Adopting and implementing the Devsecops principles in your development process is becoming more and more important to produce secure applications. Unfortunately, by searching this subject on Google you can’t find a step-by-step process that explains this in detail. Therefore, here are the steps to successfully start a Devsecops:
Enhance security knowledge between developers
Check architecture security
Secure the committed source code
Dynamically test the built application
Check the production environment
Monitore the App and its environment
The list shown here might seems to be a little bit theoretical for now. However, in the next section of this blog post, I am going to explain what needs to be done and implemented in each of those steps to successfully make a secure development process.
Enhance security knowledge between developers
Before you ever think about including security in the DevOps environment you should first think about how you would manage the change. Managing the change of process and technologies is the most difficult part of the Devsecops or even the DevOps process. Therefore, making some meetings with your team members to discuss the pros and cons of this methodology is the first thing to start with.
Moreover, doing those meetings will help your team member feel they are part of the project of implementing the Devsecops process which will give you a better-tuned process.
Once you feel that the team is ready for making the changes, you will need to start educating them about the security problems of the app development. Those education sessions will help you identify the security champions in your team.
Security champions are developers who developed a good understanding of the security aspects and who will help others to solve security issues in their codes. In addition, the security champions can also work directly with security experts to discuss and solve security problems related to architecture and functionalities.
You can also automate this learning process by installing IDE plugins that detect security problems while writing code. Many critical vulnerabilities are pattern-based and can easily be avoided at the coding phase using those tools. Detecting those vulnerabilities at this stage will drastically reduce the vulnerability fixing cost.
You need to understand that this is the most important critical and important step in the whole process. The more your team is aware of those security issues the more they will avoid them will coding the more quality code will be produced. You can take as much time as needed in this first step to ensure that the change will not have any or at least less resistance from the team.
Check architecture security
The first thing you should implement in the DevSecOps process is the design security check phase. The most critical vulnerabilities that cause millions of dollars to companies to fix them are related to design issues. Making a change in the design of an application may in some cases cost even way more than developing the application from scratch.
Therefore, the first thing to do in the DevSecOps is to build a team of both security champions, application architectures, and security experts to check and make the design of the app as secure as possible. This team will try to analyze and discuss the application architecture from both aspects (client’s needs, and security requirements).
Unfortunately, as far as I know, there is no tool that can automate this phase at least for now. Therefore, the checks and the building of the application design should be performed manually.
Secure the committed source code
Once the source code is developed and committed to the central server, the process of the static security analysis needs to be launched.
The static analysis is the process of reading the application source code to identify the possible vulnerabilities. This process can be performed both manually and automatically. The best approach is to perform it in both manners. However, the DevOps approach was built on automating as many tasks as possible to accelerate the production of the new application version. The source code analysis is a very complex task and it usually takes too much time to finish when it is performed manually and even semi-manual.
Therefore, the best solution will depend on your context, if the nature of the application you are producing requires a high level of security and may take the needed time then use both automatic tool and manual checks. However, if the development speed is the most important then opt for automatic tools.
You should know that all scanning tools give a certain rate of false-positive results. Therefore, even if you choose to use automatic tools to scan the source code, a security expert or at least a security champion will be needed to manually evaluate the results and decide either they are false positive or not.
Unfortunately, the tools that perform static analysis of the source code are still too expensive. In addition, the free tools are still not adapted or hard to adapt to be used in a CI/CD environment. However, here is a list of some powerful tools that exist now in the market:
Unfortunately, some application vulnerabilities cannot be discovered at the source code level and code execution is the only solution. Therefore, once the source code is scanned and built, dynamic checks for the application need to be performed.
Dynamic checks include:
Application functionalities and business logic vulnerabilities
The dependencies vulnerabilities
The containers vulnerabilities
Application, system, and network configuration
The source of vulnerabilities for modern applications can be anything. Even if the source code developer has very good knowledge in cyber security a vulnerable library or plugin that he uses might be the source of that vulnerability. Moreover, the containers used in the build of the app can also be the source of very critical vulnerabilities.
Therefore, checking all those elements before pushing the app in the production environment should be done to avoid any possible breach.
The dynamic checks can also be performed either manually using a penetration test or automatically using the DAST tools.
You should know that also DAST tools have a false positive rate and may require security experts to verify. However, the rate level for the DAST tools is still very low compared to SAST tools (static analyzers)
Here is a list of tools that you can use in this phase:
Even if you check all the other components one by one if the production environment is vulnerable all the other aspects will become useless. You can imagine security as a chain that depends on each of its rings.
Therefore, performing a penetration test against both the server, the network, or even the cloud environment is very important to eradicate those vulnerabilities once the app is fully test and ready for deployment. Moreover, a security configuration check should also be performed to enhance the security of the application environment.
Monitoring the App and its environment
One of the most important tasks that should be performed once the app is fully deployed in the production environment is monitoring. Unfortunately, many people forget about this task, and those that perform it only do it for bug hunting.
Application monitoring or the environment monitoring task is very important to both avoid cyberattacks and to contain any possible future breaches.
I am a Cyber Security Expert, I have worked with many companies around the globe to secure their applications and their networks. I am certified OSCP and OSCE which are the most recognized and hard technical certifications in the industry of cybersecurity. I am also a Certifed Ethical hacker (CEH).
I hope you enjoy my articles :).
Performing a penetration test against your mobile application is becoming an important task for higher security. Unfortunately, performing a penetration test without following a well-defined methodology could waste time without ...
We use cookies on our website to give you the most relevant experience by remembering your preferences and repeat visits. By clicking “Accept”, you consent to the use of ALL the cookies.
This website uses cookies to improve your experience while you navigate through the website. Out of these, the cookies that are categorized as necessary are stored on your browser as they are essential for the working of basic functionalities of the website. We also use third-party cookies that help us analyze and understand how you use this website. These cookies will be stored in your browser only with your consent. You also have the option to opt-out of these cookies. But opting out of some of these cookies may affect your browsing experience.
Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.
Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.
Post comments (0)