The New Era of DevSecOps

What is DevSecOps?

DevSecOps represents a shift in mindset where security is treated as an integral part of the software development and delivery process. DevSecOps advocates for the integration of security practices, such as code analysis, vulnerability scanning, and continuous monitoring, into every phase of the development process.

Problem:

Unauthorized users were granted excessive permissions in a GitHub repository, leading to the modification and deletion of critical code. 

❓Why were unauthorized users granted excessive permissions?

‍There was a misconfiguration of permissions in the repository.

❓Why were unauthorized users granted excessive permissions?

There was a misconfiguration of permissions in the repository. 

❓Why was there a misconfiguration of permissions?‍

Solution:

Implement best practices for securing your repository and ensure that the principle of least privilege is enforced to prevent unauthorized access.

DevSecOps Best Practices

Adopting a Shift Left Mindset

‍Shifting left requires a change in mindset and culture within an organization. It involves breaking down traditional silos between teams. The rewards of shifting left are catching vulnerabilities early on before they progress further down the SDLC and make it into production. One of the most critical vulnerabilities is found in hardcoded secrets. Git Guardian recently uncovered 10 million secrets hidden in 1 billion commits in public repositories. GitHub as described in the State of Secrets Sprawl report. And any of those vulnerabilities could have easily gone unnoticed until a major breach occurred. 

The New Way of Securing the SDLC

The Secure Software Development Life Cycle (SSDLC) is a systematic approach to integrating security into the software development process from code to production. Each phase of the SDLC plays a crucial role in ensuring the development of secure and resilient software. 

Here is a step-by-step breakdown of the main phases of the SDLC using a blueprint to construct a house.  

Planning Phase

‍This phase is similar to the architectural planning and design phase of building a house. It involves gathering requirements, understanding the needs of future occupants, and determining the overall vision and scope of the house. Just like in software development, this phase lays the foundation for the entire project, identifying the key features and functionality required. 

IaC Scanning

IaC scanning tools automate the process of analyzing and evaluating infrastructure code against security best practices and predefined security policies. This eliminates the need for manual code reviews and helps prevent misconfigurations. During the scanning process, the infrastructure code is thoroughly analyzed to identify common security flaws, such as weak access controls, insecure network configurations, hardcoded credentials, outdated software versions, or misconfigured security groups.

SAST vs SCA

Although FAST and SCA serve different purposes, they complement each other in identifying and mitigating security risks. Here are a few differences and advantages of SAST and SCA. 

Using Both SAST and SCA tools together greatly enhances an organization’s AppSec posture. 

What are the DevSecOps tools?

‍ DevSecOps tools include static application security testing (SAST), dynamic application security testing (DAST), software composition analysis (SCA), IaC scanning, secrets detection, container security, CI/CD pipeline security, and honeytokens.

‍