What is DevSecOps?
DevSecOps (development, security, and operations) is an approach to culture, automation, and platform design that integrates security as a shared responsibility across the organization, and through every phase of the software development lifecycle – from initial design through integration, testing, deployment, and software delivery. It draws from ideas underpinnning DevOps, including agility, continuous integration and deployment, and ensures that security plays an integrated role.
DevOps outlines a software development process and an organizational culture shift that speeds the delivery of higher quality software by automating and integrating the efforts of development and IT operations teams – two groups that traditionally practiced in solos, separately from each other. DevOps principles target rapid and frequent cycles, where work is done in small chunks, called “sprints” with the aim of reducing cycles to weeks or even days. Using this type of pacing, effective security can’t be tacked-on at the end of the project – it needs to be a shared responsibility and integrated from start-to-end of a project, and across the organizaiton. It’s a mindset change that means that Cyber Security resources work in tandem with development and operations resources, building secuirity into the foundation of the development and DevOps processes. (https://www.redhat.com/en/topics/devops/what-is-devsecops)
DevSecOps automatically bakes in security at every phase of the software development lifecycle, enabling development of secure software at the speed of Agile and DevOps. Addressing security issues as they emerge reduces cost (by catching problems before they are pushed into production), as well as the overall risk and attack surface) IBM learn devsecops.
Additional definitions:
Articles/Publications:
DOD: DevSecOps Playbook Highlights:
- Adopt a DevSecOps Culture:
- Stakeholder transparency and visibility
- Complete transparency across team members in real-time
- All project resources easily accessible to the entire team; not everyone needs commit privileges (i.e. principle of least privelege)
- Adopt and embrace ChatOps as the communication backbone for the DevSecOps team
- All technical staff should be concerned with, and have a say in, baked-in security
- Adopt Infrastructure as Code (IaC):
- IT infrastructure supports and enables change, rather than being an obstacle or a constraint
- Mitigates drift between environments by leveraging automation and push-button deployment
- Enforces change management through GitOps with multiple approvers, as needed
- Environmental changes are routine and fully automated, pivoting staff to focus on other tasks
- Quicker recovery from failures, rather than assuming failure can be completely prevented
- Empowers a continuous improvement ecosystem rather than “big bang” one and done activities
- Adopt Containerized Microservices (this approach, in my opinion, should be weighed according to benefits vs effort)
- Componentization via services
- Organized around business capabilities
- Product over project
- Smart endpoints, dumb pipes
- Decentralized governance and data management
- Infrastructure automation support via IaC
- Design for failure
- Evolutionary design support
- Adopt a Capability Model, not a Maturity Model
-
Metric High Performers Med. Performers Low Performers Deployment Freq. On-Demand >1xWeek<1xMnth >1xWeek<1xMnth Change lead time < 1 Hour >1xWeek<1xMnth >1xWeek<1xMnth MTTR < 1 Hour < 1 Day >1xWeek<1xMnth Change failure rate 0-15% 0-15% 31-45%
-
- Drive Continuous Improvement through Key Capabilities
- Continuous Delivery
- use source code repos for all product artifacts
- use trunkbased development methods
- shift-left on security
- implement test automation
- implement continuous intgration
- support test data management
- implement continuous delivery
- automate deployment
- Architecture
- use loosley coupled architecture
- architect for empowered teams
- Cultural
- adopt a Likert scale survey to measure cultural change
- encourage and support continuous learning initiatives
- support and facilitate collaberation among and between teams
- provide resources and tools that make work meaningful
- support or embody transformational leadership
- Product & Process
- gather and implement customer feedback
- make the flow of work visible through the value stream
- work in small batches
- foster and enable team experimentation
- Lean Management & Monitoring
- have a lightweight change approval process
- monitor across application and infrastructure to inform business decisions
- check system health proactively
- improve processes and manage work with work-in-process (WIP) limits
- visualize work to monitor quality and communicate throughout the team
- Continuous Delivery
- Establish a Software Factory
- Design
- Instantiate
- Verify
- Operate & Monitor
- Define a Meaningful DevSecOps Pipeline
- every DevSecOps pipeline is a collection of process workflows and scripts running on a set of DevSecOps tools operating in unison with their associated software factory. The design of each pipeline must clearly identify the process flows and automation activities across the various DevSecOps stages:
- plan
- develop
- build
- test
- release & deliver
- deploy
- operate
- Adopt an Agile Acquistion Policy for Software
- although specific to the DOD, this framework, it is distilled here:Software Acquisition Pathway, using agile software acquisition processes
- Tirelessly Pursue Cyber Resilience
- Cyber Resilience is “the ability to anticipate, withstand, recover from, and adapt to adverse conditions, stresses, attacks, or compromises on the systems that include cyber resources.”12 A primary goal of DevSecOps adoption is to “bake-in” cyber resiliency into applications as part of the software factory’s DevSecOps pipeline process.
- Shift Test and Evaluation (T&E) Left into the Pipeline
- The value of shifting test and evaluation activities into the software factory’s pipeline is that risk is reduced by finding problems early and fixing them fast while the change that created the problem is still in the forefront of the developer’s mind. Integration continues to be difficult to achieve between disparate systems, and the push for access to raw data to feed AI/ML algorithms is increasing, not decreasing. The ability to ensure these integrations work earlier in the process, not as a bolt-on after-the-fact integration, drives the delivery of relevant software at the speed of operations.
