[Part 5] DevSecOps Templating

Alexander Lahutsin
9 min read · Nov 13, 2023

Welcome to the 5th DevSecOps article (spoiler: the series runs from Part 0 to Part 7). Previous articles:

Part 0: https://medium.com/@lahutsin/part-0-devsecops-introduction-412e3aa019a6
Part 1: https://medium.com/@lahutsin/part-1-devsecops-analytics-41c560004da3
Part 2: https://medium.com/@lahutsin/part-2-devsecops-nast-96f7c9e25645
Part 3: https://medium.com/@lahutsin/part-3-devsecops-sca-ids-ips-33f8838047b5
Part 4: https://medium.com/@lahutsin/part-4-devsecops-waf-ngfw-bef47ee03cc3

Today we will discuss the basic utility sets. We will also explore the key stages of implementing DevSecOps in an enterprise, analyzing the current situation, and discussing the strategy. I hope you will be satisfied with getting some knowledge in this specialization, and continue to develop this area in the future. This series of articles assumes a basic understanding and knowledge of DevOps. As an author, I do not claim to have a final or conclusive expert opinion in this area.

DevSecOps Implementation Template

The following are the key stages of implementing DevSecOps:

1. Assess the current situation. At this stage, you need to analyze the current development process, identify strengths and weaknesses, identify security issues and vulnerabilities in the application, and understand what tools and methods are used for developing and testing applications.

2. Develop a DevSecOps implementation strategy. At this stage, you need to develop a DevSecOps implementation strategy, define goals and objectives, and select appropriate tools and methods to ensure the security and efficiency of the development process.

3. Implement tools and methods. At this stage, you need to implement the selected tools and methods, such as automated security testing tools, version control tools, log monitoring and analysis tools, automated application build and deployment tools, and other tools needed to ensure the security and efficiency of the development process.

4. Monitor and analyze. At this stage, you need to monitor the development process and analyze data to identify problems and improve the development process. This may include monitoring application performance, security monitoring, security data analysis, and other types of monitoring and analysis.

As we already know, DevSecOps processes should track the implementation of any functionality in the software. Why is this necessary? In 99% of projects, no one tracks this, and under critical load the application often breaks down and the business suffers. The point is that many teams set up monitoring and logging but do not attach serious importance to what they show.

For this purpose, there is an approach of measuring performance before each update. The measurement is usually taken on the third day (depending on the delivery strategy) and compared with the previous one. The acceptable norm is a performance improvement of up to 10–15%. All other results are unfavorable for the operation of the software and should be noted in the post-release report to the team.
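As an added illustration of the release-to-release comparison described above (this is example code written for this article, not a tool from the author's toolkit): each metric is given a direction so that a positive percentage always means "better", the previous and current snapshots are compared, and anything outside the acceptable band is marked for the post-release report. The metric names, the sample values and the interpretation of the band (0% to 15% improvement is acceptable, any regression or any implausibly large gain is reported) are assumptions made for this example.

```python
from dataclasses import dataclass

# Direction of "better" per metric: True when a higher value is an improvement.
# Metric names are assumptions for this example.
HIGHER_IS_BETTER = {
    "requests_per_second": True,
    "p95_latency_ms": False,
    "error_rate_pct": False,
    "cpu_pct": False,
}

# Acceptable band from the article: an improvement of up to 10-15 %.
# We use the upper figure as the hard limit; a gain above it is almost
# always a measurement problem or an untested code path, so it is reported too.
ACCEPTABLE_IMPROVEMENT_PCT = 15.0


@dataclass(frozen=True)
class Verdict:
    metric: str
    previous: float
    current: float
    improvement_pct: float
    status: str  # "ok", "regression" or "investigate"


def improvement_pct(metric: str, previous: float, current: float) -> float:
    """Signed percent change, oriented so that positive always means better."""
    if previous == 0:
        raise ValueError(f"{metric}: previous value is zero, cannot compare")
    change = (current - previous) / previous * 100.0
    return change if HIGHER_IS_BETTER[metric] else -change


def compare_releases(previous: dict, current: dict,
                     limit_pct: float = ACCEPTABLE_IMPROVEMENT_PCT) -> list:
    """Classify every metric present in both snapshots."""
    verdicts = []
    for metric in sorted(previous):
        if metric not in current:
            continue  # not collected this release; list it separately in practice
        imp = improvement_pct(metric, previous[metric], current[metric])
        if imp < 0:
            status = "regression"
        elif imp > limit_pct:
            status = "investigate"
        else:
            status = "ok"
        verdicts.append(Verdict(metric, previous[metric], current[metric],
                                round(imp, 2), status))
    return verdicts


def release_report(verdicts: list) -> str:
    """Plain-text table for the post-release report to the team."""
    lines = ["metric | previous | current | improvement % | status"]
    for v in verdicts:
        lines.append(f"{v.metric} | {v.previous} | {v.current} | "
                     f"{v.improvement_pct:+.2f} | {v.status}")
    return "\n".join(lines)


# Constructed sample snapshots: the previous release and the current one,
# both measured under the same load profile.
PREVIOUS_RELEASE = {"requests_per_second": 1200.0, "p95_latency_ms": 250.0,
                    "error_rate_pct": 0.50, "cpu_pct": 60.0}
CURRENT_RELEASE = {"requests_per_second": 1260.0, "p95_latency_ms": 300.0,
                   "error_rate_pct": 0.20, "cpu_pct": 59.0}

if __name__ == "__main__":
    print(release_report(compare_releases(PREVIOUS_RELEASE, CURRENT_RELEASE)))
```

In the sample, throughput and CPU land inside the band, p95 latency is a 20% regression, and the error rate drops by 60%, which is flagged as "investigate" rather than celebrated: a change that large usually means the new build is not exercising the same paths as the old one.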

Current Situation Analysis

Current situation analysis is an important stage of DevSecOps implementation as it allows us to identify strengths and weaknesses of the current development process and identify security issues that need to be addressed.

Current situation analysis can include the following steps:

  • Studying the development process. It is necessary to study the current development process and understand what tools and methods are used, what tasks are solved at each stage, what roles are performed by the team, and what problems arise in the development process.
  • Identifying vulnerabilities and security issues. It is necessary to analyze the application and identify vulnerabilities and security issues that may be associated with the use of outdated tools and methods, poor application design, violation of security principles, etc.
  • Evaluating performance and quality. It is necessary to evaluate the performance and quality of the application and identify problems related to performance, application errors and failures, long delivery times, etc.
  • Analyzing the team structure and management processes. It is necessary to analyze the team structure, define roles and responsibilities, identify problems with communication and collaboration, and also analyze project management processes, such as risk management, planning, and change control.
  • Defining security requirements and standards. It is necessary to define security requirements that may be associated with legal norms, standards, and customer requirements, and understand what tools and methods are necessary to ensure compliance with these requirements.

Current situation analysis helps to determine what measures need to be taken to implement DevSecOps, what tools and methods should be used, and what changes need to be made to the current development process to ensure security and efficiency.

Taking the above into account, a consortium is mandatory. We adopt best practices and bring in specialists from other areas in order to discuss the situation on a particular project, identify problem areas, and agree on how to approach the process. This both builds up the experience of the consortium team and applies the best approach to the matter at hand.

DevSecOps Implementation Strategy Development

DevSecOps implementation strategy development is an important stage as it allows us to define goals and objectives, select appropriate tools and methods, and develop a plan of action for implementing DevSecOps into the current development process.

The following are the key steps that can help in developing a DevSecOps implementation strategy:

  • Define goals and objectives. It is necessary to define the goals and objectives that should be achieved as a result of implementing DevSecOps. These may include, for example, increasing application security, reducing delivery time, improving performance, etc.
  • Select appropriate tools and methods. It is necessary to select appropriate tools and methods to address the tasks defined in the previous step. These may include, for example, tools for automating security testing, tools for monitoring performance, tools for managing access and authorization, etc.
  • Develop a plan of action. It is necessary to develop a plan of action for implementing DevSecOps, define the stages and timelines for implementation, identify the responsible persons for each stage, and define the budget and resources required for implementation.
  • Involve the team. It is necessary to involve the team in developing the DevSecOps implementation strategy to take into account the opinions and experiences of all participants and ensure their support during implementation.
  • Evaluate the results. It is necessary to evaluate the results of implementing DevSecOps, conduct an analysis of achieving goals and objectives, evaluate the effectiveness of the tools and methods used, and also identify further steps for improving and optimizing the development process.

It is important to note that the DevSecOps implementation strategy should be flexible and scalable to be able to quickly adapt to changes in security requirements, technologies, and development methods.

In both the analysis and the strategy plan, it is important to produce documents that improve the project template for this area in the future and keep the list of current utilities up to date, since that list changes very quickly.

Implementation of Tools and Methods

The following are the main steps that can help with the implementation of DevSecOps tools and methods:

  • Tool selection: It is necessary to select tools that will ensure the security and efficiency of the development process. These could include tools for automated security testing, version control tools, log monitoring and analysis tools, automated build and deployment tools, access and authorization management tools, and so on.
  • Testing and optimization: It is necessary to test new tools and methods, as well as optimize their use to ensure maximum efficiency and security of the development process.
  • Tool integration: It is necessary to integrate the selected tools to ensure their interaction and efficiency. This could include integrating security testing tools, log monitoring and analysis tools, access and authorization management tools, and so on.
  • Team training: It is necessary to train the team on the new tools and methods to ensure their support and effectiveness when used. Training could include conducting training, workshops, courses, and so on.

Ultimately, based on the above, we are required to develop a strategy and, after discussing it at a council and approving or editing it, produce a report on the step-by-step implementation of utilities and methods, based on the criteria for implementing tools and methods.

It sounds complicated, but in the end we get a plan that explains to the customer what we will do, why, and how, for maximum transparency of actions.

It is also worth noting that, in addition to documents, it is necessary to hold several knowledge transfer (KT) sessions in order to answer colleagues' questions about each new utility and how it works, analyze the standard set of errors, and go through the instructions.

Secrets

Finding and removing sensitive information from a Git repository is an important task in DevSecOps. There are many tools that can help identify sensitive information, such as passwords, keys, and tokens, in a Git repository. Here are some of the popular tools for finding sensitive information in Git:

  • Git Secrets: Git Secrets is a tool for finding sensitive information in a Git repository. It uses patterns to identify sensitive information, such as passwords and SSH keys, and can be easily integrated into the CI/CD process.
  • TruffleHog: TruffleHog is a tool for finding sensitive information in a Git repository. It searches for sensitive information, such as passwords and API keys, in the commit history, not just the latest commit.
  • Gitleaks: Gitleaks is a tool for finding sensitive information in a Git repository. It uses patterns to identify sensitive information, such as passwords, SSH keys, and access tokens, and can be easily integrated into the CI/CD process.
  • Gitrob: Gitrob is a tool for finding sensitive information in a Git repository. It searches for sensitive information, such as passwords and SSH keys, in the commit history and can be easily integrated into the CI/CD process.
  • Repo Supervisor: Repo Supervisor is a tool for finding sensitive information in a Git repository. It searches for sensitive information, such as passwords and SSH keys, in the commit history and can be easily integrated into the CI/CD process.

These are just some of the tools that can be used to find sensitive information in a Git repository. It is important to choose a tool that is best suited to your needs and takes into account your specific security and efficiency requirements.
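To make concrete what the tools above actually do, here is an added example of the two detection techniques they combine: fixed patterns for well-known secret formats (the Git Secrets / Gitleaks approach) and a Shannon-entropy check for opaque high-entropy strings (the TruffleHog approach), run as a CI gate over the added lines of each commit. This is example code written for this article, not code from any of the listed tools. The sample hunks, the credential-looking values in them (none are real), the `secrets:allow` inline allowlist marker and the 3.5 bits/char entropy threshold are all assumptions made for this example.

```python
import math
import re
from dataclasses import dataclass

# Constructed sample standing in for `git log -p` output: "<commit> <path>"
# mapped to the lines that commit added. None of these values are real
# credentials; the AWS id is Amazon's documented placeholder.
SAMPLE_HUNKS = {
    "a1b2c3 config/settings.py": [
        'DB_PASSWORD = "hunter2"',
        'AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"',
    ],
    "d4e5f6 deploy/id_rsa": [
        "-----BEGIN RSA PRIVATE KEY-----",
        "MIIEowIBAAKCAQEA...",
    ],
    "0a9b8c app/token.txt": [
        'API_TOKEN = "9f3a7b2c1d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a"',
    ],
    "7c6d5e README.md": [
        "Run `make test` before pushing.",
        'FIXTURE_TOKEN = "0123456789abcdef0123456789abcdef"  # secrets:allow',
    ],
}

# Pattern rules in the style of Git Secrets / Gitleaks: (rule name, regex).
# Where a regex has groups, the last group is the secret value itself.
PATTERN_RULES = [
    ("aws-access-key-id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("private-key-header", re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----")),
    ("hardcoded-password",
     re.compile(r"(?i)(password|passwd|pwd)\s*[=:]\s*['\"]([^'\"]{4,})['\"]")),
]

# Entropy rule in the style of TruffleHog: long opaque tokens with high
# per-character entropy. Threshold and minimum length are assumptions to tune.
TOKEN_CANDIDATE = re.compile(r"[A-Za-z0-9+/=_\-]{32,}")
ENTROPY_THRESHOLD = 3.5  # bits per character
ALLOW_MARKER = "secrets:allow"  # constructed inline allowlist convention


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for an empty string)."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


@dataclass(frozen=True)
class Finding:
    location: str  # "<commit> <path>"
    rule: str
    redacted: str  # the CI log must never echo the full secret


def redact(value: str) -> str:
    return value[:4] + "*" * max(0, len(value) - 4)


def scan_line(line: str) -> list:
    """Return (rule, matched text) pairs for one added line."""
    if ALLOW_MARKER in line:
        return []  # reviewed false positive, e.g. a test fixture
    hits = []
    for name, rx in PATTERN_RULES:
        m = rx.search(line)
        if m:
            hits.append((name, m.group(m.lastindex or 0)))
    for cand in TOKEN_CANDIDATE.findall(line):
        if shannon_entropy(cand) >= ENTROPY_THRESHOLD:
            hits.append(("high-entropy-string", cand))
    return hits


def scan_hunks(hunks: dict) -> list:
    findings = []
    for location, lines in hunks.items():
        for line in lines:
            for rule, value in scan_line(line):
                findings.append(Finding(location, rule, redact(value)))
    return findings


def ci_gate(hunks: dict) -> int:
    """Exit status for a CI step: 0 when clean, 1 when anything was found."""
    findings = scan_hunks(hunks)
    for f in findings:
        print(f"[{f.rule}] {f.location}: {f.redacted}")
    return 1 if findings else 0


if __name__ == "__main__":
    raise SystemExit(ci_gate(SAMPLE_HUNKS))
```

Two design points carry over to whichever real tool you adopt: scan the added lines of every commit, not just the working tree, because a secret removed in a later commit is still in history; and redact matches in the CI output, otherwise the scanner itself becomes the place where secrets leak into build logs.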

Container scanning is an important part of DevSecOps to ensure the security of the source code and applications running in containers. In my practice, I often encounter cloned images with embedded malware intended for later exploitation. A list of container scanning utilities is given in the Extra section at the end of this article. Therefore, it is important and necessary to verify the integrity and provenance of every container image. In general, there is a signing mechanism for Docker containers.

Container signing with a certificate can be done using the Docker Content Trust (DCT) mechanism, which uses the Notary signing system. DCT allows you to sign images with private keys and then verify them with public keys. DCT can be enabled by setting the DOCKER_CONTENT_TRUST environment variable to 1. Then, when creating and pushing a Docker image, the system will prompt you to create a new key pair (if it has not already been created) and sign the image with your private key.

When receiving a Docker image, if this mechanism is enabled, Docker will verify the image signature using the corresponding public key. If the signature cannot be verified, the image will not be downloaded.

Please note that Docker Content Trust requires access to a Notary server, which can be public (for example, the Docker Hub Notary server), or you can deploy your own Notary server.

To verify the signature of a Docker image, you must enable Docker Content Trust (DCT). DCT automatically verifies the image signature when you run the docker pull, docker run, or docker create commands.

When Docker Content Trust (DCT) is enabled, any attempt to download an image that has not been signed will be rejected. An error message will be displayed indicating that the image is not signed.

To ensure the security of the image, it is recommended to use vulnerability scanning tools, such as Clair or Anchore.

It is important to remember that secrets, their structure, and their storage must be protected very carefully. In addition, we must understand the correct hierarchy of secret storage in the git provider, the cloud, the cluster, and the microservices, and, accordingly, control how they are transmitted in traffic.

In this article, I briefly mentioned monitoring. The point is that the end system or platform should have a single incident response center: the fewer separate alert panels there are, the higher the concentration and attention to potential threats or problems, and the better the understanding of how a problem relates to the reaction of the entire system. In the next article, we will talk in detail about monitoring, endpoints, and SIEM systems.

Extra:

Templates for GIT secrets in CI:

  • Git Secrets
  • TruffleHog
  • Gitleaks
  • Gitrob
  • Repo Supervisor
  • and more…

Templates for Docker scanning in CI:

  • Aqua Security
  • Twistlock
  • Clair
  • Anchore
  • Sysdig Secure
  • KubeScan
  • and more…

Write your opinions in the comments.
What do you think about this?

Best Regards,
Alex Lahutsin
