Trustwave Government Solutions Attains StateRAMP Authorization. Learn More

Request a Demo

Trustwave Government Solutions Attains StateRAMP Authorization. Learn More

Request a Demo
Services
Capture
Managed Detection & Response

Eliminate active threats with 24/7 threat detection, investigation, and response.

twi-managed-portal-color
Co-Managed SOC (SIEM)

Maximize your SIEM investment, stop alert fatigue, and enhance your team with hybrid security operations support.

twi-briefcase-color-svg
Advisory & Diagnostics

Advance your cybersecurity program and get expert guidance where you need it most.

tw-laptop-data
Penetration Testing

Test your physical locations and IT infrastructure to shore up weaknesses before exploitation.

twi-database-color-svg
Database Security

Prevent unauthorized access and exceed compliance requirements.

twi-email-color-svg
Email Security

Stop email threats others miss and secure your organization against the #1 ransomware attack vector.

tw-officer
Digital Forensics & Incident Response

Prepare for the inevitable with 24/7 global breach response in-region and available on-site.

tw-network
Firewall & Technology Management

Mitigate risk of a cyberattack with 24/7 incident and health monitoring and the latest threat intelligence.

View All Trustwave Services
Solutions
BY INDUSTRY
BY REGULATION
BY TOPIC
Offensive Security
Solutions to maximize your security ROI
Microsoft Exchange Server Attacks
Stay protected against emerging threats
Rapidly Secure New Environments
Security for rapid response situations
Securing the Cloud
Safely navigate and stay protected
Securing the IoT Landscape
Test, monitor and secure network objects
Why Trustwave
About Us
We reduce cyber risk and fortify organizations
Awards and Accolades
Recognition by analysts and media outlets
Trustwave SpiderLabs Team
Global researchers, ethical hackers, and responders
Trustwave Fusion Security Operations Platform
Unprecedented security visibility and control
Trustwave Security Colony
Access to cybersecurity threat protection resources
Partners
Technology Alliance Partners
Key alliances who align and support our ecosystem of security offerings
Trustwave PartnerOne Program
Join forces with Trustwave to protect against the most advance cybersecurity threats
Register
Login
Resources
BLOGS
UPCOMING
MEDIA & ASSETS
NOTICES
HELP

The Bug Stops Here: Using DevSecOps Workflows for Pest-Free Applications

Change theme to light The Bug Stops Here: Using DevSecOps Workflows for Pest-Free Applications
3 Minute Read by David Broggy

Developers and cybersecurity have an interesting relationship. Developers have no problem with security operations just as long as they’re not involved or adding security doesn’t slow down their development cycle.

Thankfully, well-documented security operations — known as DevSecOps — assist with the software development lifecycle (SDLC) and perform mostly invisibly from the developer’s perspective.

To kickstart the process for any developer, let’s discuss two DevSecOps workflows/frameworks and provide a quick checklist for getting started with DevSecOps.

 

Framework 1: The Azure DevSecOps Workflows

The Azure Cloud Adoption Framework provides a great visual (Image 1 below) for the integration of security with application development. Let’s quickly review some of the highlights:

  • Threat Modeling
  • Static and Dynamic Application Security Testing
  • Continuous Monitoring (to a SIEM)
  • Cloud configuration validation (CSPM)
  • Penetration Testing

Image 1 The Microsoft DevSecOps workflows from their Azure Well Architected Framework

Image 1: The Microsoft DevSecOps workflows from their Azure Well Architected Framework

 

Threat Modeling

This occurs early in the workflow chain, at the “Plan and Develop” stage, and a long list of tools, some free and others for a fee, is available to assist with threat modeling design. Modeling tools that provide visualization can offer useful insights and collaboration capabilities to improve planning.

Image 2 Theatmodeler devsecops design for Kubernetes

Image 2: Theatmodeler DevSecOps design for Kubernetes

 

Static and Dynamic Application Security Testing

The next two stages of the DevSecOps chain, static and dynamic application testing, provide granular analysis of the application code, inside – at the code level, and out – at the interface or user experience level. Some of these tools are offered by cloud vendors, so it’s a good idea to consider defense in depth with application testing by using a combination of cloud vendor services and third party.