NIST: Engineering Trustworthy Secure Systems
CI/CD The What, Why and How Security is hard, even for a multi-billion business like AWS
Tools:
Development Security
(forked from the toniblyx repo:)
| Name | URL | Description | Popularity | Metadata |
| :———- | :———- | :———- | :———- | :———-: |
| CFN NAG | https://github.com/stelligent/cfn_nag | CloudFormation security test (Ruby) ||
|
| Git-secrets | https://github.com/awslabs/git-secrets | |
|
|
| Repository of sample Custom Rules for AWS Config | https://github.com/awslabs/aws-config-rules | |
|
|
| CFripper | https://github.com/Skyscanner/cfripper | “Lambda function to ““rip apart”” a CloudFormation template and check it for security compliance.” |
|
|
| Assume | https://github.com/SanderKnape/assume | A simple CLI utility that makes it easier to switch between different AWS roles |
|
|
| Terrascan | https://github.com/cesar-rodriguez/terrascan | A collection of security and best practice tests for static code analysis of terraform templates using terraform_validate |
|
|
| tfsec | https://github.com/liamg/tfsec | Provides static analysis of your terraform templates to spot potential security issues |
|
|
| Checkov | https://github.com/bridgecrewio/checkov | Terraform, Cloudformation and Kubernetes static analysis written in python |
|
|
| Yor | https://github.com/bridgecrewio/yor | Automatically tag and trace infrastructure as code frameworks (Terraform, Cloudformation and Serverless) |
|
|
| pytest-services | https://github.com/mozilla-services/pytest-services | Unit testing framework for test driven security of AWS configurations and more |
|
|
| IAM Least-Privileged Role Generator | https://github.com/puresec/serverless-puresec-cli | A Serverless framework plugin that statically analyzes AWS Lambda function code and automagically generates least-privileged IAM roles. |
|
|
| AWS Vault | https://github.com/99designs/aws-vault | A vault for securely storing and accessing AWS credentials in development environments |
|
|
| AWS Service Control Policies | https://github.com/jchrisfarris/aws-service-control-policies | Collection of semi-useful Service Control Policies and scripts to manage them |
|
|
| LambdaGuard | https://github.com/Skyscanner/LambdaGuard | AWS Lambda auditing tool that provides a meaningful overview in terms of statistical analysis AWS service dependencies and configuration checks from the security perspective |
|
|
| Terraform-compliance | https://github.com/eerkunt/terraform-compliance | A lightweight security focused BDD test framework against terraform (with helpful code for AWS) |
|
|
| Get a List of AWS Managed Policies | https://github.com/RyPeck/aws_managed_policies | a way to get a list of all AWS managed policies |
|
|
| Parliament | https://github.com/duo-labs/parliament | AWS IAM linting library |
|
|
| AWS-ComplianceMachineDontStop | https://github.com/jonrau1/AWS-ComplianceMachineDontStop | Proof of Value Terraform Scripts to utilize Amazon Web Services (AWS) Security Identity & Compliance Services to Support your AWS Account Security Posture |
|
|
| detect-secrets | https://github.com/Yelp/detect-secrets | An enterprise friendly way of detecting and preventing secrets in code. |
|
|
| tf-parliament | https://github.com/rdkls/tf-parliament | Run Parliament AWS IAM Checker on Terraform Files |
|
|
| aws-gate | https://github.com/xen0l/aws-gate | Better AWS SSM Session manager CLI client |
|
|
| iam-lint | https://github.com/xen0l/iam-lint | Github action for linting AWS IAM policy documents for correctness and possible security issues |
|
|
| Regula | https://github.com/fugue/regula | Regula checks Terraform for AWS security and compliance using Open Policy Agent/Rego |
|
|
| whispers | https://github.com/Skyscanner/whispers | Identify hardcoded secrets and dangerous behaviours |
|
|
| cloudformation-guard | https://github.com/aws-cloudformation/cloudformation-guard | A set of tools to check AWS CloudFormation templates for policy compliance using a simple, policy-as-code, declarative syntax. |
|
|
| IAMFinder | https://github.com/prisma-cloud/IAMFinder | Enumerates and finds users and IAM roles in a target AWS account |
|
|
| iamlive | https://github.com/iann0036/iamlive | Generate a basic IAM policy from AWS client-side monitoring (CSM) |
|
|
| aws-allowlister | https://github.com/salesforce/aws-allowlister | Automatically compile an AWS Service Control Policy that ONLY allows AWS services that are compliant with your preferred compliance frameworks. |
|
|
| Leapp | https://github.com/Noovolari/leapp | Cross-platform app for managing AWS credentials programmatically, based on Electron |
|
|
| KICS | https://github.com/Checkmarx/kics | Find security vulnerabilities, compliance issues, and infrastructure misconfigurations early in the development cycle of your infrastructure-as-code |
|
|
| SecurityHub CIS Compliance Automator | https://github.com/NickTheSecurityDude/AWS-SecurityHub-CIS-Compliance-Automation | Automatically configure your AWS Account to meet 95% of the 200+ controls for CIS Compliance, PCI DSS Compliance and AWS Security Best Practice |
|
|
Additional Resources
- Zero Trust
- Secure Development
- The amazing sottlmarek github DevSecOps repo
- My Arsenal of AWS Security Tools