DevSecOps changes the application security value proposition by leveraging DevOps principles to shift security practices left and automating the collection of security-related data.
Coveros is a consulting company that helps organizations build better software. We provide software development, application security, QA/testing, and software process improvement services. Coveros focuses on organizations that must build and deploy software within the constraints of significant regulatory or compliance requirements. The primary markets we serve include: DoD, Homeland Security and associated critical infrastructure companies, healthcare providers, and financial services institutions.
Make security a first class citizen in your software development process.
Security becomes part of the daily workflow instead of something done late in the process. By late I mean too late to change much.
Shifting Left is the practice of taking something you did later in a process and doing it earlier in a process.
Shifting Security Left is the practice of doing security testing and analysis during development, usually automating data collection to make it faster and cheaper.
DevSecOps leverages the collaboration and automation of DevOps to Shift Security Left.
Fewer security compromises in production, making it less likely that something will happen to exploit the software.
By shifting security left, teams are usually given the opportunity to deal with security issues as they happen, so there are fewer last minute mistakes, compromises, and untested code going into production.
Making Application Security a first class citizen in a software development process, vs. an afterthought that gets interpreted as a hurdle.
Appearing on the cover of a national newspaper is bad, being part of the current network news cycle is worse, appearing before Congress is worse still.
Losing $1Ms, $10Ms, $100Ms in revenue, fines, and compensation is even worse.
Privacy laws are coming … GDPR, CAN-SPAM, and soon others.
This is where compromises come into play.
We don’t have time to triage (analyze) all of the findings
We don’t have time to fix all of the issues
We don’t want to fix issues that already exist in the code base
We don’t have time to find alternatives
The functionality can’t wait
What is the likelihood of something happening anyway?
Threat Analysis - Figuring out who wants to attack you, why, and how they would do it.
Secure Code Review - Human beings reviewing code for security flaws
(Check In) Static Analysis - Using fast running static analysis to find a number of issues including vulnerabilities and insecure code
SAST - Static Application Security Testing - Using static analysis to specifically find security issues
SCA - Software Composition Analysis - Checking your software and dependencies for security issues and license compliance
Security Testing - Using test automation tools to verify the security features of an application (functional and nonfunctional)
DAST - Dynamic Application Security Testing - Using tools to interact with your software like a user and in different ways to find issues (crawling your site, fuzz testing, injecting JavaScript, etc.)
IAST - Interactive Application Security Testing - Using software agents that monitor the internal state of your running application to find issues
Pen Testing - Penetration Testing - A human being trying to find vulnerabilities in your software, usually aided by tools like proxies, could be informed by the results of other tools
Infrastructure Analysis Testing - Using tools to check the host and software configuration to determine if known vulnerabilities are present
Encrypted Data Channels - all network traffic encrypted including traffic within a data center
Data Encrypted at rest - all Personally Identifiable Information (PII), if not all data, needs to be encrypted in the database or files in a system, including backups
RASP - Runtime Application Self-Protection - Using software tools or agents to monitor the internal state of an application and determine if an exploit is currently happening
SIEM - Security Information and Event Management - Software that monitors a running system, including logs, determines if security events are happening or have happened, and manages the process of recovering from the event.
Your implementation order may vary because:
You already have something in place
Your risk may drive a different order
Your tech stack may make something easier to put in place quickly
Threat Analysis is a story about:
Who – who will attack you
What – Attack you
Where – Your Application UI or API
When – Whenever your software is running
Why – What do the attackers get out of it? Money, Fame, a bot, a place to stage other attacks, crypto-mining resources
How – What tools or techniques might they use
One upside of all of these is that they operate on the software as it is being used in an environment, so the number of false positives is low. The downside is that the performance overhead can be high. Some tech stacks require component substitutions that might have unexpected trade-offs such as a lower performance interpreter, slow start or warm up times, or a large number of extra libraries.
These are advanced because they are new tools and techniques that are still finding their place in processes and practices. They are unproven and are looking for the right niche to fill. That said, they are promising.
They can also be very resource intensive and have yet to prove they are worth the cost and complexity of using them.
IAST seems to be best done in pre-production environments, where performance is less of an issue.
RASP has to be done in production and the real trick is to tune it properly. Some RASP (and IAST) solutions have the added issue of requiring different or specific runtimes that are an added risk to projects and can often be the first thing people blame when things start to go wrong.
IAST has the upside of producing fewer false positives; almost always, when IAST identifies an issue it is really an issue.
SIEM – Tools to detect an anomaly and track what happens in the investigation, clean up, and remediation of the anomaly (ostensibly security related)
Infrastructure Analysis Scanning & Testing – Using tools to make sure your OS and Server software is secure and up to regulations or policy
Encrypting data at rest and in transit are important aspects of Application and Data security. At this point all websites, web apps, and web services should be encrypted point to point. Most or all services, even within a datacenter, should be encrypted. As more and more of what used to live within your own datacenter moves into a public, private, or hybrid cloud, or a tenancy in a remote data center, the odds of only friendly eyes seeing your traffic get smaller and smaller (if they ever really were; insider threats are more common than outsider threats).
A build pipeline is the automation embodiment of a DevSecOps value stream. As your build moves down your pipeline to become a release candidate, you want more and more confidence that the software and platform are secure and resilient to attack and exploit.
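As an added example (not Coveros' material), here is the gating logic such a pipeline might apply: the severity bar rises at each stage toward release, and the "we don't want to fix issues that already exist in the code base" compromise is handled as a triage baseline with an expiry so accepted risk is revisited rather than forgotten. The stage names, thresholds, findings and triage record are all constructed assumptions.

```python
from dataclasses import dataclass

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}
# Assumed policy: the bar rises as the build moves down the pipeline.
STAGE_GATE = {"checkin": "critical", "integration": "high", "release": "medium"}


@dataclass(frozen=True)
class Finding:
    tool: str       # which scanner reported it: "sast", "sca", "dast", ...
    rule: str       # scanner rule or advisory id
    location: str   # file:line, package@version, or URL
    severity: str   # "low" | "medium" | "high" | "critical"

    def key(self) -> str:
        """Stable fingerprint so an accepted finding is recognised next run."""
        return f"{self.tool}:{self.rule}:{self.location}"


def evaluate(stage: str, build: int, findings, baseline):
    """Apply the gate for one stage; returns (passed, blocking, suppressed).

    baseline maps a fingerprint to the build number at which its triage
    decision expires, so a pre-existing issue is tolerated only until then
    and accepted risk is revisited rather than forgotten."""
    gate = SEVERITY_RANK[STAGE_GATE[stage]]
    blocking, suppressed = [], []
    for f in findings:
        if SEVERITY_RANK[f.severity] < gate:
            continue                     # reported, but below the bar at this stage
        if baseline.get(f.key(), -1) >= build:
            suppressed.append(f)         # accepted in triage, decision still valid
        else:
            blocking.append(f)
    blocking.sort(key=lambda f: -SEVERITY_RANK[f.severity])  # worst first
    return (not blocking, blocking, suppressed)


# Constructed sample results, as a scanner-aggregation step might produce them.
SAMPLE = [
    Finding("sast", "sql-injection", "app/orders.py:88", "critical"),
    Finding("sca", "ADVISORY-PLACEHOLDER-1", "lib-foo@1.2.3", "high"),
    Finding("dast", "missing-csp-header", "https://test.example/login", "medium"),
    Finding("sast", "hardcoded-tmp-path", "app/util.py:12", "low"),
]
# Constructed triage record: the dependency finding is accepted until build 120.
BASELINE = {"sca:ADVISORY-PLACEHOLDER-1:lib-foo@1.2.3": 120}

if __name__ == "__main__":
    for stage in STAGE_GATE:
        ok, block, supp = evaluate(stage, 100, SAMPLE, BASELINE)
        print(f"{stage}: {'PASS' if ok else 'FAIL'}", [f.rule for f in block], len(supp))
```

Running it shows the same findings passing the check-in gate's attention at critical only, then failing harder as the build approaches release, and the accepted dependency finding becoming blocking again once build 120 has passed.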
DevSecOps is as much about how security is perceived as it is about the technical practices and their implementation. You want to move the perception from security being a hurdle to security being an enabler of higher quality software that supports the business or mission better.