SpiderLabs Blog

The Bug Stops Here: Using DevSecOps Workflows for Pest-Free Applications

Written by David Broggy | Aug 19, 2024 1:00:00 PM

Developers and cybersecurity have an interesting relationship. Developers have no problem with security operations as long as they are not pulled into them and adding security does not slow down their development cycle.

Thankfully, security operations that are integrated into the software development lifecycle (SDLC), known as DevSecOps, can run mostly invisibly from the developer's perspective.

To kickstart the process for any developer, let’s discuss two DevSecOps workflows/frameworks and provide a quick checklist for getting started with DevSecOps.


Framework 1: The Azure DevSecOps Workflows

The Azure Cloud Adoption Framework provides a great visual (Image 1 below) for the integration of security with application development. Let’s quickly review some of the highlights:

  • Threat Modeling
  • Static and Dynamic Application Security Testing
  • Continuous Monitoring (to a SIEM)
  • Cloud configuration validation (CSPM)
  • Penetration Testing


Image 1: The Microsoft DevSecOps workflows from their Azure Well Architected Framework


Threat Modeling

Threat modeling occurs early in the workflow chain, at the “Plan and Develop” stage. A long list of tools, some free and some commercial, is available to support it; tools that visualize the model can offer useful insights and collaboration features that improve planning.


Image 2: ThreatModeler DevSecOps design for Kubernetes


Static and Dynamic Application Security Testing

The next two stages of the DevSecOps chain, static and dynamic application security testing (SAST and DAST), analyze the application from the inside, at the source-code level, and from the outside, at the running interface, respectively. Cloud vendors offer some of these tools, so it's a good idea to apply defense in depth to application testing by combining cloud vendor services with third-party tools.


Image 3: Example DevSecOps architecture using Defender for DevOps, Defender for Containers, Azure Container Registry, GitHub security and Sentinel for part of the DevSecOps workflow.
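A CI gate that reads scanner output is where SAST and DAST results turn into a decision. The following is an added example, not code from Trustwave or Microsoft: it parses a SARIF 2.1.0 report (the format both CodeQL and OWASP ZAP can emit) and fails the stage when findings at or above a chosen severity are present. The report embedded in the script is constructed to imitate that shape; the rule identifiers, the `security-severity` convention for scoring and the severity bands are assumptions, not output from a real scanner.

```python
"""Fail a CI stage when SAST/DAST results in SARIF exceed a severity policy.

Added example, not Trustwave's or Microsoft's code. The SARIF document below
is constructed to imitate scanner output; it is not a real report.
"""
import json
from collections import Counter

# Constructed SARIF 2.1.0 document standing in for a real scanner report.
# 'security-severity' on a rule is the CodeQL convention for a CVSS-style score.
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {
            "name": "example-sast",
            "rules": [
                {"id": "py/sql-injection",
                 "properties": {"security-severity": "8.8"}},
                {"id": "py/log-injection",
                 "properties": {"security-severity": "6.1"}},
                {"id": "py/unused-import", "properties": {}},
            ],
        }},
        "results": [
            {"ruleId": "py/sql-injection", "level": "error",
             "message": {"text": "Query built from user input"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "app/db.py"},
                 "region": {"startLine": 42}}}]},
            {"ruleId": "py/log-injection", "level": "warning",
             "message": {"text": "Log entry built from user input"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "app/views.py"},
                 "region": {"startLine": 17}}}]},
            {"ruleId": "py/unused-import", "level": "note",
             "message": {"text": "Unused import"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "app/util.py"},
                 "region": {"startLine": 3}}}]},
        ],
    }],
})


def severity_bucket(score):
    """Map a CVSS-style score to a named bucket (bands are an assumption)."""
    if score >= 9.0:
        return "critical"
    if score >= 7.0:
        return "high"
    if score >= 4.0:
        return "medium"
    if score > 0:
        return "low"
    return "none"


def parse_findings(sarif_text):
    """Return a list of (bucket, rule_id, 'file:line') for every result."""
    doc = json.loads(sarif_text)
    findings = []
    for run in doc.get("runs", []):
        # Score per rule, taken from the rule metadata when the tool provides it.
        rule_scores = {}
        for rule in run["tool"]["driver"].get("rules", []):
            raw = rule.get("properties", {}).get("security-severity")
            if raw is not None:
                rule_scores[rule["id"]] = float(raw)
        for res in run.get("results", []):
            rule_id = res.get("ruleId", "")
            score = rule_scores.get(rule_id)
            if score is None:
                # No numeric score: fall back to the SARIF 'level' of the result.
                score = {"error": 7.0, "warning": 4.0}.get(res.get("level"), 0.0)
            loc = (res.get("locations") or [{}])[0].get("physicalLocation", {})
            where = "%s:%s" % (loc.get("artifactLocation", {}).get("uri", "?"),
                               loc.get("region", {}).get("startLine", "?"))
            findings.append((severity_bucket(score), rule_id, where))
    return findings


def gate(sarif_text, fail_on=("critical", "high")):
    """Return (passed, counts_by_bucket) under the given break-build policy."""
    findings = parse_findings(sarif_text)
    counts = Counter(bucket for bucket, _, _ in findings)
    blocking = [f for f in findings if f[0] in fail_on]
    return (len(blocking) == 0, dict(counts))


if __name__ == "__main__":
    ok, counts = gate(SAMPLE_SARIF)
    print("counts:", counts)
    print("gate:", "PASS" if ok else "FAIL")
    raise SystemExit(0 if ok else 1)
```

Run it as a step after the scan, reading the real SARIF file instead of `SAMPLE_SARIF`; a non-zero exit blocks the merge or deployment. The policy deliberately lets medium and low findings through so the gate does not become noise that developers route around; those still belong in the SIEM and the backlog.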


Continuous Monitoring (to a SIEM)

Logging everything in a development environment can be challenging, but when done properly both the developers and the security team benefit. This is a good reason to consider a cloud vendor's DevSecOps and DevOps tools, as there is a higher likelihood that they are compatible with the vendor's logging and SIEM services. A SIEM can correlate, alert on and automate responses to events that appear in the security and application logs, so developers can work with SecOps and use the SIEM's alerting and reporting capabilities for their own needs.


Cloud configuration validation (CSPM)

CSPM continuously checks the configuration of the cloud resources DevOps uses (storage, networking, identities, registries) against security and compliance baselines. Protection of specific workloads such as VMs, databases, and clusters is a separate category, often referred to as CWPP (Cloud Workload Protection Platform), and the two are commonly bundled. CSPM is critical for ensuring the application and development environments maintain the expected posture for security, compliance, and application stability.
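To make that distinction concrete, the following added example (not Trustwave's code and not a real CSPM product) evaluates a small policy-as-code rule set over a constructed resource inventory: public blob access, minimum TLS version and HTTPS-only on storage accounts, and administrative ports exposed from any source in a network security group. Field names are loosely modeled on Azure Resource Manager properties, but the inventory is invented, so treat the names as illustrative.

```python
"""Policy-as-code posture checks over a constructed cloud resource inventory.

Added example, not Trustwave's code and not a real CSPM product. The
inventory is constructed; its field names are loosely modeled on Azure
Resource Manager properties (e.g. allowBlobPublicAccess) but it was not
exported from a live subscription, so treat them as illustrative.
"""

# Constructed inventory: the kind of data a CSPM pulls from the control plane.
INVENTORY = [
    {"type": "Microsoft.Storage/storageAccounts", "name": "devartifacts",
     "properties": {"allowBlobPublicAccess": True,
                    "minimumTlsVersion": "TLS1_0",
                    "supportsHttpsTrafficOnly": False}},
    {"type": "Microsoft.Storage/storageAccounts", "name": "prodlogs",
     "properties": {"allowBlobPublicAccess": False,
                    "minimumTlsVersion": "TLS1_2",
                    "supportsHttpsTrafficOnly": True}},
    {"type": "Microsoft.Network/networkSecurityGroups", "name": "build-nsg",
     "properties": {"securityRules": [
         {"name": "allow-ssh-any", "properties": {
             "direction": "Inbound", "access": "Allow", "protocol": "Tcp",
             "sourceAddressPrefix": "*", "destinationPortRange": "22"}},
         {"name": "allow-https", "properties": {
             "direction": "Inbound", "access": "Allow", "protocol": "Tcp",
             "sourceAddressPrefix": "10.0.0.0/8", "destinationPortRange": "443"}},
     ]}},
]

# Source prefixes that mean "anyone"; ports that should never be open to them.
ANY_SOURCE = {"*", "0.0.0.0/0", "Internet", "any"}
ADMIN_PORTS = {"22", "3389"}


def rule_no_public_blob(res):
    return not res["properties"].get("allowBlobPublicAccess", False)


def rule_tls12_minimum(res):
    return res["properties"].get("minimumTlsVersion") == "TLS1_2"


def rule_https_only(res):
    return res["properties"].get("supportsHttpsTrafficOnly", False)


def rule_no_admin_ports_from_internet(res):
    """Fail if any inbound Allow rule exposes 22/3389 to an any-source prefix."""
    for rule in res["properties"].get("securityRules", []):
        p = rule["properties"]
        if (p.get("direction") == "Inbound" and p.get("access") == "Allow"
                and p.get("sourceAddressPrefix") in ANY_SOURCE
                and p.get("destinationPortRange") in ADMIN_PORTS):
            return False
    return True


# Policy: resource type -> {rule id: predicate that returns True when compliant}
POLICY = {
    "Microsoft.Storage/storageAccounts": {
        "storage-no-public-blob": rule_no_public_blob,
        "storage-tls12": rule_tls12_minimum,
        "storage-https-only": rule_https_only,
    },
    "Microsoft.Network/networkSecurityGroups": {
        "nsg-no-admin-ports-from-internet": rule_no_admin_ports_from_internet,
    },
}


def evaluate(inventory, policy=POLICY):
    """Return a sorted list of (resource_name, rule_id) for every failed rule."""
    failures = []
    for res in inventory:
        for rule_id, check in policy.get(res["type"], {}).items():
            if not check(res):
                failures.append((res["name"], rule_id))
    return sorted(failures)


def compliance_ratio(inventory, policy=POLICY):
    """Fraction of (resource, rule) evaluations that passed."""
    total = sum(len(policy.get(res["type"], {})) for res in inventory)
    failed = len(evaluate(inventory, policy))
    return (total - failed) / total if total else 1.0


if __name__ == "__main__":
    for name, rule_id in evaluate(INVENTORY):
        print(f"FAIL {name}: {rule_id}")
    print(f"compliance: {compliance_ratio(INVENTORY):.0%}")
```

A real CSPM replaces the constructed inventory with a periodic export from the cloud API and keeps the rule set in version control next to the infrastructure code, so a posture regression shows up as a failed evaluation on the same commit that introduced it.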


Penetration Testing

Pen testing typically occurs once an application is in production, and is repeated after significant changes. From a DevSecOps perspective it is complemented by continuous vulnerability scanning of the deployed application, which catches issues the development process missed or that appeared after the application went live. When a scan finds issues, it can raise an alert in the SIEM or be reviewed manually by the SecOps operators.


Framework 2: The US Department of Defense DevSecOps Workflow

When you compare the image below to the one above from Microsoft, it's clear there are many similarities, so the same features listed above apply to this framework as well. No matter which DevSecOps framework you use, consider how cloud vendor and/or third-party tools will fit into your architecture. Interoperability between DevSecOps and DevOps tools is key.


Image 4: DevSecOps Phases from the US Department of Defense DevSecOps Fundamentals Guidebook.

AI and DevSecOps

The advent of AI has created a new role for security people in DevOps. As developers depend more on AI assistants to write code, there is a risk of hallucinations introducing errors, and of dependencies being pulled in that the assistant invented or that an attacker planted. Researchers have shown that assistants recommend package names that do not exist on the public index, and that an attacker who registers such a name can get malicious code into a build. In a good DevSecOps process, however, that code would be caught before it reached production, ideally as soon as it was synced with a repository (the “commit the code” and “build and test” stages shown in Image 1 above).
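One control that fits the “commit the code” stage is a check that every dependency a change introduces is one the organisation already knows. The following added example (not Trustwave's code and not any vendor's tool) compares a requirements list against an allow-list of approved package names, standing in for an internal index such as a private mirror, and flags names that are unknown, names within a small edit distance of an approved name (the typosquat pattern), and versions that are not pinned. The allow-list and the requirements file are constructed.

```python
"""Pre-commit style check for dependency names an AI assistant may have invented.

Added example, not Trustwave's code or any vendor's tool. APPROVED is a
constructed allow-list standing in for an internal package index; in practice
it would be populated from the proxy or mirror that builds are allowed to use.
"""
import re

# Constructed allow-list of packages the organisation has already vetted.
APPROVED = {"requests", "flask", "sqlalchemy", "cryptography", "pyyaml", "boto3"}

# Constructed requirements as an assistant might have produced them:
# a transposed name, a package that does not exist, and an unpinned version.
SAMPLE_REQUIREMENTS = """\
requests==2.31.0
flask==3.0.0
reqeusts==2.31.0
flask-auth-helper>=1.0
cryptography
"""


def edit_distance(a, b):
    """Levenshtein distance; a small value against an approved name suggests a typosquat."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # deletion
                           cur[j - 1] + 1,         # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def parse_requirement(line):
    """Return (normalised_name, pinned) or None for blank/comment lines."""
    line = line.split("#", 1)[0].strip()
    if not line:
        return None
    m = re.match(r"([A-Za-z0-9][A-Za-z0-9._-]*)", line)
    if not m:
        return None
    # PEP 503 normalisation: case-fold and collapse runs of '-', '_' and '.'.
    name = re.sub(r"[-_.]+", "-", m.group(1)).lower()
    pinned = line[m.end():].strip().startswith("==")
    return name, pinned


def check_requirements(text, approved=APPROVED, max_distance=2):
    """Return a list of (name, problem) findings; an empty list means clean."""
    findings = []
    for raw in text.splitlines():
        parsed = parse_requirement(raw)
        if parsed is None:
            continue
        name, pinned = parsed
        if name not in approved:
            near = sorted(p for p in approved if edit_distance(name, p) <= max_distance)
            if near:
                findings.append((name, "possible typosquat of " + ", ".join(near)))
            else:
                findings.append((name, "not in approved index"))
        if not pinned:
            findings.append((name, "version not pinned"))
    return findings


if __name__ == "__main__":
    problems = check_requirements(SAMPLE_REQUIREMENTS)
    for name, problem in problems:
        print(f"{name}: {problem}")
    raise SystemExit(1 if problems else 0)
```

Wired in as a pre-commit hook or as the first step of “build and test”, a non-zero exit stops the change before anything is resolved from a public index. The edit-distance threshold is a tuning knob: 2 catches transpositions and single-character slips without flagging every short name as a near miss.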


Summary

DevSecOps architecture plays an important part in the DevOps process—even when the developers don’t know it exists. Integration/compatibility of DevSecOps and DevOps tools can provide some advantages to both the security and development teams.



About This Blog Series

Follow the full series here: Building Defenses with Modern Security Solutions

This series discusses a list of key cybersecurity defense topics. The full collection of posts and labs can be used as an educational tool for implementing cybersecurity defenses.


Labs

For quick walkthrough labs on the topics in this blog series, check out the story of “ZPM Incorporated” and their steps to implementing all the solutions discussed here.


Compliance

All topics mentioned in this series have been mapped to several compliance controls here.