Why DevSecOps and not just DevOps?
Amazon Web Services, a premier proponent and purveyor of DevOps services defines DevOps as:
“The combination of cultural philosophies, practices, and tools that increases an organization’s ability to deliver applications and services at high velocity: evolving and improving products at a faster pace than organizations using traditional software development and infrastructure management processes. This speed enables organizations to better serve their customers and compete more effectively in the market.
Under a DevOps model, development and operations teams are no longer “siloed.” Sometimes, these two teams are merged into a single team where the engineers work across the entire application lifecycle, from development and test to deployment to operations, and develop a range of skills not limited to a single function.
In some DevOps models, quality assurance and security teams may also become more tightly integrated with development and operations and throughout the application lifecycle.
These teams use practices to automate processes that historically have been manual and slow. They use a technology stack and tooling which help them operate and evolve applications quickly and reliably. These tools also help engineers independently accomplish tasks (for example, deploying code or provisioning infrastructure) that normally would have required help from other teams, and this further increases a team’s velocity”
When security is the focus of everyone on a DevOps team, this is sometimes referred to as DevSecOps. Security then becomes the concern of developers, testers, network engineers, infrastructure specialists (compute, server, network and storage management), and production operations managers.
With DevSecOps, enterprises can develop modern applications securely by focusing on four key areas:
1. Web-based attacks (e.g., the OWASP Top 10)
2. Catching security bugs early in the development process, which reduces remediation costs five-fold (Source: Gartner)
3. Continuous Integration / Continuous Delivery (CI/CD) processes and tools that provide continuous, automated compliance checks for HIPAA, FINRA, PCI DSS, FedRAMP and other regulatory regimes
4. Instrumenting and monitoring the threat landscape in real time using threat correlation, logging, monitoring and alerting, which in turn supports good customer service
Since most applications are now delivered through a web browser, discovering web-based vulnerabilities is more important than ever. The Open Web Application Security Project (OWASP), a leading industry security association, publishes the most common categories of web application vulnerabilities in its Top 10 list; the 2021 edition lists:
· Broken Access Control
· Cryptographic Failures
· Injection
· Insecure Design
· Security Misconfiguration
· Vulnerable and Outdated Components
· Identification and Authentication Failures
· Software and Data Integrity Failures
· Security Logging and Monitoring Failures
· Server-Side Request Forgery (SSRF)
We also stress that compliance with regulatory regimes, e.g., HIPAA, PCI DSS and FedRAMP, is critical for meeting client requirements. DevSecOps covers the major technical components needed to satisfy compliance and security requirements.
Since DevSecOps is critical to building web-scale applications and to discovering their vulnerabilities, security engineers working in DevSecOps must cover at least the following:
1. Source code analysis for security vulnerability discovery
2. Open-source dependency vulnerability discovery
3. API management and behaviour
4. CI/CD automation to speed up application delivery
5. Secrets management and access control across the SDLC
6. Kubernetes / container security
7. Logging and monitoring
8. Real-time application monitoring
9. Runtime security management
10. Penetration testing
Each of the items listed above can and should be detailed by any DevSecOps team worth its salt. If your team is not paying attention to any of these core vulnerability discovery processes, you should ask why.
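To make items 1 and 5 above (source code analysis and secrets management across the SDLC) concrete, here is an added example of a minimal "shift-left" gate that a CI job can run before merge. It is not code from the original article or from any product: it scans source text for credential formats with a known shape (the AWS access key ID and GitHub classic token prefixes are publicly documented; the list is illustrative), flags long high-entropy values assigned to secret-looking variable names, honours an inline allow marker for reviewed false positives, and returns a non-zero exit status so the pipeline fails. The function names (`scan_text`, `passes_gate`), the `# secrets:allow` marker, the entropy threshold and the sample input are all assumptions made for this illustration; a real pipeline would normally wrap a maintained scanner, and this block only shows the mechanism such a gate relies on.

```python
#!/usr/bin/env python3
"""Added example: a minimal pre-merge secrets gate for a CI pipeline.

Scans source text for (a) credential formats with a known shape and
(b) high-entropy values assigned to secret-looking variable names, so a
CI job can fail the build before a leaked key reaches the main branch.
Patterns, marker and threshold below are illustrative assumptions.
"""
import math
import re
import sys
from collections import Counter

# (a) Known credential shapes. The AWS access key ID prefix and the GitHub
# classic PAT prefix are publicly documented formats; the list is illustrative.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "private_key_block": re.compile(
        r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"
    ),
}

# (b) Assignment of a long token-like value to a secret-looking name.
ASSIGNMENT = re.compile(
    r"(?i)(secret|password|passwd|token|api[_-]?key)\w*\s*[=:]\s*['\"]?"
    r"([A-Za-z0-9+/=_\-]{16,})"
)

# Inline annotation (assumed convention) to suppress a reviewed false positive.
ALLOW_MARKER = "# secrets:allow"

# Bits per character; random keys sit well above this, words and repeats below.
ENTROPY_THRESHOLD = 3.5


def shannon_entropy(value: str) -> float:
    """Shannon entropy in bits per character of the given string."""
    if not value:
        return 0.0
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in Counter(value).values())


def scan_text(text: str) -> list[tuple[int, str]]:
    """Return (line number, finding name) pairs for every suspicious line."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if ALLOW_MARKER in line:
            continue  # a reviewer has explicitly accepted this line
        for name, pattern in PATTERNS.items():
            if pattern.search(line):
                findings.append((lineno, name))
        match = ASSIGNMENT.search(line)
        if match and shannon_entropy(match.group(2)) >= ENTROPY_THRESHOLD:
            findings.append((lineno, "high_entropy_" + match.group(1).lower()))
    return findings


def passes_gate(text: str) -> bool:
    """True when the text contains nothing the gate would block on."""
    return not scan_text(text)


# Constructed sample input: the documented AWS example key ID, a short weak
# password (not caught: this gate is about leaked credentials, not password
# strength), a random-looking API key, a low-entropy placeholder token, a PEM
# header, and an allow-listed test fixture.
SAMPLE = """\
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
db_password = "hunter2"
api_key = "sk9Fj2Lq8Xz4Mn1Pq7Rt3Wv6Yb0Cd5Ef"
token = "aaaaaaaaaaaaaaaaaaaaaaaa"
-----BEGIN RSA PRIVATE KEY-----
secret = "Zm9vYmFyYmF6cXV4MTIzNA=="  # secrets:allow
"""


def main(paths: list[str]) -> int:
    """CI entry point: scan the given files (or the sample) and exit non-zero."""
    blocked = False
    sources = [(p, open(p, encoding="utf-8", errors="replace").read()) for p in paths]
    if not sources:
        sources = [("<sample>", SAMPLE)]
    for path, text in sources:
        for lineno, name in scan_text(text):
            print(f"{path}:{lineno}: {name}")
            blocked = True
    return 1 if blocked else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Run with no arguments to scan the embedded sample, or pass file paths from the CI checkout. Note what the sample shows about the two detection strategies: the shape-based patterns catch the AWS key and the PEM header regardless of context, the entropy check catches the random API key but deliberately ignores the repeated-character placeholder, and neither catches the weak `hunter2` password, which is a password-strength problem rather than a leaked-secret problem and belongs to a different control.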
If you need more information on how DevSecOps should be implemented in your environment, please reach out to [email protected]