Photo by Leonard von Bibra on Unsplash

DevSecOps Best Practices

Our top advice for secure development across the SDLC

By Jason Chavarría | August 11, 2022 | Category: Philosophy

DevSecOps best practices ensure the implementation of security into software development and operations. Organizations that follow these practices enable their teams to work cooperatively, build more secure software and increase development speed.

In this blog post, we will share our selection of DevSecOps best practices that you can start implementing or enhancing now.

Enable collaboration across teams

Adopting a DevSecOps culture and mindset means that people in development, operations and security teams work together to release secure software at speed. The whole point of this shift is to allow seamless communication and teamwork, thus encouraging ownership and accountability.

Implementing DevSecOps should mean that every developer is as responsible as anyone on the security team for the security of the software. Further, they can increase their secure coding knowledge by fixing the issues found by continuous security tests. The role of the security team is to provide training, as well as additional help and guidance. They no longer carry the whole load of security on their shoulders.

Encourage cybersecurity awareness for everyone

As mentioned before in our DevSecOps series, cybersecurity involves not only technology but also people. Security experts are responsible for implementing and monitoring security tests to profile cyber risk, deliver solutions and assess their effectiveness. They are also responsible for defining and complying with the organization's policies. A DevSecOps mindset is one in which everyone is responsible for security.

As the continuous task of risk management must contemplate that everyone agrees on their shared responsibility, organizations need to integrate cybersecurity awareness efforts to lower the risk of cyberattacks and other incidents.

And what does it mean to foster cybersecurity awareness? It involves encouraging everyone to recognize cybersecurity problems and respond accordingly with actions that have been previously set officially as appropriate. The following are recommended efforts to promote security awareness:

  • Communicate the organization's security policies to everyone in the organization.

  • Educate them about the meaning of the terms that you are using.

  • Inform them of their role in protecting information and reporting suspicious activity.

  • Keep them up to date on the different attack vectors and their mitigation strategies.

Some of the things you can teach your team include cybersecurity definitions, the value of information, access control mechanisms, password management, social engineering, malware, safe computing and physical security mechanisms.

Train in maintaining a secure development process

When it comes to training developers, these are some actions that should be executed by the most reliable team of security experts in your organization:

  • Teach developers the importance of updating software dependencies.

  • Teach developers to identify potential vulnerabilities in the software design, encouraging secure coding.

  • Teach developers to fix code vulnerabilities shortly after they're written, which is known as the just-in-time approach. This involves taking a look at somebody's code through static application security testing (SAST), software composition analysis (SCA) or dynamic application security testing (DAST) and then giving education relevant to what it is that they're doing wrong.

The software engineering experts that may help you in carrying out this approach are commonly known as Security Champions, who sometimes have the position of DevSecOps engineers.

Implement shift-left testing

DevSecOps is all about integrating security into every part of information systems engineering as early as possible in the software development lifecycle (SDLC). This is in contrast to conducting security testing only in the traditional software testing and production stages.

To achieve the shift-left security approach, organizations should have security scans built into the developers' workflow performed along with continuous manual penetration testing to search for known vulnerabilities in the code they've just written. Having a timely report of security issues, developers can remediate them soon after they arise.

Launch small code changes quickly and securely

Having security ingrained in all stages of development does not slow it down. On the contrary, DevSecOps enables developers to run a combination of automated and manual tests on their code and fix any issues promptly, which minimizes security bottlenecks (i.e., there are less issues for the security team to solve) and maximizes speed to launch. In addition, developers may become more proficient in secure coding, which further saves precious time. Overall, ensuring that all small changes to code are early tested helps development to progress steadily and, ultimately, faster.

To learn more about the challenges and drivers in implementing DevSecOps, click here.

Combine manual testing along with automated tools

Process automation is key in the DevSecOps culture. By automating security testing, you get the advantage of speeding it up for fast software delivery, but relying on automation alone and not combining it with the expertise of ethical hackers means low accuracy, i.e., high rates of false positives and false negatives. Automated tools should help experts do the following:

  • Categorize and monitor risk across the SDLC.

  • Create tickets or issues when vulnerabilities are found.

  • Track vulnerability history.

Below are the three most popular assessment methods that can be executed repeatedly during development to increase efficiency and security.

Static application security testing (SAST)

SAST analyzes the application source code. Early in the SDLC, these tests can pinpoint the exact location of vulnerabilities. They are especially useful to detect issues such as those concerning lack of data validation, which open the possibility for an injection attack.

