(703) 520-7373
Office Locations: Massachusetts & Virginia

DevSecOps

Release secure, quality code faster

The DevOps culture and practices help your organization rapidly build, reliably operate, and continuously improve your software solutions. However, DevOps can break your traditional application security testing processes and tools.

To maintain velocity without compromising security, you need to integrate security at every stage. That’s DevSecOps!

DevOps isn’t just about tools.  It is about people, processes, and technologies coming together to deliver better software efficiently. Our experts help you integrate security end to end.

Let our experts help you chart a successful course to DevSecOps

  • Secure development programs and training
  • CI/CD strategy and planning
  • Cloud security assessments
  • Integration and automation of application security testing in your CI/CD pipelines
  • On-demand security testing to make the best use of your own resources

As organizations evolve their IT culture to DevOps by focusing on rapid service delivery through the adoption of agile and lean practices, we enable teams to inject comprehensive application security testing at the right time, at the right depth, with the right tools and processes, and with the right expertise.

Implementing development, security, and operations (DevSecOps) best practices.

DevSecOps Best Practices

The goal is to make security part of the software development workflow rather than bolting it on at the end of the cycle, as has been the case with waterfall development models. Below are the key practices we help organizations put in place when adopting DevSecOps.

Speed is one of the main tenets of DevOps. In a continuous integration and continuous deployment (CI/CD) environment, getting code out the door quickly takes priority over almost everything else. For security to be part of that workflow, it has to be automated: security controls and tests need to be embedded early and at every stage of the development lifecycle, and they need to run without a human in the loop.

Akumen group uses a number of tools with a range of capabilities for security analysis and testing throughout the software development lifecycle, from source-code analysis through integration testing and post-deployment monitoring. These include Checkmarx, Splunk, Contrast Security, FireEye, and Metasploit, to name a few.

Dependency checks are fundamental to DevSecOps, and a software composition analysis utility such as OWASP Dependency-Check helps ensure that you do not ship code that relies on components with known vulnerabilities. Dependency-Check works by inventorying the open-source libraries your build pulls in, identifying each one, and looking it up against the National Vulnerability Database (NVD) of published CVEs, which is refreshed on every run. It reports the matches so the build can be failed on findings above a chosen CVSS score.
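The build gate described above, as an added example that is not part of this page or of the Dependency-Check project: it reads a Dependency-Check JSON report, fails the build on any finding at or above a CVSS threshold, and honours a reviewed suppression list kept in the repository. The report embedded here is constructed for illustration (it is not output of a real scan), and the field names used (`dependencies`, `fileName`, `vulnerabilities`, `name`, `cvssv3.baseScore`, `cvssv2.score`) are assumed to follow the tool's JSON layout. The CVE identifiers are real published CVEs chosen as sample data.

```python
"""Gate a CI build on an OWASP Dependency-Check JSON report.

Added example, not from the page or from the Dependency-Check project. The
report layout (field names) is an assumption about the tool's JSON output,
and SAMPLE_REPORT is constructed sample data, not the result of a real scan.
"""
import json

# Constructed sample report. The CVE identifiers are real published CVEs
# used here as sample data; the scores are their published CVSS v3 base scores.
SAMPLE_REPORT = json.dumps({
    "dependencies": [
        {"fileName": "log4j-core-2.14.1.jar",
         "vulnerabilities": [
             {"name": "CVE-2021-44228", "severity": "CRITICAL",
              "cvssv3": {"baseScore": 10.0}}]},
        {"fileName": "commons-text-1.9.jar",
         "vulnerabilities": [
             {"name": "CVE-2022-42889", "severity": "CRITICAL",
              "cvssv3": {"baseScore": 9.8}}]},
        {"fileName": "jackson-databind-2.12.3.jar",
         "vulnerabilities": [
             {"name": "CVE-2020-36518", "severity": "HIGH",
              "cvssv3": {"baseScore": 7.5}}]},
        {"fileName": "guava-31.1-jre.jar"},  # clean dependency: no findings
    ]
})


def failing_findings(report_json, fail_on_cvss=7.0, suppressed=()):
    """Return (fileName, cve, score) for each finding at or above the
    threshold that is not on the suppression list, highest score first.

    Mirrors the intent of the CLI's --failOnCVSS option, but keeps the
    accepted-risk list (suppressed) in code alongside the pipeline so that
    every exception is visible in review.
    """
    report = json.loads(report_json)
    hits = []
    for dep in report.get("dependencies", []):
        for vuln in dep.get("vulnerabilities", []):
            # Prefer the CVSS v3 base score; fall back to v2 for old entries.
            score = vuln.get("cvssv3", {}).get("baseScore")
            if score is None:
                score = vuln.get("cvssv2", {}).get("score", 0.0)
            if score >= fail_on_cvss and vuln["name"] not in suppressed:
                hits.append((dep["fileName"], vuln["name"], score))
    return sorted(hits, key=lambda hit: -hit[2])


def main():
    # Hypothetical accepted risk: reviewed, ticketed and dated in the repo.
    suppressed = {"CVE-2020-36518"}
    hits = failing_findings(SAMPLE_REPORT, fail_on_cvss=7.0, suppressed=suppressed)
    for file_name, cve, score in hits:
        print(f"FAIL {file_name}: {cve} (CVSS {score})")
    # Non-zero exit code is what actually stops the pipeline.
    return 1 if hits else 0


if __name__ == "__main__":
    raise SystemExit(main())
```

In a real pipeline the report comes from `dependency-check --format JSON`, and the suppression set should be the same reviewed list the tool's own suppression file carries, so that a suppression never silently outlives the ticket that justified it.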

SAST tools allow developers to scan code as they write it so they can receive instant feedback on issues that might cause security problems.  The tools are an essential component of your DevSecOps practices.

The key when introducing SAST tools is to think small. Often, when a security team wires a static testing tool into the CI/CD chain, it turns on checks for a whole slew of security issues at once and buries developers in findings. Instead, our experts prefer to enable one or two checks at a time, so that each rule is absorbed into the developers' workflow before the next is added.

Our experts break the rollout into manageable chunks: choose one check to start with and prove it works before moving on to the next. Security professionals who go in and disrupt the pipeline only slow things down and end up in conflict with developers.
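One way to start a SAST rollout with a single rule, as an added example that is not code from this page and is not Checkmarx or any vendor product: a small static check built on Python's `ast` module, with each rule registered by name so a team can enable one rule (here `shell-true`, which flags `subprocess.*` calls made with `shell=True`) and add the second (`eval-exec`) only once the first has settled into the workflow. The scanned source is a constructed sample, and the rule names and registry layout are illustrative choices, not a standard.

```python
"""A minimal one-rule-at-a-time static check for Python source.

Added example; not Checkmarx or any vendor tool, and not from the page.
SAMPLE_SOURCE is a constructed file under review, and the rule names are
illustrative. Rules operate on the AST so that comments and string
contents never produce false positives the way a grep would.
"""
import ast

# Constructed sample source (not from any real project).
SAMPLE_SOURCE = '''
import subprocess

def archive(path):
    # shell=True with caller-controlled input: command injection risk
    subprocess.run("tar czf backup.tgz " + path, shell=True)

def list_dir(path):
    # argument list and no shell: not flagged
    return subprocess.run(["ls", "-l", path], capture_output=True)

def cleanup():
    subprocess.call("rm -rf /tmp/build", shell=True)

def compute(expr):
    return eval(expr)
'''


def _is_subprocess_call(node):
    """True for calls of the form subprocess.<name>(...)."""
    func = node.func
    return (isinstance(func, ast.Attribute)
            and isinstance(func.value, ast.Name)
            and func.value.id == "subprocess")


def rule_shell_true(tree):
    """Rule: subprocess.<fn>(..., shell=True). Returns [(line, message)]."""
    findings = []
    for node in ast.walk(tree):
        if isinstance(node, ast.Call) and _is_subprocess_call(node):
            for kw in node.keywords:
                if (kw.arg == "shell" and isinstance(kw.value, ast.Constant)
                        and kw.value.value is True):
                    findings.append(
                        (node.lineno,
                         f"subprocess.{node.func.attr} called with shell=True"))
    return findings


def rule_eval_exec(tree):
    """Rule: direct calls to the eval() or exec() builtins."""
    findings = []
    for node in ast.walk(tree):
        if (isinstance(node, ast.Call) and isinstance(node.func, ast.Name)
                and node.func.id in ("eval", "exec")):
            findings.append((node.lineno, f"call to {node.func.id}()"))
    return findings


# Registry: the pipeline enables rules by name, one or two at a time.
RULES = {
    "shell-true": rule_shell_true,
    "eval-exec": rule_eval_exec,
}


def scan(source, enabled=("shell-true",)):
    """Run only the enabled rules; return [(rule, line, message)] by line."""
    tree = ast.parse(source)
    findings = []
    for name in enabled:
        findings.extend((name, line, msg) for line, msg in RULES[name](tree))
    return sorted(findings, key=lambda f: f[1])


def main():
    # Week one: a single rule. Add "eval-exec" once shell-true findings are
    # being fixed as a matter of routine rather than argued over.
    findings = scan(SAMPLE_SOURCE, enabled=("shell-true",))
    for rule, line, msg in findings:
        print(f"line {line}: [{rule}] {msg}")
    return 1 if findings else 0


if __name__ == "__main__":
    raise SystemExit(main())
```

Because `scan` takes the list of enabled rules as input, widening coverage is a one-line change in the pipeline configuration rather than a new tool deployment, which is what makes the incremental rollout cheap to do.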

A security product needs to make it easy for developers to kick off scans and get results without leaving their existing toolset. Other key requirements are speed and accuracy: the tools need to be fast, produce few false positives, and give findings that are immediately actionable. Our experts use tools that identify and prioritize vulnerabilities while developers are still writing the software.

Conducting threat modeling in a DevOps environment can be challenging because of the notion that it can slow down the velocity of a CI/CD environment.  You can’t automate the threat-modeling process in the same way you can for almost every other facet of DevOps.  But threat modeling is still crucial for the overall success of your DevOps efforts because it gets developers to think of their software from the perspective of an attacker.

One of the biggest challenges is to get buy-in from various stakeholders.  Development, security, and operations teams often operate in their own silos.  Getting the investment and time needed to train development teams on secure coding is a big challenge.  Investments have to be made in training developers on security.

Akumen can help you implement these DevSecOps best practices to help you get code out the door quickly in a secure manner.