The best practices for implementing Dev Sec Ops in the organization involves
- People training and management
The weakest link in the entire Dev Sec ops is the human element because with humans the chances of errors arise. Raising awareness and training your team for the DevSec Ops is the most important part of the entire set of Dev Sec Ops practices. Your DevSec Ops must embrace the DevOps mindset and should ensure be trained to help with QA and tests, building of the continuous environments (CI), ensure that security doesn’t act as blockers in the development process. The training must be aligned with the goals of the organization and the standards of security that the organizations want to achieve. Continuous auditing of the team skills and regular workshops can facilitate learning in the DevSec Ops team. The teams must be empowered to make security decisions and should work on mitigation strategies with the AppSec team
- Integration of security in the process
In the agile DevSec Ops environment, the integration of security measures must start from the beginning of the DevSec Ops pipeline. The shift left strategy is apt for DevSec Ops security It helps in reducing the cost of production and release by finding out errors and testing them in the early stages of software lifecycle development.
- Implementing continuous security
Proper security tooling and testing is one of the most important practice in DevSec Ops.
There are two types of security testing employed
SAST (Static Analysis Security Testing) – This involves
- Detecting where coding best practices have been violated
- Identifying the security vulnerabilities in the code you posses and those that have been imported from libraries
DAST (Dynamic Analysis Security Testing)-
It involves examining the application externally when it is running
- Proactive incident management
Response to any incident should be proactive so that workflows do not get disrupted. For this action plans and security scripts must be formed in advance and the security measures developed should consistent and repeatable. There should be proper documentation of each incident and the security measures being applied. This tribal knowledge should be shared across the entire DevSec Ops team.
- Using orchestration software, metadata and version control
In the automated environment, the only thing that is constant is change. You must ensure that you have an immutable versioning in place to track the changes. Every change needs a version and should be converted to metadata so that your operations team can track that change.
Using orchestration software, you are able to deploy your infrastructure in a repeatable manner. It also generates a large amount of metadata for any task. Orchestration software combined with versioning can act as a great information source for your operations team.
Orchestration and automation help in making auditing easier by use of metadata generated
- Auditing and scanning
Auditing at application level enables businesses to access their risk posture. Pre deployment and post deployment auditing helps in providing the requirements to the DevSecops team early in the production process and help them access how much the deployment has been successful respectively
Other best practices include
- Checking all coding standards against the most updated and new security recommendations
- Minimizing the attack surface by restraining from running any script, applications and others that are not mandatory for core applications
- Utilizing those security features that are native to the OS ( kernel security modules while working with Linux)