Business Challenge: “No security-visibility in the DevOps-CI/CD Pipeline”
Evaluation Approach:
- Purpose-built cyber-security awareness for the team
- Threat modelling, with security testing integrated into the pipeline (mandatory)
- Misuse cases created and tracked in the backlog
Solution:
- A DevOps team is made up of specialist engineers who can configure automation for software development and deployment, most often with little or no insight into cyber security. The goal is therefore to establish the need for a Security Engineer as an integral part of the team, whose role is to ensure security is embedded from the design phase onward.
- Develop a DevSecOps framework: integrate security user stories and automate security testing in the CI/CD pipeline, with in-depth, team-wide orientation for the members.
- Model threats specific to the application being developed.
- Identify systems and assets and their corresponding threats in the existing environment; apply appropriate controls based on the risk appetite and tolerance levels set by the governing body.
- Outline security requirements in the user stories.
- Create misuse cases; write security test cases for them and include those test cases in the backlog.
- Ensure security is built into the entire CI/CD pipeline using automation tools, and audit the process periodically for configuration assurance.
How it addressed the Business Challenge:
If a security test case fails, the continuous-deployment stage fails, so security is enforced during both the development and the deployment phases. The gate only enforces what the test cases cover, so the misuse cases and their tests must be maintained in the backlog as the application changes.
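The following is an added example, not code from the page or from the MITRE briefing it references, showing how a security user story, the misuse cases derived from it, and the pipeline gate fit together. The miniature application (users, sessions, an admin-only delete operation), the story and misuse-case identifiers (US-07, MU-01, MU-02) and the handler names are all constructed for this example. Two variants of the handler are included: one missing the authorization check, representing the defect the misuse cases are written to catch, and the guarded one that satisfies the security requirement. Running the gate against the first variant blocks deployment; against the second it passes.

```python
"""Misuse-case tests as a CI/CD security gate (added example, hypothetical app).

Everything here is constructed for illustration: the in-memory application,
the user story / misuse case IDs and the handler functions.
"""
import sys
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple


@dataclass
class App:
    """In-memory stand-in for the application under test (constructed data)."""
    # username -> role
    users: Dict[str, str] = field(
        default_factory=lambda: {"alice": "admin", "bob": "user"})
    # session token -> username; an unknown or empty token is anonymous
    sessions: Dict[str, str] = field(
        default_factory=lambda: {"tok-alice": "alice", "tok-bob": "bob"})

    def role_of(self, token: str):
        user = self.sessions.get(token)
        return self.users.get(user) if user else None


Handler = Callable[[App, str, str], int]


def delete_user_unguarded(app: App, token: str, target: str) -> int:
    """Deliberately defective variant: no authentication or authorization check.
    Returns an HTTP-style status code."""
    if target not in app.users:
        return 404
    del app.users[target]
    return 200


def delete_user_guarded(app: App, token: str, target: str) -> int:
    """Variant that meets security story US-07: only an authenticated admin may delete."""
    if token not in app.sessions:
        return 401
    if app.role_of(token) != "admin":
        return 403
    if target not in app.users:
        return 404
    del app.users[target]
    return 200


# Security test cases. Each one encodes a misuse case (MU-*) or the positive
# requirement of the security user story (US-*) and returns (passed, description).
# A misuse case passes only when the abuse is rejected AND no side effect occurred.

def misuse_anonymous_delete(handler: Handler) -> Tuple[bool, str]:
    app = App()
    status = handler(app, "", "bob")
    return status == 401 and "bob" in app.users, "MU-01 anonymous caller cannot delete a user"


def misuse_user_deletes_peer(handler: Handler) -> Tuple[bool, str]:
    app = App()
    status = handler(app, "tok-bob", "alice")
    return status == 403 and "alice" in app.users, "MU-02 non-admin cannot delete another user"


def story_admin_can_delete(handler: Handler) -> Tuple[bool, str]:
    app = App()
    status = handler(app, "tok-alice", "bob")
    return status == 200 and "bob" not in app.users, "US-07 admin can delete a user"


SECURITY_TEST_CASES = [misuse_anonymous_delete, misuse_user_deletes_peer, story_admin_can_delete]


def run_security_gate(handler: Handler) -> Tuple[bool, List[str]]:
    """Run every security test case against the handler under test.
    Deployment is allowed only if all of them pass; failures are listed by ID."""
    failures = [desc for case in SECURITY_TEST_CASES
                for passed, desc in [case(handler)] if not passed]
    return (not failures), failures


def main() -> None:
    # In the pipeline this module is the mandatory security-gate stage: a non-zero
    # exit fails the stage, and the deploy stage depends on it, so deployment stops.
    handler = delete_user_guarded if "--fixed" in sys.argv else delete_user_unguarded
    allowed, failures = run_security_gate(handler)
    for desc in failures:
        print("SECURITY TEST FAILED:", desc)
    print("deploy allowed" if allowed else "deploy blocked")
    sys.exit(0 if allowed else 1)


if __name__ == "__main__":
    main()
```

Run without arguments the gate exits non-zero against the unguarded handler (MU-01 and MU-02 fail); with `--fixed` it exits zero. In a pipeline the gate job runs this script and the deploy job is declared dependent on it, which is what turns a failed security test case into a failed deployment.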
Reference: MITRE DevSecOps Automation Briefing