What is DevSecOps & Types of Security Scans?
What is DevSecOps?
The purpose of DevSecOps is to ensure security is integrated into each phase of the Software Development Life Cycle (SDLC) and to deliver secure software. DevSecOps refers to a combination of Development, Security, and Operations. Security is a shared responsibility, not just an IT Security task. DevSecOps is a mindset that allows an organization to adopt the right tools, run security audits, and apply patches without impacting the software product delivery timeline.
How is DevSecOps different from DevOps?
Most software organizations follow the Agile software development life cycle to build and deliver their products. DevOps focuses on automating infrastructure setup, deployment and release processes. There is a risk of security threats even in the best DevOps implementations. DevSecOps comes to the rescue here, which focuses on integrating security into DevOps practices right from the start of the SDLC.
DevSecOps is a culture of selecting the right tools, performing regular audits, detecting threats, and applying fixes before they cause any havoc. DevSecOps provides end-to-end security solutions, covering security in cloud providers, operating systems, source code, APIs, databases, etc.
In recent times, when security is of utmost importance, DevSecOps plays a critical role. Continuous automation and implementation of security practices in the SDLC enable the organization to create and release vulnerability-free and compliant software.
Adopting DevSecOps will improve security compliance and give an advantage in dealing with new threats and customers' security needs. DevSecOps helps nullify risks before they can enter the build flow. Many organizations have started putting in effort to transform their DevOps into DevSecOps.
Security practices are not only part of the Security or Operations team's responsibilities but also part of the Development team's. These teams should collaborate effectively to come up with a process for applying security best practices and any applicable compliance requirements. Also, regularly scanning infrastructure, applications, and code will enable the DevSecOps team to detect new threats and vulnerabilities and apply patches as soon as possible to avoid high security risks.
Types of Security Scan
- Vulnerability Scanning
- Compliance Scanning
- Misconfigurations Scanning
A vulnerability scan looks for attributes in the targets that can raise potential security risks. Targets can be the network, a host, or code. Vulnerability scanning involves network discovery (i.e., host and port information), obsolete software versions, software with known security flaws, and misconfigurations on the target. To get this data, vulnerability scanners identify the operating systems and software applications running on the target and compare them with information on known vulnerabilities stored in vulnerability databases.
The NIST National Vulnerability Database (NVD) is one such example, which provides information on known vulnerabilities and updates them regularly. NVD is widely used by vulnerability scanners to match known vulnerabilities and identify vulnerabilities ranging from low to severe. Regular vulnerability scanning will enable the organization to identify new threats and security risks and provide opportunities to apply patches before they cause any issue.
Vulnerability Scanners: Trivy, Wazuh, Qualys, Neuvector, Tenable, ManageEngine
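The matching step described above, as an added example (not code from the article or from any of the scanners listed): a toy scanner compares a host's software inventory against a vulnerability database by version and buckets each hit using the CVSS qualitative scale. The inventory, package names, CVE identifiers and scores are all constructed placeholders, not real advisories.

```python
"""Toy vulnerability scanner: installed version vs. a vulnerability database.
Every package, version, CVE id and score here is constructed for the example."""
from dataclasses import dataclass
from typing import Dict, List, Tuple


def parse_version(v: str) -> tuple:
    # Dotted numeric versions only, so "1.2.10" sorts after "1.2.9" (not lexically).
    return tuple(int(p) for p in v.split("."))


@dataclass(frozen=True)
class Advisory:
    cve: str        # placeholder id, not a real CVE
    package: str
    fixed_in: str   # first version that is NOT vulnerable
    cvss: float     # CVSS base score, used for the low..critical bucket


def severity(cvss: float) -> str:
    # CVSS v3 qualitative rating scale.
    if cvss == 0.0:
        return "none"
    if cvss < 4.0:
        return "low"
    if cvss < 7.0:
        return "medium"
    if cvss < 9.0:
        return "high"
    return "critical"


# Constructed stand-in for an NVD-style feed.
VULN_DB: List[Advisory] = [
    Advisory("CVE-0000-0001", "openssl", "3.0.8", 7.5),
    Advisory("CVE-0000-0002", "openssl", "3.0.2", 9.8),
    Advisory("CVE-0000-0003", "nginx", "1.21.0", 5.3),
]


def scan(inventory: Dict[str, str], db: List[Advisory] = VULN_DB) -> List[Tuple[str, str, str, str]]:
    """inventory maps package name -> installed version.
    Returns (package, version, cve, severity) per match, most severe first."""
    findings = []
    for name, installed in inventory.items():
        for adv in db:
            if adv.package == name and parse_version(installed) < parse_version(adv.fixed_in):
                findings.append((name, installed, adv.cve, severity(adv.cvss)))
    order = {"critical": 0, "high": 1, "medium": 2, "low": 3, "none": 4}
    return sorted(findings, key=lambda f: order[f[3]])


# Constructed host inventory, as a scanner would collect from the package manager.
HOST = {"openssl": "3.0.1", "nginx": "1.22.0", "curl": "7.88.1"}
```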
A compliance scan tries to match a set of security rules from a given compliance policy against a target. Targets can be the network, a host, or an application. Government agencies and IT standards organizations build these security standards and cybersecurity frameworks. Below are a few examples:
- CIS - Center for Internet Security - These benchmarks are widely used security standards for defending against cyberattacks and building secure baseline configurations.
- HIPAA (Health Insurance Portability and Accountability Act) / HITECH Omnibus Rule - HIPAA was introduced in 1996 and designed to protect US workers' health insurance coverage and increase the use of electronic medical records to secure patients' data. The Health Information Technology for Economic and Clinical Health Act (HITECH) expanded the HIPAA rules in 2009.
- PCI DSS (Payment Card Industry Data Security Standard) - It was introduced in 2004, is governed by the Payment Card Industry Security Standards Council (PCI SSC), and aims at securing credit and debit card transactions against data theft and fraud.
- GDPR (General Data Protection Regulation) - It is a legal framework that sets guidelines for the collection and processing of personal information from individuals who live in the European Union (EU).
- COPPA (Children's Online Privacy Protection Rule) - COPPA is a U.S. law that aims to protect the privacy of children under the age of 13 from the dynamic nature of the internet.
The criticality of these compliance policies depends directly on an organization's product domain. A health care application that stores and processes individually identifiable health information needs to be HIPAA compliant. A finance application that stores, processes or transmits credit card information needs to be PCI DSS compliant.
Compliance Scanners: Wazuh, Qualys, Tenable, VMware Tanzu, ManageEngine
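How a compliance scanner matches policy rules against a target, as an added example (not code from the article or from the scanners listed): a CIS-style hardening baseline for the OpenSSH server is evaluated against an sshd_config file. The rule ids, the rule set and the config text are constructed for this example; the checks mirror common benchmark items but are not quoted from any CIS document.

```python
"""Toy compliance scan: a constructed CIS-style baseline evaluated against sshd_config."""
import re
from typing import Callable, Dict, List, Tuple


def parse_sshd_config(text: str) -> Dict[str, str]:
    """Keyword (lower-cased) -> value. As in sshd(8), the first occurrence of a
    keyword wins, so a later duplicate does not override it. Only whole-line
    comments exist in sshd_config, so only those are skipped."""
    settings: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)  # "Key value" or "Key=value"
        if len(parts) == 2:
            settings.setdefault(parts[0].lower(), parts[1].strip())
    return settings


# (rule id, keyword, predicate on the observed value, human-readable expectation)
Rule = Tuple[str, str, Callable[[str], bool], str]
BASELINE: List[Rule] = [
    ("ssh-root-login", "PermitRootLogin", lambda v: v.lower() == "no", "no"),
    ("ssh-max-auth", "MaxAuthTries", lambda v: v.isdigit() and int(v) <= 4, "4 or less"),
    ("ssh-x11", "X11Forwarding", lambda v: v.lower() == "no", "no"),
    ("ssh-empty-pw", "PermitEmptyPasswords", lambda v: v.lower() == "no", "no"),
]


def compliance_scan(config_text: str, baseline: List[Rule] = BASELINE) -> Dict[str, Tuple[str, str]]:
    """Rule id -> (PASS|FAIL, observed value). An absent keyword fails because this
    baseline requires an explicit setting rather than relying on build defaults."""
    settings = parse_sshd_config(config_text)
    results: Dict[str, Tuple[str, str]] = {}
    for rule_id, keyword, ok, _expected in baseline:
        observed = settings.get(keyword.lower())
        if observed is None:
            results[rule_id] = ("FAIL", "not set")
        else:
            results[rule_id] = ("PASS" if ok(observed) else "FAIL", observed)
    return results


# Constructed sshd_config: root login enabled, too many auth tries, one key missing.
SAMPLE_SSHD_CONFIG = """\
# constructed sshd_config for the example
Port 22
PermitRootLogin yes
# the duplicate below is ignored: first occurrence wins
PermitRootLogin no
MaxAuthTries 6
X11Forwarding no
"""
```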
Misconfigurations are security settings that are configured incorrectly or left insecure, putting your systems and data at risk. Misconfigurations are easy to identify and fix. Scanners look for syntax errors, best practices not being followed when handling credentials, and misconfigured application or operating system settings in the targets. Targets can be application code, IaC code, Dockerfiles, operating system configuration, etc.
Unattended misconfigurations provide an easy way for attackers to enter and mess up your systems. Proper documentation of configuration changes and default settings can help avoid misconfigurations. Misconfiguration scanners range from simple plugins such as git-secrets and language linters to tools like Trivy and ManageEngine.
Misconfiguration scanners: git-secrets, Trivy, ManageEngine, Burp
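The kind of checks a misconfiguration scanner or git-secrets style hook applies to a Dockerfile, as an added example (not code from the article or from any tool it lists): unpinned base images, ADD where COPY suffices, a missing USER instruction, and credentials embedded via ENV or ARG. The Dockerfile, the check ids and the secret values are constructed for this example; the AKIA prefix pattern is the well-known shape of an AWS access key id.

```python
"""Toy misconfiguration scan over a Dockerfile. Sample file and values are constructed."""
import re
from typing import List, Tuple

# Patterns a secrets hook would flag in ENV/ARG values.
SECRET_PATTERNS = [
    ("aws-access-key-id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("generic-credential", re.compile(r"(?i)(password|secret|token)\w*\s*=\s*\S{8,}")),
]


def scan_dockerfile(text: str) -> List[Tuple[int, str, str]]:
    """Return (line number, check id, message) per finding; line 0 = whole-file finding."""
    findings: List[Tuple[int, str, str]] = []
    saw_user = False
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        instr, _, args = line.partition(" ")
        instr = instr.upper()
        if instr == "FROM":
            image = (args.split() or [""])[0]  # drop any "AS stage" suffix
            # A digest reference also contains ":", so "image@sha256:..." passes.
            if ":" not in image or image.endswith(":latest"):
                findings.append((n, "unpinned-base-image", f"{image} is not pinned to a version or digest"))
        elif instr == "ADD":
            findings.append((n, "add-instead-of-copy", "ADD auto-extracts archives and fetches URLs; prefer COPY"))
        elif instr == "USER":
            saw_user = True
        if instr in ("ENV", "ARG"):
            for check_id, pat in SECRET_PATTERNS:
                if pat.search(args):
                    findings.append((n, check_id, "credential baked into the image build"))
                    break
    if not saw_user:
        findings.append((0, "runs-as-root", "no USER instruction; container runs as root"))
    return findings


# Constructed Dockerfile exhibiting each misconfiguration once.
SAMPLE_DOCKERFILE = """\
FROM python:latest
ENV AWS_ACCESS_KEY_ID=AKIA0000EXAMPLE00000
ENV DB_PASSWORD=constructed-example-pw
ADD app.tar.gz /app
RUN pip install -r /app/requirements.txt
CMD ["python", "/app/main.py"]
"""
```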
Collaboration between Security, Operations, and Development to streamline the implementation of security best practices and to conduct regular security audits and scans will enable your organization to focus more on delivering a secure product instead of worrying about new threats and security risks.
Content Credit: Swethakiran Puli