10 DevSecOps Implementation Principles
The key to successful DevSecOps is automation of security controls inside the DevOps pipeline.
As I was collecting insights for our upcoming DevSecOps Trend Report to be published in July, I came across the submission by Javed Shah, Director of Product Management for Cloud and DevOps at ForgeRock. In response to my question about the keys to successful DevSecOps implementation, Javed provided the following principles I thought you might find valuable:
Follow the principle of least privilege for all services that process (read, write, or update) data.
Enforce tight access security for API endpoints.
Run SAST (static application security testing) tools as part of the nightly build process and run DAST (dynamic application security testing) tools to identify security defects in running containers.
Scan any pre-built container images for known security vulnerabilities as they are pulled into the build pipeline.
Automate tests for security capabilities wired into the acceptance test process. These automated tests include input validation as well as authentication and authorization enforcement.
Isolate containers from one another, avoiding any dependencies and keeping them entirely stateless to eliminate high-value targets for attackers.
Automate security updates, such as patches for known vulnerabilities, by means of the DevOps pipeline with an audit log.
Reduce the attack surface by using a secure API gateway that enforces fine-grained and scope-grained access to sensitive API endpoints.
Automate service configuration management, allowing for compliance with security policies and the elimination of manual errors.
Continuously monitor, audit, and remediate security defects across the application lifecycle.
Also, firewalls should continue to defend in-depth by isolating services. Intrusion detection is a lot harder using containers, so looking at network behavior helps detect abnormal traffic patterns.
If possible, security tooling should be a gate to deployment (applies to SAST and DAST). However, all this automated flow should still be validated by external pen tests to make sure automation covers all aspects. Additionally, incident response plans should be created and practiced for all new environments to ensure they have the capability to preserve evidence to aid in investigations and that staff know how to execute the plan, either themselves or who to outsource it to.
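The "security tooling as a gate to deployment" principle, combined with the audit-log requirement from the patching principle, as an added example (not code from the article or from ForgeRock): a small pipeline step that reads a scanner report, applies a severity policy, emits an audit record and fails the build on unaccepted high-or-worse findings. The report layout and finding IDs are constructed for the example and do not match any particular scanner's output format.

```python
"""Deployment gate over scanner findings (added example, constructed data).
Findings from a SAST/DAST or image scan are checked against a severity policy;
the JSON layout is a generic constructed shape, not any real scanner's format."""
import json
from datetime import datetime, timezone

# Policy: fail the build on any finding at or above this severity unless it has
# an explicit, documented acceptance (risk_accepted: true).
SEVERITY_ORDER = {"low": 1, "medium": 2, "high": 3, "critical": 4}
BLOCK_AT = "high"

# Constructed sample report: one image scan with three findings.
SAMPLE_REPORT = json.dumps({
    "stage": "image-scan",
    "artifact": "registry.example/api:1.4.2",
    "findings": [
        {"id": "FINDING-1", "severity": "critical", "risk_accepted": False},
        {"id": "FINDING-2", "severity": "high", "risk_accepted": True},
        {"id": "FINDING-3", "severity": "medium", "risk_accepted": False},
    ],
})

def blocking_findings(report: dict, block_at: str = BLOCK_AT) -> list:
    """Return findings that must stop the deployment under the policy."""
    threshold = SEVERITY_ORDER[block_at]
    return [
        f for f in report.get("findings", [])
        if SEVERITY_ORDER.get(f.get("severity", "low"), 1) >= threshold
        and not f.get("risk_accepted", False)
    ]

def gate(report_json: str, block_at: str = BLOCK_AT) -> dict:
    """Evaluate the report and return an audit-log record with the decision."""
    report = json.loads(report_json)
    blocked = blocking_findings(report, block_at)
    return {
        "timestamp": datetime.now(timezone.utc).isoformat(),
        "stage": report.get("stage"),
        "artifact": report.get("artifact"),
        "policy": f"block_at>={block_at}",
        "blocking_ids": [f["id"] for f in blocked],
        "decision": "FAIL" if blocked else "PASS",
    }

if __name__ == "__main__":
    record = gate(SAMPLE_REPORT)
    print(json.dumps(record))  # append this record to the pipeline audit log
    raise SystemExit(1 if record["decision"] == "FAIL" else 0)
```

A non-zero exit code is what makes this a gate: the CI stage that runs it refuses to promote the artifact, and the printed record is the audit trail of why.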