What security practices does DevSecOps integrate into the DevOps pipeline?

What security practices does DevSecOps integrate into the DevOps pipeline?

Autopublished from RSS Original article

DevSecOps integrates security practices into the DevOps pipeline at each stage:

Plan Phase

In the plan phase, DevSecOps teams perform:

  • Security analysis to identify risks and threats
  • Security planning to outline how and when security testing will occur
  • Threat modeling to identify potential vulnerabilities

Tools like IriusRisk can help with the planning process.

Build Phase

During the build phase, DevSecOps performs:

  • Component analysis to check for vulnerabilities in dependencies
  • Static application security testing (SAST) to analyze code for flaws
  • Dependency checking tools like Snyk to identify vulnerabilities in dependencies

Code Phase

In the code phase, DevSecOps focuses on:

  • Static code analysis to find bugs and vulnerabilities
  • Code reviews to improve code quality from a security standpoint
  • Pre-commit hooks to automatically run security tests on new code

Tools like Gerrit and Phabricator integrate with the development workflow.

Test Phase

Testing includes:

  • Dynamic application security testing (DAST) to analyze running applications
  • Fuzz testing to identify edge case issues
  • Penetration testing to find exploits

Tools like ZAP, Arachni, and AppScan are used for security testing.

Release Phase

The release phase focuses on:

  • Principle of least privilege to restrict access
  • Configuration management to audit and lock down infrastructure
  • Hardening guides from NIST, CIS Benchmarks, etc.

Runtime

At runtime, DevSecOps uses:

  • Runtime application self-protection (RASP) tools to block attacks
  • Penetration testing and bug bounty programs
  • Security monitoring and analytics

In summary, DevSecOps takes a holistic approach by integrating security practices and tools into every stage of the development pipeline from planning to runtime. This helps build more secure systems from the ground up.

Sources

  1. https://medium.com/cloud-native-daily/exploring-devsecops-practices-integrating-security-into-the-development-lifecycle-fff90ce04f2b
  2. https://www.atlassian.com/devops/devops-tools/devsecops-tools
  3. https://learn.microsoft.com/en-us/devops/operate/security-in-devops

Did you find this article valuable?

Support Abhay Singh by becoming a sponsor. Any amount is appreciated!