The ultimate guide to starting Devsecops | step by step

blog + secure coding + DevSecOps Z. Oualid today

Background
share close

Adopting and implementing the Devsecops principles in your development process is becoming more and more important to produce secure applications. Unfortunately, by searching this subject on Google you can’t find a step-by-step process that explains this in detail. Therefore, here are the steps to successfully start a Devsecops:

  • Enhance security knowledge between developers
  • Check architecture security
  • Secure the committed source code
  • Dynamically test the built application
  • Check the production environment
  • Monitore the App and its environment

The list shown here might seems to be a little bit theoretical for now. However, in the next section of this blog post, I am going to explain what needs to be done and implemented in each of those steps to successfully make a secure development process.

This blog post suppose that you have already a working DEVOPS process in place that you want to secure.

Enhance security knowledge between developers

Before you ever think about including security in the DevOps environment you should first think about how you would manage the change. Managing the change of process and technologies is the most difficult part of the Devsecops or even the DevOps process. Therefore, making some meetings with your team members to discuss the pros and cons of this methodology is the first thing to start with.

Moreover, doing those meetings will help your team member feel they are part of the project of implementing the Devsecops process which will give you a better-tuned process.

Once you feel that the team is ready for making the changes, you will need to start educating them about the security problems of the app development. Those education sessions will help you identify the security champions in your team.

Security champions are developers who developed a good understanding of the security aspects and who will help others to solve security issues in their codes. In addition, the security champions can also work directly with security experts to discuss and solve security problems related to architecture and functionalities.

You can also automate this learning process by installing IDE plugins that detect security problems while writing code. Many critical vulnerabilities are pattern-based and can easily be avoided at the coding phase using those tools. Detecting those vulnerabilities at this stage will drastically reduce the vulnerability fixing cost.

You need to understand that this is the most important critical and important step in the whole process. The more your team is aware of those security issues the more they will avoid them will coding the more quality code will be produced. You can take as much time as needed in this first step to ensure that the change will not have any or at least less resistance from the team.

Check architecture security

The first thing you should implement in the DevSecOps process is the design security check phase. The most critical vulnerabilities that cause millions of dollars to companies to fix them are related to design issues. Making a change in the design of an application may in some cases cost even way more than developing the application from scratch.

Therefore, the first thing to do in the DevSecOps is to build a team of both security champions, application architectures, and security experts to check and make the design of the app as secure as possible. This team will try to analyze and discuss the application architecture from both aspects (client’s needs, and security requirements).

Unfortunately, as far as I know, there is no tool that can automate this phase at least for now. Therefore, the checks and the building of the application design should be performed manually.

Secure the committed source code

Once the source code is developed and committed to the central server, the process of the static security analysis needs to be launched.

The static analysis is the process of reading the application source code to identify the possible vulnerabilities. This process can be performed both manually and automatically. The best approach is to perform it in both manners. However, the DevOps approach was built on automating as many tasks as possible to accelerate the production of the new application version. The source code analysis is a very complex task and it usually takes too much time to finish when it is performed manually and even semi-manual.

Therefore, the best solution will depend on your context, if the nature of the application you are producing requires a high level of security and may take the needed time then use both automatic tool and manual checks. However, if the development speed is the most important then opt for automatic tools.

You should know that all scanning tools give a certain rate of false-positive results. Therefore, even if you choose to use automatic tools to scan the source code, a security expert or at least a security champion will be needed to manually evaluate the results and decide either they are false positive or not.

Unfortunately, the tools that perform static analysis of the source code are still too expensive. In addition, the free tools are still not adapted or hard to adapt to be used in a CI/CD environment. However, here is a list of some powerful tools that exist now in the market:

Dynamically test the built application

Unfortunately, some application vulnerabilities cannot be discovered at the source code level and code execution is the only solution. Therefore, once the source code is scanned and built, dynamic checks for the application need to be performed.

Dynamic checks include:

  • Application functionalities and business logic vulnerabilities
  • The dependencies vulnerabilities
  • The containers vulnerabilities
  • Application, system, and network configuration

The source of vulnerabilities for modern applications can be anything. Even if the source code developer has very good knowledge in cyber security a vulnerable library or plugin that he uses might be the source of that vulnerability. Moreover, the containers used in the build of the app can also be the source of very critical vulnerabilities.

Therefore, checking all those elements before pushing the app in the production environment should be done to avoid any possible breach.

The dynamic checks can also be performed either manually using a penetration test or automatically using the DAST tools.

Note:

I have already explained in a separate blog post what is the difference between DAST and penetration test for more details about this subject.

You should know that also DAST tools have a false positive rate and may require security experts to verify. However, the rate level for the DAST tools is still very low compared to SAST tools (static analyzers)

Here is a list of tools that you can use in this phase:

For application scan:

For dependencies verification:

For containers check here is a list of open-source tools:

Check the production environment

Even if you check all the other components one by one if the production environment is vulnerable all the other aspects will become useless. You can imagine security as a chain that depends on each of its rings.

Therefore, performing a penetration test against both the server, the network, or even the cloud environment is very important to eradicate those vulnerabilities once the app is fully test and ready for deployment. Moreover, a security configuration check should also be performed to enhance the security of the application environment.

Monitoring the App and its environment

One of the most important tasks that should be performed once the app is fully deployed in the production environment is monitoring. Unfortunately, many people forget about this task, and those that perform it only do it for bug hunting.

Application monitoring or the environment monitoring task is very important to both avoid cyberattacks and to contain any possible future breaches.

I have explained the importance of this point in many situations. For example when you want to use a vulnerable application that cannot be shut down or when you want to quickly detect and stop a DDOS attack and more.

Here is a list of some devsecops monitoring tools that you can use:

Written by: Z. Oualid

Rate it

About the author
Avatar

Z. Oualid

I am a Cyber Security Expert, I have worked with many companies around the globe to secure their applications and their networks. I am certified OSCP and OSCE which are the most recognized and hard technical certifications in the industry of cybersecurity. I am also a Certifed Ethical hacker (CEH). I hope you enjoy my articles :).


Previous post
selective focus photography of person holding turned on smartphone

today

close

blog Z. Oualid

Mobile app pentesting methodology

Performing a penetration test against your mobile application is becoming an important task for higher security. Unfortunately, performing a penetration test without following a well-defined methodology could waste time without ...

Post comments (0)

Leave a reply

Your email address will not be published. Required fields are marked *