For starters, this is just a blog post with one target reader, namely me. If others find it useful, that is just a nice side effect (as the Java programmer said to the Lisp programmer).

Sources

Where did I steal these ideas from:

  • Practical end-to-end Container Security at scale, a GOTO Play App talk on automated Jenkins pipeline security checks, tips and tricks.
  • Checkmarx GOTO night…
  • https://www.csoonline.com/article/3245748/what-is-devsecops-developing-more-secure-applications.html

The normal security process in organizations

The normal organisational security process goes something like this. Penetration testing and the like happen very late in the process. This produces a batch of vulnerability findings, which are added to the issue tracker (e.g. Jira). From there a Scrum-ish flow takes over: Backlog -> Prioritized -> Sprint backlog -> Fixed, deemed unnecessary, or too hard. The problem with this process is the delay between identification and remediation. The container with the vulnerability may no longer exist by the time someone gets around to fixing it. Or the dev team has to stop all other work to fix vulnerabilities before the production deadline.

DevSecOps

The purpose of DevSecOps is faster feedback: make the CI build discover the vulnerability, so that issues must be fixed to get a green build. The finding lands with the team that just built the image, while the image still exists and the change is fresh, instead of months later in a backlog.

Screenshot from the aforementioned GOTO talk.
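What a "red build on vulnerabilities" gate actually looks like, as an added example (my own code, not from the post's sources or the GOTO talk). It reads a scanner report, fails the build on findings at or above a severity threshold, and handles the two things that otherwise make such a gate unusable in practice: findings with no fix available yet (reported as warnings, since upgrading cannot turn the build green), and accepted risks, which go on an allowlist with an expiry date so a "deemed unnecessary" decision gets revisited rather than living forever. The report structure is modelled on the JSON shape an image scanner such as Trivy emits (Results[].Vulnerabilities[] with VulnerabilityID, PkgName, InstalledVersion, FixedVersion, Severity); treat those field names as an assumption and adapt them to the scanner you run. The report, the allowlist and the EXAMPLE-000x identifiers are constructed placeholders, not real CVEs.

```python
"""CI vulnerability gate: fail the build on scanner findings above a threshold.

Added example, not from the original post or the GOTO talk. The report
structure is modelled on the JSON an image scanner such as Trivy emits
(Results[].Vulnerabilities[] with VulnerabilityID, PkgName,
InstalledVersion, FixedVersion, Severity); the field names are an
assumption, adapt them to the scanner you actually run.
"""
import json
import sys
from datetime import date

SEVERITY_RANK = {"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

# Constructed sample report; the IDs are placeholders, not real CVEs.
SAMPLE_REPORT = json.dumps({
    "Results": [
        {
            "Target": "registry.example/app:1.2.3 (debian 12)",
            "Vulnerabilities": [
                {"VulnerabilityID": "EXAMPLE-0001", "PkgName": "libfoo",
                 "InstalledVersion": "1.0-1", "FixedVersion": "1.0-2",
                 "Severity": "CRITICAL"},
                {"VulnerabilityID": "EXAMPLE-0002", "PkgName": "libbar",
                 "InstalledVersion": "2.3", "FixedVersion": "",
                 "Severity": "HIGH"},
                {"VulnerabilityID": "EXAMPLE-0003", "PkgName": "libbaz",
                 "InstalledVersion": "0.9", "FixedVersion": "1.0",
                 "Severity": "MEDIUM"},
                {"VulnerabilityID": "EXAMPLE-0004", "PkgName": "libqux",
                 "InstalledVersion": "4.1", "FixedVersion": "4.2",
                 "Severity": "HIGH"},
            ],
        }
    ]
})

# Constructed allowlist of accepted risks. Every entry carries an expiry so
# a "deemed unnecessary" decision is revisited instead of living forever.
SAMPLE_ALLOWLIST = {
    "EXAMPLE-0004": {"reason": "not reachable: libqux is only used at build time",
                     "expires": "2099-01-01"},
}


def active_allowlist(allowlist, today):
    """Return the IDs of allowlist entries whose expiry date has not passed."""
    return {vid for vid, entry in allowlist.items()
            if date.fromisoformat(entry["expires"]) >= today}


def evaluate(report_json, threshold="HIGH", fixable_only=True,
             allowlist=None, today=None):
    """Return (blocking, warnings): findings that fail the build, and the rest.

    A finding blocks when its severity is at or above `threshold`, it is not
    on the (unexpired) allowlist and, if `fixable_only`, a fixed version
    exists. Unfixable findings become warnings rather than blocking, because
    the team cannot make the build green by upgrading. `today` may be a date
    or an ISO-8601 string; it defaults to the current date.
    """
    if isinstance(today, str):
        today = date.fromisoformat(today)
    today = today or date.today()
    allowed = active_allowlist(allowlist or {}, today)
    min_rank = SEVERITY_RANK[threshold.upper()]
    blocking, warnings = [], []
    for result in json.loads(report_json).get("Results", []):
        for v in result.get("Vulnerabilities") or []:
            rank = SEVERITY_RANK.get(str(v.get("Severity", "UNKNOWN")).upper(), 0)
            if rank < min_rank or v["VulnerabilityID"] in allowed:
                continue
            if fixable_only and not v.get("FixedVersion"):
                warnings.append(v)
            else:
                blocking.append(v)
    return blocking, warnings


def main(argv):
    # Pass "-" to read a real report from stdin; otherwise use the sample.
    report = sys.stdin.read() if argv[1:] == ["-"] else SAMPLE_REPORT
    blocking, warnings = evaluate(report, allowlist=SAMPLE_ALLOWLIST)
    for v in warnings:
        print(f"WARN  {v['VulnerabilityID']} {v['PkgName']} "
              f"{v['InstalledVersion']} ({v['Severity']}, no fix available yet)")
    for v in blocking:
        print(f"FAIL  {v['VulnerabilityID']} {v['PkgName']} "
              f"{v['InstalledVersion']} -> {v['FixedVersion']} ({v['Severity']})")
    # A non-zero exit status is what turns the CI build red.
    return 1 if blocking else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

In a pipeline this runs right after the image build (`scanner image --format json app:1.2.3 | python gate.py -`, with the scanner invocation adapted to whatever tool you use), and its exit status is the only thing Jenkins needs. The two knobs matter: with `fixable_only=False` the same HIGH finding without a fix blocks the build, which sounds strict but just trains teams to ignore the gate; and an expired allowlist entry starts blocking again, which is the point of the expiry.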