DevSecOps Introduction

STIPΞNSTIPΞN
4 min read

What is DevSecOps?

DevSecOps is a term derived from the acronym for development, security, and operation. It's not something new in the secure software development lifecycle, it's just an art to involve a security perspective from the beginning of the application development until the application release needs to meet the security requirements. So every process that occurs in application development must have security controls.

Why do need to implement DevSecOps?

Based on the objective of the secure software development lifecycle, the big challenge that faced was to make everyone in the application development process aware and pay attention to every matter about security. DevSecOps is not just implementing security tools in every process in the development, but also bringing habits in the mindset, process, and behavior to create the security culture into realization.

How to implement DevSecOps?

Practically DevSecOps has adopted the culture of DevOps CI/CD pipeline with a security perspective / "Secure DevOps". It's involving some security phases in the CI/CD pipeline, besides the security posture that has been decided in the planning phase, here are some phases that need to be involved too :

  • SAST (Static Application Security Testing)

  • DAST (Dynamic Application Security Testing)

  • IAST (Interactive Application Security Testing)

Static Application Security Testing

Static application security testing (SAST) is a testing methodology that focuses on analyzing an application's source code, including data flow analysis, and control flow analysis to find any holes that may lead the application vulnerable to certain attacks.

There are many SAST tools available in the market, both open-source and commercial. Here are some examples:

  • SonarQube - an open-source tool for continuous code quality inspection.

  • PMD - an open-source tool that can be used to analyze source code for various programming languages.

  • RIPS - an open-source tool that specializes in PHP application security.

  • ESLint - an open-source tool for JavaScript code analysis and testing.

  • njsscan - an open-source tool for Node.js code analysis and testing.

  • Bandit - an open-source tool for Python code analysis and testing.

  • Checkmarx - a commercial tool that supports multiple languages and frameworks.

Dynamic Application Security Testing

Dynamic Application Security Testing (DAST) is a testing methodology that focuses on analyzing the behavior of the application when it is running. It is used to identify vulnerabilities in runtime by simulating real-world attacks.

There are many DAST tools available in the market, both open-source and commercial. Here are some examples:

  • OWASP ZAP - an open-source tool for web application security testing.

  • Burp Suite - a commercial tool that is widely used for web application security testing.

  • Acunetix - a commercial tool that offers both DAST and SAST capabilities.

  • WebInspect - a commercial tool that is used for web application security testing and vulnerability scanning.

  • AppSpider - a commercial tool that is used for DAST, API testing, and mobile application security testing.

  • Netsparker - a commercial tool that offers both DAST and SAST capabilities.

  • Qualys - a commercial tool that offers a range of security testing capabilities, including DAST.

Interactive Application Security Testing

Interactive Application Security Testing (IAST) is a testing methodology that combines the benefits of both SAST and DAST. That is focused on analyzing the source code of an application, and also performing simulated attacks and monitoring the application's runtime behavior to identify any vulnerabilities that may exist in a real case.

IAST tools use instrumentation to collect information about the application's runtime behavior, such as data flow and control flow. There are a number of IAST tools available in the market. Here are some examples:

  • Contrast Security - a commercial tool that offers IAST and RASP (Runtime Application Self-Protection) capabilities for web and mobile applications.

  • Sqreen - a commercial tool that offers IAST and RASP capabilities for web applications.

  • AppSealing - a commercial tool that offers IAST capabilities for mobile applications.

  • WhiteHat Security - a commercial tool that offers IAST and DAST capabilities for web applications.

  • NexPloit - a commercial tool that offers IAST and DAST capabilities for web applications.

  • PVS-Studio - a commercial tool that offers IAST capabilities for C/C++ applications.

  • Kiuwan - a commercial tool that offers IAST, DAST, and SAST capabilities for web and mobile applications.

Are You Ready to DevSecOps?

Sample of DevSecOps Architecture

0
Subscribe to my newsletter

Read articles from STIPΞN directly inside your inbox. Subscribe to the newsletter, and don't miss out.

DevSecOpsDevOps JourneyDevOps trendsDevops articlesssdlc

Written by

STIPΞN
STIPΞN