happen in an autonomous fashion.

As this is where I think IFTTT can come into great use! Using the above example, the Trigger would become a finding from the scan. Based on this we can have several Actions:

  • Send out a notification (it doesn't even have to be an email, it could even be a notification to some Slack channel for example).
  • Break the build.
  • Prevent the green-light on some deployment process/system.

Basically the possibilities are only limited by one's imagination. And this wouldn't even be limited to the development and deployment process. We could have an Applet which would monitor the latest CVE's. If it spots one which impacts an application it could even result in an Action of automatically updating that affected library, building and then deploying the application.

Now a disclaimer, I have not worked much with IFTTT. So most of the above is based on my rudimentary understanding of the service. Over the coming weeks, I plan to spend a lot more time trying to understand what is and what isn't possible, and hopefully even be able to come up with some Proof of Concepts!

View Comments