DevSecOps emerged as an evolution of DevOps (Development and Operations) by incorporating security into the mix, turning it into DevSecOps (Development, Security, Operations). The approach ensures that security measures are integrated and maintained alongside development and operations activities. The core idea is to embed security throughout the DevOps lifecycle, making every team member responsible for security at every stage.
When implementing security within your DevSecOps pipeline, it is crucial to perform specific activities purposefully. Below are key checklists that outline the different stages of a DevSecOps pipeline. You may choose to adjust the timing of these activities within your development process to align with your lifecycle operations.
A software development philosophy that encourages security adoption across the software development lifecycle. (Taken from the article DevSecOps Framework and Tools)
Pre-commit checks are the first step in the DevSecOps security checklist. They fix minor security issues before changes are committed to the source code repository.
Pre-commit checks can help a team automate manual tasks, thus leading to an increase in their productivity.
Pre-commit checks also let the development team run scans with Code Sight. This tool gives developers just-in-time security guidance as they write code: before the code is committed, Code Sight acts as an in-editor security expert and automatically flags code that may contain security flaws.
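As an added example (not from the article and not Code Sight's own code), a minimal git pre-commit hook in Python that scans only the lines a commit adds for hardcoded credentials and refuses the commit when any are found; the regexes are assumptions to tune per code base.

```python
"""Git pre-commit hook that blocks commits adding hardcoded secrets.
Added example for this article, not Code Sight's code; install it as
.git/hooks/pre-commit (executable). Only '+' lines of the staged diff are
inspected, so secrets already in history do not block unrelated commits."""
import re
import subprocess
import sys

# AWS access key ids and PEM headers have well-known formats; the assignment
# patterns are generic assumptions and will need tuning per code base.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "password_literal": re.compile(r"(?i)(password|passwd|pwd)\s*[=:]\s*['\"][^'\"]{6,}['\"]"),
    "token_literal": re.compile(r"(?i)(api[_-]?key|secret[_-]?key|auth[_-]?token)\s*[=:]\s*['\"][\w\-]{16,}['\"]"),
}


def scan_added_lines(diff_text: str) -> list:
    """Return (file, new-file line number, pattern name) for matching '+' lines."""
    findings, current_file, line_no = [], None, 0
    for raw in diff_text.splitlines():
        if raw.startswith("+++ "):
            current_file = raw[4:].removeprefix("b/")
        elif raw.startswith("@@"):  # hunk header "@@ -a,b +c,d @@": count from c
            m = re.search(r"\+(\d+)", raw)
            line_no = int(m.group(1)) - 1 if m else 0
        elif raw.startswith("+"):
            line_no += 1
            for name, pat in SECRET_PATTERNS.items():
                if pat.search(raw[1:]):
                    findings.append((current_file, line_no, name))
        elif not raw.startswith("-"):
            line_no += 1  # context lines advance the new-file counter too
    return findings


def main() -> int:
    diff = subprocess.run(["git", "diff", "--cached", "--no-color"],
                          capture_output=True, text=True, check=True).stdout
    findings = scan_added_lines(diff)
    for path, line, name in findings:
        print(f"{path}:{line}: possible {name}", file=sys.stderr)
    if findings:
        print("Commit blocked: remove the secret or load it from a secrets store.", file=sys.stderr)
        return 1
    return 0


if __name__ == "__main__":
    sys.exit(main())
```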
Commit-time checks are triggered automatically by a check-in to the source code repository and give fast feedback to developers who push code to the shared repository.
They ensure that the code compiles and can always be built, and they focus on critical- and high-severity security issues in the code.
Build-time checks are triggered automatically when the commit-time checks succeed. Advanced automated testing of the application at this stage requires security testing, open-source management, risk-based security tests, and storing artifacts in repositories.
Build-time checks break the build on any failure.
Build-time checks also inventory dependencies and check whether any of them have publicly disclosed vulnerabilities.
At this stage, teams can configure more comprehensive SAST rule sets, such as one covering the OWASP Top 10 for web applications, and set up jobs that identify risks in third-party code using tools such as Black Duck.
A practice of implementing security at every step in the DevOps lifecycle with DevSecOps tools. (Taken from the article DevSecOps Tools and Continuous Security)
Test-time checks are triggered automatically when the build-time checks succeed. The latest good build is picked up and deployed to a staging or test environment, and all the tests, such as functional, integration, and performance testing, are executed against that build.
This testing phase takes place just before a product is released into production; here, the staging environment is the one most representative of production.
Here, the security tools run with their complete rule sets. Since SAST already ran in the earlier checks, this stage ensures that the tests not yet covered are run.
After the previous steps complete successfully, the application is ready for deployment, and deploy-time inspections add pre- and post-deployment security checks to finish the DevSecOps pipeline. An appropriate strategy is a process that periodically triggers security testing. Post-deployment checks confirm that changes made to the production environment have not introduced security issues.
These checks can catch bugs missed during pre-production testing. Continuous monitoring gives insight into the application's traffic, and those metrics also help identify malicious users.
Pre-deployment
Post-deployment
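An added example of the post-deployment continuous monitoring described above (not code from the article): a check over access-log lines that flags clients whose traffic is mostly 4xx responses spread over many distinct paths, a pattern worth analyst review or rate limiting. The log lines are constructed and the thresholds are assumptions.

```python
"""Post-deployment traffic monitor: flag clients whose request pattern looks like
probing rather than normal use. Added example for this article; the access log
lines are constructed and the thresholds are illustrative assumptions."""
import re
from collections import defaultdict

# Common Log Format as written by Apache httpd and nginx.
LOG_RE = re.compile(r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
                    r'(?P<status>\d{3}) (?P<size>\d+|-)')

# Constructed sample: 203.0.113.7 requests a series of sensitive paths and collects
# 4xx responses; 198.51.100.5 behaves like an ordinary user.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /.env HTTP/1.1" 404 162
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /wp-login.php HTTP/1.1" 404 162
203.0.113.7 - - [10/Oct/2023:13:55:37 +0000] "GET /backup.zip HTTP/1.1" 404 162
203.0.113.7 - - [10/Oct/2023:13:55:37 +0000] "GET /admin/ HTTP/1.1" 403 199
203.0.113.7 - - [10/Oct/2023:13:55:38 +0000] "GET /.git/config HTTP/1.1" 404 162
198.51.100.5 - - [10/Oct/2023:13:55:40 +0000] "GET /index.html HTTP/1.1" 200 5120
198.51.100.5 - - [10/Oct/2023:13:55:41 +0000] "GET /static/app.js HTTP/1.1" 200 8801
198.51.100.5 - - [10/Oct/2023:13:55:45 +0000] "POST /api/login HTTP/1.1" 200 88
"""

def parse_log(text: str) -> list:
    """One dict per parsable line; malformed lines are skipped rather than fatal."""
    return [m.groupdict() for m in map(LOG_RE.match, text.splitlines()) if m]

def flag_clients(entries: list, min_requests: int = 5, error_ratio: float = 0.6) -> dict:
    """Return {ip: metrics} for clients with >= min_requests requests, mostly 4xx;
    these are candidates for rate limiting, a WAF rule, or analyst triage."""
    per_ip = defaultdict(lambda: {"requests": 0, "errors": 0, "paths": set()})
    for e in entries:
        s = per_ip[e["ip"]]
        s["requests"] += 1
        s["paths"].add(e["path"])
        if e["status"].startswith("4"):
            s["errors"] += 1
    flagged = {}
    for ip, s in per_ip.items():
        ratio = s["errors"] / s["requests"]
        if s["requests"] >= min_requests and ratio >= error_ratio:
            flagged[ip] = {"requests": s["requests"], "error_ratio": round(ratio, 2),
                           "distinct_paths": len(s["paths"])}
    return flagged

if __name__ == "__main__":
    for ip, metrics in flag_clients(parse_log(SAMPLE_LOG)).items():
        print(f"review {ip}: {metrics}")
```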
Security and risk management leaders must adhere to the collaborative, agile nature of DevOps for security testing to be seamless in development, making the "Sec" in DevSecOps transparent. (Source: Gartner, Inc.)
These five checklists ensure the best practices for DevSecOps:
The most crucial requirement for continuous testing and continuous integration is speed, which makes automation a fundamental requirement. The necessary security measures and triggers must therefore be in place. Dynamic security testing is preferable to static testing here: vulnerability scanning runs in real time, so the tools that automate the security measures in the code configuration are essential.
Since hacks and data breaches have become regular news, security is an essential concern. Code from open-source projects pulled into a project as dependencies can introduce vulnerability risk, since it may be unmaintained code with no security measures applied. Dependency checking is therefore a must: an OWASP utility check will surface the vulnerabilities in this open-source code.
DevSecOps has to maintain a security management process. When the security team finds a bug, it reports it in the repository, but developers sometimes lack the resources to review those reports, so functional testing takes precedence over security testing. A uniform security management process is therefore needed so that code modification happens in one place and the DevSecOps team is notified of it; the team can then run its authentication testing protocols.
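An added example serving both the build-time dependency check described earlier and the dependency-checking practice described here (it is not OWASP Dependency-Check or Black Duck): a build gate that matches pinned versions against an advisory feed and exits non-zero to break the build. The advisory entries, package names and severity threshold are constructed for the demonstration, not real CVE data.

```python
"""Build-time dependency gate: break the build when a pinned dependency has a
publicly disclosed vulnerability at or above a severity threshold. Added example
for this article (not OWASP Dependency-Check or Black Duck); advisories and the
lock file below are constructed, not real CVE data."""
import re

SEVERITY_RANK = {"LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}
# package -> [(first_affected, first_fixed or None if unfixed, advisory id, severity)]
ADVISORIES = {
    "examplelib": [("1.0.0", "1.4.2", "ADV-0001", "HIGH")],
    "fastparse": [("0.9.0", None, "ADV-0002", "MEDIUM")],
    "jsonhelper": [("2.0.0", "2.3.0", "ADV-0003", "CRITICAL")],
}
SAMPLE_REQUIREMENTS = """\
examplelib==1.3.0   # inside ADV-0001's affected range (HIGH): breaks the build
fastparse==1.1.0    # ADV-0002 (MEDIUM), no fix released: reported, not blocking
jsonhelper==2.3.0   # exactly the first fixed version: clean
"""

def parse_version(v: str) -> tuple:
    """'1.10.0' -> (1, 10, 0) so versions compare numerically, not as strings."""
    return tuple(int(p) for p in re.findall(r"\d+", v))

def is_affected(version: str, first_affected: str, first_fixed) -> bool:
    v = parse_version(version)
    if v < parse_version(first_affected):
        return False
    return first_fixed is None or v < parse_version(first_fixed)

def parse_requirements(text: str) -> list:
    """Parse pip-style 'name==version' pins; comments and blank lines are skipped."""
    pins = []
    for line in text.splitlines():
        m = re.fullmatch(r"([\w.\-]+)\s*==\s*([0-9][\w.\-]*)", line.split("#", 1)[0].strip())
        if m:
            pins.append((m.group(1).lower(), m.group(2)))
    return pins

def gate(requirements: str, fail_at: str = "HIGH") -> tuple:
    """Return (passed, findings); passed is False when any finding is >= fail_at."""
    findings = [(name, ver, adv, sev, fixed)
                for name, ver in parse_requirements(requirements)
                for first, fixed, adv, sev in ADVISORIES.get(name, [])
                if is_affected(ver, first, fixed)]
    blocking = [f for f in findings if SEVERITY_RANK[f[3]] >= SEVERITY_RANK[fail_at]]
    return (not blocking, findings)

if __name__ == "__main__":
    passed, findings = gate(SAMPLE_REQUIREMENTS)
    for name, ver, adv, sev, fixed in findings:
        print(f"{sev}: {name}=={ver} hit by {adv}; fix: {fixed or 'none released'}")
    raise SystemExit(0 if passed else 1)  # non-zero exit breaks the build
```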
With the growing demand to shorten the development of reliable applications, DevOps as a practice is set to take off. But with power comes responsibility. Security is a significant concern in the development of the end product, so it should be injected from the early stages of development. Implementing development, security, and operations together should therefore be a standard plan for organizations from the start, and the checklists above help achieve that.