Introduction
Around the year 2010, software engineering was transformed by the invention of the DevOps methodology. Its main focus was to bring developers (Dev) and server admins (Ops) into close cooperation in order to ensure that software products get quick and steady releases.
DevOps changed the landscape of software creation by providing tools to automate CI/CD pipelines, terraforming or maintaining server and network instances as code, and procedures and protocols for automating unit and e2e testing. It also gave us the role of DevOps Engineer, a fairly new position in the IT world that focuses on the tasks mentioned above.
Enter DevSecOps
Businesses small and big have quickly adopted the DevOps methodology. In 2022 DevOps Engineers are essential IT personnel in delivering products / local software instances to their online environments. As these practices became standard, businesses have switched their focus from delivering fast to delivering fast but secure software.
Cyber crime is on a steady rise: data breaches, ransomware, phishing, supply chain attacks, “evil competition” DDoS attacks, social engineering attacks; the list goes on and on. For more stats about cyber crime you can read this article.
In the past, security teams were mostly reactive and not involved in the development phase. Security specialists would focus on audits, reports and scans of already finished electronic products, then go back to dev teams or product owners for remediation actions. This approach can be very problematic: features or functions based on insecure solutions need time to be rewritten or adjusted, and sometimes already paid-for and delivered products need additional work in order to comply with security standards.
DevSecOps tries to remediate this problem by involving the security team in the development process. In the industry this is sometimes referred to as “shifting left”. This move tries to shift the responsibility for secure coding into the developer domain by providing the necessary tools and procedures to the DevOps cycle.
DevSecOps OWASP model
In my current position (Dec, 2022) as web application architect and team leader, I have adopted the DevSecOps model proposed by the OWASP organization: https://github.com/OWASP/DevSecOpsGuideline
The DevSecOps model helps in producing:
- automation to create short feedback loops to developers
- breaking down the silos between development, security, and operations
- breaking down security work into small pieces to create flow
- making decisions based on threat intelligence from operations
- establishing a culture of security experimentation and learning
Threat Modeling
The first step in running a successful DevSecOps model is to do a threat analysis of the software you plan to develop. What are the essential points of your application that need to be protected? This mental exercise will help you determine which aspects of your software you need to focus on. It will also help you plan any remediation steps or procedures that need to be developed in order to minimize damage when things go sideways.
In my opinion it will always look better if some security procedures and emergency plans fail than to have no plans at all.
The most common sensitive points are:
Data breach / Data corruption
Customer or business data deemed sensitive needs extra application security focus. Protecting user data like credit cards, home addresses, emails and passwords is imperative from a business and reputation point of view. Who in their right mind would like to share their private information with an amateur or insecure application?
Another huge risk these days in terms of data and system protection is ransomware. All systems should have proper backup plans, paying up ransom so the system can continue to operate