At the core of our work is the incorporation of DevSecOps methodologies, which inform the foundation and structure of every project we undertake and product we build for our clients, including for MOJ and DWP. Implementing DevSecOps is crucial for businesses to maintain the security of their software and applications while also increasing their speed to market.
Another key aspect of our approach is the integration of "Secure by Design" principles, which means considering security as an integral part of the early solution design and build process, rather than an afterthought to be addressed later on. It is important to understand that security is not a one-time task that can be completed and forgotten about. New security issues can arise at any time, and once a security breach occurs, it can be extremely difficult, if not impossible, to recover from the resulting damage to data and reputation. That is why it is crucial to incorporate security measures into DevOps practices and CI/CD pipelines from the start, alongside Secure by Design application design and development practices. By taking these steps, we can ensure the protection of our clients' data, assets, and reputation from the very beginning of the development process.
We understand that security is an ongoing concern, and that new issues can arise at any time. To protect our clients and organisation, we aim to incorporate additional layers of security into our DevOps practices and CI/CD pipelines.
DevSecOps is a new way of approaching application security that treats it seriously rather than as an afterthought. It is an approach to securing the software development process and applications by integrating security into the software development lifecycle (SDLC). With the emergence of DevSecOps, there has been a shift in how we think about security and react to threats. While it focuses on shifting left in the software development lifecycle, it also ensures that security is everyone’s job.
You could test the code changes for security vulnerabilities through a CI system even before any artefact is created, and then you could test again in between each stage to make sure the true artefacts are being passed to the next stage. DevSecOps aims to prevent security threats before they occur by implementing best security practices throughout the SDLC with more secure code.
One way to do this is through the use of tools at various stages of the pipeline, from code on a developer's laptop to code in production. For example, linting tools and pre-commit hooks can help identify messy code that may contain security vulnerabilities, while TruffleHog searches for sensitive information in Git commit history and Semgrep, CodeQL and SonarQube perform static analysis and security testing. Infrastructure as Code analysis is a recent addition to SonarQube, which is why the pipeline also includes TFSec, a static analyser for Terraform. TFSec can output findings as JUnit files for easy integration into reporting. All of the pre-build tools are run in parallel, but the build will not progress until all of them have completed successfully. Gating the build in this way is also important for identifying vulnerabilities before they reach production. Additionally, scanning Docker images for vulnerabilities before they are pushed to a repository can save time and resources.
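The gate described above (parallel pre-build tools, no build until all have completed successfully) can be expressed as a fail-closed check over the tools' JUnit reports. This is an added example, not the pipeline's own code; the tool names in `REQUIRED_REPORTS`, the `gate` and `count_findings` functions, and the sample reports are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Hypothetical tool names for the parallel pre-build stage described above.
REQUIRED_REPORTS = ("trufflehog", "semgrep", "tfsec")


def count_findings(junit_xml):
    """Return (testcases, findings) for a JUnit document.

    Accepts either a <testsuites> or a single <testsuite> root and counts
    <failure>/<error> children rather than trusting summary attributes.
    """
    root = ET.fromstring(junit_xml)
    if root.tag not in ("testsuites", "testsuite"):
        raise ValueError(f"not a JUnit report: <{root.tag}>")
    cases = root.findall(".//testcase")
    findings = sum(1 for c in cases
                   if c.find("failure") is not None or c.find("error") is not None)
    return len(cases), findings


def gate(reports, required=REQUIRED_REPORTS):
    """Fail closed: every required tool must have produced a clean report."""
    reasons = []
    for tool in required:
        xml_text = reports.get(tool)
        if not xml_text:
            # A missing report means the tool crashed or was skipped.
            reasons.append(f"{tool}: no report (tool did not complete)")
            continue
        try:
            _, findings = count_findings(xml_text)
        except (ET.ParseError, ValueError) as exc:
            reasons.append(f"{tool}: unreadable report ({exc})")
            continue
        if findings:
            reasons.append(f"{tool}: {findings} finding(s)")
    return (not reasons, reasons)


# Constructed sample reports, not real tool output.
CLEAN = '<testsuite name="semgrep" tests="1"><testcase name="rules"/></testsuite>'
TFSEC = ('<testsuites><testsuite name="tfsec"><testcase name="s3-encryption">'
         '<failure message="bucket not encrypted"/></testcase>'
         '<testcase name="sg-ingress"/></testsuite></testsuites>')

if __name__ == "__main__":
    ok, why = gate({"semgrep": CLEAN, "tfsec": TFSEC})
    print("PASS" if ok else "FAIL", why)
```

Treating a missing or unparseable report as a failure matters as much as counting findings: a scanner that crashes silently would otherwise let the build through.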
Once code is in production, it is important to continue monitoring for security issues. This can be done through the use of runtime security tools, such as AWS IAM Access Analyzer and AWS Security Hub, as well as regular penetration testing. By implementing these measures, we aim to ensure the security of our clients' data, assets, and reputation from the earliest stages of development.
Another aspect to consider when building pipelines is the security of the infrastructure and tools being used. In the case of the pipeline, it is hosted on an agent within the AWS account. To ensure the security of this agent and tooling, we have implemented the patch manager feature in AWS Systems Manager to schedule maintenance windows during times when the pipeline is not in use. The EC2 instances are added to a patch group and given a set of security patches appropriate for their operating system. By automating this process of applying security patches, we can continuously maintain the security of the system and reduce the burden on administrators.
Organisations can expect to see significant benefits from implementing a DevSecOps process, including:
DevSecOps helps to address security concerns by integrating security into the development process and securing the development environment. This is essential for protecting against cyber attacks. Some strategies for tackling and mitigating security issues in DevSecOps include:
Another significant concept in DevSecOps is employing CI/CD. CI/CD helps development teams automate code commits, build and test the code, and deploy it to the specified environment. In addition, developers can automate testing to find security issues in their application code by integrating application security as part of their production environment pipeline.
Another vital aspect of DevSecOps is the culture of automation and ownership. Developers need to be given the freedom to automate processes independently, but they also need to own their code. This means they are responsible for everything in their code, including the security risks.
Implementing DevSecOps is crucial for businesses in order to maintain the security of their software and applications while also increasing their speed to market. The benefits of adopting DevSecOps are numerous, as it allows for the identification and resolution of security vulnerabilities at all stages of the development process. From writing code to testing and deploying applications, DevSecOps requires a holistic approach to ensure the security of the final product. If you need help with DevSecOps, please contact us.