There is no Security in DevSecOps

Publish Date : 24-02-2023
Author : Open-CISO

Business Challenge: “No security-visibility in the DevOps-CI/CD Pipeline”

Evaluation Approach:

  • Purpose-built cyber awareness
  • Threat modelling and integrated security testing (mandatory)
  • Misuse cases created in the backlog

Solution:

  • A DevOps team comprises expert engineers who can configure automation for software development and deployment, most often with little or no insight into cybersecurity. Hence the goal is to elucidate the need for a Security Engineer to be an integral part of the team, whose role is to ensure security is embedded right from the design phase.
  • Develop a DevSecOps framework, integrate security user stories and automate testing in the CI/CD pipeline, with an in-depth, collective orientation for the team members.
  • Model threats specific to the application being developed.
  • Identify systems and assets and their corresponding threats in the existing environment; apply legitimate controls based on the risk appetite and tolerance levels of the governing body.
  • Outline security requirements in the user stories.
  • Create misuse cases, write security test cases for them and include them in the backlog.
  • Ensure security is built into the entire CI/CD pipeline using automation tools, and audit the process from time to time for configuration assurance.

How it addressed the Business Challenge:

If a security test case fails, continuous deployment fails, which ensures security is embedded during the development and deployment phases rather than checked afterwards.
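As an added example that is not part of the original post, the following shows one way to turn backlog misuse cases into executable security test cases that gate deployment: an earlier build that never checks order ownership is blocked, the candidate build that does is allowed through. The in-memory orders service, the build names and the backlog ids (MU-01 to MU-03) are constructed for illustration.

```python
from typing import Callable, Dict, List, Optional, Tuple

# Constructed sample data standing in for the service's data store.
ORDERS = {"o-1": {"owner": "alice", "total": 40}, "o-2": {"owner": "bob", "total": 99}}

class Forbidden(Exception):
    """Raised when the orders service refuses a request."""

def get_order_build_42(order_id: str, user: Optional[str]) -> dict:
    """Candidate build: requires an authenticated caller and checks ownership."""
    if user is None:
        raise Forbidden("authentication required")
    order = ORDERS[order_id]
    if order["owner"] != user:
        raise Forbidden("not the owner of this order")
    return order

def get_order_build_41(order_id: str, user: Optional[str]) -> dict:
    """Earlier build: authenticates the caller but never checks ownership."""
    if user is None:
        raise Forbidden("authentication required")
    return ORDERS[order_id]

def rejects(call: Callable[[], object]) -> bool:
    """True if the call is refused with Forbidden, False if it succeeds."""
    try:
        call()
    except Forbidden:
        return True
    return False

# Misuse cases from the backlog (hypothetical ids), each written as a check
# that takes the build under test and returns True when the build behaves.
SECURITY_TEST_CASES: Dict[str, Callable[[Callable], bool]] = {
    "MU-01 anonymous read":    lambda api: rejects(lambda: api("o-1", None)),
    "MU-02 cross-user read":   lambda api: rejects(lambda: api("o-2", "alice")),
    "MU-03 owner read works":  lambda api: api("o-1", "alice")["total"] == 40,
}

def security_gate(api: Callable) -> Tuple[bool, List[str]]:
    """Pipeline stage: returns (deployable, ids of failed security test cases)."""
    failed = [name for name, test in SECURITY_TEST_CASES.items() if not test(api)]
    return (not failed, failed)

if __name__ == "__main__":
    for name, build in [("build 41", get_order_build_41), ("build 42", get_order_build_42)]:
        ok, failed = security_gate(build)
        print(f"{name}: {'deploy' if ok else 'BLOCKED'} {failed}")
```

MU-03 is deliberately a positive case: a gate made only of negative tests would let a build that refuses every request pass, so each misuse case is paired with the legitimate use it must not break.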

Reference: MITRE DevSecOps Automation Briefing

With the expansion of IoT, only DevSecOps can ensure security in design, development and deployment.