Implementing DevSecOps: Strategies for Integrating Security into the Development Pipeline

I am a young man from Jamaica trying to learn as much as I can in cyber security.
According to agilealliance.com, agile can be described as
"the ability to create and respond to change. It is a way of dealing with, and ultimately succeeding in, an uncertain and turbulent environment."
But that doesn't tell us much now, does it? To make a long story short, the goal is to develop a product quickly and in small increments; those small increments are what make it possible to succeed in a turbulent environment.
Why consider adding security?
The main draw of adding security to this process is discovering issues or potential vulnerabilities as soon as possible. From the ideation and architecture-planning phases onward, a security analyst embedded in the agile team should be able to take part in every stage of the development lifecycle, guiding the team and teaching the importance of security.
There is also a cost benefit: it is cheaper to address an issue early than to discover vulnerabilities when you are ready to release to the public and then have to go back and rework the product to resolve them.
Another benefit that is not discussed as often is the additional time an analyst has to perform testing. When a traditional penetration test is done on an application, a fixed amount of time is allotted, and it is often too short to let the analyst fully explore attack vectors or be creative in the assessment. In an agile setting, by contrast, the analyst has far more time to explore thoroughly and be creative.
How to secure your pipeline
Training
When pursuing security you must first consider training and awareness. No amount of tooling or process can fully mitigate the risk of human error, so it is important to teach your staff how to perform their roles securely. This can be achieved in various ways, including hiring a third party to deliver training or enrolling staff in courses and tracking their completion.
Automated Security Testing
It is recommended to include security scanning tools in your development pipeline that automatically scan the running application for vulnerabilities. Run routinely, these scans help lower your attack surface by identifying vulnerabilities with little or no human intervention, and the tools can be kept up to date so they detect newly published vulnerabilities.
Automated Code Scanning
In addition to dynamically scanning the running application, you can perform static analysis on the codebase itself to improve protection. As with dynamic scanning, this can be triggered on every change to the codebase to ensure full coverage.
Securing your infrastructure
While scanning your applications for vulnerabilities is a good step, it is just as important to scan your infrastructure. It provides many of the same benefits as automated security testing, at a different level of the pipeline.
It is also recommended to provision infrastructure resources (servers, databases, etc.) from templates that are already hardened. This minimizes the time it takes to provision resources while adding another layer of security controls.
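One way to turn the static-analysis and infrastructure-scanning results described above into an automatic pass/fail decision, as an added example that is not part of the original post: a small Python gate that reads a SARIF 2.1.0 report (the format many SAST and IaC scanners emit), fails on findings at or above a chosen severity, and lets triaged exceptions be recorded instead of silently ignored. The SAMPLE_SARIF document, its rule ids and file paths are constructed for this example, not output from any real scanner.

```python
"""Pipeline gate: fail the build when SARIF scanner findings reach a severity."""
import json
import sys

SEVERITY_ORDER = {"note": 0, "warning": 1, "error": 2}  # SARIF levels, ascending

def _result(rule, level, text, uri, line):
    """Build one SARIF result object (helper for the constructed sample only)."""
    return {"ruleId": rule, "level": level, "message": {"text": text},
            "locations": [{"physicalLocation": {"artifactLocation": {"uri": uri},
                                                 "region": {"startLine": line}}}]}

# Constructed sample report for this example; not output from a real scanner.
SAMPLE_SARIF = json.dumps({"version": "2.1.0", "runs": [{
    "tool": {"driver": {"name": "example-scanner"}},
    "results": [
        _result("sql-injection", "error", "Untrusted input reaches a SQL query", "app/db.py", 42),
        _result("hardcoded-secret", "warning", "Possible credential in source", "config/settings.py", 7),
        _result("unused-import", "note", "Import is never used", "app/util.py", 1),
    ]}]})

def findings(sarif_text):
    """Flatten SARIF runs into (rule_id, level, file, line) tuples."""
    out = []
    for run in json.loads(sarif_text).get("runs", []):
        for res in run.get("results", []):
            loc = (res.get("locations") or [{}])[0].get("physicalLocation", {})
            out.append((res.get("ruleId", "?"),
                        res.get("level", "warning"),  # SARIF's default level
                        loc.get("artifactLocation", {}).get("uri", "?"),
                        loc.get("region", {}).get("startLine", 0)))
    return out

def gate(sarif_text, fail_on="error", accepted=frozenset()):
    """Return (passed, blocking). A finding blocks when its level is at or above
    fail_on and its (rule_id, file) pair is not a triaged, accepted risk."""
    threshold = SEVERITY_ORDER[fail_on]
    blocking = [f for f in findings(sarif_text)
                if SEVERITY_ORDER.get(f[1], 1) >= threshold
                and (f[0], f[2]) not in accepted]
    return not blocking, blocking

if __name__ == "__main__":  # CI usage: python gate.py report.sarif [warning|error]
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SARIF
    passed, blocking = gate(text, sys.argv[2] if len(sys.argv) > 2 else "error")
    for rule, level, path, line in blocking:
        print(f"[{level}] {rule} at {path}:{line}")
    sys.exit(0 if passed else 1)  # non-zero exit fails the pipeline stage
```

Run after each scanner stage; the accepted set is where a team keeps reviewed exceptions under version control, so tightening fail_on to "warning" becomes a deliberate, reviewable policy change.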
Monitoring and Incident Response
Having your applications secured and hardened is wonderful, but you should never forget to ensure that monitoring and incident response processes are in place. No application or environment can ever be 100% secure; there will always be some vulnerability that a malicious actor with enough time and resources can exploit to cause damage to your organization.
Monitoring is essential for alerting you when malicious activity is detected, and it also provides an audit trail for tracing the activity of any user or intruder in your application.
While monitoring keeps a vigilant eye, incident response procedures tell your organization how to investigate and remediate these issues when they arise.