Idea by and |  28 Jan 2020 |    LEAVE A COMMENT    | Reading Time: 10 minutes

What is DevSecOps?

When secure practices and tools integrate to drive visibility, collaboration, and agility into each stage of DevOps pipeline it takes a major transformational shift called DevSecOps. The fundamental objective of DevSecOps is to make every individual responsible for security in the process of safely distributing security decisions at speed and scale to those who hold the highest level of context without sacrificing the safety required.Every organization with a DevOps framework should transform towards a DevSecOps mindset and bringing individuals of all abilities and across all technology disciplines to a greater level of proficiency in security. Whether it’s testing potential security exploits or building business-driven security services, in the DecSecOps framework a number of tools ensure security is built into applications instead of developing security measures in a disorganized manner afterward.

To experience continuous integration where the cost of compliance is reduced and software is delivered and released faster, we need to constantly ensure that security is present during every phase of the software delivery life-cycle.

Why we need security in DevOps?

Before the concept of DevSecOps, continuous software delivery and updates were the conventional practices of a typical DevOps culture. But for security teams, it complicates the process of code analysis and to follow other security routines on software, before it has deployed in production.  As a matter of fact, the DevOps delivery approach provides organizations with an opportunity to diminish overall security risks in software. Some of the fundamental reasons are stated below:

  • The scalability and speed of application deployments have improved but security concerns are frequently ignored in favor of meeting the requirements of a business.
  •  In the development process, Security cannot be an afterthought depending upon the applications to keep operations running.
  • The security process of applications must escalate in order to keep pace with operations.

How can we bring security into DevOps?

  • Integrating security tools and processes firmly throughout the DevOps pipeline.
  • Automate core security functions by embedding security checks prior to the software development lifecycle.
  • Non-stop monitoring and reconditioning of security defects along with development and maintenance throughout the application lifecycle.

The Stages of DevSecOps

  1. In the BUILD stage in the DevSecOps pipeline, code is retrieved from the online repository and a build is made according to the project’s coding language.
    Recommended Tools: Gradle and Maven.
  2. A set of technologies called SAST (Static Application Security Test) is used to analyze application source code, byte code and, binaries for coding and design conditions that are indicative of security vulnerabilities.
  3. The Staging and deployment setup is for testing codes, builds and updates to make certain quality under a production-like environment before application deployment. The staging environment requires a replica of the same configurations of hardware, servers, databases, and caches to ensure the software functions correctly.
  4.  In the User Acceptance Testing (UAT) stage of the software testing process, the users test the software to ensure it can manage the required tasks according to the specifications in real-world scenarios.
  5. In this stage, a Dynamic Application Security Test (DAST) tool is to spot potential security vulnerabilities in the web application and architectural shortcomings.
    Recommended Tools: OWASP Zap (Vulnerability assessment tool)
  6. Infrastructure Scanning is a stage where the known vulnerabilities (Publicly Disclosed ones) are scanned.
    Recommended Tools: Clair (Docker container scan), OpenVAS (software framework of several services and tools offering vulnerability scanning and vulnerability management)
  7.  On the other hand, the Compliance Scan is a stage where we focus on the scanning of configuration settings or reinforcement of security that is applicable to a system. Precisely, compliance scans determine adherence to a specific compliance framework.
    Recommended Tools: Inspec (InSpec is an open-source (OSS) automated testing tool for integration,  compliance, security, and other policy requirements)
  8.  In the Production stage, a user is given the exposure to directly interact with the application. It is one of the most sensitive steps as it may be implemented by deploying a configuration change or by deploying new code to the live environment.
  9. WAF (Web Application Firewall) that scans, monitors and controls network, Internet and local system access and operations to and from an application or service.
     Recommended Tools: ModSecurity, ironBee

Tools Employed:

  • Docker (Build)
  • SonarQube (SAST)
  • Owasp ZAP (DAST)
  • Ansible (Deployment/Configuration management)
  • Clair (Infrastructure Scan)
  • ModSecurity (WAF)

Conclusion:

In the digital age, organizations facing insurmountable challenges to secure their development life cycle from security loopholes. DevSecOps is a methodology that interlinked the aspects of DevOps and standard security practices. It aims to prevent vulnerabilities that may occur at each step of the development process. Hence Security must be integrated in-depth with DevOps from the outset, to provide continual security measures in the software development life cycle.

AUTHOR

Mohsin Saeed

Mohsin Saeed Awan - I lead the department of IT, Networks and Security in Zigron Inc. In my role as IT/Networks/Security Lead, I superintend the IT infrastructure, security and network management of Zigron Inc. Moreover, I aim to provide avant-grade security solutions and services to our clients world-wide including i.e. DevOps, DevSecOps, Automation of Infrastructure, Private Cloud, Security Orchestration, Automation and Response and Managed SOC. Some of my core expertise include, Networking, Virtualization, Linux Administration, Windows Administration and Infrastructure and Application Deployment Automation. Prior to Zigron Inc, I supervised IT/Networks department in Protege Global and I got my professional skills tailored in SMEC Oil and Gas Pvt. Ltd as an Assistant IT Lead.

Sikandar Iqbal

Sikandar Iqbal - I am a time-served DevOps engineer in Zigron Inc. My major engineering practices at Zigron include building and supporting web SaaS solutions based on Linux/Unix platform in a cloud (AWS) and on-premise, securing and monitoring of infrastructure are the areas of my expertise. My significant contributions are in automating, supporting and to ensure CI/CD is in product development. Currently, I am working with the InfoSec team to corroborate network and infrastructure security via SIEM, SOAR, and embedding security within the hyper agile speed of DevOps.

error: Content is protected !!