DevSecOps — What’s it all about? Part 2

Pools-App architecture

Security at Developer’s Workstation

At the developer's end we can use the following measures:
1. IDE extensions: IDE or editor extensions can be very helpful in the early detection of security flaws. These extensions provide functionality like static code analysis, secrets tracking, etc.
2. Git hooks: Git hooks let you apply rules at stages like pre-commit and pre-push. They can help detect common errors in the code before it is committed or pushed.

Secrets detection
VulnCost — third-party library scanning
Talisman — pre-commit hook
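As an added illustration of the Git-hook approach and of what a pre-commit secrets check such as Talisman does (example code, not from the original post or from the Talisman project), here is a small POSIX shell pre-commit hook. The regex patterns and the `secret-scan:ignore` allowlist marker are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not code from the original post or from Talisman/VulnCost:
# a minimal git pre-commit hook that aborts the commit when the staged diff
# adds a line that looks like a secret. The patterns and the
# "secret-scan:ignore" allowlist marker are constructed for this example.
# Install: copy to .git/hooks/pre-commit and mark it executable.

# Reads a unified diff on stdin. Returns 0 when no likely secret is found
# among the added lines, 1 otherwise (the offending lines go to stderr).
scan_for_secrets() {
    # keep only added lines, drop the "+++ b/file" headers, honour the
    # allowlist marker, then match a few common secret shapes
    hits=$(grep '^[+]' | grep -v '^[+][+][+]' | grep -v 'secret-scan:ignore' | grep -iE \
        -e 'AKIA[0-9A-Z]{16}' \
        -e '-----BEGIN [A-Z ]*PRIVATE KEY-----' \
        -e '(api[_-]?key|secret|password|token)[[:space:]]*[:=][[:space:]]*.{8,}') || true
    if [ -n "$hits" ]; then
        printf 'pre-commit: possible secret(s) in staged changes:\n%s\n' "$hits" >&2
        printf 'pre-commit: move them to a secrets manager, or append "secret-scan:ignore" to a confirmed false positive\n' >&2
        return 1
    fi
    return 0
}

# When executed as the pre-commit hook, scan what is about to be committed;
# a non-zero exit status makes git abort the commit.
case "$0" in
    */pre-commit) git diff --cached -U0 --no-color | scan_for_secrets || exit 1 ;;
esac
```

Only added lines are inspected, so removing an old credential never blocks the commit; a real tool like Talisman adds entropy checks and a per-repository allowlist file on top of fixed patterns.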

Secrets Management

We have talked enough about keeping secrets out of code. But you still need secrets to authenticate your application components. Earlier, secrets files, environment variables and similar techniques were used to supply secrets. However, they do not provide capabilities like rotation and versioning of secrets. A secrets management tool provides secure central storage for secrets with capabilities like rotation, controlled access, logging, etc. A good secrets management tool should integrate easily into your environment with the least overhead, which is mostly achieved by exposing APIs for accessing and managing secrets. If you are in a cloud environment, native secrets management services are available, such as Azure Key Vault or AWS Secrets Manager. Another approach is to eliminate the use of secrets by using token-based authentication. These tokens can be granted based on the user identity, machine identity or any unique identity that can be associated with the application. Azure Managed Identity is a good example of this.

Source Control Security

We are well aware of various hacks where backdoors were implanted into source code. Source control management (SCM) security is crucial to maintaining your security posture. Different SCM systems provide different security measures. Some common controls are:
1. Secrets scanning
2. Dependency security scanning
3. User validations using git hooks
4. Logging

Static Application Security Testing (SAST) & Dynamic Application Security Testing (DAST)

SAST and DAST are two methods of scanning an application for security. SAST, as the name suggests, scans the static state of the application. It can be performed before building the application, which avoids the overhead of a build when there are security flaws. SAST can also be run in parallel with the build to avoid long deployment times. SAST should not only check for security vulnerabilities in your own code but also check the dependencies your application uses, since the security of these packages is also crucial to your security posture. DAST, on the other hand, tests your application's security once it is built. It needs the application to be built and running, ideally in a state as close as possible to what end users will see. It scans for runtime vulnerabilities and common attacks such as the OWASP Top 10.

Pools-App Jenkins Pipeline
Pools-App architecture
