DevSecOps Overview
Author Rob Campbell
Last Update 29/4/2020
Version 1.01
Elements:

Deployment
Container Management
Build
Build Tool
Internal Repo
Development
Software Composition Analysis Plugin
Code Firewall
Integrated Development Environment (IDE)
To control the number of security vulnerabilities in the development lifecycle
Control the number of vulnerabilities through error and poor coding
Source Code Review Process
Software Composition Analysis (SCA) Tooling
Static Application Security Testing (SAST) Tooling
Dynamic Application Security Testing (DAST) Tooling
Penetration Testing Process
Source Code Control
Container/Hypervisor Platform
Container/VM Registry
Container/VM Orchestration
Seccomp Policy
AppArmor Policy
Pre Production Nodes
Deployment Target (POD)
Service Mesh
Micro Service
Production Nodes
Deployment Target
Service Mesh
Micro Service
Container/VM Instance
Pre Packaged Container (inc signature)
Container/VM Image (inc Signature)
Pre Packaged App (inc signature)
Control the number of vulnerabilities introduced through the use of 3rd party components.
Virtual Machine
Container Platform
Ensure components in use are properly licensed
Package Security Testing
Container Validation
White Box Testing
Security Unit Tests
Composition Analysis
Security Unit Tests
Composition Analysis
Black Box Testing
Functional Tests
Functional Security Tests
Container Deployment
3rd Party Package and Dependency Checking
Container Validation
Release Management
Developer Desktop
Private
3rd Party Packages
Source Code
Build Scripts
Test Code
Private Repo
Secure delivery of code into the production environment
CONSTRAINT - The traditional pentest process was designed to work in a Waterfall project methodology and doesn't support the fix fast, fix often approach taken by modern Agile software development practices.
RISK - Developers use code from public repositories. Something like 85 to 98% of code is someone else's work. Reliance on public repositories is a security concern because the code could be badly written, have licensing implications or contain malicious code.
RISK - If developers use code or packages that are open-source licensed under the AGPL/GPL licence, the product they are writing also becomes open source, cannot be sold and must be freely distributed.
Continuous Integration / Continuous Delivery (CI/CD)
Public Repositories
3rd Party Packages
Source Code
Build Scripts
Test Code
Public Repo
Policy based blocking of vulnerable code
Vulnerability Scanner
Relationships (source -> target):

Build Tool -> Container/Hypervisor Platform
Internal Repo -> Source Code Control
Internal Repo -> Code Firewall (new or changed code)
Software Composition Analysis Plugin -> Integrated Development Environment (IDE)
Code Firewall -> Integrated Development Environment (IDE)
Code Firewall -> Package Security Testing
Integrated Development Environment (IDE) -> Package Security Testing
Integrated Development Environment (IDE) -> Source Code Control
To control the number of security vulnerabilities in the development lifecycle -> Control the number of vulnerabilities through error and poor coding
To control the number of security vulnerabilities in the development lifecycle -> Control the number of vulnerabilities introduced through the use of 3rd party components.
Source Code Review Process -> Integrated Development Environment (IDE)
Source Code Review Process -> Control the number of vulnerabilities through error and poor coding
Software Composition Analysis (SCA) Tooling -> Control the number of vulnerabilities through error and poor coding
Software Composition Analysis (SCA) Tooling -> Container/VM Registry
Software Composition Analysis (SCA) Tooling -> Ensure components in use are properly licensed
Software Composition Analysis (SCA) Tooling -> Source Code Control
Software Composition Analysis (SCA) Tooling -> Software Composition Analysis Plugin
Software Composition Analysis (SCA) Tooling -> Control the number of vulnerabilities introduced through the use of 3rd party components.
Software Composition Analysis (SCA) Tooling -> Container/VM Orchestration
Software Composition Analysis (SCA) Tooling -> Container/Hypervisor Platform
Software Composition Analysis (SCA) Tooling -> Integrated Development Environment (IDE)
Software Composition Analysis (SCA) Tooling -> Build Tool
Software Composition Analysis (SCA) Tooling -> Internal Repo
Static Application Security Testing (SAST) Tooling -> Build Tool
Static Application Security Testing (SAST) Tooling -> Container/Hypervisor Platform
Static Application Security Testing (SAST) Tooling -> Control the number of vulnerabilities introduced through the use of 3rd party components.
