More or less, everyone that works in the software industry should be aware by now of the term DevOps and the life cycle of any application. Something similar to:
- Plan: Gathering requirements.
- Code: Write the code.
- Test: Executing the tests.
- Package: Package our application for the release.
- Release: When the application artifacts are generated.
- Deploy: We make it available to the users (QA, final users, product, …).
- Operate: Take care of the applications needs.
- Monitor: Keep an eye on the application.
All these bullet points are a rough description of the main stages of the application no matter what methodologies we are using.
The thing is that, nowadays, we should not just be aware of the term DevOps, we should be aware and, using or introducing, the term SecDevOps in our environments.
The ‘Sec’ stands by ‘Security’ and, it means, basically to add the security component and the help of security professionals to all the stages in the cycle, not just after the deployment like usually happens.
In addition to the common tasks we have in the different stages, if we add the ‘Sec’ approach, we should be adding:
- Plan: We should be analyzing the Threat Model. For example, user authentication, external servers, encryption, … Here, we will be generating security focus stories.
- Code: In this stage, the security proffesinal should be training and helping the team with the security concepts: tools, terminology, attacks. This will help developers to be aware of possible problems and write some defensive measures integrated in their code or follow best practices and recommendations.
- Test: In this stage, specific tests to check security capabilities will be created allowing us to early detect possible problems.
- Package: Here, we will check vulnerabilities in external libraries, vulnerabilities in our containers or code static analyzers.
- Release: This stage can be combined with the previous one from a security point of view. Some platforms where the containers are stored, for example, integrate vulnerability scanners.
- Deploy: Here, we can run dynamic security tests with typical ethical hacking tools.
- Operate: Here is when the Red Team steps up in addition to resilience checks.
- Monitor: We can analyze all our logs (we hope previously centralized) trying to discover security problems.
I hope this gives us a simplify view of how we can integrate security awareness and processes in our application cycles.