DevSecOps — What Security Controls exist and when to implement them?

In this short article, I tried to overview what Security Controls exists, what stage it can be added to the CI/CD process, and what benefits we receive. In simple words, DevSecOps is about adding different security controls at every step of your CI/CD process. The goal is to identify potential security issues as early as possible during the development process.

Let imagine the following workflow

The list of Security Controls that can be added:

1. Linters
2. Detecting secrets tool
3. Static application security testing (SAST)
4. Software Composition Analysis (SCA)
5. Container Security checks
6. Dynamic Application Security Testing (DAST)

Now, let’s go through each security control listed.

1) Linters

Linter - is a tool that analyses source code to flag programming errors, bugs, stylistic errors, and suspicious constructs.

What advantage does it give to us?

• Detect errors
• Detect formations of styling issues
• Maintains the code easier
• Suggests the best practice

When can we add Linter?

2) Detecting secrets

Detecting secrets - is a process of detecting secrets(usernames and passwords, tokens, etc.) in the codebase.

Why should we detect secrets?

• Sensitive data should not be hardcoded
• Sensitive data should not be unencrypted
• Sensitive data should not be stored in the source code

What tools can be used for that: pre-commit hooks, truffleHog, etc.

When can we add the Detecting secrets tool?

3) Static application security testing (SAST)

Static application security testing (SAST) — is a testing methodology that analyses source code to find security vulnerabilities.

What advantage does it give to us?

• Detecting security vulnerabilities with an apparent pattern
• Detecting secrets

Disadvantages?

• High level of false positives

What tools can be used for that: SonarQube, Synopsys

When can we add the SAST tool?

Note: read more about How to start Static Application Security Testing(SAST) with SonarQube?

4) Software Composition Analysis (SCA)

Software composition analysis (SCA) — is an automated process that identifies the open-source software in a codebase.

• What advantage does it give to us?
• We know what dependencies we use
• We know what vulnerabilities exists in the dependencies we use
• We can select the dependencies versions with fewer vulnerabilities
• We know can if we can fix the vulnerability by updating some dependency to the lasted version

What tools can be used for that: Snyk, OWASP dependency track

When can we add the SCA tool?

5) Container Security checks

Container Security checks - is a process of comparing the container with the policy.

What we can check here:

• Is the OS out of date?
• Does the container contain vulnerable open-source libs(focus on critical and high)?
• What about the file system permissions?
• Are there Open ports?

What advantage does it give to us?

• Detect incorrectly configured containers
• Detect the updated operating system
• Detect vulnerable libraries

What tools can be used for that: Docker Scan, Clair, Anchore

When can we add the Container Security checks?

Note: read more about How to Start with Container Security?

6) Dynamic Application Security Testing (DAST)

Dynamic application security testing (DAST) — is a method of AppSec testing that examines an application while it’s running.

What advantage does it give to us?

• Detect some common vulnerabilities
• Detect some known misconfigurations
• Detect some vulnerable software/components used

What tools can be used for that: OWASP ZAP, Burp Suite Pro, Netsparker

When can we add the DAST?

In the feature articles, I will explain in more detail each step, so subscribe to do not miss!

Also, read Implementing Application Security on your project

Follow me and stay secure!