What is DevSecOps?
DevSecOps (short for development, security, and operations) is a development practice that integrates security initiatives at every stage of the software development lifecycle to deliver robust and secure applications.
DevSecOps infuses security into the continuous integration and continuous delivery (CI/CD) pipeline, allowing development teams to address some of today’s most pressing security challenges at DevOps speed.
Historically, security considerations and practices were often introduced late in the development lifecycle. However, with the rise of more sophisticated cybersecurity attacks, and development teams shifting to shorter, more frequent iterations on applications, DevSecOps is now becoming a go-to practice for ensuring applications are secure in this modern development ecosystem
DevOps vs DevSecOps
DevOps isn’t just about development and operations teams. If you want to take full advantage of the agility and responsiveness of a DevOps approach, IT security must also play an integrated role in the full life cycle of your apps.
Why? In the past, the role of security was isolated to a specific team in the final stage of development. That wasn’t as problematic when development cycles lasted months or even years, but those days are over. Effective DevOps ensures rapid and frequent development cycles (sometimes weeks or days), but outdated security practices can undo even the most efficient DevOps initiatives.
Now, in the collaborative framework of DevOps, security is a shared responsibility integrated from end to end. It’s a mindset that is so important, it led some to coin the term “DevSecOps” to emphasize the need to build a security foundation into DevOps initiatives.
DevSecOps means thinking about application and infrastructure security from the start. It also means automating some security gates to keep the DevOps workflow from slowing down. Selecting the right tools to continuously integrate security, like agreeing on an integrated development environment (IDE) with security features, can help meet these goals. However, effective DevOps security requires more than new tools—it builds on the cultural changes of DevOps to integrate the work of security teams sooner rather than later.
Static Code analysis
- Static Code Analysis (also known as Source Code Analysis) is usually performed as part of a Code Review (also known as white-box testing) and is carried out at the Implementation phase of a Security Development Lifecycle (SDL). Static Code Analysis commonly refers to the running of Static Code Analysis tools that attempt to highlight possible vulnerabilities within ‘static’ (non-running) source code by using techniques such as Taint Analysis and Data Flow Analysis.
- Ideally, such tools would automatically find security flaws with a high degree of confidence that what is found is indeed a flaw. However, this is beyond the state of the art for many types of application security flaws. Thus, such tools frequently serve as aids for an analyst to help them zero in on security relevant portions of code so they can find flaws more efficiently, rather than a tool that simply finds flaws automatically.
- Some tools are starting to move into the Integrated Development Environment (IDE). For the types of problems that can be detected during the software development phase itself, this is a powerful phase within the development lifecycle to employ such tools, as it provides immediate feedback to the developer on issues, they might be introducing into the code during code development itself. This immediate feedback is very useful as compared to finding vulnerabilities much later in the development cycle.
Dynamic Analysis
- Dynamic Application Security Testing (DAST) is the process of analysing a web application through the front-end to find vulnerabilities through simulated attacks. This type of approach evaluates the application from the “outside in” by attacking an application like a malicious user would. After a DAST scanner performs these attacks, it looks for results that are not part of the expected result set and identifies security vulnerabilities.
What is the difference between SAST and DAST?
- DAST attacks the application from the “outside in” by attacking an application like a malicious user would. After a DAST scanner performs these attacks, it looks for results that are not part of the expected result set and identifies security vulnerabilities.
- SAST, on the other hand, analyzes static environments, meaning the source code of an application. It looks at the application from the “inside out,” searching for vulnerabilities in the code.
- To maximize the strength of your security posture, it’s a best practice to use both SAST and DAST. Having this unified taxonomy across testing methods enables you to have a complete view of vulnerabilities.
Vulnerability Scanning
vulnerability scan is an automated, high-level test that looks for and reports potential known vulnerabilities. For example, some vulnerability scans are able to identify over 50,000 unique external and/or internal weaknesses (i.e., different ways or methods that hackers can exploit your network).
PCI DSS requires two independent methods of PCI scanning: internal and external scanning. An external vulnerability scan is performed outside of your network (e.g., at your network perimeter), and it identifies known weaknesses in network structures. An internal vulnerability scan is performed within your network, and it looks at other hosts on the same network to identify internal vulnerabilities.
Think of your environment as a house. External vulnerability scanning is like checking to see if doors and windows are locked, while internal vulnerability scanning is like testing if bedroom and bathroom doors are locked.
Typically, vulnerability scans generate an extensive report of found vulnerabilities and gives references for further research on these vulnerabilities. Some even offer directions for how to fix the problem.
