These are my notes about what DevSecOps effectively adds to DevOps.

With DevSecOps, security checks are shifted to the very beginning of the process and become part of every development phase (Design/Plan/Develop/Build) rather than a gate at the end.

Key Points

  • Secure SDLC (aka SSDLC)
    • Source-code quality check,
    • Dependency management,
    • Scan artifacts,
    • Threat modeling,
    • Unit and integration tests,
    • and more.
  • Secure CI/CD
    • Minimized permissions,
    • Defending against pipeline attacks or weaponization,
    • Absolute segmentation for applications/data/systems/environments/etc,
    • and more.
  • Infrastructure as Code (IaC)
    • Secret management,
    • Leveraging of GitOps best practices,
    • Monitoring and alerting,
    • and more.
  • Process
    • Add security requirements to story templates, review checklists and refinement sessions.
    • A risk assessment decision matrix for features, assets, resources, etc is required.
    • Only allow building on top of approved base images
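As an added example of the last point (this is not code from the notes), a small Python gate that checks every FROM instruction in a Dockerfile against an allowlist of approved base images and requires each one to be pinned by digest rather than by tag. References to earlier build stages in a multi-stage Dockerfile are allowed. The registry name, repositories and digests are constructed placeholder values.

```python
"""Approved-base-image gate for Dockerfiles (added example, not part of the notes).

Every FROM instruction must reference an allowlisted repository pinned by an
approved digest; references to earlier build stages are allowed. The registry,
repositories and digests below are constructed placeholder values.
"""
import re

# Constructed allowlist: repository -> set of approved digests (placeholders).
APPROVED_IMAGES = {
    "registry.example.com/base/python": {"sha256:" + "a" * 64},
    "registry.example.com/base/distroless": {"sha256:" + "b" * 64},
}

# FROM [--platform=<p>] <image> [AS <stage>]
FROM_RE = re.compile(
    r"^\s*FROM\s+(?:--platform=\S+\s+)?(?P<image>\S+)(?:\s+AS\s+(?P<alias>\S+))?\s*$",
    re.IGNORECASE,
)


def split_reference(ref):
    """Split 'repo[:tag][@digest]' into (repo, tag, digest); missing parts are None."""
    digest = None
    if "@" in ref:
        ref, digest = ref.split("@", 1)
    repo, tag = ref, None
    # A ':' after the last '/' separates the tag; before it, it is a registry port.
    colon = ref.rfind(":")
    if colon > ref.rfind("/"):
        repo, tag = ref[:colon], ref[colon + 1:]
    return repo, tag, digest


def check_dockerfile(text, approved=APPROVED_IMAGES):
    """Return a list of policy violations; an empty list means the Dockerfile passes."""
    violations = []
    stages = set()
    for lineno, line in enumerate(text.splitlines(), 1):
        m = FROM_RE.match(line)
        if not m:
            continue
        image, alias = m.group("image"), m.group("alias")
        if image.lower() in stages:
            continue  # FROM <earlier stage>: not an external base image
        if alias:
            stages.add(alias.lower())
        repo, tag, digest = split_reference(image)
        if repo not in approved:
            violations.append(f"line {lineno}: {repo} is not an approved base image")
        elif digest is None:
            violations.append(
                f"line {lineno}: {repo} must be pinned by digest, not by tag {tag or 'latest'!r}"
            )
        elif digest not in approved[repo]:
            violations.append(f"line {lineno}: {repo}@{digest} is not an approved digest")
    return violations


if __name__ == "__main__":
    import sys
    problems = check_dockerfile(open(sys.argv[1]).read()) if len(sys.argv) > 1 else []
    print("\n".join(problems) or "OK: all base images approved and digest-pinned")
    sys.exit(1 if problems else 0)
```

Run it as a pipeline step before the image build (`python check_base_images.py Dockerfile`); a non-zero exit fails the job. Digest pinning matters because a tag such as `3.12` can be re-pointed at a different image at any time, so a tag-based allowlist does not actually fix what gets built.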

Challenges to Overcome

  • Security must not be siloed but a company-wide discipline,
  • Visibility (logs, alerts, monitoring, etc) is paramount,
  • Prioritization for security issues should be part of the company culture,
  • Due diligence before using any tool or library plus up-to-date software bill of material,
  • Mastering and testing on a sandbox before pushing it into production

Metrics

  • Mean Time to Production (MTTP)
    • The time it takes to get a whole new app deployed to production from its first commit.
  • Mean Time to Recover (MTTR)
    • The ability of the infrastructure to recover from a failed deployment (rollback) or a service interruption (self-healing), measured as the time it takes.
  • Deployment Agility
    • A combination of the speed and frequency of deployments.
  • Failure Rate
    • The percentage of deployments that contained a bug, relative to the total number of deployments. This reveals the size of the opportunity for improvement.
  • Communication of Risks
    • In DevOps, the comparison of these metrics over time shows how much impact changes caused during a period. But in DevSecOps, risk means the likelihood of a vulnerability being exploited and its impact on systems.
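To make the four delivery metrics above concrete, here is an added Python example (not from the notes) that computes them over a constructed set of deployment records. The record layout, service names and timestamps are hypothetical; MTTP is measured per deployment from its first commit, and MTTR only over deployments that failed.

```python
"""Delivery metrics from the Metrics section, computed over constructed deployment
records (added example; record format and values are hypothetical)."""
from datetime import datetime

# Constructed sample: one record per production deployment (ISO timestamps).
DEPLOYMENTS = [
    {"service": "payments", "first_commit": "2024-03-01T09:00", "deployed": "2024-03-03T09:00",
     "failed": False, "recovered": None},
    {"service": "payments", "first_commit": "2024-03-04T09:00", "deployed": "2024-03-05T09:00",
     "failed": True, "recovered": "2024-03-05T09:30"},   # rolled back after 30 min
    {"service": "search", "first_commit": "2024-03-02T00:00", "deployed": "2024-03-06T00:00",
     "failed": False, "recovered": None},
    {"service": "search", "first_commit": "2024-03-06T00:00", "deployed": "2024-03-07T12:00",
     "failed": True, "recovered": "2024-03-07T14:30"},   # self-healed after 150 min
]


def _ts(value):
    return datetime.fromisoformat(value)


def mean_time_to_production_hours(deploys):
    """MTTP: average first-commit-to-production lead time, in hours."""
    hours = [(_ts(d["deployed"]) - _ts(d["first_commit"])).total_seconds() / 3600
             for d in deploys]
    return sum(hours) / len(hours)


def mean_time_to_recover_minutes(deploys):
    """MTTR: average time from a failed deployment to recovery (rollback or self-healing)."""
    failed = [d for d in deploys if d["failed"]]
    if not failed:
        return 0.0  # nothing to recover from in this window
    minutes = [(_ts(d["recovered"]) - _ts(d["deployed"])).total_seconds() / 60
               for d in failed]
    return sum(minutes) / len(minutes)


def deployments_per_day(deploys, window_days):
    """Deployment frequency over a reporting window of the given length in days."""
    return len(deploys) / window_days


def failure_rate_percent(deploys):
    """Share of deployments that contained a bug, in percent."""
    return 100.0 * sum(1 for d in deploys if d["failed"]) / len(deploys)


def summary(deploys, window_days=7):
    """All four metrics for one reporting window, for comparison over time."""
    return {
        "mttp_hours": mean_time_to_production_hours(deploys),
        "mttr_minutes": mean_time_to_recover_minutes(deploys),
        "deploys_per_day": deployments_per_day(deploys, window_days),
        "failure_rate_pct": failure_rate_percent(deploys),
    }


if __name__ == "__main__":
    for name, value in summary(DEPLOYMENTS).items():
        print(f"{name:>18}: {value:.2f}")
```

Computing the summary per window (weekly here) and keeping the history is what makes the comparison over time described above possible; a rising MTTR or failure rate after a pipeline change is the signal to look for.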

Tools

  • Source-code scanners:
    • SonarQube Community Edition [Link]
    • Semgrep [Link]
    • Snyk [Link]
  • Search for credentials:
  • Dependency management and SBOM:
    • OSV-Scanner [Link]
  • Scan container (CT) and VM images for vulnerable packages, secrets, misconfigurations, and more:
  • Optimize container images:
  • Scan IaC manifests for errors and misconfigurations, and suggest best practices:
  • Automate pentesting in the pipeline:
  • QA tests for web apps on browser:
    • Cypress [Link]
  • Real-time behavioral security analysis: