With the proliferation of cloud applications and the need for business agility, rapid deployment has become the norm. While this may be good for releasing new features quickly, it can present a security risk: when teams focus too heavily on shipping features, security sometimes gets “tacked on” at the end.
DevSecOps bridges the gap between developers, security, and operations by integrating security throughout the application lifecycle.
Top 10 best practices for DevSecOps
Here are our top 10 best practices for DevSecOps success in meeting these goals:
1. Incorporate Security Tooling in CI/CD
Rather than approaching security as a manual process, incorporating it into the CI/CD tooling makes it an automated and repeatable process. The process happens without intervention on anyone’s part.
To accomplish this, DevSecOps can do the following:
- Implement IDE Plugins - These plugins work directly in the IDE to identify security issues and alert the developer while the code is being written.
- Send Scan Reports - Send scan reports to developers after the security scan to remediate the issues.
2. Dynamic Application Security Testing (DAST)
DAST tools provide insight into how the application behaves once deployed, by probing the running application from the outside (in production or a production-like staging environment).
These tools scan the application while it is running to detect vulnerabilities. DAST tools typically test for the weaknesses in the OWASP Top 10 list, which represents the ten most critical web application security risks for the year.
3. Static Application Security Testing (SAST)
SAST is like DAST in that it looks for the weaknesses listed in the OWASP Top 10.
The difference is that SAST is a white-box testing method that examines the source code without running it.
SAST works at the following stages:
- Building - Running SAST in the build stage provides yet another layer of protection that can detect issues that might have been missed at the IDE level.
- Testing - Testing often brings about issues that require code changes. SAST should be used regularly to ensure no new issues are introduced.
- Deploying - SAST tools can detect vulnerabilities in binaries and libraries during deployment.
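A CI/CD gate of the kind items 1 and 3 describe, as an added example that is not code from the original article: it consumes the SAST or DAST findings, prints the report that goes back to the developer, and fails the build automatically. It assumes the scanner exports one finding per line as "SEVERITY<TAB>path:line<TAB>rule"; that flat format and the sample findings are constructed for this example.

```shell
#!/bin/sh
# Added example, not code from the original article: a CI/CD gate step that
# consumes SAST or DAST findings and fails the build automatically, so the
# result reaches the developer without anyone reading the scan by hand.
# Assumes the scanner exports one finding per line as
# "SEVERITY<TAB>path:line<TAB>rule" (a constructed format for this example).
set -eu

# Lowest severity that breaks the build; findings below it are reported only.
FAIL_ON="${FAIL_ON:-HIGH}"

# scan_gate reads findings on stdin, prints the report to forward to the
# developers, and returns 1 when any finding is at or above FAIL_ON.
scan_gate() {
    awk -F '\t' -v fail_on="$FAIL_ON" '
        function rank(s) {
            if (s == "CRITICAL") return 4
            if (s == "HIGH") return 3
            if (s == "MEDIUM") return 2
            if (s == "LOW") return 1
            return 0
        }
        NF >= 3 {
            count[$1]++
            printf "%s %s %s\n", $1, $2, $3
            if (rank($1) >= rank(fail_on)) blocking++
        }
        END {
            printf "summary: critical=%d high=%d medium=%d low=%d\n",
                count["CRITICAL"], count["HIGH"], count["MEDIUM"], count["LOW"]
            if (blocking > 0) exit 1
            exit 0
        }'
}

# Constructed scanner output for a pull request: one blocking HIGH finding.
SAMPLE_FINDINGS=$(printf 'HIGH\tsrc/db.py:42\tsql-injection\nLOW\tsrc/util.py:7\tweak-random\nMEDIUM\tsrc/api.py:88\tmissing-csrf-token')

# Pipeline usage: scanner --format tsv | scan_gate || exit 1
```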
4. Automate With Infrastructure as Code (IaC)
Cloud computing has become increasingly popular because of the ease with which infrastructure can be spun up and scaled.
However, as the number of infrastructure components grows, managing that infrastructure by hand becomes difficult.
IaC provisions infrastructure components automatically from configuration files. Implemented properly, it means that only the CD pipeline has access to make infrastructure changes, so manual, out-of-band changes to production are removed rather than merely discouraged.
There are two approaches to IaC:
- Declarative - With declarative configuration, the files state what resources are needed and what properties those resources must have; the tool works out how to build the infrastructure.
- Imperative - Imperative configuration specifies the commands that need to be run, in order, to create the required resources.
5. Use Blue/Green Deployments to Manage Patches
With new vulnerabilities emerging each day, there is no shortage of patches. However, incorporating these changes into a production environment can be risky as the change could render the application unusable.
The solution to this problem is what is known as Blue/Green deployment. Using this approach, DevSecOps runs two identical production environments with the ability to switch traffic easily between them.
When a patch must be deployed, the following process takes place:
- The patch is applied to the inactive instance (Blue)
- The patch is tested in the Blue environment
- After the tests pass, the currently running instance (Green) is destroyed
- The Blue environment takes over as the running instance
In practice, delaying the removal of Green until Blue has handled live traffic for a while preserves a quick rollback path if the patch misbehaves.
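The patch flow above as a script, added here as an example and not code from the original article. It assumes the router follows an "active" symlink under STATE_DIR to pick the live instance, and that apply_patch and health_check are wired to the real patch tooling and health endpoint; the defaults below are placeholders.

```shell
#!/bin/sh
# Added example, not code from the original article. Assumes the router
# follows the "active" symlink under STATE_DIR to choose the live instance;
# apply_patch and health_check are placeholders for the real tooling.
set -eu

STATE_DIR="${STATE_DIR:-/srv/app}"   # holds blue/, green/ and the active symlink

# Colour currently serving traffic (Green in the article's description).
active_colour() {
    basename "$(readlink "$STATE_DIR/active")"
}

# The idle colour, which receives the patch and is tested before any switch.
idle_colour() {
    if [ "$(active_colour)" = "green" ]; then echo blue; else echo green; fi
}

# Placeholder: apply the patch to the instance in $STATE_DIR/$1.
apply_patch() {
    echo "applying patch to $1" >&2
}

# Placeholder health probe; replace with a request to the instance's endpoint
# (the hostname pattern is an assumption).
health_check() {
    curl -fsS --max-time 5 "http://$1.internal.example/healthz" >/dev/null
}

# Patch the idle instance, test it, and only then switch the symlink. On any
# failure the active instance keeps serving and nothing is changed.
# Removing the old instance is left to the caller so it remains a rollback
# target until the patched one has proven itself under live traffic.
promote_patched() {
    idle=$(idle_colour)
    old=$(active_colour)
    if ! apply_patch "$idle"; then
        echo "patch failed to apply on $idle; $old stays live" >&2
        return 1
    fi
    if ! health_check "$idle"; then
        echo "health check failed on $idle; $old stays live" >&2
        return 1
    fi
    ln -sfn "$STATE_DIR/$idle" "$STATE_DIR/active"   # switch traffic
    echo "switched traffic from $old to $idle" >&2
}
```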
6. Red vs Blue Team Penetration Testing
This approach to testing involves two teams, referred to as the Red team and the Blue team.
The Blue team performs a risk assessment to determine issues and implements changes to protect against those problems.
The Red team takes over and acts offensively to exploit the system.
Some of their tactics could include packet sniffing, attempting to install malware, or social engineering.
7. DevSecOps Best Practices for Container Hardening
According to BMC, a 2019 survey found that over 87% of respondents were running containers.
That prevalence is exactly why hardening containers against attack is one of the DevSecOps best practices.
Here are a few suggestions:
- Avoid Root Access - Attackers could exploit root access to install malware. Removing the sudo command from the image helps, and the application process itself should run as a dedicated non-root user rather than as root.
- Launch in Read-Only Mode - Prevent attackers from writing or modifying executables inside the container by launching it with a read-only filesystem, giving the application a separate writable mount only for the paths it genuinely needs.
- Perform Vulnerability Scans - Scan all images for known vulnerabilities before they are pushed to the registry and deployed.
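The three hardening points above turned into a CI check plus run-time flags, as an added example that is not code from the original article. The Dockerfile checks are simple pattern matches, and the image, user id and paths are constructed for this example.

```shell
#!/bin/sh
# Added example, not code from the original article: checks and run flags for
# the hardening points above. Dockerfile checks are simple pattern matches;
# the image, uid and paths are constructed for this example.
set -eu

# Run-time flags: non-root uid, read-only root filesystem with a small tmpfs
# for the one path the app must write, all capabilities dropped, and no
# privilege escalation through setuid binaries.
hardened_run_flags() {
    printf '%s ' \
        --user 10001:10001 \
        --read-only \
        --tmpfs /tmp:rw,noexec,nosuid,size=64m \
        --cap-drop ALL \
        --security-opt no-new-privileges
}

# Returns 0 when the last USER instruction names a non-root user; a Dockerfile
# with no USER at all runs as root and therefore fails the check.
dockerfile_nonroot() {
    last_user=$(grep -iE '^[[:space:]]*USER[[:space:]]' "$1" | tail -n 1 | awk '{print $2}')
    case "${last_user:-root}" in
        root|0|root:*|0:*) return 1 ;;
        *) return 0 ;;
    esac
}

# Returns 0 when a RUN instruction installs or invokes sudo.
dockerfile_uses_sudo() {
    grep -qiE '^[[:space:]]*RUN.*[^[:alnum:]_-]sudo([^[:alnum:]_-]|$)' "$1"
}

# Gate to run in CI before the image is scanned and pushed.
check_dockerfile() {
    dockerfile_nonroot "$1" || { echo "$1: final USER is root" >&2; return 1; }
    if dockerfile_uses_sudo "$1"; then echo "$1: sudo present in image" >&2; return 1; fi
}

# Constructed hardened Dockerfile used as sample input.
write_sample_dockerfile() {
    cat > "$1" <<'EOF'
FROM alpine:3.19
RUN addgroup -g 10001 app && adduser -D -u 10001 -G app app
COPY --chown=app:app ./server /app/server
USER 10001:10001
ENTRYPOINT ["/app/server"]
EOF
}

# Usage: check_dockerfile Dockerfile && docker run $(hardened_run_flags) app:1.0
```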
8. Incident Management
Bug reporting is often disjointed from the process used to log security issues.
As a result, the information ends up in two different locations, which reduces the visibility of those items.
A good practice is to treat security defects as code defects and log them in the same place.
That way, these items get the same visibility and opportunity to be prioritized alongside the other bugs.
9. Scenario Planning
While all the practices above can identify the most obvious issues, what about the not-so-obvious problems?
There are often plenty of downstream use cases that teams may be unaware of.
A good practice for DevSecOps is to talk to stakeholders and other departments.
These discussions could surface a new set of items that should be addressed, such as compliance requirements.
10. Promote a Security Mindset
Simply implementing these tools won’t be enough to get everyone on board.
DevSecOps will need to promote a security mindset throughout the organization.
That way, security isn’t an afterthought but a daily goal, with everyone responsible for following security best practices.
DevSecOps is vital to ensuring application security is a priority at all stages of the application lifecycle.
With this approach, organizations benefit from a stronger posture to prevent attacks.
Adservio’s approach to digital transformation gives security the highest priority in your efforts.
Get in touch with us today and learn how our expertise can help you implement DevSecOps best practices.