Security verifications and checks are incorporated at different points of the DevOps pipeline, making security everybody's responsibility.
Planning is critical for addressing security and technical debt.
In this phase, the security issues to be addressed in the next few sprints are decided.
Threat modeling and data flow diagrams are worked on in this phase.
Interactive application security testing aids in analyzing the application from an outside point of view.
Web application vulnerability scanners are automated tools that scan web applications, normally from the outside, to look for security vulnerabilities such as cross-site scripting, SQL injection, command injection, path traversal and insecure server configuration.
Protocol and input fuzzing and application vulnerability correlation are other activities that can be carried out during this phase.
In the release phase, further security checks can be performed by using penetration testing.
The coding phase highlights shift-left velocity and involves choosing security tools and solutions that integrate with the developer environment.
Security architecture review along with core inspections and environment hardening are to be carried out during this phase.
In modern software development, many third-party libraries are used. Hence security scanning should include scanning third-party libraries for known vulnerabilities against the MITRE CVE list.
Security code review, using automated tools as well as manual review, must be done for custom code taken from the internet.
Source code analysis tools, also referred to as Static Application Security Testing (SAST) tools, are designed to analyze source code and/or compiled versions of code to help find security flaws.
Software composition analysis can be utilized to enforce the organization's open source policies.
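The dependency scanning and open source policy enforcement described above, as an added example that is not code from the original page. The pip-style lockfile, the advisory records (placeholder ids, not real CVEs), the licence map and the organisational policy are all constructed for illustration; a real pipeline would pull advisories from a vulnerability database such as the MITRE CVE list and licence information from package metadata.

```python
"""Software composition analysis (SCA) gate for a CI pipeline (added example).

All data below is constructed: a real pipeline would fetch advisories from a
vulnerability database (e.g. the MITRE CVE list) and licences from package
metadata instead of the inline tables.
"""
import re

# Constructed pip-style lockfile (name==version, one per line).
LOCKFILE = """\
requests==2.19.0
pyyaml==5.3.1
left-pad==1.0.0
"""

# Constructed advisories with placeholder ids (not real CVEs). A package is
# affected when its pinned version is strictly below `fixed_in`.
ADVISORIES = [
    {"id": "ADV-PLACEHOLDER-0001", "package": "requests", "fixed_in": "2.20.0", "severity": "medium"},
    {"id": "ADV-PLACEHOLDER-0002", "package": "pyyaml", "fixed_in": "5.4", "severity": "critical"},
    {"id": "ADV-PLACEHOLDER-0003", "package": "left-pad", "fixed_in": "0.9.0", "severity": "low"},
]

# Constructed licence metadata and an example organisational open source policy.
LICENSES = {"requests": "Apache-2.0", "pyyaml": "MIT", "left-pad": "AGPL-3.0"}
POLICY = {"denied_licenses": {"AGPL-3.0", "SSPL-1.0"}, "block_at_severity": "high"}
SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2, "critical": 3}


def parse_version(version):
    """Turn '5.3.1' into (5, 3, 1) so tuples compare numerically.

    Only dotted numeric versions are handled; use packaging.version for
    full PEP 440 semantics (pre-releases, epochs, local versions).
    """
    return tuple(int(re.sub(r"\D", "", part) or 0) for part in version.split("."))


def parse_lockfile(text):
    """Return {package: version}; blank lines and comments are ignored."""
    deps = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, version = line.split("==", 1)
        deps[name.lower()] = version
    return deps


def find_vulnerabilities(deps):
    """Match each pinned dependency against the advisory list."""
    findings = []
    for adv in ADVISORIES:
        pinned = deps.get(adv["package"])
        if pinned and parse_version(pinned) < parse_version(adv["fixed_in"]):
            findings.append({**adv, "installed": pinned})
    return findings


def find_license_violations(deps):
    """Flag dependencies whose licence is denied by policy or unknown."""
    return [
        {"package": p, "license": LICENSES.get(p, "UNKNOWN")}
        for p in deps
        if LICENSES.get(p, "UNKNOWN") in POLICY["denied_licenses"] or p not in LICENSES
    ]


def gate(lockfile_text):
    """Pipeline decision: fail on blocked severities or denied/unknown licences."""
    deps = parse_lockfile(lockfile_text)
    vulns = find_vulnerabilities(deps)
    licence_issues = find_license_violations(deps)
    threshold = SEVERITY_RANK[POLICY["block_at_severity"]]
    blocking = [v for v in vulns if SEVERITY_RANK[v["severity"]] >= threshold]
    return {
        "vulnerabilities": vulns,
        "blocking_vulnerabilities": blocking,
        "license_violations": licence_issues,
        "passed": not blocking and not licence_issues,
    }


if __name__ == "__main__":
    result = gate(LOCKFILE)
    for v in result["vulnerabilities"]:
        print(f"{v['package']}=={v['installed']}: {v['id']} ({v['severity']}), fixed in {v['fixed_in']}")
    for item in result["license_violations"]:
        print(f"{item['package']}: licence {item['license']} not permitted by policy")
    print("PASS" if result["passed"] else "FAIL")
```

With the constructed data the gate reports two vulnerable pins but blocks only on the critical one, and separately blocks the AGPL-licensed package; the medium finding is reported without failing the build, which is the usual shape of a severity threshold policy.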
In the deployment phase, chaos testing will help determine how the system behaves in unusual/unexpected circumstances.
During the configuration phase, binaries need to be signed and timestamped to facilitate integrity checks for release.
The signature should be verified before deploying into the CI/CD pipeline; this involves checking the signature of the binaries.
Focus on configuration assurance at instantiation, using security controls such as defense-in-depth.
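The signing, timestamping and pre-deployment signature check described above, as an added example that is not code from the original page. It assumes the `openssl` command line tool is on PATH; the JSON manifest format (artifact SHA-256 plus build time), the file names and the 30-day freshness window are assumptions made for this example, and the key pair is generated locally only so the example runs offline. A production pipeline would keep the signing key in an HSM or KMS and obtain the timestamp from a trusted timestamping service rather than recording the build time itself.

```python
"""Release gate: sign a timestamped manifest at build time and verify it
before deployment (added example; assumes the `openssl` CLI is on PATH).

Manifest format, file names and the freshness window are assumptions made
for this example. The key pair is generated locally only so that the
example runs offline.
"""
import datetime
import hashlib
import json
import pathlib
import subprocess
import tempfile


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def openssl(*args, check=True):
    return subprocess.run(["openssl", *args], check=check, capture_output=True, text=True)


def generate_keypair(workdir):
    """For the example only: a real pipeline keeps the private key in an HSM/KMS."""
    priv, pub = workdir / "release-key.pem", workdir / "release-pub.pem"
    openssl("genpkey", "-algorithm", "RSA", "-pkeyopt", "rsa_keygen_bits:2048", "-out", str(priv))
    openssl("pkey", "-in", str(priv), "-pubout", "-out", str(pub))
    return priv, pub


def sign_release(artifact, priv, workdir, build_time):
    """Write a manifest binding the artifact digest to a build time, then sign it."""
    manifest = workdir / "manifest.json"
    manifest.write_text(json.dumps({
        "artifact": artifact.name,
        "sha256": sha256_file(artifact),
        "build_time": build_time.isoformat(),
    }))
    sig = workdir / "manifest.sig"
    openssl("dgst", "-sha256", "-sign", str(priv), "-out", str(sig), str(manifest))
    return manifest, sig


def verify_release(artifact, manifest, sig, pub, now, max_age=datetime.timedelta(days=30)):
    """Deploy-time gate: signature, digest binding, then timestamp. Returns (ok, reason)."""
    check = openssl("dgst", "-sha256", "-verify", str(pub), "-signature", str(sig), str(manifest), check=False)
    if check.returncode != 0:
        return False, "manifest signature invalid"
    m = json.loads(manifest.read_text())
    if m["sha256"] != sha256_file(artifact):
        return False, "artifact digest does not match signed manifest"
    built = datetime.datetime.fromisoformat(m["build_time"])
    if built > now:
        return False, "build time is in the future"
    if now - built > max_age:
        return False, "signed build is older than the allowed window"
    return True, "ok"


def demo():
    """Runs the happy path and three failure modes; returns their (ok, reason) results."""
    with tempfile.TemporaryDirectory() as d:
        work = pathlib.Path(d)
        artifact = work / "service.bin"
        artifact.write_bytes(b"constructed placeholder binary contents")  # constructed
        priv, pub = generate_keypair(work)
        built = datetime.datetime(2024, 1, 10, 12, 0)
        manifest, sig = sign_release(artifact, priv, work, built)
        deploy_at = datetime.datetime(2024, 1, 12, 9, 0)

        good = verify_release(artifact, manifest, sig, pub, deploy_at)
        stale = verify_release(artifact, manifest, sig, pub, deploy_at + datetime.timedelta(days=90))

        # A binary that differs from the one the manifest was built for fails the digest check.
        artifact.write_bytes(b"constructed modified binary contents")
        tampered = verify_release(artifact, manifest, sig, pub, deploy_at)

        # A modified manifest fails signature verification, so the digest inside it is never trusted.
        m = json.loads(manifest.read_text())
        m["sha256"] = sha256_file(artifact)
        manifest.write_text(json.dumps(m))
        forged = verify_release(artifact, manifest, sig, pub, deploy_at)
    return good, stale, tampered, forged


if __name__ == "__main__":
    for label, result in zip(("good", "stale", "tampered", "forged"), demo()):
        print(f"{label}: {result}")
```

The order of checks matters: the signature is verified first, so nothing read from the manifest (digest or build time) is trusted until its integrity is established, and the timestamp check rejects replaying an old but validly signed release.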
In practice, some vulnerabilities may remain unidentified and will inevitably make it into production.
Continuous monitoring helps in detecting irregular behavior in production.
Technologies such as RASP (runtime application self-protection) can be leveraged.