Build a secure development and production pipeline
Main Line
What Is DevSecOps?
DevSecOps is a proactive approach to securing CI/CD pipelines that integrates security practices into all phases of the software development and operations process to help organizations develop trusted applications. By introducing security measures and processes early in the SDLC, DevSecOps aims to reduce security incidents in production.
Your CI/CD pipelines can be protected with security best practices incorporated into the development and deployment processes. The most effective ways to improve an organization's security posture are through threat modeling, secure development practices, continuous security testing, a secure infrastructure, secure deployment techniques, and collaboration.
As part of the DevSecOps pipeline, development teams collaborate with security and operations teams to define security requirements, build threat models, and implement secure architectures. For threat modeling, you can use the Open Web Application Security Project (OWASP) threat modeling tool Threat Dragon [1].
DevSecOps Principles
The key DevSecOps principles are: (1) shift security to the left, which means that security activities and testing start at the beginning of the SDLC rather than just before release; (2) patch promptly, applying updates to your tools, platforms, and dependencies as soon as they are available, so that attackers cannot exploit known vulnerabilities in the components underlying your applications; (3) automate wherever possible to reduce manual steps and human error in continuous integration, acceptance testing, identity and access management, and similar tasks; and (4) keep pace with evolving tools and technologies, and give your team the training it needs to use them and to learn secure coding practices and threat modeling.
DevSecOps Pipeline Stages
The DevSecOps pipeline (Figure 1) integrates security best practices into every stage of the SDLC. The software development team works with the security and operations teams to identify potential security risks and plan security measures. These security measures include defining the security objectives, building the threat models, and determining compliance requirements.
In the code phase, developers adhere to secure coding best practices, follow security-focused design patterns, and incorporate security libraries and frameworks. You can leverage code reviews and pair programming to help you identify security issues in the early stages of the SDLC. Listing 1 shows one such practice: user-supplied values are passed to Entity Framework Core as SQL parameters rather than concatenated into the query text, so the input is treated as data and can never alter the statement, which is what makes the code safe from SQL injection attacks.
Listing 1
Preventing SQL Injection Attacks
// Listing 1 (EF Core): the author name is bound as a SQL parameter, so the
// value travels to SQL Server as data and cannot change the statement itself.
// Namespaces: Microsoft.EntityFrameworkCore for FromSql, and
// System.Data.SqlClient (or Microsoft.Data.SqlClient) for SqlParameter.
// FromSql(FormattableString) exists in EF Core 2.x and 7+; EF Core 3 to 6
// call the same method FromSqlInterpolated.
var author = new SqlParameter("author", "joydip");
var blogs = context.Blogs
    .FromSql($"EXECUTE dbo.GetBooksForAuthor {author}")
    .ToList();
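The distinction Listing 1 relies on, worked as an added example rather than code from the article: the vulnerable string-built query beside its parameterized form, in Python with the standard library's sqlite3 module standing in for EF Core and SQL Server. The table, its rows, and the attacker input are constructed here for illustration.

```python
"""SQL injection: a string-built query beside its parameterized form.

Added example, not the article's code. sqlite3 stands in for the EF Core /
SQL Server stack of Listing 1; the table, rows and attacker input are
constructed for illustration.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory database: two public books and one draft."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE books (title TEXT, author TEXT, unpublished INTEGER);
        INSERT INTO books VALUES ('Linux Basics', 'joydip', 0);
        INSERT INTO books VALUES ('Kernel Internals', 'joydip', 0);
        INSERT INTO books VALUES ('Secret Draft', 'editor', 1);
        """
    )
    return conn


def books_for_author_vulnerable(conn, author: str) -> list[str]:
    """Builds the statement by concatenation: whatever the caller supplies
    becomes part of the SQL grammar, not just a value."""
    sql = ("SELECT title FROM books WHERE author = '" + author
           + "' AND unpublished = 0")
    return sorted(row[0] for row in conn.execute(sql))


def books_for_author_safe(conn, author: str) -> list[str]:
    """Binds the value as a parameter, the sqlite3 counterpart of the
    SqlParameter in Listing 1: the driver sends it as data, never as SQL."""
    sql = "SELECT title FROM books WHERE author = ? AND unpublished = 0"
    return sorted(row[0] for row in conn.execute(sql, (author,)))


# Constructed attacker input: closes the string literal, adds an always-true
# condition, and comments out the rest of the WHERE clause, so the
# "unpublished = 0" filter disappears in the vulnerable version.
INJECTION = "x' OR 1=1 --"


def demo() -> dict:
    """Run both variants with an honest author name and with the payload."""
    conn = make_db()
    return {
        "honest_vulnerable": books_for_author_vulnerable(conn, "joydip"),
        "attack_vulnerable": books_for_author_vulnerable(conn, INJECTION),
        "honest_safe": books_for_author_safe(conn, "joydip"),
        "attack_safe": books_for_author_safe(conn, INJECTION),
    }


if __name__ == "__main__":
    for name, titles in demo().items():
        print(f"{name}: {titles}")
```

With the payload, the concatenated query returns every row including the unpublished draft; the parameterized query looks for an author literally named `x' OR 1=1 --`, finds nothing, and returns an empty list. The payload is the same in both cases; only the way it reaches the database differs.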
During continuous integration, developers submit changes to a shared repository. Code changes are pushed into a version control system, triggering an automated continuous integration process. At this stage you can leverage security-focused static code analysis tools to identify insecure coding practices, hard-coded credentials, and known vulnerability patterns in the codebase. The code is compiled and unit tests are executed in the same run, and a failed security check or test can block the change from being merged, so problems surface while they are still cheap to fix.
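A minimal version of the static check described above, written as an added example; it is not the article's code and not a real scanner. Pattern rules for hard-coded credentials, key-shaped literals, embedded private keys, and string-built SQL run over a constructed source file, and a non-zero exit status fails the CI job. The rule set, the sample source, and the key-shaped literal are all constructed here; a real pipeline would run a maintained SAST tool, but the mechanics are the same.

```python
"""Minimal SAST-style check for hard-coded credentials and unsafe calls.

Added example, not the article's code or any real scanner. Rules and the
scanned source are constructed; a real pipeline runs a maintained tool,
but the mechanics (pattern rules, findings with line numbers, a non-zero
exit status that fails the CI job) are the same.
"""
import re
import sys
from dataclasses import dataclass

# Each rule: identifier, compiled regex, human-readable message.
RULES = [
    ("HARDCODED_SECRET",
     # a credential-like name assigned a non-trivial string literal;
     # lookups such as os.environ[...] and empty placeholders do not match
     re.compile(r"""(?i)\b(password|passwd|secret|api[_-]?key|token)\s*=\s*["'][^"']{4,}["']"""),
     "credential assigned as a string literal"),
    ("AWS_ACCESS_KEY",
     re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
     "string shaped like an AWS access key ID"),
    ("PRIVATE_KEY_BLOCK",
     re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
     "embedded private key material"),
    ("SQL_STRING_CONCAT",
     # a quoted SQL statement immediately followed by "+": built by concatenation
     re.compile(r"""(?i)(["'])(?:select|insert|update|delete)\b.*?\1\s*\+"""),
     "SQL statement built by string concatenation"),
]


@dataclass(frozen=True)
class Finding:
    path: str
    line: int
    rule: str
    message: str
    snippet: str


def scan_source(path: str, text: str) -> list[Finding]:
    """Apply every rule to every line; one finding per (line, rule) pair."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for rule_id, pattern, message in RULES:
            if pattern.search(line):
                findings.append(Finding(path, lineno, rule_id, message, line.strip()))
    return findings


def gate(findings: list[Finding]) -> int:
    """Report findings and return the CI exit status: 0 passes, 1 fails."""
    for f in findings:
        print(f"{f.path}:{f.line}: [{f.rule}] {f.message}: {f.snippet}")
    return 1 if findings else 0


# Constructed source file standing in for a developer's commit.
# Lines 2, 3 and 7 are the safe forms and must not be reported.
SAMPLE_SOURCE = '''\
import os
DB_PASSWORD = os.environ["DB_PASSWORD"]          # read from the environment: fine
password = ""                                    # empty placeholder: fine
API_KEY = "sk-live-9f8e7d6c5b4a"                 # hard-coded credential (made up)
aws_key = "AKIAEXAMPLEEXAMPLE12"                 # key-shaped literal (made up)
sql = "SELECT * FROM users WHERE name = '" + name + "'"   # injectable
cur.execute("SELECT * FROM users WHERE name = ?", (name,)) # parameterized: fine
'''

if __name__ == "__main__":
    sys.exit(gate(scan_source("app/config.py", SAMPLE_SOURCE)))
```

The two "fine" lines are the part worth noticing: a rule that flagged every occurrence of the word `password` would also flag the environment lookup, and developers quickly learn to ignore a check that cries wolf. Tuning for precision is as much part of the CI stage as the scan itself.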
An essential part of the DevSecOps pipeline is security testing. By integrating security testing into the CI/CD pipeline, developers get faster feedback and identify security vulnerabilities sooner. Listing 2 shows a simple JUnit test method that validates that an item has been added to a cart; functional tests like this run in the same automated stage as the security checks, so a regression in either fails the build.
Listing 2
Creating a JUnit Test
// Listing 2 (JUnit 4), inside a test class for Cart.
import static org.junit.Assert.assertEquals;
import static org.junit.Assert.assertTrue;
import org.junit.Test;

@Test
public void testAddItem() {
    Cart cart = new Cart();
    Item item = new Item();
    item.setItemCode("0001");
    cart.addItem(item);
    boolean result = cart.containsItemCode("0001");
    assertTrue("Add an item", result);
    // JUnit 4 argument order is (message, expected, actual).
    assertEquals("1 item has been added", 1, cart.getItemCount());
}
Security testing comes in several forms: static application security testing (SAST), which analyzes source or compiled code without running it, to identify coding errors, security flaws, and unsafe coding practices early in development; dynamic application security testing (DAST), which probes a running, deployed instance of the application, usually in a staging environment rather than production, for flaws such as insecure configurations, injection, and cross-site scripting (XSS); software composition analysis (SCA), which checks your application's dependencies, the external libraries and components it pulls in, against databases of known vulnerabilities; and automated penetration testing (pen testing), which emulates real-world attacks against the application to assess its security posture.
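The SCA step from the list above, as an added example that is not from the article or any real tool: pinned dependencies from a requirements-style manifest are matched against an advisory feed by version range, and the job fails on hits at or above a chosen severity. Package names, versions, and advisory identifiers are constructed for illustration; a real pipeline would consume a maintained feed such as OSV or the NVD.

```python
"""Software composition analysis gate: pinned dependencies matched against
an advisory feed by version range.

Added example, not the article's code or a real SCA tool. Package names,
versions and advisory identifiers are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Optional


def parse_version(v: str) -> tuple:
    """'1.26.5' -> (1, 26, 5). Assumes numeric dotted versions only."""
    return tuple(int(part) for part in v.split("."))


@dataclass(frozen=True)
class Advisory:
    package: str
    introduced: str           # first affected version (inclusive)
    fixed: Optional[str]      # first fixed version (exclusive); None = no fix yet
    advisory_id: str
    severity: str

    def affects(self, version: str) -> bool:
        """introduced <= version < fixed (or no upper bound if unfixed)."""
        v = parse_version(version)
        if v < parse_version(self.introduced):
            return False
        return self.fixed is None or v < parse_version(self.fixed)


# Constructed advisory feed (packages and identifiers are made up).
ADVISORIES = [
    Advisory("examplehttp", "2.0.0", "2.4.1", "EX-2024-0001", "high"),
    Advisory("examplehttp", "3.0.0", None,    "EX-2024-0002", "medium"),
    Advisory("exampleyaml", "0.0.0", "5.4.0", "EX-2023-0100", "critical"),
]


def parse_requirements(text: str) -> dict:
    """Parse pip-style 'name==version' pins; comments and blank lines are
    ignored, and an unpinned dependency is an error because it cannot be
    matched against a range."""
    pins = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        name, _, version = line.partition("==")
        if not version:
            raise ValueError(f"unpinned dependency: {line!r}")
        pins[name.strip().lower()] = version.strip()
    return pins


def audit(pins: dict, advisories=ADVISORIES) -> list:
    """Return (package, version, advisory_id, severity) for every hit."""
    hits = []
    for adv in advisories:
        version = pins.get(adv.package)
        if version is not None and adv.affects(version):
            hits.append((adv.package, version, adv.advisory_id, adv.severity))
    return hits


def gate(hits, fail_on=("critical", "high")) -> int:
    """CI exit status: 1 if any hit is at a severity in fail_on, else 0."""
    return 1 if any(sev in fail_on for *_, sev in hits) else 0


# Constructed manifest standing in for the project's requirements.txt.
REQUIREMENTS = """\
examplehttp==2.3.9     # inside the EX-2024-0001 affected range
exampleyaml==5.4.0     # exactly the first fixed version: not affected
exampleutil==1.0.0     # no advisories
"""

if __name__ == "__main__":
    found = audit(parse_requirements(REQUIREMENTS))
    for pkg, ver, adv_id, sev in found:
        print(f"{pkg}=={ver}: {adv_id} ({sev})")
    raise SystemExit(gate(found))
```

The boundary cases are where such gates go wrong: the fixed version itself must not be reported (the range is half-open), an advisory with no fix yet must match every later version, and a medium-severity hit is reported but, with the thresholds chosen here, does not block the release.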
Before an application reaches the next phase, the release, you should leverage security analysis tools to scan for any security vulnerabilities and perform pen testing. The final step in this process is deployment of the application to the production environment, provided all security tests have been satisfied.