DevSecOps — What Security Controls exist and when to implement them?
In this short article, I give an overview of which security controls exist, at which stage each can be added to the CI/CD process, and what benefits we get from it. In simple words, DevSecOps is about adding different security controls at every step of your CI/CD process. The goal is to identify potential security issues as early as possible during the development process.
Let's imagine the following workflow:
The list of Security Controls that can be added:
- Linters
- Detecting secrets tool
- Static application security testing (SAST)
- Software Composition Analysis (SCA)
- Container Security checks
- Dynamic Application Security Testing (DAST)
Now, let’s go through each security control listed.
1) Linters
A linter is a tool that analyses source code to flag programming errors, bugs, stylistic errors, and suspicious constructs.
What advantage does it give to us?
- Detects errors
- Detects formatting and styling issues
- Makes the code easier to maintain
- Suggests best practices
When can we add a linter?
2) Detecting secrets
Detecting secrets is the process of finding secrets (usernames and passwords, tokens, etc.) in the codebase.
Why should we detect secrets?
- Sensitive data should not be hardcoded
- Sensitive data should not be stored unencrypted
- Sensitive data should not be stored in the source code
What tools can be used for that: pre-commit hooks, truffleHog, etc.
When can we add the Detecting secrets tool?
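The example below is added here to show what a minimal secret-detection step looks like; it is not code from the article or from truffleHog. It combines two techniques such tools use: pattern rules for secrets with a known shape (the AWS access key id prefix "AKIA" is the documented format; the password-assignment rule is a generic heuristic) and a Shannon-entropy rule that catches random-looking tokens no pattern knows about. The "repository" it scans is a constructed dict of two files with planted, fake secrets; the entropy threshold of 4.0 bits per character and the 20-character minimum token length are assumptions you would tune per codebase.

```python
import math
import re

# Constructed sample "repository": two files with planted, fake secrets.
SAMPLE_FILES = {
    "config.py": (
        "DB_USER = 'app'\n"
        "DB_PASSWORD = 'Sup3rS3cretPassw0rd!'\n"
        "DEBUG = True\n"
    ),
    "deploy.sh": (
        "#!/bin/sh\n"
        "export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n"
        "export API_TOKEN=q8Z2vL9xP1mN4kR7tW0yB3cD6fG5hJ2s\n"
        "echo hello world\n"
    ),
}

# Pattern rules: secrets with a known shape. The AWS access key id rule uses
# the documented 'AKIA' prefix; the assignment rule is a generic heuristic.
PATTERN_RULES = {
    "aws-access-key-id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "password-assignment": re.compile(
        r"(?i)(password|passwd|pwd)\s*[:=]\s*['\"]?([^'\"\s]{8,})"
    ),
}

# Entropy rule: catches random-looking tokens that no pattern knows about.
TOKEN_RE = re.compile(r"[A-Za-z0-9+/_-]{20,}")
ENTROPY_THRESHOLD = 4.0  # bits per character (assumed); tune per codebase to cut noise


def shannon_entropy(s: str) -> float:
    """Shannon entropy in bits per character; 0.0 for an empty or one-symbol string."""
    if not s:
        return 0.0
    length = len(s)
    return -sum(
        (n / length) * math.log2(n / length)
        for n in (s.count(c) for c in set(s))
    )


def scan_line(path, lineno, line):
    """Apply every rule to one line; return a list of finding dicts."""
    findings = []
    for rule, rx in PATTERN_RULES.items():
        if rx.search(line):
            findings.append({"file": path, "line": lineno, "rule": rule})
    for token in TOKEN_RE.findall(line):
        if shannon_entropy(token) >= ENTROPY_THRESHOLD:
            findings.append({"file": path, "line": lineno, "rule": "high-entropy"})
    return findings


def scan_files(files):
    """Scan a {path: content} mapping, as a pre-commit hook would scan staged files."""
    findings = []
    for path, content in files.items():
        for lineno, line in enumerate(content.splitlines(), start=1):
            findings.extend(scan_line(path, lineno, line))
    return findings


if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f"{f['file']}:{f['line']}: {f['rule']}")
```

Run against the constructed files, the pattern rules catch the hardcoded password and the AWS key id, and only the entropy rule catches the API token, which is why real tools combine both. Wired into a pre-commit hook, a non-empty result would block the commit; in CI, it would fail the build before the secret reaches the repository history.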
3) Static application security testing (SAST)
Static application security testing (SAST) is a testing methodology that analyses source code to find security vulnerabilities.
What advantage does it give to us?
- Detecting security vulnerabilities that follow a recognisable pattern
- Detecting secrets
Disadvantages?
- High level of false positives
What tools can be used for that: SonarQube, Synopsys
When can we add the SAST tool?
Note: read more about How to start Static Application Security Testing (SAST) with SonarQube?
4) Software Composition Analysis (SCA)
Software composition analysis (SCA) is an automated process that identifies the open-source software in a codebase.
What advantage does it give to us?
- We know what dependencies we use
- We know what vulnerabilities exist in the dependencies we use
- We can select dependency versions with fewer vulnerabilities
- We can tell whether a vulnerability can be fixed by updating a dependency to the latest version
What tools can be used for that: Snyk, OWASP Dependency-Track
When can we add the SCA tool?
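The following is an added example of the core SCA logic (knowing what you depend on, matching it against advisories, and deciding which upgrade fixes it); it is not code from the article, Snyk or Dependency-Track. Both the pinned `requirements.txt` and the advisory feed are constructed for the example, the advisory ids are placeholders rather than real CVE numbers, and the versions shown do not describe real vulnerabilities in those packages. Each advisory covers the half-open range [introduced, fixed), which is how most advisory databases express affected versions.

```python
# Constructed lockfile in requirements.txt style; package versions are illustrative.
REQUIREMENTS = """\
# web stack
flask==1.0.2
requests==2.19.0
pyyaml==5.3.1
itsdangerous==2.1.2
"""

# Constructed advisory feed: package -> advisories with the affected version
# range [introduced, fixed). IDs are placeholders, not real CVE numbers.
ADVISORIES = {
    "requests": [
        {"id": "ADV-EXAMPLE-0001", "severity": "moderate", "introduced": "2.0.0", "fixed": "2.20.0"},
    ],
    "pyyaml": [
        {"id": "ADV-EXAMPLE-0002", "severity": "critical", "introduced": "0.0.0", "fixed": "5.4.0"},
        {"id": "ADV-EXAMPLE-0003", "severity": "high", "introduced": "0.0.0", "fixed": "5.3.0"},
    ],
    "flask": [
        {"id": "ADV-EXAMPLE-0004", "severity": "high", "introduced": "0.0.0", "fixed": "1.0.0"},
    ],
}

SEVERITY_RANK = {"critical": 4, "high": 3, "moderate": 2, "low": 1}


def parse_version(v):
    """Turn '2.19.0' into (2, 19, 0) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in v.split("."))


def parse_requirements(text):
    """Read pinned 'name==version' lines; comments and blank lines are skipped."""
    pins = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        name, version = line.split("==")
        pins[name.strip().lower()] = version.strip()
    return pins


def find_vulnerable(pins, advisories):
    """Match each pinned version against the advisory ranges for that package."""
    findings = []
    for name, version in pins.items():
        v = parse_version(version)
        for adv in advisories.get(name, []):
            if parse_version(adv["introduced"]) <= v < parse_version(adv["fixed"]):
                findings.append({"package": name, "version": version, **adv})
    # Most severe first, so the report leads with what must be fixed now
    return sorted(findings, key=lambda f: -SEVERITY_RANK[f["severity"]])


def recommend_upgrades(findings):
    """Smallest version per package that clears every matched advisory."""
    upgrades = {}
    for f in findings:
        current = upgrades.get(f["package"])
        if current is None or parse_version(f["fixed"]) > parse_version(current):
            upgrades[f["package"]] = f["fixed"]
    return upgrades


if __name__ == "__main__":
    found = find_vulnerable(parse_requirements(REQUIREMENTS), ADVISORIES)
    for f in found:
        print(f"{f['package']}=={f['version']}: {f['id']} ({f['severity']}), fixed in {f['fixed']}")
    print("upgrade plan:", recommend_upgrades(found))
```

On the constructed input, `flask` is pinned above its advisory's fixed version and is not reported, `pyyaml` matches only the advisory that is still open, and the upgrade plan names the smallest version that clears each package. A real tool additionally walks transitive dependencies and reads the lockfile's full dependency graph; the matching step is the same.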
5) Container Security checks
Container security checks compare the container image against a policy.
What can we check here:
- Is the OS out of date?
- Does the container contain vulnerable open-source libs (focus on critical and high)?
- What about the file system permissions?
- Are there open ports?
What advantage does it give to us?
- Detect incorrectly configured containers
- Detect an out-of-date operating system
- Detect vulnerable libraries
What tools can be used for that: Docker Scan, Clair, Anchore
When can we add the Container Security checks?
Note: read more about How to Start with Container Security?
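Here is an added example of the "compare the container with the policy" step for the four checks listed above; it is not code from the article, Docker Scan, Clair or Anchore. The inspection result (OS release, user, exposed ports, packages with their worst finding severity, file modes) is a constructed dict standing in for what a scanner collects from an image, and the policy is likewise constructed: the image name is a placeholder, and treating Debian 9 as out of date is an illustrative policy entry, not a statement about that release. `gate()` is the function a pipeline step would call to decide whether the image may be pushed.

```python
import stat

# Constructed inspection result for one image: the facts a scanner collects
# before comparing them with policy. Image name and versions are placeholders.
IMAGE = {
    "name": "example/app:1.0",
    "os": {"name": "debian", "version": "9"},
    "user": "root",
    "exposed_ports": [8080, 22],
    "packages": [
        {"name": "openssl", "version": "1.1.0l", "max_severity": "high"},
        {"name": "curl", "version": "7.64.0", "max_severity": "low"},
        {"name": "zlib", "version": "1.2.11", "max_severity": None},
    ],
    "files": [
        {"path": "/app/start.sh", "mode": 0o777},
        {"path": "/app/config.yml", "mode": 0o644},
    ],
}

# Constructed policy: what the organisation considers acceptable.
POLICY = {
    "outdated_os": {("debian", "9")},  # (name, version) pairs treated as out of date (illustrative)
    "blocked_severities": {"critical", "high"},
    "allowed_ports": {8080},
    "forbid_root_user": True,
    "forbid_world_writable": True,
}


def check_image(image, policy):
    """Compare an image inspection result with a policy; return (rule, detail) violations."""
    violations = []
    os_key = (image["os"]["name"], image["os"]["version"])
    if os_key in policy["outdated_os"]:
        violations.append(("os-out-of-date", f"{os_key[0]} {os_key[1]}"))
    for pkg in image["packages"]:
        if pkg["max_severity"] in policy["blocked_severities"]:
            violations.append(
                ("vulnerable-package", f"{pkg['name']} {pkg['version']} ({pkg['max_severity']})")
            )
    for port in image["exposed_ports"]:
        if port not in policy["allowed_ports"]:
            violations.append(("unexpected-port", str(port)))
    if policy["forbid_root_user"] and image["user"] in ("root", "0", ""):
        violations.append(("runs-as-root", image["user"] or "<unset>"))
    if policy["forbid_world_writable"]:
        for f in image["files"]:
            if f["mode"] & stat.S_IWOTH:  # world-writable bit set
                violations.append(("world-writable-file", f"{f['path']} {oct(f['mode'])}"))
    return violations


def gate(image, policy):
    """Pipeline gate: True when the image may be pushed or deployed."""
    return not check_image(image, policy)


if __name__ == "__main__":
    for rule, detail in check_image(IMAGE, POLICY):
        print(f"{rule:<22} {detail}")
    print("allowed:", gate(IMAGE, POLICY))
```

The constructed image fails all five checks; change the base image, drop the SSH port, add a non-root `USER`, tighten the script's mode and update the library, and the same policy lets it through. Keeping the policy as data rather than code is what lets security and platform teams own it without editing the pipeline.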
6) Dynamic Application Security Testing (DAST)
Dynamic application security testing (DAST) is a method of AppSec testing that examines an application while it is running.
What advantage does it give to us?
- Detect some common vulnerabilities
- Detect some known misconfigurations
- Detect some vulnerable software/components used
What tools can be used for that: OWASP ZAP, Burp Suite Pro, Netsparker
When can we add DAST?
In future articles, I will explain each step in more detail, so subscribe so you don't miss them!
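As an added example of the "examines an application while it is running" idea (not code from the article, OWASP ZAP, Burp Suite or Netsparker), the block below starts a constructed stand-in web application on a loopback port, sends it a real HTTP request, and evaluates the live response the way a passive DAST baseline scan does: are the common security headers present, and does the `Server` banner disclose a version? The handler class, its `ExampleServer/1.0` banner and the expected-header table are all assumptions for the example; the header check itself is a pure function so it can also be run over a saved response.

```python
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.request import urlopen

# Headers a baseline scan expects on an HTML response and why each matters (assumed table).
EXPECTED_HEADERS = {
    "Content-Security-Policy": "no CSP: injected scripts are not constrained",
    "X-Content-Type-Options": "nosniff missing: browsers may sniff MIME types",
    "X-Frame-Options": "framing not restricted: clickjacking possible",
    "Strict-Transport-Security": "HSTS missing (only meaningful when served over HTTPS)",
}


def evaluate_headers(headers):
    """Pure check over a response header mapping; returns (rule, header, detail) tuples."""
    lower = {k.lower(): v for k, v in headers.items()}
    findings = []
    for name, why in EXPECTED_HEADERS.items():
        if name.lower() not in lower:
            findings.append(("missing-header", name, why))
    banner = lower.get("server", "")
    if any(ch.isdigit() for ch in banner):  # e.g. "ExampleServer/1.0" leaks a version
        findings.append(("version-disclosure", "Server", banner))
    return findings


class ConstructedTarget(BaseHTTPRequestHandler):
    """Stand-in application: version banner in the Server header, no security headers."""

    def version_string(self):
        return "ExampleServer/1.0"  # constructed banner

    def do_GET(self):
        body = b"<html><body>hello</body></html>"
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the scan output clean
        pass


def scan_running_app():
    """Start the target on a loopback port, request '/', evaluate the live response."""
    server = HTTPServer(("127.0.0.1", 0), ConstructedTarget)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        url = f"http://127.0.0.1:{server.server_address[1]}/"
        with urlopen(url, timeout=5) as resp:
            headers = dict(resp.getheaders())
        return evaluate_headers(headers)
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    for rule, header, detail in scan_running_app():
        print(f"{rule:<20} {header}: {detail}")
```

Against the constructed target this reports the four missing headers and the version banner. Because the scan only sees what the running application actually sends, it catches deployment-time misconfiguration (a reverse proxy stripping headers, a framework default left on) that SAST on the source cannot see, which is why DAST sits at the end of the pipeline, after a test environment exists.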
Also, read Implementing Application Security on your project
Follow me and stay secure!