By Gologic with the collaboration of Alexandre Couëdelo.
DevSecOps is a process of applying security best practices to the code and infrastructure as it goes through your development environment and deployment process/pipeline.
We often talk about shift-left security to describe this approach, because most of the security validation is added early in the process (on the left side of the DevOps loop).
Many tools are available to improve security at different stages of your software delivery pipeline. The issue is that so many tools compete for your attention that it is hard to know where to start.
This article aims to help you get started with a short list of security tools to look at. The goal is not to provide an exhaustive list, but to point toward tools that can help you cover a wide range of vulnerabilities.
DevSecOps and shift-left security
Remember our DevOps infinite loop? Its leftmost steps, plan, code, build and test, are where security best practices are most needed. Why risk releasing and deploying a vulnerable application to production when you can add a gate in your DevOps pipeline that catches known threats?
Let's look at each step in turn.
Plan: Compliance and threat models
During the planning phase, there are two essential security activities: defining the scope of your compliance obligations and building a threat model.
However, those are often forgotten and left aside, because development teams are not familiar with activities that are usually reserved for security teams. A threat model is essentially a diagram of the solution that identifies potential threats and how each one is mitigated.
Here is a short list of tools to create your threat models:
- OWASP Threat Dragon: an open-source threat modeling platform.
- PlantUML: my all-time favorite diagram as code tool.
Code: Static Application Security Testing (SAST)
To protect your application, it is essential to check that your code follows security best practices using source code analysis tools, also known as Static Application Security Testing (SAST) tools. Typically, these tools scan for a list of known vulnerability patterns without running the program, looking at your code's dependencies and logic, such as input validation and protection against code injection.
It is best to use those tools while coding, so that you get feedback before your CI/CD pipeline kicks in. Either look for an integration with your IDE or create git hooks that validate the code before it is pushed.
Here is a list of tools you may want to explore:
- SonarQube & OWASP dependency-check: perhaps the most popular tools at the moment.
- Codecov: a growing contender to SonarQube in the open-source community.
Build: Image Scanning
Start by scanning the code regularly with your selected tools in your CI pipeline, in case a vulnerability slipped into your code base. The code is not the only element at risk.
Code runs on an operating system that can also be vulnerable, and most modern applications are packaged as containers. It is important to scan your container images for security flaws in your CI pipeline, before they are deployed.
Here is a list of tools for image scanning:
- Clair
- Anchore-engine
- Trivy
- Container-scanning
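As an added example that is not from the article or from any of the tools listed above, here is a small Python gate that a CI job could run over a scanner's JSON report to fail the build on HIGH or CRITICAL findings, optionally ignoring findings that have no fixed version yet. The report layout is assumed to follow Trivy's JSON output, and the embedded sample report and its CVE ids are constructed placeholders.

```python
"""Severity gate for a container-image scan report, run as a CI pipeline step."""
import json
import sys
BLOCKING_SEVERITIES = frozenset({"CRITICAL", "HIGH"})  # block the pipeline on these
# Constructed sample report. Its layout ("Results" entries carrying a
# "Vulnerabilities" list with "Severity" and "FixedVersion") is assumed to
# mirror Trivy's JSON output; the CVE ids are placeholders, not real ones.
SAMPLE_REPORT = {
    "Results": [
        {"Target": "app:1.0 (debian)", "Vulnerabilities": [
            {"VulnerabilityID": "CVE-0000-00001", "PkgName": "libfoo",
             "FixedVersion": "1.3", "Severity": "HIGH"},
            {"VulnerabilityID": "CVE-0000-00002", "PkgName": "libbar",
             "FixedVersion": "", "Severity": "CRITICAL"},   # no fix released
            {"VulnerabilityID": "CVE-0000-00003", "PkgName": "libbaz",
             "FixedVersion": "1.0", "Severity": "LOW"},
        ]},
        # Scanners emit null rather than [] for targets with no findings.
        {"Target": "app/requirements.txt", "Vulnerabilities": None},
    ]
}
SAMPLE_REPORT_JSON = json.dumps(SAMPLE_REPORT)

def blocking_findings(report, severities=BLOCKING_SEVERITIES, ignore_unfixed=False):
    """Return (target, id, package, severity) tuples that should fail the build.
    ignore_unfixed=True skips findings with no FixedVersion, so the gate only
    blocks on vulnerabilities the team can act on by upgrading a package."""
    findings = []
    for result in report.get("Results") or []:
        for vuln in result.get("Vulnerabilities") or []:   # tolerate null lists
            if vuln.get("Severity", "UNKNOWN").upper() not in severities:
                continue
            if ignore_unfixed and not vuln.get("FixedVersion"):
                continue
            findings.append((result.get("Target", "?"), vuln["VulnerabilityID"],
                             vuln.get("PkgName", "?"), vuln["Severity"]))
    return findings

def gate(report_json, ignore_unfixed=False):
    """Parse a JSON report and return the CI exit code: 0 to pass, 1 to block."""
    findings = blocking_findings(json.loads(report_json), ignore_unfixed=ignore_unfixed)
    for target, vuln_id, pkg, severity in findings:
        print(f"{severity}: {vuln_id} in {pkg} ({target})")
    return 1 if findings else 0

if __name__ == "__main__":
    # In CI, pipe the scanner's JSON report to stdin; otherwise the sample is used.
    data = "" if sys.stdin.isatty() else sys.stdin.read()
    sys.exit(gate(data or SAMPLE_REPORT_JSON, ignore_unfixed="--ignore-unfixed" in sys.argv))
```

A non-zero exit code is what makes the CI stage fail, so wire this step right after the image scan and before the push to your registry.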
Test: Dynamic Application Security Testing (DAST)
DAST tools evaluate the security vulnerabilities of your application at runtime, testing the software as if a user were interacting with it. The objective is to identify common and high-severity vulnerabilities by observing the code as it executes.
It is important to couple DAST with automated testing and event-led testing to generate as much insight as possible before sending your software to production.
Here is a list of DAST tools:
- OWASP ZAP
- Contrast
- Aqua security’s DTA
How does strengthening security in processes work?
The biggest change with DevSecOps is the idea of bringing security in as early as possible in the process. As a result, the stages on the left side of our DevOps loop gain tools to catch as many vulnerabilities as possible and deploy a more secure application.
What about the right side, you may ask? Well, security decisions and best practices have always been centered on the Operations side, so a lot of effort is already made there. That is not really new, nor necessarily linked to DevSecOps.
Once again, the key idea in DevSecOps is shift-left security: we want to bring security awareness to Devs, along with the security tools to keep the application secure.
Ops, on the other hand, have to maintain security standards that keep all platform components secure, including IaaS, PaaS, and SaaS.
If you would like to know more about the DevOps services offered by Gologic, do not hesitate to contact us. Our company also offers a DevOps health check so that you can focus on your priority challenges.