My Dev-Sec-Ops MindMap

Humans are pattern-seeking story-telling animals, and yes, I am a human, and here is my DevSecOps story.

In my role, I often need to make recommendations and decisions regarding the tools and processes that can strengthen the DevSecOps environment. With the fast-paced nature of code changes and feature deployment, it's essential to communicate with stakeholders clearly and concisely. This means presenting information in a simple, modular, and cohesive narrative that acknowledges ongoing innovation.

To help visualize this approach, I've created a mind map that outlines the key elements of my DevSecOps story. I break down the different components of the approach, including continuous integration/continuous deployment (CI/CD) pipelines, static and dynamic application security testing (SAST/DAST), vulnerability scanning, and runtime application self-protection (RASP).

By presenting this information in a clear and coherent way, I hope to demonstrate the importance of a holistic approach to security in DevSecOps. Through ongoing innovation and adaptation, we can stay ahead of emerging threats and ensure that our systems remain secure in the face of evolving risks.

[Image: the DevSecOps mind map, with a photo of Stonehenge as its background]

Plan:

We use many tools to plan and collaborate. The following is what I like.

  • Notion: My favorite tool for publishing content and collaborating. It amps up the knowledge management capabilities of the teams.
  • Slack: I see an email-less world soon. I love the private channels and external collaboration features.
  • Jira: Our good old Jira continues to deliver.
  • Loom: A simple way to show what product managers want to build.
  • Lucidchart: Where were you all these years? One must experience this tool.

Code:

For a security professional, it is essential to standardize the tech stack. Why? Because we need to secure it. Some tools may not work with the latest open source languages that are being adopted by the developer community.

  • GitHub: GitHub is my favorite software version control platform. It is better to use the enterprise version and benefit from features like Gitleaks.
  • GitLab: My other choice, but I will recommend GitHub due to the ecosystem of developers that use it (network effect).
  • GoLang: An open source programming language that appears to be growing in popularity.
  • ReactJS: An open-source front-end JavaScript library for building user interfaces or UI components.
  • Python: Developers who love to code in Python usually like coding in Go. I recommend sticking to a few popular languages from the security engineering POV, as the security tools depend on the technology stack we intend to secure.

Build:

Selecting a build platform is critical for the DevSecOps process. I observed the following tools working well in the DevSecOps paradigm.

  • MergeQueue: Automates the pull request merge workflow and monitors all pull requests on your GitHub repository. Instead of manually merging pull requests, the engineers label them when ready. MergeQueue prioritizes ready PRs on a FIFO basis and, based on your configuration, performs operations on them: it merges a PR when all the merge criteria have been met, and it reports and dequeues pull requests that fail the criteria.
  • Buildkite: A platform for running fast, secure, and scalable continuous integration pipelines on your own infrastructure.
  • Jenkins: An open source automation platform that enables developers to build, test, and deploy software.
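As an added illustration (this is not MergeQueue's own code), the following Python simulation models the workflow described above: labelled PRs enter a FIFO queue, each is merged when it meets the merge criteria, and those that fail are dequeued with a report. The required check names (including a SAST gate), the approval threshold and the sample PRs are constructed assumptions.

```python
from collections import deque
from dataclasses import dataclass, field


@dataclass
class PullRequest:
    number: int
    ready: bool = False                         # engineer applied the "ready" label
    checks: dict = field(default_factory=dict)  # CI check name -> passed?
    approvals: int = 0


# Constructed merge criteria for this simulation: every required check
# (including the security gates) must pass, plus at least one review approval.
REQUIRED_CHECKS = ("unit-tests", "sast-scan", "secret-scan")
MIN_APPROVALS = 1


def failed_criteria(pr):
    """Return the list of reasons a PR does not meet the merge criteria (empty if it does)."""
    reasons = [f"check failed: {c}" for c in REQUIRED_CHECKS if not pr.checks.get(c, False)]
    if pr.approvals < MIN_APPROVALS:
        reasons.append(f"needs {MIN_APPROVALS} approval(s), has {pr.approvals}")
    return reasons


def process_queue(prs):
    """Queue labelled PRs in FIFO order; merge those meeting criteria, dequeue and report the rest."""
    queue = deque(pr for pr in prs if pr.ready)  # unlabelled PRs are never queued
    merged, rejected = [], {}
    while queue:
        pr = queue.popleft()
        reasons = failed_criteria(pr)
        if reasons:
            rejected[pr.number] = reasons        # dequeued with a report
        else:
            merged.append(pr.number)             # merged in FIFO order
    return merged, rejected


# Constructed sample PRs (not real repository data).
ALL_PASS = {"unit-tests": True, "sast-scan": True, "secret-scan": True}
SAMPLE_PRS = [
    PullRequest(101, ready=True, checks=dict(ALL_PASS), approvals=2),
    PullRequest(102, ready=False, checks=dict(ALL_PASS), approvals=1),            # not labelled
    PullRequest(103, ready=True, checks={**ALL_PASS, "sast-scan": False}, approvals=1),
    PullRequest(104, ready=True, checks=dict(ALL_PASS), approvals=0),             # no approval
    PullRequest(105, ready=True, checks=dict(ALL_PASS), approvals=1),
]

if __name__ == "__main__":
    merged, rejected = process_queue(SAMPLE_PRS)
    print("merged in order:", merged)
    for number, reasons in rejected.items():
        print(f"PR #{number} dequeued:", "; ".join(reasons))
```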

Test:

Continuous testing complements the Continuous Integration (CI) / Continuous Deployment (CD) process. I believe a new term, Continuous Testing (CT), will be coined to complement CI/CD. The future will be CI/CT/CD.

  • pytest: The pytest framework makes it easy to write small tests, yet scales to support complex functional testing for applications and libraries.
  • Veracode: A source code security analyzer, a classic Dynamic Application Security Testing (DAST) tool, and an IAST (interactive application security testing) tool.
  • Bridgecrew: Automates the infrastructure code review process and enables AppSec teams to scale.
  • SonarCloud: Automates the application security assessment use cases by automating code quality review and detecting bugs and vulnerabilities.
  • Cypress: Front-end testing tool.
  • ArmorCode: No-code or low-code platform for Application Security Posture Management. It is also a security orchestration and posture management platform.
  • AppScan: Now HCL AppScan, it can be your one-stop IAST, DAST, SAST, and SCA solution.

Release:

I came to cybersecurity from a GRC background. The traditional, waterfall-based software release controls still hold good in this Dev-Sec-Ops world. The trick is to educate the auditors and get them to understand the tools. I have worked with many smart auditors, and they have been on board with the idea of automated controls in the DevSecOps process.

  • GitHub: Code repository and tagging system that flags what is to be released.
  • CloudBees: Release management tool that provides approvals (workflows, APIs).

Deploy:

In a simple sense, deploy means releasing the code to production. The incremental deployment techniques supported by modern tools have helped the industry increase the velocity of deployment.

  • Spinnaker: Deploys the images to the environments (PRD, QA, DEV).
  • Terraform: An open-source infrastructure as code software tool that helps deploy and manage cloud services.
  • AWS CloudFormation: If you are on AWS, you need to use the AWS CloudFormation service to deploy a collection of related AWS and third-party resources and manage them in an orderly and predictable fashion.

Operate:

As we deploy microservices-based applications with a Service Mesh, we need to monitor whether the service orchestration is effective.

  • Istio: Istio is an open-source service mesh that helps organizations run distributed, microservices-based apps. Istio manages traffic flows between services, enforces access policies, and aggregates telemetry data without requiring changes to application code.

Monitor:

Monitoring production systems for unusual activities that may result in cyber incidents is our responsibility as cybersecurity professionals.

  • DataDog: Monitors cloud platform services and creates lots of logs. This can be an expensive tool if not configured and managed well.
  • Lacework: With $500M in funding and recent high-profile hires, this vendor will innovate very well in this space and go beyond typical Cloud Security Posture Management (CSPM).
  • Orca Security: They also raised $500M recently. This product is designed well. I like simple, intuitive dashboards. Security professionals like the asset view. A good Cloud Workload Protection Platform (CWPP).
  • LogicHub: Founded by some industry insiders and innovators, LogicHub has pivoted to become a SIEM/SOAR/MDR platform. Watch them and invest in this company if you get an opportunity. Why? Don't you want a proper MDR solution that has an inexpensive SIEM?

Governance:

Governance is different from compliance with an industry standard (PCI, SOC, ISO, NIST, CIS, PSD2). Orca, Lacework, Bridgecrew, and AWS Audit Manager have a compliance view. A new breed of companies is emerging, and I hope they will transform themselves into Continuous Cloud Compliance Platforms (CCCP; Gartner may coin this buzzword). In my next post, I will detail Drata, Vanta, SecureFrame, and VeryGoodSecurity (VGS). I will also talk about API governance (check out traceable.ai).

Please feel free to provide any feedback. I will be glad to make changes.

Deika Elmi

Cybersecurity Leader | AWS Certified Cloud Practitioner | CISM | ISO27001 Certified Lead Auditor

3 years

Great article Sangram, I enjoyed it and found it informative.

Sahil Bhanushali (PCIP-ISA)

Director, Cybersecurity, Governance, Risk, and Compliance

3 years

Great insight and well written.

Sangram Dash

CISO, VP of IT Sisense (Former PayPal, Square, SVB, CDK Global, KPMG). CISSP, CISM, CDPSE, UCLA MBA.

3 years

One of my dear cyber professionals asked me why I chose the picture of Stonehenge. Two reasons. 1: This prehistoric monument's three-ring structure signifies the defense-in-depth strategy we adopt in Dev-Sec-Ops. 2: Working with engineering and product, we enable the creation of a SECURE product, just as this structure is a culmination of multiple stones. (FYI, I took that picture.)


Very well articulated article, Sangram Dash. Anshu Gupta, this article answers part of the questions you were asking in today's Purple Book Community session. Adding Charles Nwatu, Poornaprajna Udupi, Jacob Chirayath, and a few #devsecops leaders to share their wisdom.

Bryan McCreedy

Vice President | CRO CISO CIO CTO & VP of Vulnerability Management Liaison | Passionate about B2B SaaS Software & Exposure Management | 23K+

3 years

Wonderful job of sharing your #devsecops journey, Sangram! I see a lot of familiar logos that our customers are using, a few new players, and of course love seeing the ArmorCode Inc. mention!
