DevSecOps from Zero to Hero..!!
Arpit Mittal
Product Security Specialist | DAST | SAST | SCA | DevSecOps | VAPT | VM | Cloud Security | CompTIA Sec+ | CEHv9 | Freelance Pentester | Ex- Infosys, ACKO, Persistent
Day by day we are learning different security approaches to minimise and close security gaps, and for that we have to apply the best possible security at every level. If we talk specifically about application security, the most preferred approaches are SAST and DAST, but are they sufficient to secure your application and also minimise the cost? The answer is a big NO, because to manage the whole application security domain we need assurance from scratch, and for that we have to start applying security best practices at the development level. This is where SSDLC (Secure Software Development Life Cycle) comes into the picture: when we train our developers in secure coding, we reduce the vulnerability count found at the SAST and DAST stages, and then go for secure code review and dynamic security assessment.
BUT?
What if we can automate this process?
Yes, here we go with the DevSecOps process: secure coding practices combined with the best security solutions to innovate while ensuring data security and maintaining privacy. We cannot just rely on scanners and reports to find loopholes and weaknesses. We have been aware of the DevOps approach for a long time; now we need to add 'Security' between Development and Operations.
"DevSecOps integrates security seamlessly into an Agile environment along with the different development and security solutions."
DevSecOps is mostly used to automate your CI/CD process with security built in. At this stage you define how you will automate the process, how many stages you need for a good CI/CD flow, and which solutions you will use in each stage to improve the security posture. These solutions can be open source or enterprise; it all depends on your budget, but in most stages you can use open-source solutions to reduce cost. I have created the architecture below, as per my understanding, with each stage of DevSecOps:
The DevSecOps process covers the development and operations posture of your organisation so that you can analyse where to place security. I recommend creating an architecture overview of what you are going to implement: define the stages of CI/CD, define the processes involved in each stage, how you will deploy the code, how you will test the code, and how you will monitor the environment. As an example, I have created the architecture below; this flow includes each stage along with its processes/services:
Integration of Open-source Solutions into Pipeline:
It is easy to integrate an open-source solution into an existing CI/CD pipeline to enhance security, but before that, check the solution properly and customise it as per your requirements (if needed). We have added a few open-source solutions such as Gitleaks, OWASP Dependency-Check, OWASP ZAP, etc. I will share the references below for further research. I also recommend using a vulnerability management tool such as DefectDojo to track the vulnerabilities.
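As an added example (not from the original article or any of the projects it names), here is a GitLab CI pipeline that wires the tools mentioned above into dedicated security stages and pushes each report to DefectDojo. It assumes the official Gitleaks, Dependency-Check and ZAP container images, and that APP_URL, DD_URL, DD_TOKEN and DD_ENGAGEMENT are CI/CD variables you define yourself.

```yaml
# Added example: security stages for an existing CI/CD pipeline.
# APP_URL, DD_URL, DD_TOKEN and DD_ENGAGEMENT are assumed CI/CD variables.
stages: [secrets, sca, dast, report]

variables:
  APP_URL: "https://staging.example.invalid"   # assumed DAST target: staging, never production

secrets_scan:
  stage: secrets
  image: zricethezav/gitleaks:latest
  script:
    # Exit code 1 on any finding so a committed credential blocks the pipeline.
    - gitleaks detect --source . --report-format json --report-path gitleaks.json --exit-code 1
  artifacts: { paths: [gitleaks.json], when: always }

dependency_check:
  stage: sca
  image: owasp/dependency-check:latest
  script:
    # Fail the job when any dependency carries a vulnerability with CVSS >= 7.
    - /usr/share/dependency-check/bin/dependency-check.sh --project "$CI_PROJECT_NAME" --scan . --format JSON --out . --failOnCVSS 7
  artifacts: { paths: [dependency-check-report.json], when: always }

zap_baseline:
  stage: dast
  image: ghcr.io/zaproxy/zaproxy:stable
  script:
    # Passive baseline scan; -I stops warnings from failing the job so DAST
    # starts as a reporting gate and can be tightened once findings are triaged.
    # The image writes reports into its /zap/wrk work directory.
    - mkdir -p /zap/wrk && zap-baseline.py -t "$APP_URL" -J zap.json -I
    - cp /zap/wrk/zap.json .
  artifacts: { paths: [zap.json], when: always }

defectdojo_upload:
  stage: report
  image: curlimages/curl:latest
  when: always      # upload whatever reports exist, even if an earlier gate failed
  script:
    - for pair in "Gitleaks Scan:gitleaks.json" "Dependency Check Scan:dependency-check-report.json" "ZAP Scan:zap.json"; do
        type="${pair%%:*}"; file="${pair#*:}";
        [ -f "$file" ] || continue;
        curl -sSf -X POST "$DD_URL/api/v2/import-scan/"
          -H "Authorization: Token $DD_TOKEN"
          -F "scan_type=$type" -F "file=@$file"
          -F "engagement=$DD_ENGAGEMENT" -F "active=true" -F "verified=false";
      done
```

The gates are deliberately uneven: secrets and high-CVSS dependencies fail the build immediately, while DAST only reports until the team has triaged its baseline, which is a common way to introduce a new stage without blocking every deployment on day one.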
Benefits to Implement DevSecOps:
When we say DevSecOps, it means continuous integration and development along with security. Everyone can have a different mindset and approach to understanding the DevSecOps process. When I started my research on DevSecOps I came across multiple resources, and I recommend everyone explore for themselves on the basis of their requirements.
References:
Suggestions and improvements are always welcome as I'm still a learner. :)
Driving IT and Data Analytics Audits | Learning about AI (something new every week)
2y A very informative article Arpit!
Threat Researcher at BforeAI
2y peru level post
Lead Security Engineer at Coupa Software | GCPN | OSCP | OSWP | eWPTXv2 | CRTO | CEH | CHFI | ECSA | CREST CPSA | CISM | AWS Certified Security - Specialty | Red Teaming | Speaker
2y Nice one Arpit Mittal Bhai. I must say you can add some portion related to design review and threat modelling practices as well in this approach. Of course this is a baseline and we all need to improve and mature day by day, thanks for bringing this.
Accidental Team Lead | Not So Certified Hacker | OWASP Mobile Security Project Lead |
2y Pro