DevSecOps integrates security practices into the DevOps pipeline at each stage:
Plan Phase
In the plan phase, DevSecOps teams perform:
- Security analysis to identify risks and threats
- Security planning to outline how and when security testing will occur
- Threat modeling to identify potential vulnerabilities
Tools like IriusRisk can help with the planning process.
Build Phase
During the build phase, DevSecOps performs:
- Component analysis to check for vulnerabilities in dependencies
- Static application security testing (SAST) to analyze code for flaws
- Dependency checking with tools like Snyk to flag known-vulnerable dependencies
Code Phase
In the code phase, DevSecOps focuses on:
- Static code analysis to find bugs and vulnerabilities
- Code reviews to improve code quality from a security standpoint
- Pre-commit hooks to automatically run security tests on new code
Tools like Gerrit and Phabricator integrate with the development workflow.
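As an added example that is not part of the original page, the following POSIX sh script is a minimal git pre-commit hook of the kind described above: it scans staged files for secret-like strings and blocks the commit when any are found. The patterns, file names and messages are illustrative assumptions, not a complete ruleset.

```shell
#!/bin/sh
# Hypothetical pre-commit hook (constructed example): refuse commits whose
# staged files contain secret-like strings. Install as .git/hooks/pre-commit
# and make it executable.
set -eu

# Illustrative patterns: PEM private key headers, AWS access key IDs, and
# quoted password/secret/token assignments of eight or more characters.
SECRET_PATTERNS="-----BEGIN [A-Z ]*PRIVATE KEY-----|AKIA[0-9A-Z]{16}|([Pp]assword|[Ss]ecret|[Tt]oken)[[:space:]]*[:=][[:space:]]*[\"'][^\"']{8,}"

# Print the number of lines in FILE that match any secret pattern.
# (-e keeps grep from reading a pattern that starts with '-' as an option.)
count_secret_hits() {
    grep -cE -e "$SECRET_PATTERNS" "$1" || true
}

# Print matching lines with line numbers for the committer; return 1 if any.
report_secret_hits() {
    if grep -nE -e "$SECRET_PATTERNS" "$1"; then
        return 1
    fi
    return 0
}

# Scan every added, copied or modified staged file. The loop runs in the
# pipeline's subshell, so its exit status becomes the function's status.
scan_staged_files() {
    git diff --cached --name-only --diff-filter=ACM |
    {
        status=0
        while IFS= read -r f; do
            [ -f "$f" ] || continue
            if ! report_secret_hits "$f"; then
                echo "pre-commit: possible secret in $f (see lines above)" >&2
                status=1
            fi
        done
        exit "$status"
    }
}

# Run the scan only when git invokes this file as the pre-commit hook, so the
# functions above can also be sourced and exercised on their own.
case "$0" in
    */pre-commit|pre-commit) scan_staged_files ;;
esac
```

A non-zero exit from the hook aborts the commit; developers who need to bypass a false positive can still do so deliberately with `git commit --no-verify`, which is why the check belongs beside, not instead of, server-side scanning.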
Test Phase
Testing includes:
- Dynamic application security testing (DAST) to analyze running applications
- Fuzz testing to identify edge case issues
- Penetration testing to find exploitable weaknesses
Tools like ZAP, Arachni, and AppScan are used for security testing.
Release Phase
The release phase focuses on:
- Principle of least privilege to restrict access
- Configuration management to audit and lock down infrastructure
- Hardening guides such as NIST publications and the CIS Benchmarks
Runtime Phase
At runtime, DevSecOps uses:
- Runtime application self-protection (RASP) tools to block attacks
- Penetration testing and bug bounty programs
- Security monitoring and analytics
In summary, DevSecOps takes a holistic approach by integrating security practices and tools into every stage of the development pipeline from planning to runtime. This helps build more secure systems from the ground up.