Dynamic application security testing (DAST)

DAST does not require access to the application source code. It involves assessing running applications by sending attack vectors to their endpoints. These tests can detect vulnerabilities in the application deployment configuration as well as authentication and session issues, but they cannot show you the exact location of these security issues in code.

SAST and DAST tools are not advisable on their own, as they produce reports with high numbers of false positives and false negatives. Further, neither SAST nor DAST tools can find access control issues (the number one risk to web applications in the latest OWASP Top 10), whereas manual security testing can. Read on to learn more about its benefits.

Software composition analysis (SCA)

Developing with speed means you are not spending your time reinventing the wheel. Therefore, external dependencies are bound to be used throughout building your technology. In fact, they might be used to such an extent that you probably could not recall each specific dependency. This is a problem when something major happens, like the exploitation frenzy of vulnerabilities found in the popular logging tool Log4j, and everyone has to find out whether or not they use the vulnerable dependency in their applications.

To mitigate the risks posed by code dependencies (especially supply chain attacks), a best practice is to have a complete and updated inventory of the dependencies that make up your software and keep these up-to-date with the latest patches. The answer to this need is SCA.

SCA requires access to your source code. It reveals external software dependencies. So, this analysis can tell you the component licenses, versions and security vulnerabilities, if there are any. When performing SCA combining automatic and manual work, there are no limitations due to coding language, nor is the analysis limited to commonly known vulnerabilities.

In the DevSecOps culture, it's a good idea to perform code dependencies auditing continuously, early and across the entire SDLC to get useful information promptly and continuously about vulnerable open-source or third-party components.

Conduct security audits continuously

As threats are evolving continuously, organizations need to assess their systems thoroughly to check their compliance with best practices, international standards and federal regulations. As you should expect with this scope, the assessment is not limited to checking whether the software in use has the latest patch. A security audit includes evaluating the integrity of the systems' physical components, network security and employee behavior.

We recommend continuous instead of regular security audits, since the latter could allow a time window during which risk exposure could be taken advantage of. By updating your knowledge of the security weaknesses in your systems, compliance can be constantly monitored. By remediating those issues, it's possible to give your systems more adequate protection from cyberattacks.

Conduct manual assessments continuously

We encourage you to have experts assess your systems continuously with techniques such as manual penetration testing. These involve the work of ethical hackers who probe the system to exploit vulnerabilities and bypass defenses or review code manually (at Fluid Attacks, they are aided by AI prioritization), among other things, depending on the phase in the SDLC in which the tests are done. These experts are up to date on tactics used by threat actors and are able to test how secure your technology is against attacks that are tailored for it especially.

Since security reports based on scans made with automated tools have high rates of false positives and false negatives, we immensely value the manual work performed by experts. To give you an idea, our analyses of security tests performed last year in our clients' systems show that 67.4% of the risk exposure was reported by manual methods only. Thus, we argue that penetration testing is a valuable component in favor of accuracy and depth.

In short, we advise continuous penetration tests to validate the security of your technology and test against new techniques used by threat actors. This is in contrast to the common advice to conduct just regular penetration tests for the sake of complying with regulations, among other drives. Continuous assessments support a strong remediation culture, pushing beyond periodic obligations.

Break the build

It is advisable to prevent the deployment of a system if a vulnerability is found in it. In our State of Attacks 2022, we reported that clients who enabled our feature to break the build took almost 30% less time to remediate their systems' vulnerabilities than those who didn't enable it. This is automatic and responds to organization policies that state how severe a vulnerability should be for it to break the build, the grace period before a newly reported vulnerability will break the build, etc. With this example, you can see it's worth it to automate tools and processes.

Try DevSecOps with Fluid Attacks

At Fluid Attacks, we specialize in security testing throughout the entire SDLC, combining automated tools and manual security testing. Our Continuous Hacking Machine Plan allows you to find software vulnerabilities through SAST, DAST and SCA with great accuracy while you develop. If you upgrade to Squad Plan, you can count on our ethical hackers to find complex, more severe vulnerabilities with manual techniques and advise you on how to remediate them.

Using Continuous Hacking, you can enable our DevSecOps agent, the component that will break the build according to your organization's policies. This way we empower you to commit fully to developing secure software at speed.

Wanna try Continuous Hacking Machine Plan? Click here to unbox a 21-day free trial. Contact us if you want more information. We're happy to answer all your DevSecOps questions.

Ready to try Continuous Hacking?

Discover the benefits of our comprehensive Continuous Hacking solution, which hundreds of organizations are already enjoying.

Internal CTA
Start free trial