DevSecOps is a practice that better aligns security, engineering, and operations and infuses security throughout the DevOps lifecycle. This checklist shares some best practices to help you secure the development environment and processes, produce secure code and applications, and move towards realizing DevSecOps.
Make security part of the entire development process
Bring security in early in development and keep it there throughout the whole cycle. Give its requirements the same weight as the functional requirements. This involves adding security controls and processes, as well as automating the core security tasks in the workflow. It enables developers to address known vulnerabilities up front and hence deliver secure and resilient software.
Test your security throughout the development cycle
Make security testing a continuous process and an integral part of the entire app development cycle. Perform tests on applications, APIs, containers, data, processes, and microservices. The earlier you catch flaws, the easier they are to fix, but being able to identify flaws everywhere from development through to production will ensure that you’re able to stay on top of vulnerabilities no matter where they surface.
Automate as many processes as you can
Automating security, configuration management, testing, and other tasks reduces the workload for your teams while providing a faster way of doing things. Automate functional and non-functional security tests: application, infrastructure, and configuration security tests, as well as application-logic security tests.
Monitor your processes, infrastructure, and apps
Gathering real-time intelligence enables you to make better decisions and enforce them accurately. Collect and analyze relevant metrics, event logs, and machine data to gain real-time insights across the application lifecycle. Monitor your applications in production to ensure that you detect new vulnerabilities and security events. This gives you the opportunity to fix issues earlier, faster, and at lower cost.
Generate actionable alerts when there are issues
Develop a strong security culture
A strong security culture among developers, operations, and security is essential. Develop openness, clear communication pathways, as well as strong feedback loops. Additionally, shift the responsibility for security to all of these teams as opposed to the traditional approach where it was solely the work of the security department. If you make security come from a place of “yes, let’s figure out how to do this securely” rather than “no, you can’t do that for security reasons,” security will move from a blocker to an enabler.
Develop a Security-as-Code culture
Introduce a security-first mindset without affecting the agile practices the developers rely on to produce apps. Encourage your developers to add security to the code as they build the applications by making the secure actions the easiest actions wherever possible.
Provide training and tools to developers
Ensure that the developers have the required training, support, and tools to perform their tasks efficiently. You should also promote knowledge sharing and create a decision-making process among the different departments to promote team autonomy.
Secure and monitor your entire physical and virtual environment
Security needs to be integrated across your environment. Take steps to secure your entire infrastructure, including on-premise and cloud environments, networks, CI/CD pipeline, code, data, operating systems, applications, and software. Use sustainable processes and tools to identify and block internal and external attacks, and malicious traffic and files.
Gather metrics to gauge success
Security is a journey that never ends, so focus on making progress. Collect and act on security and compliance information from on-premise and cloud environments. Use both the high-value and supporting metrics to get insights and determine the effectiveness of your security processes. Iterate whenever things change.
Secure and harden your containers
Follow container security best practices. Secure authentication and authorization. Inspect, scan, and provide file, image, and container security. Use private registries such as GCR or Quay. Also, build from trusted and verified container images.
Isolate Docker and Kubernetes workloads
Secure and isolate your containers early, often, and continuously. Isolate and segment containers using tools such as AppArmor, seccomp, and SELinux. Create isolation layers between different applications as well as between applications and hosts. This reduces the host's attack surface, restricting access and protecting both the host and the co-located containers.
Perform threat modeling exercises
A threat modeling exercise identifies the design flaws and components that are most at risk, and should provide the security team with the opportunity to prioritize and address flaws according to their impact. In particular, threat modeling helps teams to understand the type of assets they are protecting, the sensitivity levels, potential threats, and their impact.
Automate infrastructure configuration and management
Automate and simplify the configuration and management of servers, infrastructure, compliance, and applications. Use tools such as Puppet, Chef, and Azure Automation Desired State Configuration and other DSCs. These tools can help you further DevSecOps through functionality like automatically provisioning an environment, applying security settings, and deploying apps.
Harden your cloud deployments
Cloud environments can provide a secure infrastructure if implemented properly. Review the teams and individual roles and permissions you’ve allocated. Grant access to only what each individual or team needs to perform their jobs. Enforce two-factor authentication for everyone. Check the security groups, standard AMIs, IAM roles, MFA tokens, etc.
Code security into your apps
Create secure code from the start of development all the way to the deployed application. Ensure that security is integrated into the code instead of adding it as an afterthought. This requires involving the security teams throughout the development process. Keeping the code and implementations as simple as possible avoids complexities that may compromise security. Implement processes and best practices that make it easy and straightforward for developers to make secure decisions.
Continuously review code at every stage
Review the code and standards at each stage to ensure that they comply with security best practices. Use SAST and DAST to analyze code, and other automated tools to track dependencies and scan all third-party and open-source code. Perform pre-commit, commit-time, build-time, test-time, and deploy-time checks in your CI/CD pipeline.
Introduce chaos in the comfort zone
Use chaos engineering to test how prepared your systems are to respond to security threats under unfamiliar operational environments. Run scripts to randomly shut down server instances, take down containers in a random manner, disrupt some services, or create unexpected outages in the applications and infrastructure. This helps the teams to provide a moving target defense that protects your systems in a wide range of conditions and ensures that something unexpected won’t bring everything tumbling down.
Maintain an inventory of your applications and components
Create and maintain an up-to-date inventory of your application assets. Get visibility into what’s being deployed and what your organization has out there. Maintaining an up-to-date inventory will help you uncover new security insights and prevent you from being caught off guard when something unsecure gets deployed or when security vulnerabilities are uncovered in something old and forgotten.
Scan and secure your open source and third-party components
Start a security analytics program on your code
Use threat modeling, penetration tests, and vulnerability testing to confirm that your code is secure. Determine the number of severe vulnerabilities, and how long they persist before your team resolves them. Analyze the frequency and scope of automated tests as well as the number and type of attacks on your applications.
Secure your APIs
APIs enable interaction and sharing of data between applications and therefore are more exposed and prone to security risks. Secure all the APIs the company consumes as well as those it exposes to the public. Use encryption to protect request information in transit while limiting the amount of information in the API error messages.
Authenticate and authorize API users
Apply security policies to APIs
Secure all your transmission paths
Validate input data, content types, and responses
Validate all data to prevent application-layer attacks. Ensure input data is safe whether it comes from users, database systems, external sources, or infrastructure. In addition, perform integrity checks as data crosses the boundary between a trusted and a less trusted environment. This ensures that compromised data does not enter your systems indirectly.
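The checks described above, as an added example that is not part of the original checklist or Sqreen's product: a request is rejected unless its content type is on an allow-list, its size is bounded, its body carries a valid HMAC from the trusted producer on the other side of the boundary, and every field matches an explicit schema. The shared key, the header name x-boundary-mac, and the field names are constructed for the example.

```python
"""Validate data at a trust boundary (added example; key and field names are constructed)."""
import hashlib
import hmac
import json
import re

# Constructed shared key for the boundary integrity check; load it from a secret store in practice.
BOUNDARY_KEY = b"example-shared-key-not-for-production"

# Explicit allow-lists: only these content types and field shapes are accepted.
ALLOWED_CONTENT_TYPES = {"application/json"}
USERNAME_RE = re.compile(r"^[a-z0-9_]{3,32}$")
MAX_BODY_BYTES = 4096


class ValidationError(ValueError):
    """Raised for any input the boundary refuses to pass on."""


def sign_payload(raw: bytes) -> str:
    """Producer side: MAC the raw bytes before they cross the less-trusted hop."""
    return hmac.new(BOUNDARY_KEY, raw, hashlib.sha256).hexdigest()


def validate_request(headers: dict, raw_body: bytes) -> dict:
    """Consumer side: return a cleaned record or raise ValidationError."""
    # 1. Content-type allow-list, ignoring parameters such as charset.
    ctype = headers.get("content-type", "").split(";")[0].strip().lower()
    if ctype not in ALLOWED_CONTENT_TYPES:
        raise ValidationError(f"unexpected content type: {ctype!r}")
    # 2. Size limit before parsing, so oversized bodies are rejected cheaply.
    if len(raw_body) > MAX_BODY_BYTES:
        raise ValidationError("body too large")
    # 3. Integrity check: the MAC must match what the trusted producer computed.
    expected = headers.get("x-boundary-mac", "")
    if not hmac.compare_digest(sign_payload(raw_body), expected):
        raise ValidationError("integrity check failed")
    # 4. Parse, then validate structure and each field against the schema.
    try:
        data = json.loads(raw_body)
    except ValueError as exc:
        raise ValidationError("malformed JSON") from exc
    if not isinstance(data, dict) or set(data) != {"username", "quantity"}:
        raise ValidationError("unexpected fields")
    username = data["username"]
    if not isinstance(username, str) or not USERNAME_RE.fullmatch(username):
        raise ValidationError("invalid username")
    qty = data["quantity"]
    # bool is a subclass of int in Python, so exclude it explicitly.
    if isinstance(qty, bool) or not isinstance(qty, int) or not 1 <= qty <= 100:
        raise ValidationError("quantity out of range")
    return {"username": username, "quantity": qty}


def check(headers: dict, raw_body: bytes):
    """Return (ok, cleaned_record_or_reason) so callers can log the decision."""
    try:
        return True, validate_request(headers, raw_body)
    except ValidationError as exc:
        return False, str(exc)


if __name__ == "__main__":
    body = b'{"username": "alice", "quantity": 3}'
    hdrs = {"content-type": "application/json; charset=utf-8",
            "x-boundary-mac": sign_payload(body)}
    print(check(hdrs, body))                           # accepted
    print(check(hdrs, body.replace(b"3", b"300")))     # tampered in transit: MAC mismatch
    print(check(dict(hdrs, **{"content-type": "text/plain"}), body))  # wrong content type
```

The order of the checks matters: cheap, structural rejections (content type, size) come before the MAC, and the MAC comes before parsing, so untrusted bytes are never handed to the JSON parser unless they are known to be unmodified.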
Use RBAC to manage access to resources and operations
Role-Based Access Control (RBAC) is a flexible model that simplifies assigning users and developers access rights to resources. Instead of granting each individual user specific rights, the administrator creates roles, which are then given to groups of users. This is useful in organizations with many users to manage and a pressing need to manage and control API usage.
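The model described above, as an added example that is not code from the original checklist or from Sqreen: permissions are (resource, operation) pairs bundled into roles, roles are granted to groups rather than to individuals, and the check an API handler runs is deny-by-default. The roles, groups, and users are constructed sample data.

```python
"""Deny-by-default RBAC with roles granted to groups (added example, constructed data)."""
from dataclasses import dataclass, field

# A permission is a (resource, operation) pair; a role is a named bundle of them.
ROLE_PERMISSIONS = {
    "viewer": {("orders", "read")},
    "developer": {("orders", "read"), ("deployments", "read"), ("deployments", "create")},
    "api-admin": {("api-keys", "read"), ("api-keys", "create"), ("api-keys", "revoke")},
}


@dataclass
class Directory:
    """Roles are attached to groups; users are members of groups."""
    group_roles: dict = field(default_factory=dict)   # group -> list of roles
    user_groups: dict = field(default_factory=dict)   # user  -> list of groups

    def permissions_for(self, user: str) -> set:
        perms = set()
        for group in self.user_groups.get(user, ()):
            for role in self.group_roles.get(group, ()):
                # An unknown role name contributes nothing rather than failing open.
                perms |= ROLE_PERMISSIONS.get(role, set())
        return perms

    def is_allowed(self, user: str, resource: str, operation: str) -> bool:
        # Deny by default: unknown users, groups, or roles grant no access.
        return (resource, operation) in self.permissions_for(user)

    def revoke_role(self, group: str, role: str) -> None:
        """One administrative change removes the role from every member of the group."""
        self.group_roles[group] = [r for r in self.group_roles.get(group, []) if r != role]


def build_demo_directory() -> Directory:
    return Directory(
        group_roles={"backend-team": ["developer"],
                     "support": ["viewer"],
                     "platform": ["developer", "api-admin"]},
        user_groups={"alice": ["backend-team"], "bob": ["support"], "carol": ["platform"]},
    )


def enforce(directory: Directory, user: str, resource: str, operation: str) -> str:
    """Authorization check for an API handler; logs and returns the decision."""
    decision = "allow" if directory.is_allowed(user, resource, operation) else "deny"
    print(f"authz user={user} resource={resource} op={operation} decision={decision}")
    return decision


if __name__ == "__main__":
    d = build_demo_directory()
    enforce(d, "alice", "deployments", "create")   # allow: developer via backend-team
    enforce(d, "bob", "deployments", "create")     # deny: viewer only
    enforce(d, "carol", "api-keys", "revoke")      # allow: api-admin via platform
    d.revoke_role("platform", "api-admin")
    enforce(d, "carol", "api-keys", "revoke")      # deny after the role is pulled from the group
```

Because rights flow through groups and roles, offboarding a user or shrinking a team's privileges is a single directory change, and every decision is logged so unexpected denials and allows can be reviewed.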
Prevent API parameter tampering, attacks, and hijacks
Parameter tampering enables reverse engineering of the API, such that it exposes data or becomes vulnerable to DDoS attacks. Protecting your APIs keeps your web, cloud, and mobile applications secure and safe. Monitor the APIs, infrastructure, and external services to detect and prevent DDoS attacks.
Use security best practices and tools
Observe the standard security best practices. Reduce your attack surface (harden the infrastructure and services), encrypt your data and communication channels, and filter and block bad traffic and malware. Don't forget to perform regular security audits and to log and analyze your events and assets.
Detect and block unusual behavior
Monitor your application in production to detect and block unusual behavior, including account takeovers and suspicious actors. This helps to prevent attacks originating from within your user base.
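One concrete account-takeover detection, as an added example that is not part of the original checklist or Sqreen's product: over login events, flag any source address that accumulates a burst of failed logins spread across several distinct accounts and then logs in successfully, which is the signature of credential stuffing rather than a user mistyping their own password. The log format, thresholds, and sample lines are constructed.

```python
"""Flag credential-stuffing style account takeovers in login logs (added example, constructed data)."""
from collections import defaultdict

# Constructed sample log, one event per line: <epoch seconds> <source ip> <user> <outcome>
SAMPLE_LOG = """\
1700000000 203.0.113.7 alice fail
1700000002 203.0.113.7 bob fail
1700000004 203.0.113.7 carol fail
1700000006 203.0.113.7 dave fail
1700000008 203.0.113.7 erin fail
1700000010 203.0.113.7 frank success
1700000012 198.51.100.9 alice fail
1700000030 198.51.100.9 alice success
1700000040 192.0.2.5 bob success
"""

# Constructed thresholds: tune against your own traffic to keep false positives low.
FAIL_THRESHOLD = 5      # failures within the window from one source address ...
DISTINCT_USERS = 3      # ... spread across at least this many distinct accounts
WINDOW_SECONDS = 60


def parse(log_text: str) -> list:
    """Return (timestamp, ip, user, outcome) tuples, skipping blank lines."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, outcome = line.split()
        events.append((int(ts), ip, user, outcome))
    return events


def detect_takeovers(events: list) -> list:
    """Return (ip, user) pairs where a success followed a multi-account failure burst from that ip."""
    by_ip = defaultdict(list)
    for ev in sorted(events):
        by_ip[ev[1]].append(ev)
    alerts = []
    for ip, evs in by_ip.items():
        for i, (ts, _, user, outcome) in enumerate(evs):
            if outcome != "success":
                continue
            recent_fails = [e for e in evs[:i] if ts - e[0] <= WINDOW_SECONDS and e[3] == "fail"]
            if (len(recent_fails) >= FAIL_THRESHOLD
                    and len({e[2] for e in recent_fails}) >= DISTINCT_USERS):
                alerts.append((ip, user))
    return alerts


def block_list(alerts: list) -> list:
    """Source addresses to rate-limit or block, and accounts to force through re-authentication."""
    return sorted({ip for ip, _ in alerts})


def affected_accounts(alerts: list) -> list:
    return sorted({user for _, user in alerts})


if __name__ == "__main__":
    found = detect_takeovers(parse(SAMPLE_LOG))
    print("alerts:", found)
    print("block:", block_list(found))
    print("step-up auth for:", affected_accounts(found))
```

The rule deliberately requires failures across several accounts: the second address in the sample (one failed attempt on alice, then success) is a normal user and is not flagged, which is the false-positive case a production rule has to avoid. Single-account brute force is a separate rule with a per-account counter, not covered here.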
Automate security testing and protection
Perform automatic security scanning for vulnerabilities in the code, infrastructure, and applications in staging. Use a security solution that can detect and block attacks in production in real time, such as SQL injections, NoSQL injections, and XSS. Ensure that your solution limits false positives and doesn’t block benign traffic.
Automate data policy management
Automate security tasks and practices
Use existing DevOps tools to automate some security functions. For example:
Combine common tools with a continuous security monitoring platform.
Complement automatic testing with creative manual tests
Automated test scripts may fail to recognize visual issues that a human eye can pick up. In addition, a human tester will interact with the software and discover whether there are usability or interface issues. Another challenge is when the automated test scripts themselves contain errors or bugs that produce false negatives or false positives.
Follow post-production protection best practices
Automate scanning and collect application-level metrics upon deployment. You can use a tool such as Chef to automate the configuration management as well as the provisioning of the run-time environment. Use runtime protection solutions to monitor and protect your applications in production.
Limit your attack surface
Integrate protection and detection measures into the architecture to limit your attack surface and reduce your exposure to internal and external threats. Focus on high-risk areas, such as web forms, internet-facing code, access control, session-management code, data from external sources, and other entry points that interface with external networks.
Use security tools that continue to evolve
The security solutions you put in place must keep pace with changing application environments and infrastructure, as well as with your own growth. These should have the ability to protect your system in real time and automatically send alerts when security issues arise.
Encourage secure employee behavior
Implement a data-protection program that combines security best practices and user education. Raise employee awareness of personal security and of attacks such as spear-phishing. Always update and patch operating systems and application software, preferably automatically.
Check employee security behavior
Simulate a malicious attack in a controlled way to identify and fix real-world vulnerabilities. Use on-premise attacks to test desktop security and visitor controls. Use red teaming or pentests to identify vulnerabilities and their impact on businesses and employees.
Do a spear-phishing campaign
Perform a spear-phishing campaign to test employees' behavior and responses. You can also try hacking your employees in a controlled manner to assess and address risky internal behavior and preparedness.