We will discuss DevSecOps along with the exposure to and expertise in Cloud technologies that it requires.
We thank AWS for providing a lot of tools. However, in customer projects where many competing Cloud platforms are in play, it is important that we provide a DevSecOps pipeline architecture so that clients can plan and budget for it.
AWS beautifully explains many of the use cases, and we use their recommended DevSecOps landscape as shown. Thanks to AWS for this inline landscape.
Overview
Understanding DevSecOps and integrating it into the SDLC is very important.
Components of DevSecOps
Code Analysis
This is a very important part. I have worked with teams in various projects, and code analysis is accommodated in the SDLC timeline when we are working with financial companies. The time and effort need no justification in the finance world (banks, credit cards).
Change management
As part of DevSecOps we need change management tools to track, manage, and report on changes related to the project SDLC. CRs come from the Dev team, and we need to scan them to prevent inadvertent security vulnerabilities. We used JIRA and other company-developed tools which are private to the company. Teams have to work with code committers to scan for vulnerabilities.
We should provide a DevSecOps pipeline reference architecture on Cloud to cover DevSecOps practices, including SCA (Software Composition Analysis), SAST (Static Application Security Testing), DAST (Dynamic Application Security Testing), and aggregation of vulnerability findings.
Compliance management
The project software has the goal of complying with regulatory requirements. We can use AWS CloudHSM to help meet security, privacy, and anti-tamper regulations such as HIPAA, FedRAMP, and PCI.
Threat modeling
We have to find any security issues that might arise before and after deploying the application, then fix any known issues and release an updated version of the application (DevOps and Dev teams).
Security training
The company should provide training to developers and operations teams on the latest security guidelines. This way, the development and operations teams can make independent security decisions when building and deploying the application. We provide content to the Training Department that addresses these concerns: CSRF, forgery, SQL injection, insecure APIs, unpatched software, weakened OS, stolen credentials, access control, unauthorized access, runtime threats, vulnerability management, CSRF attacks, XSS, JavaScript fetches, XSRF.
We are responsible for a DevSecOps pipeline reference architecture on AWS that covers the aforementioned practices, including SCA (Software Composition Analysis), SAST (Static Application Security Testing), DAST (Dynamic Application Security Testing), and aggregation of vulnerability findings into a single pane of glass. We have done this in projects and certifications inside financial companies.
DevSecOps tools
Static application security testing (SAST)
SAST tools analyze and find vulnerabilities in proprietary source code.
SAST requires code access; I requested and was granted it. Vulnerabilities in the code can bring your Cloud cluster to its knees and bleed in production.
Some of them are listed below:
- SpectraOps
- Veracode
- JIT
- Reshift
- Klocwork
- Checkmarx
Software composition analysis
I have worked on most of these projects, and they have a huge amount of OSS to which Dev teams have no visibility, so the onus falls on DevSecOps. This needs to be automated as OSS (open source security).
Some tools:
- Spectral
- Snyk
- Jit OSVScan
- BlackDuck (worked with this, but others are good too)
- Cast
Interactive application security testing (IAST) tools
IAST tools are application security tools designed and developed for both web and mobile applications, detecting and reporting issues while the application is running.
Dynamic application security testing
We need to mimic hackers by testing the application's security from outside the network. In banks and FIs we need to learn this. It varies based on the framework. We were using a lot of Spring-based server-side web applications, which form the face of online banking, coupled with the fact that Struts and Spring web-based applications focused on functionality. With the teams, we developed in-house tools to address them.
For projects on AWS Cloud, we recommended as a first step:
- Amazon Inspector
- AWS Secrets Manager
and made a cultural shift to add them. Since the projects were on premises, the dev teams had no idea of, appetite for, or understanding of vulnerabilities on Cloud.
For Cloud security and network detection a lot of tools are available; we used Falcon, and others are also promising. We had our Business Platform (backend-to-backend with us) where partners and customers connect to our system on Cloud, including APIs and searches on our clusters.
I worked with GCP a lot and you can explore the tools there. I have written more on AWS, but it applies to other Cloud platforms.
For AWS, though not everyone uses all of them depending on your infrastructure, you can use:
- AWS Lambda
- AWS CodeBuild
- AWS CodePipeline
- AWS SNS
- AWS Systems Manager Parameter Store
I ended up using most of them, but we had CI/CD pipelines with Jenkins and we used scripts, Terraform, Ansible, Ansible playbooks etc. for solutions.
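As an added example (not from the AWS landscape or any project mentioned here), this Python sketch shows the aggregation step of the reference architecture described above and the kind of logic a Lambda in the CodePipeline listed here would run: it normalises constructed SAST, SCA and DAST reports into one finding list, deduplicates them, and gates the stage on severity. The report schemas, scanner names and VULN-PLACEHOLDER ids are all assumptions.

```python
from collections import Counter

SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1, "info": 0}
# Constructed sample reports; each scanner class uses its own schema (assumed shapes).
SAST_REPORT = {"tool": "sast-scanner", "results": [
    {"rule": "sql-injection", "severity": "HIGH", "file": "dao/Account.java", "line": 42},
    {"rule": "xss-reflected", "severity": "medium", "file": "web/Login.java", "line": 17}]}
SCA_REPORT = {"tool": "sca-scanner", "vulnerabilities": [
    {"id": "VULN-PLACEHOLDER-1", "severity": "critical", "package": "log-lib", "version": "1.2.0"},
    {"id": "VULN-PLACEHOLDER-2", "severity": "low", "package": "json-lib", "version": "3.1.4"}]}
DAST_REPORT = {"tool": "dast-scanner", "alerts": [
    {"name": "Missing CSRF token", "risk": "Medium", "url": "https://app.example.test/transfer"}]}


def normalise(report):
    """Map one scanner's own schema onto a common finding record."""
    tool, out = report["tool"], []
    for r in report.get("results", []):            # SAST: rule + file:line
        out.append({"tool": tool, "severity": r["severity"].lower(),
                    "title": r["rule"], "location": f'{r["file"]}:{r["line"]}'})
    for v in report.get("vulnerabilities", []):    # SCA: advisory id + package@version
        out.append({"tool": tool, "severity": v["severity"].lower(),
                    "title": v["id"], "location": f'{v["package"]}@{v["version"]}'})
    for a in report.get("alerts", []):             # DAST: alert name + URL
        out.append({"tool": tool, "severity": a["risk"].lower(),
                    "title": a["name"], "location": a["url"]})
    return out


def aggregate(reports):
    """Single-pane view: all findings, deduplicated on (title, location)."""
    seen, merged = set(), []
    for rep in reports:
        for f in normalise(rep):
            key = (f["title"], f["location"])
            if key not in seen:
                seen.add(key)
                merged.append(f)
    return merged


def severity_counts(findings):
    """Per-severity totals for the dashboard summary."""
    return Counter(f["severity"] for f in findings)


def gate(findings, fail_at="high"):
    """Fail the stage when any finding is at or above the fail_at severity."""
    threshold = SEVERITY_RANK[fail_at]
    blocking = [f for f in findings if SEVERITY_RANK.get(f["severity"], 0) >= threshold]
    return len(blocking) == 0, blocking
```

In a pipeline the gate result decides whether the deploy stage runs, and the blocking list is what the SNS notification or dashboard shows.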