The list below is by no means comprehensive (only a subset), as securing DevOps also includes pipeline security. Most importantly, getting the organization on board (psychological acceptance) seems to be the most challenging aspect of securing software at the component level. Getting buy-in for process improvement and change requires many stakeholders’ involvement, which can be difficult to accomplish unless presented in the proper context. The items below cover several perspectives of DevSecOps, listed from most to least important.
Communication and Collaboration
Security Conscious Culture
- Instilling a security-
Effective Communication amongst all Stakeholders
- Removal of functional “silos” is key to ensuring that communication top-to-bottom (or vice versa) resounds across the organization and that value-added, documented business processes are carried out in a repeatable and secure fashion.
Micro-learning Culture on Security
- A proactive learning ecosystem that weaves security awareness into business processes and fosters an organization that readily adapts to the evolving cyber threat landscape.
Infrastructure as Code
Environment(s)
- A security-conscious operational environment that operates within the proper context and meets business needs.
A Hardened Operating Environment
- Infrastructure operates in a manner that aligns with proper policy and procedure (i.e. hardened OS instances and baselined secure network configurations).
Security Infrastructure Code Scanning
- Tooling with automated configuration management tools such as Chef, Salt, and/or Ansible to provide visibility into any compliance risk that may be present and to mitigate it more readily.
- Remediation can happen closer to real time, and security-relevant findings can be remedied more easily and in less time.
ATO and RMF Requirements Documented at the Proper Granularity
- With integrated scanning of both software code and infrastructure, the operating environment is fully enabled to document a holistically secure environment, with compelling evidence to submit to validators and the responsible Authorizing Official (AO) personnel.
- CodeValor, Sentar’s application security scanner, is an asset to any organization’s DevSecOps environment. Automated code scanning allows you to mitigate vulnerabilities earlier in the software development cycle and examine the code from the ground up to speed up your application’s release with confidence.
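The hardened-operating-environment and infrastructure-code-scanning items above describe checking deployed configuration against a documented baseline so that drift shows up as a finding rather than as an incident. The script below is an added illustration of that idea and is not Sentar or CodeValor code: it parses an sshd_config the way the daemon does (first occurrence of a directive wins, a Match block ends the global section) and compares the effective values against an assumed baseline. The baseline values, the sample configuration and the directive list are constructed for the example.

```python
"""Baseline check for an sshd_config, added as an illustration of
infrastructure configuration scanning. Constructed example; the baseline
below is assumed for illustration, not an official benchmark."""
import re
from typing import Dict, List, Tuple

# Assumed baseline: directive -> acceptable values (compared case-insensitively).
BASELINE: Dict[str, Tuple[str, ...]] = {
    "PermitRootLogin": ("no",),
    "PasswordAuthentication": ("no",),
    "PermitEmptyPasswords": ("no",),
    "X11Forwarding": ("no",),
    "MaxAuthTries": ("1", "2", "3", "4"),
}

# Directives that must be set explicitly; relying on the daemon default is a finding.
REQUIRED: Tuple[str, ...] = ("PermitRootLogin", "PasswordAuthentication")

# Constructed sample: note the duplicate PermitRootLogin and the trailing Match block.
SAMPLE_CONFIG = """\
# constructed sample sshd_config
Port 22
PermitRootLogin yes
PasswordAuthentication no
MaxAuthTries 6
X11Forwarding no
PermitRootLogin no   # duplicate: sshd keeps the first value, so this is ignored
Match User deploy
    PasswordAuthentication yes
"""


def parse_sshd_config(text: str) -> Dict[str, str]:
    """Return the effective global directives, keyed by lowercased name.

    Mirrors sshd semantics that matter for auditing: comments and blank lines
    are skipped, the first occurrence of a keyword wins, and everything from
    the first 'Match' line onward is conditional and not part of the global scope.
    """
    effective: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        if key == "match":
            break
        value = parts[1].strip() if len(parts) > 1 else ""
        effective.setdefault(key, value)  # first occurrence wins
    return effective


def check_baseline(text: str) -> List[str]:
    """Return one human-readable finding per baseline deviation (empty = compliant)."""
    findings: List[str] = []
    cfg = parse_sshd_config(text)
    for directive, allowed in BASELINE.items():
        actual = cfg.get(directive.lower())
        if actual is None:
            if directive in REQUIRED:
                findings.append(f"{directive} is not set explicitly (daemon default in effect)")
            continue
        if actual.lower() not in allowed:
            findings.append(f"{directive} is '{actual}', expected one of {allowed}")
    return findings


if __name__ == "__main__":
    for finding in check_baseline(SAMPLE_CONFIG):
        print("FINDING:", finding)
```

Run against the constructed sample, the checker reports two findings: PermitRootLogin is effectively "yes" because the later "no" is ignored, and MaxAuthTries 6 exceeds the assumed baseline. The Match-block handling is the point a naive grep misses: the `PasswordAuthentication yes` inside the block is scoped to one user and must be assessed separately, not treated as the global value.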
Continuous Integration & Testing
Automated Security Testing
- The appropriate scanning activities are integrated into pipelines, with security scans occurring at the proper points (for example, when software builds are generated).
Penetration Testing that Meets Organizational Need
- Using the appropriate tooling (there’s a lot out there!) that meets the needs of policy and procedure while enabling the business to find vulnerabilities that exist in apps operationally at runtime.
- Test apps and go with what most aligns with business need.
Various Gateways for Security Testing and Verification
- Prototyping the operational environment to test the security posture of the enterprise in an effective manner that provides value-added results.
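The automated-security-testing and gateway items above amount to a policy decision applied to scanner output at build time: which findings block the release, and which have a documented, time-limited risk acceptance. The gate below is an added example, not code from the page or from Sentar, and it assumes a hypothetical normalized finding shape (rule, path, severity); real scanners emit their own formats, which would be mapped into this shape first. The findings, waiver register and as-of date are constructed.

```python
"""Build-stage security gate, added as an illustration of automated security
testing in a pipeline. Constructed example; finding shape and policy are assumed."""
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional, Tuple

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass(frozen=True)
class Finding:
    rule: str       # scanner rule identifier (hypothetical values below)
    path: str       # file the finding points at
    severity: str   # scanner-reported severity


@dataclass
class GateResult:
    passed: bool
    blocking: List[Finding] = field(default_factory=list)
    waived: List[Finding] = field(default_factory=list)


# Constructed scanner output in the assumed normalized shape.
SAMPLE_FINDINGS: List[Finding] = [
    Finding("SQLI-001", "src/orders/query.py", "critical"),
    Finding("XSS-004", "src/web/render.py", "high"),
    Finding("HARDCODED-SECRET", "tests/fixtures/config.py", "high"),
    Finding("WEAK-LOG", "src/util/log.py", "low"),
]

# Constructed risk-acceptance register: (rule, path) -> expiry date.
# A waiver is the documented evidence an assessor expects; once it expires
# the finding blocks the build again instead of silently staying suppressed.
WAIVERS: Dict[Tuple[str, str], date] = {
    ("HARDCODED-SECRET", "tests/fixtures/config.py"): date(2099, 1, 1),
    ("XSS-004", "src/web/render.py"): date(2020, 1, 1),  # expired waiver
}

# Fixed evaluation date so the example is reproducible (constructed).
AS_OF = date(2024, 6, 1)


def evaluate_gate(findings: List[Finding], waivers: Dict[Tuple[str, str], date],
                  fail_at: str = "high", today: Optional[date] = None) -> GateResult:
    """Decide whether a build passes: every finding at or above `fail_at` blocks
    unless covered by an unexpired waiver. Unknown severities fail closed."""
    today = today or date.today()
    threshold = SEVERITY_RANK[fail_at]
    result = GateResult(passed=True)
    for f in findings:
        rank = SEVERITY_RANK.get(f.severity.lower())
        if rank is not None and rank < threshold:
            continue  # below the gate: surfaced in the report, never blocking
        expiry = waivers.get((f.rule, f.path))
        if expiry is not None and expiry >= today:
            result.waived.append(f)
        else:
            result.blocking.append(f)  # covers unknown severity and expired waivers
    result.passed = not result.blocking
    return result


def exit_code(result: GateResult) -> int:
    """Pipeline-friendly status: non-zero fails the stage."""
    return 0 if result.passed else 1


def run_sample_gate() -> GateResult:
    """Evaluate the constructed findings against the constructed waivers."""
    return evaluate_gate(SAMPLE_FINDINGS, WAIVERS, today=AS_OF)


if __name__ == "__main__":
    r = run_sample_gate()
    for f in r.blocking:
        print(f"BLOCK  {f.severity:<8} {f.rule:<18} {f.path}")
    for f in r.waived:
        print(f"WAIVED {f.severity:<8} {f.rule:<18} {f.path}")
    raise SystemExit(exit_code(r))
```

On the constructed input the critical SQL-injection finding and the expired-waiver XSS finding block the build, the fixture secret is waived with its register entry as evidence, and the low finding is reported without blocking. Failing closed on severities the policy does not recognize is deliberate: a scanner upgrade that introduces a new label should stop the pipeline until the policy is updated, not let findings through.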
According to Carnegie Mellon Software Engineering Institute (SEI), DevSecOps is:
“A set of principles and practices that provide faster delivery of secure software capabilities by improving the collaboration and communication between software development teams, IT operations, and security staff within an organization, as well as with acquirers, suppliers, and other stakeholders in the life of a software system.”1
What this means to the organization and how it applies is dictated by the organization’s security practices (for example CMMI or CMMC) and its ability to adapt to change; this is the pulse of DevSecOps: tooling and business processes that enable Development (Dev), Security (Sec) and Operations (Ops) to work closer together and remove any “silos” or other impediments that can hamper their synchronization.