Static Application Security Testing (SAST) Tooling -> Control the number of vulnerabilities through error and poor coding
Static Application Security Testing (SAST) Tooling -> Source Code Control
Dynamic Application Security Testing (DAST) Tooling -> Deployment Target (POD)
Dynamic Application Security Testing (DAST) Tooling -> Container/Hypervisor Platform
Dynamic Application Security Testing (DAST) Tooling -> Deployment Target
Dynamic Application Security Testing (DAST) Tooling -> Control the number of vulnerabilities through error and poor coding
Dynamic Application Security Testing (DAST) Tooling -> Control the number of vulnerabilities introduced through the use of 3rd party components.
Dynamic Application Security Testing (DAST) Tooling -> Build Tool
Penetration Testing Process -> Control the number of vulnerabilities through error and poor coding
Penetration Testing Process -> Deployment Target (POD)
Penetration Testing Process -> Deployment Target
Penetration Testing Process -> Control the number of vulnerabilities introduced through the use of 3rd party components.
Penetration Testing Process -> CONSTRAINT - The traditional pentest process was designed to work in a Waterfall project methodology and doesn't support the fix fast, fix often approach taken by modern Agile software development practices.
Source Code Control -> Build Tool
Source Code Control -> Integrated Development Environment (IDE)
Container/Hypervisor Platform -> Container/VM Registry
Container/VM Registry -> Container/VM Orchestration
Container/VM Orchestration -> Deployment Target (POD)
Container/VM Orchestration -> Deployment Target
Container/VM Orchestration -> Seccomp Policy
Container/VM Orchestration -> AppArmor Policy
Pre Production Nodes -> Deployment Target (POD)
Deployment Target (POD) -> Service Mesh
Deployment Target (POD) -> Micro Service
Production Nodes -> Deployment Target
Deployment Target -> Service Mesh
Deployment Target -> Micro Service
Container/VM Instance -> Container/Hypervisor Platform
Container/VM Instance -> Functional Security Tests
Container/VM Instance -> Functional Tests
Virtual Machine -> Integrated Development Environment (IDE)
Virtual Machine -> Container Platform
Container Validation -> Container/VM Registry
Container Validation -> Container/Hypervisor Platform
Container Validation -> Container/VM Orchestration
White Box Testing -> Security Unit Tests
White Box Testing -> Security Unit Tests
White Box Testing -> Composition Analysis
White Box Testing -> Composition Analysis
Security Unit Tests -> Build Tool
Composition Analysis -> Pre Packaged App (inc signature)
Composition Analysis -> Pre Packaged Container (inc signature)
Composition Analysis -> Build Tool
Security Unit Tests -> Security Unit Tests
Composition Analysis -> Composition Analysis
Black Box Testing -> Functional Tests
Black Box Testing -> Functional Security Tests
Container Deployment -> Container/VM Orchestration
3rd Party Package and Dependency Checking -> Package Security Testing
Container Validation -> Container Validation
Release Management -> Container Deployment
Developer Desktop -> Integrated Development Environment (IDE)
3rd Party Packages -> Private Repo
Source Code -> Private Repo
Build Scripts -> Private Repo
Test Code -> Private Repo
Private Repo -> Code Firewall
Secure delivery of code into the production environment -> To control the number of security vulnerabilities in the development lifecycle
RISK - Developers use code from public repositories. Something like 85 to 98% of code is someone else's work. Reliance on public repositories is a security concern because the code could be badly written, have licensing implications or contain malicious code. -> Public Repo
RISK - If developers use code or packages that are open-source licensed under the AGPL/GPL licence, the product they are writing also becomes open source, cannot be sold and must be freely distributed. -> Public Repo
3rd Party Packages -> Public Repo
Source Code -> Public Repo
Build Scripts -> Public Repo
Test Code -> Public Repo
Public Repo -> Code Firewall
Policy based blocking of vulnerable code -> Code Firewall
Policy based blocking of vulnerable code -> Control the number of vulnerabilities introduced through the use of 3rd party components.
Policy based blocking of vulnerable code -> Control the number of vulnerabilities through error and poor coding
Vulnerability Scanner -> Deployment Target (POD)
Vulnerability Scanner -> Build Tool
Vulnerability Scanner -> Container/Hypervisor Platform
Vulnerability Scanner -> Container/VM Registry
Vulnerability Scanner -> Container/VM Orchestration
Vulnerability Scanner -> Production Nodes