What is DevSecOps?
In simple words, it is Development , Security, Operations. It’s agenda is to make everyone accountable for implementing security measures at the same pace as development and operations.
So DevSecOps is injecting security into DevOps lifecycle.
When implementing security into your DevSecOps pipeline, it’s important to conduct some activities with purpose.
Below are two sets of checklists that a DevSecOps pipeline goes through. We can do more activities earlier or later within the development process as they suit our life cycle operations.
This checklist will guide us through the DevSecOps journey
Pre-commit checks
Pre commit checks are done to fix minor security issues before committing changes to source code repositories.
Benefits
They can help a team automate manual tasks thus leading to increase in their productivity.
Use Case
The pre-commit checks help in updating a threat model when new controls are added to the application code. Manual code review is also provided which can help to review code when large changes are made. And if found any security vulnerabilities, risk analysis gets triggered.
Commit-time checks
This activity is automatically triggered by a check-in to a source code repository. These tests bring fast results to a developer who is pushing code to the common repository.
Benefits
Commit-time checks ensure that code is compilable and is able to build at all times. They also focus on critical and high security issues inside code.
Use Case
These checks help development teams to rectify the high security risks and additionally also provide them with QA security testing.
Build-Time Checks
Build time checks get automatically triggered on successful commit time checks.
Performing advanced automated testing of application requires security testing, open source management, risk-based security tests, and storing artifacts in repositories.
Benefits
Build-time checks break the build in case of any failure :
This includes:
- Event when unit test fails
In case vulnerability is found
Code not compiling on committing changes
Build time checks also look for dependencies whether there are any vulnerabilities which are publicly disclosed.
Use case
Build-time checks allow users to configure more comprehensive SAST rule sets. Also these checks are used to set up jobs that identify risks in third party codes. These checks help in automating risk based security testing.
Risk Based Security Testing - Each test in a risk based security test is intended to trigger a particular risk that has been previously identified during risk analysis. They also notify DevSecOps teams about critical risk values.
Test-time checks
Test-time checks are automatically triggered by successful build-time checks.
Here the latest good build is picked up and deployed to a staging or test environment. Then all the tests such as functional, integration, performance testing are executed on this build.
Benefits
This is the last testing phase before a product is released into production. The staging environment almost represents the real production environment.
Use case
Here we include the tool’s full security rule sets. Since we’ve already ran SAST in the earlier checks, we ensure that tests that haven’t yet been covered are run.
Deploy-time checks
When all of the previous steps have been completed successfully, and the application is ready for deployment, deploy-time checks involve additional pre- and post-deployment security checks that will finish out our DevSecOps pipeline.
Post-deployment provides an assurance that changes made to the production environment haven’t led to security issues. A good strategy is to implement a process that periodically triggers security testing.
Benefits
Deploy-time checks can help find bugs that may have been missed during pre-production testing activities. Continuous monitoring allows insight over the traffic which an application is receiving . Also these metrics help to identify malicious users.
Use case
Pre-deployment
- Automate configuration management
- Automate provisioning of the runtime environment
Post-deployment
- Automate collection of application-level security metrics
- Schedule security scanning
- Enable vulnerability scanning
- Create an incident response plan
- Provide insights to the DevSecOps team that will lead to build of a threat intelligence program
Best Practices for DevSecOps.
Embrace Automation
Most important requirement for continuous testing and continuous integration is speed. Speed makes the automation process a fundamental requirement.Therefore having necessary security measures and triggers is essential.
So organisations should not only adopt static testing but to have dynamic security testing is equally important. Which means vulnerability scanning will be done in real time.
In order to achieve this it's important to have necessary tools which will enable automation of security measures in our code configuration. Some of the static and dynamic security testing tools are:
SAST Tools
Coverity : It is static analysis by Synopsys helps development and security teams find and fix defects and security flaws in code as it’s being written.
Appnox : It is an on-demand mobile application security platform that helps businesses detect and fix security vulnerabilities using an Automated Security Testing suite.
Checkmarx : It is the Software Exposure Platform for the enterprise. Over 1,400 organizations around the globe rely on Checkmarx to measure and manage software risk at the speed of DevOps.
DAST Tools
Netsparker- It can identify vulnerabilities in all types of modern web applications, regardless of the underlying architecture or platform.
Veracode- It comprises a unique combination of SaaS technology and on-demand expertise that enables DevSecOps through integration with your pipeline,empowers developers to fix security defects, and scales your program through best practices to achieve your desired outcomes.
Risk management in Open source technologies.
Since hacks and breaching in data has become a regular news, security is cited as an important concern. Codes belonging to open source projects when infused in any project in the form of dependencies can cause vulnerability risks. Because these may be unmanaged code with no security measures applied.
Therefore code dependency checking is must. Having an OWASP utility check will ensure no vulnerability in these codes from open source projects.
Security Management process
When a security team encounters any bug, it reports it in the repository. Sometimes developers don't have the bandwidth to check those reports. This leads developers to give priority to functional testing and they skip security vulnerabilities.
Therefore DevSecOps team must have a uniform Security Management Process and any changes done will also notify the security team and they can execute authentication testing protocol.
Integrating Bug tracker in Application Security System
This will create a list of bug reports automatically . The report will create actionable details about bugs such as its severity, details and treatment required.
This makes the security team advanced and prepared to fix the issues even before they land into a production and development environment.
Threat Modelling
Threat modelling is a process that developers use to identify security risks or vulnerabilities in their code and can assess the seriousness of each. On the basis of these they further plan to prioritize techniques to mitigate attack and rectify their code .
The SANS institute recommends risk management before DevSecOps implementation. Risk management will help you to identify threats in software components and measures to counter those threats.
Conclusion
With the rise in demand to reduce the development of a reliable application. DevOps as a practice is set to shoot. But as with power comes responsibilities. Security measure is as much important concern as the development of the end product is. So injecting security right from the early stages in development . Therefore implementing Development + Security + Operations should be a standard agenda for organisations right from the start and the above set of checklists would help to achieve that.