Image 3 Example DevSecOps architecture using Defender for DevSecOps, Defender for Containers, Azure Container Registry, Github security and Sentinel for part of the DevSecOps workflow.

Image 3: Example DevSecOps architecture using Defender for DevSecOps, Defender for Containers, Azure Container Registry, GitHub security and Sentinel for part of the DevSecOps workflow.

 

Continuous Monitoring (to a SIEM)

Logging everything in a development environment can be challenging, but when done properly the developers and the security team benefits. This can be a good reason to consider using a cloud vendor’s DevSecOps and DevOps tools, as there’s a higher likeliness of compatibility. A SIEM offers automation of any activity that shows up in the security and the application logs, so developers can work with SecOps and take advantage of the alerting and reporting capabilities of SIEM for their needs.

 

Cloud configuration validation (CSPM)

CSPM offers controls over the cloud resources DevOps uses as well as specific workloads such as VMs, databases, and clusters. These workload protections are often referred to as CWPP — Cloud Workload Protection Platforms. CSPM is critical for ensuring the applications (and development) environments maintain the expected conformity for security, compliance, and application stability.

 

Penetration Testing

Pen testing typically occurs after an application is in full production. From a DevSecOps perspective, pen testing is used to constantly scan and monitor an application for vulnerabilities that may have been missed by the development process or occurred after the application went live. When a scan finds issues, it can notify the SIEM or be reviewed manually by the SecOps operators.

 

 

Framework 2: The US Department of Defense DevSecOps Workflow

When you compare the image below to the one above from Microsoft, it’s clear there are many similarities. As a result, the same features listed above will also apply to this framework. So, no matter what DevSecOps framework you use, consider how a cloud vendor and/or third-party tools will play into your architecture. Interoperability between both DevSecOps and DevOps tools is key.

Image 4 DevSecOps Phases from the US Department of Defense DevSecOps Fundamentals Guidebook

Image 4: DevSecOps Phases from the US Department of Defense DevSecOps Fundamentals Guidebook.

 

AI and DevSecOps

The advent of AI has created a new role for security people in DevOps. As developers depend more on AI to help them write code, there are risks of hallucinations causing errors in code and accidental downloads of malicious code. It has been proven that developers have downloaded and included malware in their code based on poor advice from an AI. However, in a good DevSecOps process, malformed code would be caught before it made it to the production phase or as soon as it was synced with a repository (“commit the code” and “build and test” stages shown in Image 1 above).

 

Summary

DevSecOps architecture plays an important part in the DevOps process—even when the developers don’t know it exists. Integration/compatibility of DevSecOps and DevOps tools can provide some advantages to both the security and development teams.

 

References

 

About This Blog Series

Follow the full series here: Building Defenses with Modern Security Solutions

This series discusses a list of key cybersecurity defense topics. The full collection of posts and labs can be used as an educational tool for implementing cybersecurity defenses.

 

Labs

For quick walkthrough labs on the topics in this blog series, check out the story of “ZPM Incorporated” and their steps to implementing all the solutions discussed here.

 

Compliance

All topics mentioned in this series have been mapped to several compliance controls here.

About the Author

David Broggy is Senior Solutions Architect, Implementation Services at Trustwave with over 21 years of experience. He holds multiple security certifications and won Microsoft's Most Valuable Professional (MVP) Award for Azure Security. Follow David on LinkedIn.

ABOUT TRUSTWAVE

Trustwave is a globally recognized cybersecurity leader that reduces cyber risk and fortifies organizations against disruptive and damaging cyber threats. Our comprehensive offensive and defensive cybersecurity portfolio detects what others cannot, responds with greater speed and effectiveness, optimizes client investment, and improves security resilience. Learn more about us.

Latest Intelligence

Exposed and Encrypted: Inside a Mallox Ransomware Attack
The Willy Wonka World of Application Security Defenses
Deep Dive and Simulation of a MariaDB RCE Attack: CVE-2021-27928

Discover how our specialists can tailor a security program to fit the needs of
your organization.

Request a Demo