DevSecOps evolved to address the need to build in security continuously across the SDLC so that DevOps teams could deliver secure applications with speed and quality. Incorporating testing, triage, and risk mitigation earlier in the CI/CD workflow prevents the time-intensive, and often costly, repercussions of making a fix postproduction. This concept is part of “shifting left,” which moves security testing toward developers, enabling them to fix security issues in their code in near real time rather than “bolting on security” at the end of the SDLC. DevSecOps spans the entire SDLC, from planning and design to coding, building, testing, and release, with real-time continuous feedback loops and insights.
Security has always been a patchwork approach. If DevSecOps aims to change that, what new does it bring to the table?
There are 5 principles for DevSecOps:
Automate Security In
Integrate to fail quickly
No false alarms
Build security champions
Keep operational visibility.
DevOps and DevSecOps workflow
A developer creates code within a version control management system.
The changes are committed to the version control management system.
Another developer retrieves the code from the version control management system and carries out static code analysis to identify any security defects or code-quality bugs.
An environment is then created using an infrastructure-as-code tool such as Chef. The application is deployed and security configurations are applied to the system.
A test automation suite is then run against the newly deployed application, covering back-end, UI, integration, security, and API tests.
If the application passes these tests, it is deployed to a production environment.
This new production environment is monitored continuously to identify any active security threats to the system.
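The static analysis step above only works as a gate if it fails the build quickly and does not drown developers in known false positives (principles 2 and 3). The following script is an added example, not code from the original article or any vendor: it reads scanner output in a simplified SARIF-like shape (constructed inline), suppresses findings that a security champion has already triaged into a baseline, and returns a non-zero exit code for CI when any untriaged finding at or above the chosen severity remains. The rule IDs, file paths, ticket reference and baseline format are all invented for illustration.

```python
"""Constructed CI security gate for static analysis findings.

Added example, not from the original page. The scan output is a simplified
subset of SARIF (runs -> results -> ruleId/level/locations); the baseline
format (rule|file -> reason) is invented for this example.
"""
import json
from dataclasses import dataclass

# Constructed scanner output in a SARIF-like shape (not real tool output).
SCAN_OUTPUT = json.dumps({
    "runs": [{"results": [
        {"ruleId": "SQLI-001", "level": "error",
         "locations": [{"physicalLocation": {
             "artifactLocation": {"uri": "app/db.py"},
             "region": {"startLine": 42}}}]},
        {"ruleId": "HARDCODED-SECRET", "level": "error",
         "locations": [{"physicalLocation": {
             "artifactLocation": {"uri": "tests/fixtures.py"},
             "region": {"startLine": 7}}}]},
        {"ruleId": "WEAK-HASH", "level": "warning",
         "locations": [{"physicalLocation": {
             "artifactLocation": {"uri": "app/legacy.py"},
             "region": {"startLine": 88}}}]},
    ]}]
})

# Constructed triage baseline: findings a security champion reviewed and
# accepted. Keyed by rule + file so one suppression does not silently cover
# new occurrences of the same rule elsewhere in the code base.
BASELINE = {
    "HARDCODED-SECRET|tests/fixtures.py":
        "dummy credential in a test fixture, ticket SEC-123 (hypothetical)",
}

SEVERITY_RANK = {"note": 0, "warning": 1, "error": 2}


@dataclass(frozen=True)
class Finding:
    rule_id: str
    level: str
    uri: str
    line: int

    @property
    def key(self) -> str:
        return f"{self.rule_id}|{self.uri}"


def parse_findings(sarif_text: str) -> list[Finding]:
    """Flatten SARIF-style runs/results into Finding records."""
    doc = json.loads(sarif_text)
    findings = []
    for run in doc.get("runs", []):
        for result in run.get("results", []):
            loc = result["locations"][0]["physicalLocation"]
            findings.append(Finding(
                rule_id=result["ruleId"],
                level=result.get("level", "warning"),
                uri=loc["artifactLocation"]["uri"],
                line=loc["region"]["startLine"],
            ))
    return findings


def evaluate_gate(findings, baseline, fail_level="error"):
    """Return (passed, blocking, suppressed).

    Only findings at or above fail_level that are not in the baseline block
    the build; lower-severity findings are reported but do not fail it.
    """
    threshold = SEVERITY_RANK[fail_level]
    blocking, suppressed = [], []
    for finding in findings:
        if finding.key in baseline:
            suppressed.append(finding)
        elif SEVERITY_RANK.get(finding.level, 0) >= threshold:
            blocking.append(finding)
    return (not blocking, blocking, suppressed)


def run_gate(sarif_text=SCAN_OUTPUT, baseline=BASELINE) -> int:
    """Print a short report and return a process exit code for CI."""
    passed, blocking, suppressed = evaluate_gate(parse_findings(sarif_text), baseline)
    for f in suppressed:
        print(f"SUPPRESSED {f.rule_id} {f.uri}:{f.line} ({baseline[f.key]})")
    for f in blocking:
        print(f"BLOCKING   {f.rule_id} {f.uri}:{f.line} level={f.level}")
    print("gate:", "PASS" if passed else "FAIL")
    return 0 if passed else 1


if __name__ == "__main__":
    raise SystemExit(run_gate())
```

With the constructed input the gate fails on the SQL injection finding, reports the hard-coded test credential as suppressed, and lets the warning-level finding through; lowering `fail_level` to `"warning"` would also block the weak-hash finding. Keeping the baseline in version control next to the code means every suppression is reviewed in a pull request rather than configured silently in the scanner.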
DevSecOps Best Practices
Here are just a few best practices that will make the DevSecOps process run smoothly:
Automation is good - DevOps is all about speed of delivery, and this doesn't need to be compromised just because you are adding security to the mix. By embedding automated security controls and tests early in the development cycle, you can ensure fast delivery of your applications.
Use DevSecOps for efficiency - You are only adding security to your workflows. By using tools that can scan code as you write it, you can find security issues early.
Carry out threat modeling - Threat modeling exercises can help you to discover the vulnerabilities of your assets and plug any gaps in security controls. Azure Sentinel can help you to identify the riskiest events occurring across your infrastructure and to build the necessary protection into your DevSecOps workflows.
Azure Active Directory (AD) can be configured as the identity provider for GitHub. Multi-factor authentication can be enabled for extra security.
Developers commit to GitHub Enterprise, driven by work items and bugs tracked with Azure Boards.
GitHub Enterprise can integrate automatic security and dependency scanning through GitHub Advanced Security and GitHub Open Source Security.
Pull Requests trigger CI builds and automated testing in Azure Pipelines.
The CI build in Azure Pipelines generates a Docker container image that is stored to Azure Container Registry, which is to be used at release time by Azure Kubernetes Service.
Upon uploading to the Azure Container Registry, Microsoft Defender for Cloud will scan the image for Azure-native vulnerabilities and for security recommendations for the pushed image.
A release on Azure Pipelines integrates the Terraform tool, managing both the cloud infrastructure as code, provisioning resources such as Azure Kubernetes Service, Application Gateway, and Azure Cosmos DB.
Azure Pipelines enable Continuous Delivery (CD) to Azure Kubernetes Service, by accessing the Container Registry through a secure service connection.
Azure Policy can be applied to Azure Pipelines to enforce post-deployment gateways, and can be applied directly to the AKS engine for policy enforcement.
Azure Key Vault is used to securely inject secrets and credentials into an application at runtime, abstracting sensitive information away from developers.
End users can authenticate with Azure AD B2C, required to use MFA for extra security, and be routed through an Application Gateway that can load balance and protect core services.
Continuous monitoring with Azure Monitor extends to release pipelines to gate or rollback releases based on monitoring data. Azure Monitor also ingests security logs and can alert on suspicious activity.
As the final part of the DevSecOps flow, Microsoft Defender for Cloud performs active threat monitoring on the Azure Kubernetes Service, both at node level (VM threats) and on cluster internals.
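Steps 7 and 9 above (Terraform provisioning and Azure Policy enforcement) are where an infrastructure change can be checked before it reaches the cluster. The script below is an added example, not Microsoft's or HashiCorp's code: it evaluates a small set of policy rules over a Terraform plan document shaped like the output of `terraform show -json`, and denies the release when a planned resource violates one. The plan content is constructed inline, the rule set is invented for illustration, and the azurerm attribute names it checks (`role_based_access_control_enabled` on `azurerm_kubernetes_cluster`, `enable_https_traffic_only` on `azurerm_storage_account`) are assumptions about the provider schema that should be verified against the provider version in use.

```python
"""Constructed pre-deployment policy gate over a Terraform plan.

Added example, not from the original page. The plan document mirrors the
shape of `terraform show -json plan.out` (planned_values -> root_module ->
resources/child_modules); attribute names are assumptions about the azurerm
provider and the rule set is invented for illustration.
"""
import json

# Constructed plan: one AKS cluster with RBAC disabled and one storage
# account that is HTTPS-only but missing the required environment tag.
PLAN_JSON = json.dumps({
    "planned_values": {"root_module": {"resources": [
        {"address": "azurerm_kubernetes_cluster.app",
         "type": "azurerm_kubernetes_cluster",
         "values": {"name": "app-aks",
                    "role_based_access_control_enabled": False,
                    "tags": {"environment": "prod"}}},
        {"address": "azurerm_storage_account.logs",
         "type": "azurerm_storage_account",
         "values": {"name": "applogs",
                    "enable_https_traffic_only": True,
                    "tags": {}}},
    ]}}
})

# Each rule: (resource type or "*" for any type, rule id,
#             predicate that returns True when the resource is compliant).
RULES = [
    ("azurerm_kubernetes_cluster", "aks-rbac-enabled",
     lambda v: v.get("role_based_access_control_enabled") is True),
    ("azurerm_storage_account", "storage-https-only",
     lambda v: v.get("enable_https_traffic_only") is True),
    ("*", "required-tag-environment",
     lambda v: bool((v.get("tags") or {}).get("environment"))),
]


def planned_resources(plan_text):
    """Yield every planned resource, walking root and nested child modules."""
    doc = json.loads(plan_text)
    stack = [doc["planned_values"]["root_module"]]
    while stack:
        module = stack.pop()
        yield from module.get("resources", [])
        stack.extend(module.get("child_modules", []))


def evaluate_plan(plan_text, rules=RULES):
    """Return a list of (resource address, rule id) violations."""
    violations = []
    for res in planned_resources(plan_text):
        values = res.get("values") or {}
        for rtype, rule_id, is_compliant in rules:
            if rtype in ("*", res["type"]) and not is_compliant(values):
                violations.append((res["address"], rule_id))
    return violations


def run_policy_gate(plan_text=PLAN_JSON) -> int:
    """Print denied resources and return a CI exit code (1 = block release)."""
    violations = evaluate_plan(plan_text)
    for address, rule_id in violations:
        print(f"DENY {address}: violates {rule_id}")
    print("policy gate:", "PASS" if not violations else "FAIL")
    return 1 if violations else 0


if __name__ == "__main__":
    raise SystemExit(run_policy_gate())
```

Running this against the constructed plan denies the AKS cluster for the disabled RBAC and the storage account for the missing tag, while the HTTPS-only check passes. In a pipeline this would sit between `terraform plan` and `terraform apply`; it complements rather than replaces Azure Policy, which continues to enforce the same rules on resources after deployment.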
Azure Active Directory provides identity and access management services for your organization, allowing control over access to the resources inside Azure, GitHub Enterprise, and Azure DevOps.
Source code is hosted on GitHub Enterprise, where developers can collaborate within your organization and with open-source communities. GitHub Enterprise offers advanced security features to identify vulnerabilities in the code you write and in open-source dependencies.
Use Azure Boards to plan work and track its progress, using Agile tools such as Kanban boards.
Azure Pipelines is a service that provides Continuous Integration and Continuous Delivery jobs, to build and release your application automatically.
Host your Docker container images on Azure Container Registry. This service includes container image scanning with the integration with Microsoft Defender for Cloud.
Azure Kubernetes Service offers a Kubernetes cluster that is fully managed by Azure, to ensure availability and security of your infrastructure.
Terraform is a third-party product developed by HashiCorp that allows infrastructure automation on Azure, as well as on other environments.
Azure Policy lets you create, assign, and manage policies. These policies enforce different rules and effects over your resources, so those resources stay compliant with your corporate standards and service level agreements. It integrates with Azure Kubernetes Service too.
You can use Azure Key Vault to store certificates, connection strings, tokens, and other secrets. This sensitive information is read by your application at run-time, so it's abstracted away from your developers.
Azure Cosmos DB is a globally distributed, multi-model database service that is fully managed and compatible with multiple APIs, including MongoDB, Cassandra, and SQL.
Azure Application Gateway is a Layer-7 load balancer with support for advanced routing rules and a Web Application Firewall (WAF).
Using Azure Monitor lets you get insights on the availability and performance of your application and infrastructure. It also gives you access to signals to monitor your solution's health and spot abnormal activity early.
Using Azure AD B2C you can provide identity services to consumers (end-users) of your application, even if they're not part of your organization.