Despite what many businesses believe, scanning isn’t enough. You shouldn’t just scan and sit on the report. Act quickly on any discovered vulnerabilities to ensure security holes are fixed, and then re-scan to validate that vulnerabilities have been successfully addressed.
Vulnerability scanning identifies potential harmful vulnerabilities, so that you can remediate processes to ensure network security.
DevSecOps Implementation Strategy
It’s the tendency to automate all security checks, coding them into unit tests and using them early in software development, not at the end of the cycle.
It is then about security integrated with DevOps practices. This brings agility together with security from the conception of the project. So, we have the same workflow, adding the security components. How can we do that?
In this post, we will cover 6 steps for implementing DevSecOps. These are complex steps that require a lot of work to adapt. However, it is essential to consider each of them when choosing the work methodology:
- Perform security audits on current infrastructure and address failures
- Automate security tests
- Check code dependencies frequently
- Split scans into manageable chunks
- Integrate security tools with DevOps tools
- Continuously invest in training for the development team
-
Perform security audits on current infrastructure and address failures
Before starting the implementation of a new methodology, it is crucial to identify the current situation of the processes and services applied.
For this, it is necessary to conduct security audits on the entire infrastructure that currently supports your software projects.
Look at your systems from the attacker’s point of view and try to find the weakest points. This allows you to design effective countermeasures for potential security breaches, removing bottlenecks in processes or removing weak chains altogether.
Threat modeling can’t be automated, but it’s a beneficial exercise to keep your developers aware of potential security vulnerabilities and avoid creating new product code breach points.
-
Automate security tests
Once the current infrastructure has discovered and fixed vulnerabilities, it’s time to start developing automated security scanning solutions.
For this, it is necessary to code these solutions to be part of the unit test in the new features added. As such, security requirements are met from the beginning of the software development process, not being treated as the last thing before release.
According to a survey conducted by Sona type on QA and test automation in 2020, more than 44% of the more than 5000 respondents know that DevSecOps practices are essential. However, they do not have the time to implement these solutions. How is your team in this regard?
It is important to emphasize that this automation must be implemented with great care and caution. When running static application security tests (SAST) in test and staging environments, ensure that these tests only run on the latest additions to the code base.
Consider introducing Dynamic Application Security Testing (DAST) practices into your workflows if you haven’t already. Rather than verifying code in development and testing, this practice focuses on verifying the integrity and performance of applications running in production.
-
Check code dependencies frequently
The migration of on-premises environments (private data centres that companies have internally) to the cloud has fuelled the unprecedented growth of software development; after all, the IT industry has been able to complete projects faster, thus meeting the needs of customer requirements more quickly.
To further strengthen this approach, open-source software and modules become the primary approach to software delivery because developing all modules from scratch is essentially a waste of time and resources.
However, it is noticeable that using third-party code depends on its security flaws and vulnerabilities.
Because of this, it is essential to implement security checks on the dependency’s software solutions use.
GitLab, in its new version, has released a security panel and maintenance mode for software marked as compromised, so each project member is notified if the project they depend on is updated. Another way to do this is using the OWASP Dependency Checker tool, which can be added as a plugin to most browsers and CI/CD tools.
-
Split checks into manageable parts
When you don’t have Security implemented in the environment, one of the biggest problems (if not THE biggest problem) of introducing DevSecOps practices is the need to introduce them gradually.
There may be a very long list of required checks but implementing them in rapid succession will be a big challenge for your developers.
Instead, implementing just a few checks during each product development sprint allows the process to go much smoother and encounter less resistance from the technical and the teams involved in the process.
This gives the team time to tackle new tasks and integrate them into the daily routine of software delivery workflows.
Better to go slow, getting there consistently, than trying to force change and hurt the business overall.
-
Integrate security tools with DevOps tools
As we’ve seen, Security needs to be automated in DevSecOps. For it to be productive to work with this methodology, the security verification tools must be reliable and work well with the rest of the DevOps tools used in your team.
This allows for the seamless integration of security checks into your software delivery CI/CD pipelines and the cloud monitoring solutions used to maintain the performance of your production environment.
Solutions like Splunk, Selenium and other tools have cleaned and simple integrations with Kubernetes and Terraform, Jenkins and Ansible, ELK stack, Prometheus + Grafana, and other popular DevOps software.
-
Continuously invest in training for the development team
At this point, looking at the progress so far is essential. System auditing has already been performed, quality control through automated testing has already been implemented, code dependencies are checked regularly, security checks are gradually implemented into the existing pipeline, and security monitoring tools are integrated with other parts of the DevOps team toolkit.