{"id":11239,"date":"2022-01-18T19:09:34","date_gmt":"2022-01-19T01:09:34","guid":{"rendered":"https:\/\/threecloud.wpengine.com\/?p=11239"},"modified":"2024-02-28T07:46:18","modified_gmt":"2024-02-28T15:46:18","slug":"putting-the-security-in-devsecops","status":"publish","type":"post","link":"https:\/\/3cloudsolutions.com\/resources\/putting-the-security-in-devsecops\/","title":{"rendered":"Putting the Security in\u00a0DevSecOps"},"content":{"rendered":"<p><span data-contrast=\"none\">For<\/span><span data-contrast=\"none\">\u00a0most developers<\/span><span data-contrast=\"none\">,<\/span><span data-contrast=\"none\">\u00a0the words\u202f<\/span><span data-contrast=\"none\">\u201c<\/span><span data-contrast=\"none\">Security Policy Review<\/span><span data-contrast=\"none\">\u201d<\/span><span data-contrast=\"none\">\u00a0can<\/span><span data-contrast=\"none\">\u00a0stir up images o<\/span><span data-contrast=\"none\">f long meetings late in a project<\/span><span data-contrast=\"none\">,<\/span><span data-contrast=\"none\">\u00a0with corporate security officers pouring over their code with the scrutiny of\u00a0<\/span><span data-contrast=\"none\">a\u00a0<\/span><span data-contrast=\"none\">tax\u00a0<\/span><span data-contrast=\"none\">audit<\/span><span data-contrast=\"none\">or<\/span><span data-contrast=\"none\">.\u00a0<\/span><span data-contrast=\"none\">The<\/span><span data-contrast=\"none\">\u00a0<\/span><span data-contrast=\"none\">meeting<\/span><span data-contrast=\"none\">s<\/span><span data-contrast=\"none\">\u00a0often end with\u00a0<\/span><span data-contrast=\"none\">a\u00a0<\/span><span data-contrast=\"none\">laundry list of dramatic changes to the code and architecture to meet the ever-present threats of the\u00a0<\/span><span data-contrast=\"none\">outside world.<\/span><span data-ccp-props=\"{&quot;134233117&quot;:true,&quot;134233118&quot;:true}\">\u00a0<\/span><\/p>\n<p><span 
data-ccp-props=\"{&quot;134233117&quot;:true,&quot;134233118&quot;:true}\">\u00a0<\/span><span data-contrast=\"none\">In the best case, we go through this exercise and find that our code is in good shape<\/span><span data-contrast=\"none\">,<\/span><span data-contrast=\"none\">\u00a0thanks to modern languages and platforms that are &#8220;secure by default.<\/span><span data-contrast=\"none\">\u201d<\/span><span data-contrast=\"none\">\u00a0In the worst case, we find that we have a lot of expensive mitigation late in the development cycle. Alas, the complexity and lack of time or expertise has an impact<\/span><span data-contrast=\"none\">, making<\/span><span data-contrast=\"none\">\u00a0a rigorous approach to application security impractical.<\/span><span data-contrast=\"none\">\u00a0Enter\u00a0<\/span><a href=\"https:\/\/www.devsecops.org\/blog\/2015\/2\/15\/what-is-devsecops\"><span data-contrast=\"none\">DevSecOps<\/span><\/a><span data-contrast=\"none\">,<\/span><span data-contrast=\"none\">\u00a0<\/span><span data-contrast=\"none\">p<\/span><span data-contrast=\"none\">art of the ongoing shift left of groups outside of traditional development and <a href=\"https:\/\/3cloudsolutions.com\/app-operations\/\">operations<\/a>,\u00a0<\/span><span data-contrast=\"none\">DevSecOps<\/span><span data-contrast=\"none\">\u00a0<\/span><span data-contrast=\"none\">is\u00a0<\/span><span data-contrast=\"none\">now considered a best practice for<\/span><span data-contrast=\"none\">\u00a0any compan<\/span><span data-contrast=\"none\">y<\/span><span data-contrast=\"none\">\u00a0that store<\/span><span data-contrast=\"none\">s<\/span><span data-contrast=\"none\">\u00a0custom or client data.\u00a0<\/span><span data-ccp-props=\"{&quot;134233117&quot;:true,&quot;134233118&quot;:true}\">\u00a0<\/span><\/p>\n<h2><span data-contrast=\"none\">Why\u00a0<\/span><span data-contrast=\"none\">DevSecOps<\/span><span data-contrast=\"none\">\u00a0is a\u00a0<\/span><span 
data-contrast=\"none\">B<\/span><span data-contrast=\"none\">etter\u00a0<\/span><span data-contrast=\"none\">W<\/span><span data-contrast=\"none\">ay\u00a0<\/span><span data-contrast=\"none\">Fo<\/span><span data-contrast=\"none\">rward<\/span><span data-ccp-props=\"{&quot;134233117&quot;:true,&quot;134233118&quot;:true}\">\u00a0<\/span><\/h2>\n<p><span data-contrast=\"none\">The good news\u00a0<\/span><span data-contrast=\"none\">today\u00a0<\/span><span data-contrast=\"none\">is that<\/span><span data-contrast=\"none\">\u00a0<\/span><span data-contrast=\"none\">modern<\/span><span data-contrast=\"none\">\u00a0deterministic languages<\/span><span data-contrast=\"none\">,<\/span><span data-contrast=\"none\">\u00a0built on platforms designed to be &#8220;secure by default<\/span><span data-contrast=\"none\">,<\/span><span data-contrast=\"none\">&#8221; give us an advantage. We can combine rich tooling automation with analysis based on the extensive historical data we&#8217;ve discovered during the\u00a0<\/span><span data-contrast=\"none\">I<\/span><span data-contrast=\"none\">nternet\u00a0<\/span><span data-contrast=\"none\">A<\/span><span data-contrast=\"none\">ge<\/span><span data-contrast=\"none\">\u00a0<\/span><span data-contrast=\"none\">to catch software security\u00a0<\/span><span data-contrast=\"none\">issues\u00a0<\/span><span data-contrast=\"none\">and vulnerabilities before they start. 
The most prevalent practices for adding security into a development pipeline today include:<\/span><\/p>\n<ul>\n<li><strong>Code Scanning<\/strong> - static analysis that inspects source code for known classes of coding errors and security holes, including exposed connection strings, secret keys, buffer overruns, and more. These tools can be run interactively from the command line or an IDE, at commit time (as a pre-commit hook or a pull-request check), or during automated builds in the pipeline. A pull-request check is the first point at which a finding can block a merge rather than merely report it, and the earlier a finding surfaces, the cheaper it is to fix.<\/li>\n<li><strong>Dependency Scanning<\/strong> - checks a project&#8217;s package dependencies, including the transitive ones recorded in a lock file, for outdated versions or those with known compromises or vulnerabilities. Checks are done against an ever-growing database of third-party packages that have known, documented issues. Because that database changes daily, a lock file that was clean yesterday can fail today; that is the argument for scanning on a schedule as well as on every change.<\/li>\n<li><strong>Vulnerability Management<\/strong> - tooling that creates a new branch, automatically applies a best-practice fix (typically bumping a vulnerable dependency to the first patched version), and submits it as a pull request for the team to review and approve. The review step matters: an automated version bump can still break a build or change behaviour, so it should pass the same tests and approvals as any other change.<\/li>\n<\/ul>\n<p>The organizational benefits of shifting security left are well documented. According to the <a href=\"https:\/\/media.webteam.puppet.com\/uploads\/2020\/11\/Puppet-State-of-DevOps-Report-2020.pdf\">2020 State of DevOps report<\/a>, 45% of companies with security fully integrated into their delivery process are able to remediate critical vulnerabilities within a single day, compared to just 25% of organizations at lower levels of DevSecOps integration.<\/p>\n<h2>How to Get Started<\/h2>\n<p><span data-contrast=\"none\">Given the cost of delaying a DevSecOps evolution, there&#8217;s no time like the present to get started. Current tools are designed to be integrated directly into your build and deployment pipeline, so the barrier to entry is quite low.
Here are some options for choosing an implementation policy, from good to better to best:<\/span><\/p>\n<ul>\n<li><strong>Good: Run interactively as time allows during development \u2013<\/strong> This approach is solid if you are starting out and\/or have a legacy code base and anticipate a large number of issues to address. You can prioritize them and knock them down over time. The caveat is that nothing enforces it: a scan that runs only when someone remembers to run it is skipped under deadline pressure, and new issues can land alongside the old ones you are still working through.<\/li>\n<li><strong>Better: Scheduled sweeps of the code base \u2013<\/strong> This option can be used in a governance capacity to get regular reports of exposure level and gauge risk to an organization. It&#8217;s a reasonable choice for internal software in an IT organization where external exposure is a smaller concern, with two caveats: a sweep finds problems after they have been merged rather than before, and &#8220;internal&#8221; reduces exposure without removing it, since an attacker with a foothold inside the network reaches internal systems too.<\/li>\n<li><strong>Best: Fully integrated into the pipeline \u2013<\/strong> This most stringent but strongest option ensures your code base has an established baseline of secure practices applied to every check-in, from the first commit through the lifetime of the project. Because findings can fail the build, new issues are stopped at the pull request instead of accumulating; pair the gate with an explicit, reviewable way to suppress a false positive so that it is handled in code review rather than by switching the check off.<\/li>\n<\/ul>\n<p>Hopefully this short article has provided insight into how security can be integrated directly into your development stream in a way that provides benefits quickly, with low friction and cost. For even more examples and strategies, reach out to 3Cloud and take a look at the services GitHub is now providing to customers with strong security concerns.<\/p>\n<p>See <strong>DevSecOps in GitHub<\/strong>.<\/p>\n<p><a href=\"https:\/\/docs.microsoft.com\/en-us\/azure\/architecture\/solution-ideas\/articles\/devsecops-in-github\"><span 
data-contrast=\"none\">https:\/\/docs.microsoft.com\/en-us\/azure\/architecture\/solution-ideas\/articles\/devsecops-in-github<\/span><\/a><span data-ccp-props=\"{&quot;134233117&quot;:true,&quot;134233118&quot;:true}\">\u00a0<\/span><\/p>\n","protected":false},"excerpt":{"rendered":"<p>For\u00a0most developers,\u00a0the words\u202f\u201cSecurity Policy Review\u201d\u00a0can\u00a0stir up images of long meetings late in a project,\u00a0with corporate&mldr;<\/p>\n","protected":false},"author":21,"featured_media":11330,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"content-type":"","footnotes":""},"categories":[381,292],"tags":[],"class_list":["post-11239","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-app-experience","category-app-innovation","topics-blog"],"acf":[],"_links":{"self":[{"href":"https:\/\/3cloudsolutions.com\/wp-json\/wp\/v2\/posts\/11239","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/3cloudsolutions.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/3cloudsolutions.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/3cloudsolutions.com\/wp-json\/wp\/v2\/users\/21"}],"replies":[{"embeddable":true,"href":"https:\/\/3cloudsolutions.com\/wp-json\/wp\/v2\/comments?post=11239"}],"version-history":[{"count":0,"href":"https:\/\/3cloudsolutions.com\/wp-json\/wp\/v2\/posts\/11239\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/3cloudsolutions.com\/wp-json\/wp\/v2\/media\/11330"}],"wp:attachment":[{"href":"https:\/\/3cloudsolutions.com\/wp-json\/wp\/v2\/media?parent=11239"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/3cloudsolutions.com\/wp-json\/wp\/v2\/categories?post=11239"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/3cloudsolutions.com\/wp-json\/wp\/v2\/tags?post=11239"}],"curies":[{"name":"wp","href":"https:\/\/a
pi.w.org\/{rel}","templated":true}]}}
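The code scanning, dependency scanning and pipeline gate that the post above describes, as an added example that is not code from the original post or from 3Cloud: a small Python scan that runs a handful of secret patterns over a constructed source file, checks a constructed lock file against a constructed advisory table, and returns a pass/fail decision a CI job could act on. The pattern set, the `ADVISORIES` table, the package names, the `# scan:ignore` suppression marker and both sample inputs are assumptions made for the demo, not a real advisory feed or a real repository.

```python
"""Minimal CI scan gate: secret scanning plus dependency scanning.
Added example, not code from the original post. Patterns, the advisory
table and the sample inputs are constructed for the demo."""
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class Finding:
    check: str      # "secret" or "dependency"
    rule: str       # pattern name, or the version that fixes the advisory
    location: str   # "file:line" or "package==version"
    severity: str   # "high" or "medium"

# Code scanning: each pattern anchors on a key name plus a credential-shaped
# value, so reading a secret from the environment is not flagged.
SECRET_PATTERNS = {
    "azure_storage_connection_string": re.compile(
        r"DefaultEndpointsProtocol=https?;AccountName=\w+;AccountKey=[A-Za-z0-9+/=]{40,}"),
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "hardcoded_password": re.compile(r"""(?i)password\s*[=:]\s*["'][^"']{8,}["']"""),
}
IGNORE_MARKER = "# scan:ignore"   # explicit suppression, visible in code review

def scan_source(path: str, text: str) -> list[Finding]:
    """One Finding per (line, rule) match; lines carrying the marker are skipped."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if IGNORE_MARKER in line:
            continue
        for rule, pattern in SECRET_PATTERNS.items():
            if pattern.search(line):
                findings.append(Finding("secret", rule, f"{path}:{lineno}", "high"))
    return findings

# Dependency scanning: constructed advisory table, package -> (first fixed
# version, severity). A pin below the first fixed version is vulnerable.
ADVISORIES = {"acme-http": ("2.31.0", "medium"), "yamlish": ("5.4", "high")}

def parse_version(version: str) -> tuple[int, ...]:
    """Numeric version tuple; enough for '==' pins such as 2.30.0 or 5.4."""
    return tuple(int(part) for part in re.findall(r"\d+", version))

def parse_lockfile(text: str) -> dict[str, str]:
    """Read 'name==version' pins (requirements.txt style), ignoring comments."""
    pins = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "==" in line:
            name, version = line.split("==", 1)
            pins[name.strip().lower()] = version.strip()
    return pins

def scan_dependencies(lock_text: str) -> list[Finding]:
    """Flag every pin older than the first fixed version of a known advisory."""
    findings = []
    for name, version in parse_lockfile(lock_text).items():
        if name in ADVISORIES:
            first_fixed, severity = ADVISORIES[name]
            if parse_version(version) < parse_version(first_fixed):
                findings.append(Finding("dependency", f"fixed in {first_fixed}",
                                        f"{name}=={version}", severity))
    return findings

def gate(findings: list[Finding], fail_on: tuple[str, ...] = ("high",)) -> bool:
    """True if the build may proceed. The 'Good' policy only reads the report;
    the 'Best' policy calls this from CI and fails the job when it is False."""
    return not any(f.severity in fail_on for f in findings)

# Constructed sample inputs: not a real key, not real packages.
FAKE_KEY = "Q" * 64
SAMPLE_SOURCE = (
    "import os\n"
    f"STORAGE = 'DefaultEndpointsProtocol=https;AccountName=demoacct;AccountKey={FAKE_KEY}'\n"
    "DB_PASSWORD = os.environ['DB_PASSWORD']   # fine: read from the environment\n"
    "ADMIN_PASSWORD = 'Hunter2Hunter2!'        # hard-coded credential\n"
    "TEST_PASSWORD = 'not-a-real-secret'  # scan:ignore\n"
)
SAMPLE_LOCK = (
    "acme-http==2.30.0   # below first fixed 2.31.0\n"
    "yamlish==5.4.1      # already at a fixed version\n"
    "leftpad==1.0.0      # no advisory\n"
)

def run_scan() -> tuple[list[Finding], bool]:
    findings = scan_source("app/settings.py", SAMPLE_SOURCE) + scan_dependencies(SAMPLE_LOCK)
    return findings, gate(findings)

if __name__ == "__main__":
    found, ok = run_scan()
    for f in found:
        print(f"{f.severity.upper():6} {f.check:10} {f.location}  ({f.rule})")
    print("build may proceed" if ok else "blocking findings present")
```

Run as a script it reports two secret findings (the connection string and the hard-coded password; the suppressed test line is skipped) and one dependency finding, and the default gate refuses the build. The `fail_on` parameter of `gate` is the policy knob: the same scan serves the post's "Good" option (run by hand, read the report), "Better" (run on a schedule, track the count) and "Best" (run on every pull request, fail the job). A real pipeline would replace the constructed `ADVISORIES` table with a maintained advisory feed and the hand-written patterns with a maintained secret scanner; the shape of the decision stays the same.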