DevSecOps
Theory and Best Practices
The software project lifecycle model has evolved from the waterfall model to agile, and today the Scaled Agile Framework is commonly used.
To bring security practices into the software development lifecycle, the term DevSecOps has been promoted since 2015 by different entities such as Gartner, OWASP and the NSA.
The term DevSecOps places the Sec part between development and operations, so that all required security activities are carried out within the software development lifecycle.
Here are the key DevSecOps practices summarized:
Shift Left Security: Integrate security early in development (design, coding) and keep it through planning, analysis, design, implementation and deployment, and even after deployment through operations monitoring.
Automated Security Testing
Use tools for static (SAST), dynamic (DAST), and software composition analysis (SCA).
Threat Modeling
Identify risks before coding using STRIDE, OWASP or MITRE frameworks; this helps surface potential threats within your solution early.
Secrets Management
Prevent hardcoded credentials with vaults and scanning.
Use vaults (e.g., HashiCorp Vault, AWS Secrets Manager).
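The following is an added example, not part of the original presentation: a small secret scanner of the kind a pre-commit hook or CI step would run, so that a hardcoded credential is caught before it is merged and the developer is pushed toward an environment variable or a vault lookup instead. The sample lines and detection rules are constructed for this example and do not reproduce the rule set of any specific scanning tool.

```python
import re
from typing import List, Tuple

# Constructed sample of source lines, as they might appear in a diff.
# All values are made up for this example and are not real credentials.
SAMPLE_LINES = [
    'db_password = "Summ3r2024!"',                 # hardcoded literal
    'AWS_ACCESS_KEY_ID = "AKIAEXAMPLEEXAMPLE01"',  # key-shaped literal
    'token = os.environ["API_TOKEN"]',             # read from environment: fine
    'password = vault.get_secret("app/db")',      # read from a vault: fine
    '# -----BEGIN RSA PRIVATE KEY-----',           # key material in source
]

# Hypothetical detection rules: a name plus a regular expression.
RULES: List[Tuple[str, re.Pattern]] = [
    ("aws-access-key-id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("private-key-header", re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----")),
    # A password/secret/token assigned a quoted literal of 6+ characters,
    # rather than an expression that fetches it from the environment or a vault.
    ("hardcoded-credential",
     re.compile(r"(?i)(password|passwd|secret|token|api_key)\s*=\s*['\"][^'\"]{6,}['\"]")),
]


def scan_lines(lines):
    """Return (line_no, rule_name, snippet) for every line that matches a rule."""
    findings = []
    for no, line in enumerate(lines, start=1):
        for name, pattern in RULES:
            if pattern.search(line):
                findings.append((no, name, line.strip()))
                break  # one finding per line is enough to block the change
    return findings


def gate(lines):
    """True when the change may proceed (no secrets found), False otherwise."""
    return len(scan_lines(lines)) == 0


if __name__ == "__main__":
    for no, name, snippet in scan_lines(SAMPLE_LINES):
        print(f"line {no}: {name}: {snippet}")
    print("gate passed" if gate(SAMPLE_LINES) else "gate failed")
```

Lines 3 and 4 pass because the secret is resolved at runtime from the environment or a vault, which is the pattern the practice above recommends; the three flagged lines would block the commit until the literal is moved out of source.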
Dependency Scanning: Continuously check third-party libraries for vulnerabilities.
Snyk or OWASP Dependency-Check for small enterprises
JFrog Xray or Sonatype Nexus IQ for large enterprises
Security as Code: Define policies and configurations in code (e.g., OPA, Terraform); this practice overlaps with the others.
Policy Enforcement in CI/CD
- Block builds/releases if security checks fail.
- Example: Enforce quality gates in SonarQube (e.g., no critical bugs and no critical vulnerabilities allowed)
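As an added example covering both the dependency scanning and the CI/CD policy enforcement practices above (this code is not from the presentation or from any scanner vendor), here is a pipeline gate that reads a scan report and fails the build when a finding reaches the configured severity. The report format is a simplified, constructed shape rather than the exact output of Dependency-Check, Snyk or Xray; the vulnerability identifiers are placeholders. The allowlist models a documented risk acceptance so that a gate can be tuned without being switched off.

```python
import json
import sys

# Constructed scan report in a simplified, tool-agnostic shape.
# Identifiers are placeholders, not real advisories.
SAMPLE_REPORT = json.dumps({
    "dependencies": [
        {"name": "example-lib-a", "version": "1.2.3",
         "vulnerabilities": [{"id": "VULN-PLACEHOLDER-1", "severity": "HIGH", "score": 8.1}]},
        {"name": "example-lib-b", "version": "4.0.0",
         "vulnerabilities": [{"id": "VULN-PLACEHOLDER-2", "severity": "MEDIUM", "score": 5.3}]},
        {"name": "example-lib-c", "version": "0.9.0", "vulnerabilities": []},
    ]
})

SEVERITY_RANK = {"LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}


def collect_findings(report_json: str):
    """Flatten the report into one record per vulnerability."""
    report = json.loads(report_json)
    findings = []
    for dep in report.get("dependencies", []):
        for vuln in dep.get("vulnerabilities", []):
            findings.append({
                "dependency": f"{dep['name']}@{dep['version']}",
                "id": vuln["id"],
                "severity": vuln["severity"].upper(),
                "score": float(vuln.get("score", 0.0)),
            })
    return findings


def evaluate_gate(report_json: str, fail_on: str = "HIGH", allowlist=frozenset()):
    """Return (passed, blocking_findings).

    fail_on   lowest severity that blocks the build (HIGH blocks HIGH and CRITICAL).
    allowlist vulnerability ids with an accepted, documented risk exception.
    """
    threshold = SEVERITY_RANK[fail_on.upper()]
    blocking = [
        f for f in collect_findings(report_json)
        if SEVERITY_RANK.get(f["severity"], 0) >= threshold and f["id"] not in allowlist
    ]
    return len(blocking) == 0, blocking


if __name__ == "__main__":
    passed, blocking = evaluate_gate(SAMPLE_REPORT, fail_on="HIGH")
    for f in blocking:
        print(f"BLOCKING {f['severity']} {f['id']} in {f['dependency']} (score {f['score']})")
    print("gate passed" if passed else "gate failed")
    # A non-zero exit code is what makes the CI job, and therefore the build, fail.
    sys.exit(0 if passed else 1)
```

Run as a CI step, the non-zero exit code is what blocks the release; the threshold and allowlist should live in version control next to the pipeline definition so that changes to the gate are themselves reviewed.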
Runtime Security Monitoring
WAF: Web application firewall
Protects solutions from attacks
Sample: Blocks or alerts on web attacks such as SQLi and XSS
Tools:
SIEM: Security Information and Event Management
Collects, analyzes, and correlates security logs from multiple sources
Tools: Splunk, IBM QRadar, Elastic Security, Azure Sentinel
IDS: Intrusion Detection System
Detects and responds to threats.
Tools: Snort, Suricata (NIDS), OSSEC (HIDS).
Covers all network activity, a broader scope than a WAF.
Sits after the WAF in the architecture, after the load balancer.
Zero Trust Principles
Enforce least privilege and continuous authentication.
Security Training
Educate developers on secure coding and common vulnerabilities.
Early Security Integration
Embed security checks early in development.
Sample: Use SAST tools like SonarQube integrated into the IDE or CI pipeline.
Reduced Risk
Continuously detect vulnerabilities to prevent surprises.
Sample: Weekly vulnerability reports generated by OWASP Dependency-Check.
Improved Compliance
Automate audit trails and enforce security policies.
Sample: Use OPA/Gatekeeper to enforce Kubernetes security policies automatically.
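To show what "security policy as code" looks like for the Kubernetes case above, here is an added example that is not part of the presentation and does not use OPA or Gatekeeper: a plain Python policy check over constructed manifests that enforces the same kind of rules an admission policy would (no privileged containers, run as non-root, no privilege escalation, pinned image tags, resource limits). The two manifests are made-up sample input.

```python
# Constructed manifests as Python dicts (the same structure as the YAML objects).
COMPLIANT = {
    "apiVersion": "apps/v1", "kind": "Deployment",
    "metadata": {"name": "web", "namespace": "prod"},
    "spec": {"template": {"spec": {"containers": [{
        "name": "web",
        "image": "registry.example.internal/web:1.4.2",
        "securityContext": {"runAsNonRoot": True, "privileged": False,
                            "allowPrivilegeEscalation": False},
        "resources": {"limits": {"cpu": "500m", "memory": "256Mi"}},
    }]}}},
}

NON_COMPLIANT = {
    "apiVersion": "apps/v1", "kind": "Deployment",
    "metadata": {"name": "debug", "namespace": "prod"},
    "spec": {"template": {"spec": {"containers": [{
        "name": "debug",
        "image": "debug-tools:latest",          # floating tag
        "securityContext": {"privileged": True},  # everything else left at defaults
    }]}}},
}


def containers(manifest):
    """Return all containers (including init containers) of a Pod or a workload."""
    if manifest.get("kind") == "Pod":
        pod_spec = manifest["spec"]
    else:  # Deployment, StatefulSet, DaemonSet, Job: pod template under spec.template
        pod_spec = manifest["spec"]["template"]["spec"]
    return pod_spec.get("containers", []) + pod_spec.get("initContainers", [])


def check_manifest(manifest):
    """Return a list of human-readable policy violations; empty means admitted."""
    violations = []
    for c in containers(manifest):
        sc = c.get("securityContext", {})
        ident = f"{manifest['kind']}/{manifest['metadata']['name']} container {c['name']}"
        if sc.get("privileged", False):
            violations.append(f"{ident}: privileged containers are not allowed")
        if not sc.get("runAsNonRoot", False):
            violations.append(f"{ident}: runAsNonRoot must be true")
        # The Kubernetes default for allowPrivilegeEscalation is true, so an absent
        # field is a violation, not a pass.
        if sc.get("allowPrivilegeEscalation", True):
            violations.append(f"{ident}: allowPrivilegeEscalation must be false")
        image = c.get("image", "")
        last = image.rsplit("/", 1)[-1]  # strip registry/path, which may contain ':port'
        if ":" not in last or image.endswith(":latest"):
            violations.append(f"{ident}: image must be pinned to an explicit, non-latest tag")
        if "limits" not in c.get("resources", {}):
            violations.append(f"{ident}: resource limits are required")
    return violations


if __name__ == "__main__":
    for m in (COMPLIANT, NON_COMPLIANT):
        result = check_manifest(m)
        print(m["metadata"]["name"], "ADMITTED" if not result else "DENIED")
        for v in result:
            print("  -", v)
```

The same rules, expressed in Rego for OPA/Gatekeeper, would be evaluated by the admission controller at deploy time; running a check like this in the CI pipeline as well catches the violation before the manifest ever reaches the cluster.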
Cost Efficiency
Fix security issues early to reduce expensive fixes later.
Sample: Automated unit tests that include security assertions to catch issues upfront.
Higher Quality Code
Detect and fix security bugs during coding.
Sample: Use ESLint security plugins combined with peer code reviews.
Automated Governance
Enforce security policies as code with automated pipeline gates.
Sample: Fail builds automatically on high severity security issues using GitLab CI security gates.
Continuous Monitoring
Detect threats and anomalies in real time.
Sample: Deploy Falco for runtime threat detection in Kubernetes or OpenShift clusters.
Dr. Ghoniem Lawaty
Tech Evangelist @TechHuB Egypt