Below is a comprehensive listing of the security dimensions to be addressed under DevSecOps.
| # | Security Dimension |
|---|--------------------|
| 1 | Application Security Testing (SAST, DAST, IAST, SCA, IaC testing, Supply chain security, etc.) |
| 2 | Vulnerability Management |
| 3 | Dependency management |
| 4 | Secrets Management |
| 5 | Endpoint security (Malware protection, Workload protection) |
| 6 | Security Observability |
| 7 | Compliance Audit |
| 8 | Policy as code |
Application Security Testing – Application Security Testing (AST) is the process of analyzing and testing applications for security vulnerabilities. Capabilities of AST include:
- Static AST (SAST): Analyzes an application’s source, bytecode or binary code for security vulnerabilities, typically during the programming and/or testing phases of the software development life cycle (SDLC).
- Software composition analysis (SCA): Used to identify open-source and, much less frequently, commercial components in use in an application. From this, known security vulnerabilities, potential licensing concerns and operational risks can be identified.
- Dynamic AST (DAST): Analyzes applications in their running (i.e., dynamic) state during the testing and operational phases. DAST simulates attacks against an application (typically web-enabled applications, but increasingly application programming interfaces [APIs] as well), analyzes the application’s reactions and determines whether it is vulnerable.
- Infrastructure-as-code (IaC) testing: Gartner defines IaC as the creation, provisioning and configuration of software-defined compute (SDC), network and storage infrastructure as source code. IaC security testing tools help ensure conformance with common configuration hardening standards, identify security issues associated with specific operational environments, locate embedded secrets, and perform other tests supporting organization-specific standards and compliance requirements.
- Interactive AST (IAST): IAST tools instrument a running application (e.g., via the Java Virtual Machine [JVM] or the .NET Common Language Runtime [CLR]) and examine its operation to identify vulnerabilities. Most IAST implementations are considered passive, in that they rely on other application testing to create the activity that the IAST tools then evaluate.
- Software supply chain security (SSCS): Functions intended to identify and manage risks associated with software supply chains. They may include:
  - Proactive analysis of software from external sources (open source or commercial) to identify components that may pose an unacceptable risk (e.g., poorly maintained projects, inadequate security controls, presence of malware or malicious code, etc.).
  - Creation and management of artifacts to enable software users to evaluate the security of software produced by an organization (such as software bills of materials [SBOM] or application security attestations).
  - Ensuring the integrity of source code and other development or deployment artifacts, and the underlying systems used to produce them, to prevent direct attacks on the development process.
Vulnerability Management – This is about scanning artifacts (libraries, packages, etc.) for known vulnerabilities. The key capabilities are:
- Application package vulnerabilities – scanning application packages for known vulnerabilities
- Container image scanning – scanning container images for known vulnerabilities using vulnerability databases (NVD, etc.), Linux distribution security advisories and other sources
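The core of both capabilities above is matching each component's version against an advisory feed and gating the pipeline on the result. The example below is added here and is not code from the original page; the advisory ids, version-range format and component list are constructed, and the version ordering is deliberately simplified.

```python
from dataclasses import dataclass
from typing import List, Tuple

SEVERITY_RANK = {"CRITICAL": 0, "HIGH": 1, "MEDIUM": 2, "LOW": 3}

def parse_version(v: str) -> Tuple[int, ...]:
    # Constructed simplification: numeric dotted versions only (real tools use ecosystem rules).
    return tuple(int(p) for p in v.split("."))

@dataclass(frozen=True)
class Advisory:
    vuln_id: str      # placeholder ids, not real CVE numbers
    package: str
    introduced: str   # first affected version (inclusive)
    fixed: str        # first fixed version (exclusive); "" means no fix yet
    severity: str

    def affects(self, version: str) -> bool:
        v = parse_version(version)
        if v < parse_version(self.introduced):
            return False
        return not self.fixed or v < parse_version(self.fixed)

# Constructed advisory feed standing in for NVD / distribution advisories.
ADVISORIES = [
    Advisory("EXAMPLE-0001", "libfoo", "1.0.0", "1.4.2", "HIGH"),
    Advisory("EXAMPLE-0002", "libfoo", "2.0.0", "", "CRITICAL"),
    Advisory("EXAMPLE-0003", "barparser", "0.9.0", "0.9.5", "MEDIUM"),
]

def scan(components: List[Tuple[str, str]], advisories=ADVISORIES) -> List[dict]:
    """One finding per (component, advisory) match, most severe first."""
    findings = []
    for name, version in components:
        for adv in advisories:
            if adv.package == name and adv.affects(version):
                findings.append({"package": name, "version": version,
                                 "id": adv.vuln_id, "severity": adv.severity,
                                 "fixed_in": adv.fixed or None})
    return sorted(findings, key=lambda f: SEVERITY_RANK[f["severity"]])

def gate(findings: List[dict], fail_on: str = "HIGH") -> bool:
    """Pipeline gate: pass unless any finding is at or above the fail_on severity."""
    return all(SEVERITY_RANK[f["severity"]] > SEVERITY_RANK[fail_on] for f in findings)

if __name__ == "__main__":
    # Constructed component list, e.g. extracted from a container image or an SBOM.
    sbom = [("libfoo", "1.3.0"), ("barparser", "0.9.5"), ("libfoo", "2.1.0")]
    print(scan(sbom), "gate passed:", gate(scan(sbom)))
```

Note that a component whose version equals the advisory's fixed version (barparser 0.9.5) is correctly reported clean, while an advisory with no fix yet matches every version from the introduced one upward.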
Dependency Management – This is about updating the dependencies of a given source code repository automatically. Keeping dependencies updated to the latest version is one of the key aspects of security. There are tools that automate dependency updates by creating PRs, and they can be configured to run periodically.
Secrets Management – This is about managing passwords and other secrets used by the application; it should also implement secret rotation, expiry and other best practices.
Endpoint Security
Malware protection – This is about scanning container images, running Docker containers, and filesystems to find indicators of malware that match known malware signatures, and may indicate that the container or filesystem has been compromised.
Workload protection, Ransomware protection – This is about protecting workloads at runtime and continuously detecting unexpected behavior, configuration changes, intrusions, and data theft in real time.
Security Observability – This is about gaining visibility into the security vulnerabilities of the applications and infrastructure during runtime.
Compliance audits – This is about auditing the software supply chain stack for security compliance based on security benchmarks like the new CIS Software Supply Chain benchmark. The auditing covers the entire SDLC process, where it can reveal risks from code time through to deploy time.
Policy-as-Code – Policy-as-code is an approach to policy management in which policies are defined, updated, shared, and enforced using code written in a high-level language. By leveraging code-based automation instead of relying on manual processes to manage policies, policy-as-code allows teams to move more quickly and reduces the potential for mistakes due to human error.
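As an added illustration (not code from the original page), the following expresses a small deployment policy set as code: each rule is a reviewed, versioned function, and a single enforcement point denies any manifest that violates one. The manifest shape (a dict loosely modelled on a container deployment spec) and the rules themselves are constructed assumptions.

```python
from typing import Callable, Dict, List

Policy = Callable[[dict], List[str]]   # a rule returns a list of violation messages
POLICIES: Dict[str, Policy] = {}       # the registered rule set, versioned with the code

def policy(name: str):
    def register(fn: Policy) -> Policy:
        POLICIES[name] = fn
        return fn
    return register

@policy("no-latest-tag")
def no_latest_tag(m: dict) -> List[str]:
    # Mutable tags make deployments unreproducible and invalidate image-scan results.
    return [f"container {c['name']} uses mutable tag {c['image']}"
            for c in m.get("containers", [])
            if c["image"].endswith(":latest") or ":" not in c["image"]]

@policy("non-root")
def non_root(m: dict) -> List[str]:
    return [f"container {c['name']} does not set runAsNonRoot"
            for c in m.get("containers", [])
            if not c.get("securityContext", {}).get("runAsNonRoot", False)]

@policy("no-privileged")
def no_privileged(m: dict) -> List[str]:
    return [f"container {c['name']} runs privileged"
            for c in m.get("containers", [])
            if c.get("securityContext", {}).get("privileged", False)]

@policy("required-labels")
def required_labels(m: dict) -> List[str]:
    missing = {"owner", "data-classification"} - set(m.get("labels", {}))
    return [f"missing required label {label}" for label in sorted(missing)]

def evaluate(manifest: dict) -> Dict[str, List[str]]:
    """Run every registered policy; only rules with violations appear in the report."""
    report = {name: rule(manifest) for name, rule in POLICIES.items()}
    return {name: v for name, v in report.items() if v}

def admit(manifest: dict) -> bool:
    """Enforcement point (CI gate or admission hook): deny on any violation."""
    return not evaluate(manifest)

# Constructed manifests: one violating several rules, one compliant.
BAD = {"labels": {"owner": "team-a"}, "containers": [{"name": "web",
       "image": "registry.example/web:latest", "securityContext": {"privileged": True}}]}
GOOD = {"labels": {"owner": "team-a", "data-classification": "internal"}, "containers": [
        {"name": "web", "image": "registry.example/web:1.4.2", "securityContext": {"runAsNonRoot": True}}]}
```

Running `evaluate(BAD)` lists every failed rule with a human-readable reason, which is what a pipeline would surface to the author, while `admit(GOOD)` passes silently.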