Think about security early with DevSecOps
When do your DevOps teams start the process of checking for security vulnerabilities? In a new white paper from Sogeti and Microsoft, we argue that visibility into application security as early as possible in development is essential in today’s world of increasingly rapid software delivery.
The paper, 6 tips to integrate security into your DevOps practices, advocates integrating your security team with the existing DevOps team to create DevSecOps. In a series of blog posts, we’re giving you a flavor of all 6 tips; this post covers Tip 2: Integrate security in the early stages of the development cycle.
Avoid the roadblocks
The white paper urges DevSecOps teams to think about security upfront to help them avoid vulnerabilities and common roadblocks. That’s because choosing a security solution at the end of the development process offers limited protection for critical code, data, and software supply chains.
So, how do DevSecOps teams shift security left? The paper states that it’s time to evolve past the batch approach many security teams still use to scan for vulnerabilities. Batch scanning not only requires human involvement, it’s also prone to errors and cannot run on demand. Moreover, these security checks occur independently from the developer team — limiting the context available to security professionals. Delays creep in between lifecycle stages, and feedback often arrives late.
A metric for quality — Qualimetry
Gathering a holistic understanding of the quality of your enterprise’s delivery pipeline, code, and applications is called “Qualimetry.” Using static and dynamic scans together helps to outline the Qualimetry of your enterprise’s continuous integration pipelines. Consistently looking at quality indicators helps reduce the risk of drift and technical debt. Further, you allow the development team even greater autonomy to address code quality. These CI pipeline quality checks harden the security of the whole system.
Unfortunately, static analysis is a source of “false positives.” So, once you perform static application security testing (SAST) against applications and infrastructure, it’s important to follow up with dynamic application security testing (DAST) to confirm or rule out the static findings. From your CD pipeline, deploy a temporary environment and run dynamic security tests against it. You can then integrate a vulnerability assessment solution purpose-built for this task, such as Azure Defender. Testing a temporary environment keeps the tests away from critical data and systems while stopping a potentially dangerous build before it reaches production.
Regular and consistent scanning
Alongside an illustration of what holistic vulnerability analysis looks like in practice, Tip No. 2 offers further advice, such as the need to address updates as they appear rather than during drawn-out reviews before each production release. In essence, scan regularly and scan consistently.

Find common vulnerabilities and exposures (CVEs)
The application vulnerabilities most commonly scanned for remediation are the OWASP Top 10. A tool like the Azure Security Center’s regulatory compliance dashboard scans your Azure subscription in search of these vulnerabilities.

Expand your scans for compliance
Enterprises that don’t scan for compliance or advanced threats leave themselves open to modern threats. The answer is to scan for more comprehensive vulnerabilities including compliance readiness using best practices like the NIST framework or the CIS Benchmark.

Detect early, fix early
Set up processes to scan container images and infrastructure-as-code files for CVEs before they are deployed, so that no known vulnerabilities reach production and remediation happens as early as possible.

Automate processes
Build efficiency within your enterprise by switching to automated processes that find and remediate issues faster by scanning whenever a new change occurs, without requiring human intervention.

Improve the traceability
Ensure every step of the pipeline generates data that can later be used for auditing or trend analysis.

Manage by the metrics
Generate reports that grade your enterprise on the total number of CVEs in its infrastructure, the level of code smell, and the amount of duplicated code.

Use quality gates to ensure compliance
Before each release, use a security gate to measure the quality of the code against prescribed standards. If the code does not meet those standards, pause the release, fix the vulnerabilities, and only then approve it.
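As an added illustration (not code from the white paper, Sogeti or Microsoft), here is a minimal release gate in Python that combines the SAST findings from the CI stage, the DAST results from the temporary environment, and the Qualimetry metrics listed above. The sample findings, thresholds and the scanner result shapes are all constructed for this example; a static finding is discarded only when DAST explicitly tested it and could not reproduce it, so untested findings are never silently dropped.

```python
from dataclasses import dataclass, field

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed sample data (not output of any real scanner): SAST findings from the
# CI stage and DAST results from the temporary environment the CD stage deployed.
SAST_FINDINGS = [
    {"id": "CWE-89", "severity": "high", "location": "app/db.py:42"},
    {"id": "CWE-79", "severity": "medium", "location": "app/views.py:17"},
    {"id": "CWE-798", "severity": "low", "location": "app/config.py:3"},
]
DAST_RESULTS = {  # finding id -> whether the dynamic test reproduced it
    "CWE-89": False,  # static hit not reproducible at runtime: a false positive
    "CWE-79": True,
}  # CWE-798 was never dynamically tested, so it must not be discarded
METRICS = {"cve_count": 2, "code_smells": 14, "duplicated_lines_pct": 3.5}

@dataclass
class GatePolicy:
    fail_on_severity: str = "high"  # kept findings at/above this block the release
    max_cve_count: int = 0
    max_code_smells: int = 50
    max_duplicated_lines_pct: float = 5.0

@dataclass
class GateResult:
    passed: bool
    reasons: list = field(default_factory=list)

def triage(sast, dast):
    """Drop only SAST findings that DAST explicitly tested and failed to reproduce."""
    return [f for f in sast if dast.get(f["id"], True)]

def evaluate(policy, sast, dast, metrics):
    """Return a GateResult; a failed gate pauses the release for remediation."""
    reasons = []
    threshold = SEVERITY_RANK[policy.fail_on_severity]
    for f in triage(sast, dast):
        if SEVERITY_RANK[f["severity"]] >= threshold:
            reasons.append(f"{f['id']} ({f['severity']}) at {f['location']}")
    for name, limit in (("cve_count", policy.max_cve_count),
                        ("code_smells", policy.max_code_smells),
                        ("duplicated_lines_pct", policy.max_duplicated_lines_pct)):
        if metrics[name] > limit:
            reasons.append(f"{name} {metrics[name]} > {limit}")
    return GateResult(passed=not reasons, reasons=reasons)

if __name__ == "__main__":
    result = evaluate(GatePolicy(), SAST_FINDINGS, DAST_RESULTS, METRICS)
    print("release" if result.passed else "paused for remediation:", result.reasons)
```

With the sample data the gate pauses the release on the CVE count alone, because the only high-severity static finding was ruled out by DAST; tightening `fail_on_severity` to "medium" makes the DAST-confirmed CWE-79 block it as well.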
Download the white paper 6 tips to integrate security into your DevOps practices.
