Development, Security & Operations — that is DevSecOps, as the name suggests. But you are not here for that, right? ;) In this three-part series I have tried my best to explore the DevSecOps ideology and provide a walk-through of my journey to incorporate it in a DevOps pipeline. To get the most out of the series it is good to have some prior knowledge of DevOps.
There are various definitions available for DevSecOps, but the one which I like the most is —
A cultural and engineering practice that breaks down barriers and opens collaboration between development, security, and operations organizations using automation to focus on rapid, frequent delivery of secure infrastructure and software to production. It encompasses intake to release of software and manages those flows predictably, transparently, and with minimal human intervention/effort. — by GSA
One common misconception is that DevSecOps is a newly emerged technology. It is instead a process or ideology: incorporating security right from the beginning of the software development process. It aims to integrate security into each step of the DevOps process, bringing the security processes that were previously managed independently inside the DevOps lifecycle, to increase the agility of the process.
Traditionally, security came into the picture at a considerably later stage of DevOps. Because of this, fixing security-related bugs and issues took considerable time. For example, if the static code analysis stage in your pipeline reports a security issue, the developer has to fix it and again go through all the steps of pushing the code through your SCM and building it. Also, various security operations like VAPT, threat detection and prevention, SIEM, etc. were secluded from the DevOps lifecycle. This greatly decreased agility when it came to security operations and also made the management of security operations cumbersome.
DevSecOps to the rescue!
In DevSecOps, the idea is to bring the security controls as near to the beginning of the lifecycle as possible. It also aims at incorporating into the automated lifecycle more of the security operations that were previously separate processes. This helps in early detection and early resolution, enabling agility in security operations too.
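To make the ordering concrete, here is an added example (not the author's pipeline and not code from the series' repository) of a declarative Jenkinsfile for a Node.js app where the security checks run before build and deploy, so a finding stops the run right after the push instead of after a deployment. It assumes an agent with git, node and npm, a `package-lock.json` in the repo, and a hypothetical `deploy.sh` script.

```groovy
// Added example: security stages placed as early as possible in a
// Jenkins declarative pipeline for a Node.js (MEAN) application.
// Assumes node/npm on the agent and a hypothetical ./deploy.sh script.
pipeline {
    agent any
    stages {
        stage('Checkout') {
            steps {
                checkout scm
            }
        }
        stage('Install') {
            steps {
                // npm ci installs exactly what package-lock.json pins,
                // so the audit below checks the versions that will ship.
                sh 'npm ci'
            }
        }
        // Security controls come first: if either of these stages fails,
        // Jenkins stops here and nothing is built or deployed.
        stage('Dependency audit') {
            steps {
                // Non-zero exit on known high/critical vulnerabilities
                sh 'npm audit --audit-level=high'
            }
        }
        stage('Static analysis') {
            steps {
                // Lint/static analysis with the project's own ESLint config;
                // any reported error fails the stage.
                sh 'npx eslint .'
            }
        }
        stage('Test') {
            steps {
                sh 'npm test'
            }
        }
        stage('Deploy') {
            when { branch 'master' }
            steps {
                sh './deploy.sh'   // hypothetical deploy script
            }
        }
    }
    post {
        failure {
            echo 'A security or test stage failed; nothing was deployed.'
        }
    }
}
```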
In this series we will be looking into the following phases of DevSecOps -
- Security at Developer’s workstation
- Secrets Management
- Source Control Security
- SAST & DAST
- Infrastructure Vulnerability Scanning
Enough talk, let’s get right to it!
I will be working on a MEAN stack app which you can find on my GitHub here. For this application I have created a simple Jenkins pipeline with no security measures implemented. There are also some common security flaws in the app which we will try to tackle using our DevSecOps implementation. As I wanted to focus more on integrating security, I haven’t implemented different stages like dev, test, prod, etc.
The Jenkins Pipeline looks something like this -
The overall architecture of my deployment looks something like this -
In the next part we will start incorporating security into the above architecture and try to automate as much as possible to develop an end-to-end DevSecOps lifecycle.