DevSecOps — Shift left on “Security”

What is DevSecOps? Is it just another buzzword in the DevOps world, or is there more to it?

DevSecOps is about integrating security into your DevOps pipeline from the start, so that security is not a late surprise in the second half of the project. It mirrors the idea of shifting quality left into the development phase instead of keeping separate phases for quality assurance and integration testing.

In simple terms:

  • DevSecOps — Security/Compliance as Code

  • Development + Security + Operations

Security and compliance requirements are built in from the planning stage onwards.

Credits: https://www.boozallen.com/s/insight/blog/how-to-avoid-the-devsecops-technology-trap.html 

But any rational person will ask, “Why change? DevOps is already yielding good results for my organization: teams perform better than before, accommodate changes easily, and customers are happy with our delivery and post-production support.”


What is DevSecOps: It is the practice of building a culture in the team and among stakeholders in which security is everyone’s responsibility and is treated as a first-class factor from the discovery phase of a product or of a change to an existing product.

Security is part of the SDLC or Agile cycle from day one, instead of being bolted on during the final release phase. Every team member is responsible for security. Period.

Why do we need it: No product is threat-proof. We need DevSecOps to remove as many exploitable weaknesses as possible before release and, for whatever remains, to be prepared to detect, predict and respond to threats.

Who owns it: The whole team owns it, with the DevOps and IT teams as the primary owners.

Credit: https://dzone.com/articles/shifting-left-devsecops

When do we use it: At each stage of product development and enhancement, and after the changes are live in production.

Where do we use it: The summary below shows how each role in the DevOps framework can adopt security as part of its culture.

  • Developer: Discusses coding strategy and exception handling with the security analyst and adds security checkpoints at various stages. Runs SAST tools (Bandit for Python, FindSecBugs for Java/JVM code, Graudit for grep-based pattern audits) in the same CI stage as the unit tests, so insecure patterns fail the build as early as a failing test would.

  • Test Engineer: Includes security testing in the TDD approach alongside regression, functional and performance tests. Burp Proxy, OWASP Zed Attack Proxy (ZAP) and a browser cookie editor are tools that can support automated security tests. Test automation wired into CI/CD then runs the required integration tests, API validation and the overall security tests (SAST and DAST).

  • Operations Engineer: The operations team is no longer limited to deployment, installation and hardware management; it joins projects from the discovery phase, helping the Dev/QA teams work through security scenarios. DevSecOps also extends into the operational phase by integrating with monitoring, SIEM and alerting tools such as Splunk, the ELK stack, OSSIM, OSSEC (host intrusion detection) and PagerDuty (on-call alerting).
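To make the Developer step concrete, here is an added example (not code from the original post, and not Bandit itself): a small AST-based checker in the spirit of Bandit that scans a constructed Python sample embedded inline and acts as a CI gate, failing the build on any finding at or above a severity threshold. The rule names, severities and the fail threshold are assumptions chosen for illustration; a real pipeline would run Bandit or an equivalent and gate on its report.

```python
"""Shift-left code analysis as a CI gate (added example, not from the post).

A tiny AST-based checker in the spirit of Bandit. Rule names, severities and
the default fail threshold are illustrative assumptions, not Bandit's own.
"""
import ast
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    rule: str
    severity: str  # "HIGH" | "MEDIUM" | "LOW"
    line: int
    message: str


SEVERITY_RANK = {"LOW": 1, "MEDIUM": 2, "HIGH": 3}

# Call targets that are classic injection sinks or weak primitives.
SHELL_CALLS = {"subprocess.call", "subprocess.run", "subprocess.Popen",
               "subprocess.check_output"}
WEAK_HASHES = {"hashlib.md5", "hashlib.sha1"}


def _qualified_name(func):
    """Render a call target like hashlib.md5 as a dotted string ('' if dynamic)."""
    if isinstance(func, ast.Name):
        return func.id
    if isinstance(func, ast.Attribute):
        base = _qualified_name(func.value)
        return f"{base}.{func.attr}" if base else func.attr
    return ""


def _looks_like_secret(identifier):
    ident = identifier.lower()
    return any(tok in ident for tok in ("password", "passwd", "secret", "api_key", "token"))


class _Checker(ast.NodeVisitor):
    def __init__(self):
        self.findings = []

    def _add(self, rule, severity, node, message):
        self.findings.append(Finding(rule, severity, node.lineno, message))

    def visit_Call(self, node):
        name = _qualified_name(node.func)
        if name in ("eval", "exec"):
            self._add("dangerous-eval", "HIGH", node, f"{name}() on possibly untrusted input")
        if name in SHELL_CALLS:
            for kw in node.keywords:
                if kw.arg == "shell" and isinstance(kw.value, ast.Constant) and kw.value.value is True:
                    self._add("subprocess-shell", "HIGH", node, "subprocess invoked with shell=True")
        if name in WEAK_HASHES:
            self._add("weak-hash", "MEDIUM", node, f"weak hash {name}")
        if name == "yaml.load" and not any(kw.arg == "Loader" for kw in node.keywords):
            self._add("yaml-load", "MEDIUM", node, "yaml.load without an explicit Loader")
        self.generic_visit(node)

    def visit_Assign(self, node):
        # Flag string literals assigned to names that look like credentials.
        if isinstance(node.value, ast.Constant) and isinstance(node.value.value, str) and node.value.value:
            for target in node.targets:
                if isinstance(target, ast.Name) and _looks_like_secret(target.id):
                    self._add("hardcoded-secret", "LOW", node, f"literal assigned to {target.id}")
        self.generic_visit(node)


def scan_source(source, filename="<memory>"):
    """Return findings for one Python source string, ordered by line."""
    checker = _Checker()
    checker.visit(ast.parse(source, filename=filename))
    return sorted(checker.findings, key=lambda f: f.line)


def gate(findings, fail_on="HIGH"):
    """True when the build may proceed: nothing at or above the fail_on severity."""
    threshold = SEVERITY_RANK[fail_on]
    return not any(SEVERITY_RANK[f.severity] >= threshold for f in findings)


# Constructed sample source (deliberately insecure) to scan offline.
SAMPLE_SOURCE = '''\
import subprocess, hashlib
DB_PASSWORD = "hunter2"
def run(cmd):
    return subprocess.call(cmd, shell=True)
def digest(data):
    return hashlib.md5(data).hexdigest()
def calc(expr):
    return eval(expr)
'''

if __name__ == "__main__":
    found = scan_source(SAMPLE_SOURCE, "sample.py")
    for f in found:
        print(f"sample.py:{f.line}: [{f.severity}] {f.rule}: {f.message}")
    print("BUILD", "PASSED" if gate(found) else "FAILED")
```

Run as-is it reports four findings on the sample and fails the build; lowering `fail_on` to "MEDIUM" would also fail on the weak hash alone, which is the knob a team turns as its baseline matures.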

Six important components of a DevSecOps approach:

  1. Code analysis — Deliver code in small chunks so vulnerabilities can be identified quickly.

  2. Change management — Increase speed and efficiency by allowing anyone to submit changes, then review each change to decide whether it is safe to merge.

  3. Compliance monitoring — Be ready for an audit at any time, which means staying in a constant state of compliance and continuously gathering evidence for GDPR, PCI DSS and similar obligations.

  4. Threat investigation — Identify potential emerging threats with each code update and be able to respond quickly.

  5. Vulnerability assessment — Identify new vulnerabilities through code analysis, then track how quickly they are responded to and patched.

  6. Security training — Give software and IT engineers clear guidelines and a regular training routine.
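“Security/Compliance as Code” and the compliance-monitoring component above are easier to picture with a policy engine in code. The following is an added example (not from the original post and not any vendor’s product): a handful of infrastructure rules expressed as plain Python functions, evaluated over a constructed resource inventory, with an evidence record of the kind an auditor asks for. The resource shapes, rule names and the inventory are assumptions made for illustration.

```python
"""Compliance as code over a resource inventory (added example, not from the post).

Rules are plain functions so they live in version control, run in CI and in a
scheduled job against production, and produce the same evidence every time.
Resource shapes and rule names are illustrative assumptions.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Violation:
    rule: str
    resource: str
    detail: str


# Each rule inspects one resource and returns a detail string when it violates.

def storage_must_be_encrypted(res):
    if res["type"] == "storage_bucket" and not res.get("encryption_at_rest"):
        return "encryption at rest disabled"


def storage_must_not_be_public(res):
    if res["type"] == "storage_bucket" and res.get("acl") in ("public-read", "public-read-write"):
        return f"public ACL {res['acl']}"


def no_admin_ports_open_to_world(res):
    if res["type"] != "security_group":
        return None
    for rule in res.get("ingress", []):
        if rule["cidr"] == "0.0.0.0/0" and rule["port"] in (22, 3389):
            return f"port {rule['port']} open to 0.0.0.0/0"


def users_must_have_mfa(res):
    if res["type"] == "iam_user" and res.get("console_access") and not res.get("mfa_enabled"):
        return "console user without MFA"


POLICY = {
    "storage-encrypted": storage_must_be_encrypted,
    "storage-not-public": storage_must_not_be_public,
    "no-admin-ports-to-world": no_admin_ports_open_to_world,
    "iam-user-mfa": users_must_have_mfa,
}


def evaluate(inventory, policy=POLICY):
    """Apply every rule to every resource; return the list of violations."""
    violations = []
    for res in inventory:
        for rule_name, check in policy.items():
            detail = check(res)
            if detail:
                violations.append(Violation(rule_name, res["id"], detail))
    return violations


def evidence_record(inventory, violations, policy=POLICY):
    """Audit-ready summary: what was checked, against which rules, and the outcome."""
    return {
        "resources_checked": len(inventory),
        "rules_evaluated": sorted(policy),
        "violations": [v.__dict__ for v in violations],
        "compliant": not violations,
    }


# Constructed sample inventory; not real account data.
SAMPLE_INVENTORY = [
    {"id": "bucket-logs", "type": "storage_bucket", "encryption_at_rest": True, "acl": "private"},
    {"id": "bucket-assets", "type": "storage_bucket", "encryption_at_rest": False, "acl": "public-read"},
    {"id": "sg-web", "type": "security_group", "ingress": [{"port": 443, "cidr": "0.0.0.0/0"}]},
    {"id": "sg-bastion", "type": "security_group", "ingress": [{"port": 22, "cidr": "0.0.0.0/0"}]},
    {"id": "alice", "type": "iam_user", "console_access": True, "mfa_enabled": True},
    {"id": "deploy-bot", "type": "iam_user", "console_access": True, "mfa_enabled": False},
]

if __name__ == "__main__":
    found = evaluate(SAMPLE_INVENTORY)
    for v in found:
        print(f"{v.resource}: {v.rule}: {v.detail}")
    print(evidence_record(SAMPLE_INVENTORY, found))
```

The same `evaluate` call can run in a pull-request check against the planned infrastructure and on a schedule against the live inventory; the stored evidence records are what “being in a constant state of compliance” looks like in practice.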

Tools: While the choice of tools is wide, here are some interesting tools in the security space.

It offers the ability to automate and scale secure design activity by helping developers and security analysts deal with software vulnerabilities as early as the application design stage, working together with the BDD-Security framework.

An automated threat modeling platform offering a web-based, platform-independent solution that analyzes the application information it is given. ThreatModeler also produces mitigating security requirements and test cases to verify that the mitigations were actually implemented.

A cloud security solution designed for the deployment stage, which lets organizations proactively assess and manage cloud security risk across AWS and Azure services and gives an easy-to-read, aggregated view across all accounts and regions.

A DevSecOps tool focused on open-source (third-party dependency) vulnerabilities. WhiteSource integrates into the SDLC and supports over 200 programming languages as well as a wide variety of build tools and development environments.

Summary: DevSecOps is here to stay. With security and vulnerability issues growing, enterprises will want to identify security issues up front and resolve them. It goes back to the old adage “a stitch in time saves nine”: why wait until things go bad when it is cheaper to fix them before they break?

Note: We would love to hear from you, please reach out to us at Sales@CloudifyOps.com if you would like to know more about our services.

CloudifyOps Medium Link for Blogs:

https://medium.com/@CloudifyOps/devsecops-shift-left-on-security-bfa86cdd2ff5
