DevSecOps — What’s it all about? Part 3

Pools-App architecture
Pools-App Jenkins Pipeline

Vulnerability Scanning

We looked for vulnerabilities in the application during the DAST phase, but it is just as important to scan the infrastructure for vulnerabilities. The tools and techniques used here largely depend on the type of infrastructure you run, and there is a wide array of tools available to achieve the required outcome. Make sure the tools you use scan for the latest known vulnerabilities in your infrastructure.

Compliance Scanning (Compliance-as-Code)

Compliance checks verify that the security standards set for an environment are being maintained. They are often handled by a dedicated team, and a lot of effort goes into producing compliance reports, which may be required by different teams such as legal, management, or external auditors. Automating them in the pipeline is an obvious choice, because compliance checks are needed whenever there are changes or updates to the application or the infrastructure.

Observability

We have numerous scans and tests running in our DevSecOps pipeline. They are not restricted to security; they also include application testing, performance testing, build reports, and so on. Different teams work on different aspects of the pipeline, so it is important to bring everything under a single umbrella that gives a holistic view of the application lifecycle. We need a single dashboard or project management tool where everyone, from development, operations, security, management, legal, and delivery, can see the current status of the applications. Each team can still have additional tools to manage its own action items more efficiently; for example, the security team can use Archery to detect and manage vulnerabilities, but that tool would not be of much help to the development team. DevSecOps aims to bridge the gap between teams to increase efficiency and agility, so depending on your existing infrastructure you can either use an observability tool already adopted by some teams or select a new one that suits your needs.

Pools-App Dashboard in Grafana
Pools-App architecture
Pools-App Jenkins Pipeline
  1. Go native. Use native solutions as much as possible to avoid moving data between platforms. Cloud service providers offer most DevSecOps services within their own environment. Avoid custom implementations and intermediate scripts to connect resources, as they open up additional attack points.
  2. Use tools that can be automated. A tool with a CLI is good; one with a REST API is better. Use tools that can be easily integrated into your existing environment. Also check which output formats they support, and aim for a consistent format so that everything can be managed in a single place.
  3. Use tools that are regularly updated. Security is an ever-changing landscape, and the tools you use should be able to keep up with it. We cannot achieve agility if a tool requires frequent manual intervention for updates or receives updates late.
  4. Integrate ticketing or change management tools. Have a cross-team ticketing or change management system. Instead of separate solutions for each team, have a single solution that you can then segregate between teams.
  5. Set up a unified view of the application. Have a common dashboard or view of the application. DevSecOps aims to bring all three disciplines together, not to separate them even further.
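Point 2 (consistent output formats managed in one place) and the compliance-as-code section above are easiest to see in a small pipeline stage. The following is an added example, not code from the Pools-App pipeline: it assumes two hypothetical scanners whose JSON shapes and sample findings are constructed here, normalizes both into one finding schema, and returns a pass/fail gate the pipeline can act on.

```python
"""Normalize findings from several pipeline scanners into one schema and gate on severity.

Added example (not the Pools-App pipeline). The two scanner formats and all
findings below are constructed; the CVE-style identifiers are placeholders.
"""
import json
from dataclasses import dataclass
from typing import List

# Constructed sample output of a hypothetical infrastructure vulnerability scanner.
VULN_SCAN_OUTPUT = json.dumps({"results": [
    {"cve": "CVE-0000-0001", "host": "web-01", "score": 9.1},
    {"cve": "CVE-0000-0002", "host": "web-01", "score": 4.3},
]})
# Constructed sample output of a hypothetical compliance scanner (impact is 0-1).
COMPLIANCE_OUTPUT = json.dumps({"controls": [
    {"id": "cis-1.1.1", "status": "fail", "impact": 0.7, "target": "db-01"},
    {"id": "cis-1.1.2", "status": "pass", "impact": 1.0, "target": "db-01"},
]})

SEVERITY_ORDER = ["LOW", "MEDIUM", "HIGH", "CRITICAL"]


@dataclass(frozen=True)
class Finding:
    tool: str       # which scanner produced the finding
    ident: str      # scanner-specific identifier (CVE id, control id, ...)
    resource: str   # affected host or target
    severity: str   # one of SEVERITY_ORDER, the common scale for the dashboard


def severity_from_score(score: float) -> str:
    """Map a 0-10 score onto the common severity scale using CVSS-style cut-offs."""
    if score >= 9.0:
        return "CRITICAL"
    if score >= 7.0:
        return "HIGH"
    return "MEDIUM" if score >= 4.0 else "LOW"


def normalize_vuln(raw: str) -> List[Finding]:
    """Vulnerability scanner: every result is a finding, score is already 0-10."""
    return [Finding("vuln-scanner", r["cve"], r["host"], severity_from_score(r["score"]))
            for r in json.loads(raw)["results"]]


def normalize_compliance(raw: str) -> List[Finding]:
    """Compliance scanner: only failed controls are findings; scale impact 0-1 to 0-10."""
    return [Finding("compliance", c["id"], c["target"], severity_from_score(c["impact"] * 10))
            for c in json.loads(raw)["controls"] if c["status"] == "fail"]


def gate(findings: List[Finding], threshold: str = "HIGH") -> bool:
    """Return True (pipeline may proceed) only if no finding reaches the threshold."""
    limit = SEVERITY_ORDER.index(threshold)
    return all(SEVERITY_ORDER.index(f.severity) < limit for f in findings)
```

In a Jenkins stage the merged list would be written out as one JSON document for the dashboard or ticketing system, and a `False` from `gate()` would fail the build.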

Mr.Pool.404