DevSecOps. Let's make it DevSecOps! It seems overnight we went from DevOps to DevSecOps. We need cybersecurity in our DevOps implementations, but you can’t simply insert a source code checker in the CI/CD pipeline and declare victory. With DevOps heavily focused on development and generation of high-quality, stable code, it's easy for security to be an afterthought.
A proper DevSecOps approach gives equal importance to the development, security, and operation of an application. Cybersecurity doesn't fit neatly into the middle of development and operations— secure architectures, tools, and security controls need to be considered and implemented throughout the software development lifecycle (SDLC) to make an application secure.
How do we get there? Here are some tips to consider:
At PSI, we established Communities of Excellence (https://www.linkedin.com/feed/update/urn:li:activity:6757305814580625408), which provide a collaboration space for subject matter experts and technical practitioners to exchange information, share tools and experiences, and keep up with the latest technology news. This keeps our software development, testing, quality assurance, cybersecurity, and IT operations professionals working interactively and aware of what kind of work people are doing in each part of the CI/CD pipeline.
Apply multi-factor authentication (MFA) and the principle of least privilege everywhere you have access control. This includes your virtualization or cloud hosting platform, source code repository, build system, operating systems, databases, containers, and the application itself.
Use Single Sign-On (SSO) to limit the number of accounts in use in your environment. Use Role-based Access Control (RBAC), Attribute-based Access Control (ABAC), and Access Control Lists (ACL) to manage permissions.
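The two tips above (MFA plus least privilege, and RBAC/ABAC for permissions) combine naturally into a single deny-by-default authorization decision. The following is an added example, not code from PSI or from this TechTip; the roles, permissions, the MFA-required action list and the attribute rule are all constructed for illustration.

```python
"""Deny-by-default access decision combining MFA, RBAC and ABAC.

Added illustration only. Roles, permissions and attribute rules are
constructed for the example and are not PSI's or any product's policy.
"""
from dataclasses import dataclass, field

# RBAC: each role carries only the minimum permissions its job needs
# (least privilege). Nothing outside this table is ever granted.
ROLE_PERMISSIONS = {
    "developer": {"repo:read", "repo:write", "build:run"},
    "release-engineer": {"repo:read", "build:run", "deploy:staging", "deploy:production"},
    "operator": {"logs:read", "deploy:staging"},
}

# Sensitive actions that require an MFA-verified session regardless of role.
MFA_REQUIRED = {"repo:write", "deploy:staging", "deploy:production"}


@dataclass
class Subject:
    user: str
    roles: set
    mfa_verified: bool
    attributes: dict = field(default_factory=dict)  # ABAC attributes, e.g. team, change_ticket


@dataclass
class Resource:
    name: str
    attributes: dict = field(default_factory=dict)  # e.g. owning team, environment


def abac_allows(subject, resource, permission):
    """ABAC rule (constructed): subject must belong to the resource's owning
    team, and production deploys additionally need a change ticket."""
    same_team = subject.attributes.get("team") == resource.attributes.get("team")
    if permission == "deploy:production":
        return same_team and subject.attributes.get("change_ticket") is not None
    return same_team


def decide(subject, resource, permission):
    """Return (allowed, reason). Every denial names the control that denied."""
    granted = set()
    for role in subject.roles:
        granted |= ROLE_PERMISSIONS.get(role, set())
    if permission not in granted:
        return False, "rbac: no role grants %s" % permission
    if permission in MFA_REQUIRED and not subject.mfa_verified:
        return False, "mfa: session is not MFA-verified"
    if not abac_allows(subject, resource, permission):
        return False, "abac: attribute rule failed"
    return True, "allowed"


if __name__ == "__main__":
    alice = Subject("alice", {"developer"}, mfa_verified=True, attributes={"team": "payments"})
    api = Resource("payments-api", {"team": "payments", "environment": "production"})
    for perm in ("repo:write", "deploy:production"):
        print(perm, decide(alice, api, perm))
```

Note that the checks are ordered cheapest-first and each one is independent: a developer with MFA still cannot deploy to production because no role grants it, and a release engineer without MFA is stopped before the attribute rule is even consulted.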
Encourage professional development for your team members. Training and certifications help team members better understand the technology they are using and how to make it secure.
Learn about and apply security configurations. There are several sources, such as the Defense Information Systems Agency (DISA) Security Technical Implementation Guides (STIG) and Security Requirements Guides (SRG), Center for Internet Security (CIS) Benchmarks, and National Institute of Standards and Technology Special Publications (800 Series).
Collect logs from everything, analyze them, and generate alerts for suspicious behavior. Suspicious behaviors include logins from unknown/foreign locations, repeated login attempts with bad credentials, failed attempts to access ports or files, etc.
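To make the "analyze and alert" step concrete, here is an added example (not code from PSI or this TechTip) that runs the three detections named above over syslog-style lines: a burst of failed logins from one source, a successful login from outside the networks you expect, and denied access to a file or port. The log lines, the known-network range, the thresholds and the patterns are constructed for the example; a real deployment would feed this logic from your log collector and tune the patterns to your own services.

```python
"""Alerting on suspicious behaviour in collected logs.

Added illustration only. The sample log, known-network list and
thresholds are constructed for the example.
"""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Networks interactive logins are expected from (constructed: a VPN range).
KNOWN_NETWORKS = [ipaddress.ip_network("198.51.100.0/24")]
FAILED_THRESHOLD = 3                   # this many failures from one source ...
FAILED_WINDOW = timedelta(minutes=2)   # ... within this window raises an alert

SYSLOG = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<msg>.*)$")
FAILED = re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)")
ACCEPTED = re.compile(r"Accepted \S+ for (?P<user>\S+) from (?P<ip>\S+)")
DENIED = re.compile(r"access denied|Permission denied|Connection refused", re.I)

# Constructed sample lines in sshd / application syslog format.
SAMPLE_LOG = """\
Jan 12 03:14:07 build01 sshd[2314]: Failed password for invalid user admin from 203.0.113.45 port 51422 ssh2
Jan 12 03:14:09 build01 sshd[2316]: Failed password for root from 203.0.113.45 port 51430 ssh2
Jan 12 03:14:12 build01 sshd[2318]: Failed password for root from 203.0.113.45 port 51431 ssh2
Jan 12 03:14:20 build01 sshd[2320]: Accepted publickey for deploy from 198.51.100.7 port 40210 ssh2
Jan 12 03:16:41 build01 sshd[2330]: Accepted password for ci from 203.0.113.99 port 60001 ssh2
Jan 12 03:17:02 app01 app[777]: access denied user=ci path=/etc/shadow
""".splitlines()


def parse(line):
    """Split a syslog line into (timestamp, host, message); None if malformed."""
    m = SYSLOG.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")  # syslog lines carry no year
    return ts, m["host"], m["msg"]


def is_known(ip):
    """True if the address falls inside any expected source network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in KNOWN_NETWORKS)


def analyze(lines):
    """Return a list of (kind, host, source_ip, detail) alerts."""
    alerts = []
    failures = defaultdict(list)  # source ip -> timestamps of recent failed logins
    already_alerted = set()       # sources already reported for brute force
    for line in lines:
        parsed = parse(line)
        if parsed is None:
            continue
        ts, host, msg = parsed
        if m := FAILED.search(msg):
            ip = m["ip"]
            # Keep only failures inside the sliding window, then test the threshold.
            failures[ip] = [t for t in failures[ip] if ts - t <= FAILED_WINDOW] + [ts]
            if len(failures[ip]) >= FAILED_THRESHOLD and ip not in already_alerted:
                already_alerted.add(ip)
                alerts.append(("brute-force", host, ip,
                               "%d failed logins within %s" % (len(failures[ip]), FAILED_WINDOW)))
        elif m := ACCEPTED.search(msg):
            if not is_known(m["ip"]):
                alerts.append(("unknown-location-login", host, m["ip"],
                               "user %s logged in from outside known networks" % m["user"]))
        elif DENIED.search(msg):
            alerts.append(("denied-access", host, "-", msg))
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(alert)
```

The brute-force rule fires once per source when the threshold is crossed rather than on every subsequent failure, which keeps one noisy source from flooding the alert queue; the accepted-login rule deliberately ignores the source of failed attempts and only judges successful sessions, since those are the ones that matter for "login from an unknown location".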
Watch your front doors and back doors. Use IP whitelists to limit remote access and restrict egress traffic to prevent command and control (C2) connections in case your application does get compromised. See my previous TechTip about egress traffic (https://www.linkedin.com/feed/update/urn:li:activity:6747150924587900928).