Introduction to DevSecOps

Sharukksp, published in SecureLink. Nov 1, 2020 (6 min read)

DevSecOps is a term that's trending now: it means including application/product security in the DevOps life cycle. In this blog, I will introduce the DevOps life cycle, the tools used in each of its phases, the advantages of implementing DevSecOps and some of the security tools commonly used in DevSecOps.

Before talking about DevSecOps, we need to talk about DevOps and its phases. Traditional waterfall-based models of software development had their own pitfalls, which models like Agile and Rapid tried to solve; however, the siloed operation of teams remained a challenge.

DevOps combines the Development and Operations teams. Its main aim is to shorten the SDLC and deliver the product on time, robustly and without delay. DevOps was a natural progression from the Agile framework, where development and testing activities are done simultaneously with continuous integration and continuous deployment.

SecureLink DevSecOps Roadshow

There are different phases of DevOps, and different tools are used in each phase. The main goal of the tools is to shorten and automate the various stages of software delivery. Below are the phases and some sample tools used in each.

  • Plan — This phase is for planning, capturing & defining the business requirements.

— — — — — — — Continuous Integration — — — — — — — —

  • Code — The software/application code is written in this phase as per the requirements. Bitbucket, GitLab, GitHub, Mercurial and Ant are some sample repositories and tools used.
  • Build — The software/application is built by compiling the code. This is where error checking is done to ensure the code is free of errors before being integrated into the centralized shared repository. Maven, Gradle, Docker and Puppet are some sample tools used.
  • Test — The software/application is tested using manual and automated tools; continuous testing, security, performance and load testing are done in this phase to ensure good quality. Selenium, JUnit, Codeception, ShiftLeft Scan and Checkmarx are sample tools used.

— — — — — — — Continuous Deployment — — — — — — — —

  • Release & Deploy — In this phase the software/application is prepared for release in line with release management practices and deployed into an environment for usage. Kubernetes, OpenShift, OpenStack, Chef and Jira are some sample tools used.
  • Operate — The software is now in use and in operation. Users are able to use the software with the latest features deployed.
  • Monitor — Monitoring is done in this phase to identify and collect information about issues and errors in a software/application that is in production. Splunk, Wireshark, Datadog, Grafana and New Relic are some sample tools used.

All these phases run continuously throughout the lifespan of the software/application. Jenkins is an automation server that is utilized across the whole pipeline.

Development and Operations teams work simultaneously in DevOps, while in DevSecOps the Development, Operations and Security teams work simultaneously and continuously throughout the phases to ensure the application is delivered securely. The main aim of DevSecOps is to close the gaps between the Development, Operations and Security teams and ensure the safe delivery of the product.

Why do we need DevSecOps, and what are the advantages of implementing it?

Developers gain the ability to identify and correct bugs and vulnerabilities in the early stages. By implementing DevSecOps in an organization, continuous integration, continuous deployment and continuous testing are done in each phase, so a high-quality product is delivered. Developers are aware of vulnerabilities and can write or modify code with security in mind, reducing the cost of mitigating vulnerabilities later in the pipeline.

While incorporating security into DevOps, the following main factors (highlighted in quotes) need to be considered in all phases of the DevSecOps lifecycle.

  • Plan — In this phase “Threat modeling” is the primary factor to be considered, to identify where potential threats can emerge across the lifecycle.
  • Code — By treating “Secure Coding” and “Security as Code” as important factors, security is covered in the early phases of development. Developers take care of security while developing the application.
  • Build — In this phase “Static Application Security Testing (SAST)” is done using SAST tools that examine the source code to identify and mitigate security vulnerabilities.
  • Test — Some business-logic vulnerabilities are missed by SAST; such vulnerabilities are covered by performing “Dynamic Application Security Testing (DAST) & Pen-testing” using a different set of DAST and pentest tools.
  • Deploy — While deploying an application into the cloud it is very important to check how securely it is configured, so “Security Configuration” and “Secure Transfer into Cloud” are important factors. If the application is not securely configured, it may create backdoors for attackers.
  • Operate — “Security patching” activities are done to remove the weaknesses behind vulnerabilities, and the application is also checked to run smoothly to ensure patching was done precisely.
  • Monitor — “Security Analysis”, “Security Monitoring” and “Security Audit” are done using automated tools and AI/ML tools (behaviour analysis tools) to ensure that no malicious activity is carried out in the production environment. It is very important to analyze and monitor the application continuously; a separate dedicated team (the Security Operations Center) performs these activities.
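As an added illustration of how the Build and Test phases above can turn SAST and DAST output into a pipeline decision, here is a small security gate (example code written for this page, not from any tool named here). The finding format, severities and the ticket reference are constructed assumptions; real scanners emit their own report formats.

```python
from collections import Counter

# Severity ordering used by the gate (constructed for this example).
SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1, "info": 0}

# Sample scanner output, constructed for this example in a simplified
# format; real SAST/DAST tools emit their own report formats (e.g. SARIF).
SAMPLE_FINDINGS = [
    {"id": "SAST-001", "severity": "high", "phase": "build",
     "title": "SQL query built by string concatenation"},
    {"id": "SAST-002", "severity": "medium", "phase": "build",
     "title": "Weak hash algorithm (MD5) used for checksum"},
    {"id": "DAST-003", "severity": "critical", "phase": "test",
     "title": "Reflected XSS in /search",
     "suppressed_reason": "Verified false positive (hypothetical ticket SEC-42)"},
    {"id": "DAST-004", "severity": "low", "phase": "test",
     "title": "Missing X-Content-Type-Options header"},
    {"id": "SAST-005", "severity": "Unknown", "phase": "build",
     "title": "Scanner could not classify this rule"},
]

def evaluate_gate(findings, blocking="high", medium_budget=5):
    """Return (passed, blocking_ids, summary).

    A finding blocks the build when its severity is at or above `blocking`
    and it carries no documented suppression; unknown severities block too
    (fail closed); mediums are tolerated up to `medium_budget`.
    """
    threshold = SEVERITY_RANK[blocking]
    blocking_ids, summary = [], Counter()
    for f in findings:
        if f.get("suppressed_reason"):
            summary["suppressed"] += 1      # accepted risk, must be documented
            continue
        sev = f["severity"].lower()
        if sev not in SEVERITY_RANK:
            summary["unknown"] += 1         # fail closed on unclassified findings
            blocking_ids.append(f["id"])
            continue
        summary[sev] += 1
        if SEVERITY_RANK[sev] >= threshold:
            blocking_ids.append(f["id"])
    passed = not blocking_ids and summary["medium"] <= medium_budget
    return passed, blocking_ids, summary

if __name__ == "__main__":
    passed, ids, summary = evaluate_gate(SAMPLE_FINDINGS)
    print("gate:", "PASS" if passed else "FAIL", "blocking:", ids, dict(summary))
```

In a Jenkins or GitLab pipeline this script would run right after the scanner step, and a non-zero exit on FAIL stops the release while the summary stays visible to the Security team.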

Some of the main DevSecOps tools used are Checkmarx, SonarQube, Acunetix, GitLab, ThreatModeler, Immunio, Chef, CA Veracode and ShiftLeft.

Checkmarx:

It is a secure code analysis tool for finding vulnerabilities in source code. It is easy to integrate with CI/CD tools like Jenkins and can be extended to support all types of testing frameworks.

SonarQube:

It is an open-source tool for performing static code analysis to identify security vulnerabilities, duplicated code and unit test results, and to run automatic reviews across 23+ programming languages. Many DevOps tools have a built-in SonarQube integration.

Acunetix:

Acunetix is an automated web application scanner for identifying different types of application-level vulnerabilities such as XSS, SQL injection, XXE, etc.

Immunio:

Immunio is a Runtime Application Self-Protection (RASP) technology that injects an agent into the application, tries to exploit vulnerabilities and provides a report. It can protect and monitor the application at runtime and provide a detailed report of how the exploit can happen and what its source and injection point are.

CA Veracode:

Veracode covers all the required features for Developers and Security teams. It is capable of performing Static Analysis, Dynamic Analysis Security Testing, Software Composition Analysis and Web Application Scanning.

ShiftLeft:

ShiftLeft is a next-generation static analysis tool that identifies cloud-centric vulnerabilities such as insider threats, hard-coded sensitive information, business-logic flaws, etc. It reduces the attack surface and is helpful for developers and security professionals.

Chef:

Chef is a configuration management tool used to maintain configurations and policies in a DevSecOps environment. It is mainly known as an IaC (Infrastructure as Code) tool.

People

People are one of the biggest components of your CI/CD. DevOps/DevSecOps is about culture, practices and tools, and these are implemented by your people. For those interested in a career in DevOps, some sample topics are listed below.

DevOps Engineer

Core

  • Fundamentals of Secure Development
  • Fundamentals of Secure Architecture
  • Fundamentals of Secure DevOps
  • Securing the COTS Supply Chain

Intermediate

  • Securing Network Access
  • Securing Operating System Access
  • Securing Cloud Instances
  • DevSecOps in the AWS Cloud
  • DevSecOps in the Azure Cloud
  • Securing the Open Source Software Supply Chain
  • Automating Secure Configuration Management

Advanced

  • Essential Security Engineering Principles
  • Essential Data Protection
  • Essential Application Protection
  • Securing API Gateways in a DevSecOps Framework
  • Automating CI/CD Pipeline Compliance
  • Automating Security Updates
  • Identifying Threats to Containers in a DevSecOps Framework

Conclusion:

Many organizations will use different kinds of DevSecOps tools according to budget and availability. Implementing DevSecOps helps the organization improve the robustness, efficiency, performance and security of the product. Gathering continuous feedback from customers, improving the product and shipping new releases also becomes easier. All teams in DevSecOps need good communication, coordination and time management to deliver the product on time with fewer security gaps. The most important thing to remember is that DevSecOps is more about culture, automation and practices than a one-off solution.
