In this blog post, we discuss how you can manage your security tools in your SDLC. It was great to partner with Daniel Begimher from AWS on this post in The New Stack:
Unlocking the Power of Security Orchestration
We need to add security from the first line of code all the way through runtime in production. But how can you do it all manually? Honestly, you shouldn’t.
As a DevSecOps professional, you’re constantly aware that you need to integrate security best practices and tools into your software development life cycle (SDLC) to reduce risk by improving overall security. This includes identifying and mitigating security threats throughout the entire development process, from design and development through testing, and finally deployment.
However, that is easier said than done. If we look at a modern application stack, it is composed of a diverse set of technologies: programming languages, infrastructure-as-code, cloud environments, containers, APIs, SCMs (source control management), CI/CD pipelines and more. This means that to truly achieve the level of security we all aspire to, we need to add security from the first line of code, all the way through runtime in production and at every step in between. There are several points at which you might want to integrate security controls:
- IDE — Where the code is first created
- CI — Where the code is tested and merged
- CD — Where the code is deployed
- Runtime — Where your app is running
All of this can become very overwhelming. So how do we practically achieve full coverage of continuous security? Even just deciding which security tools to use, where and when is a process that involves several steps.
When considering which tools we need to integrate, you might want to follow these good practices to make sure you are selecting the right tools for the job:
- Define: The first step in selecting a security tool is to clearly define the security requirements of the organization. This includes identifying the types of threats that the organization is most likely to face, as well as the data and systems that need to be protected.
- Research: Once the security requirements have been defined, the next step is to identify the various security tools available. This can be done through online research, attending industry events or consulting with security experts. You can use pre-made lists prepared by security experts, such as the “Awesome DevSecOps” list and the “Ultimate DevSecOps library” (both of which I’ve bookmarked and referenced many times). You can also review utilities that aggregate such controls (tools that run multiple scanners under one roof, such as the Automated Security Helper (ASH)) and use them to learn about popular scanning tools.
- Evaluate: After researching the available options, the next step is to evaluate the tools that seem to be the best fit for the organization’s needs. This evaluation should take into account factors such as the tool’s effectiveness, ease of use, ease of deployment, support to your organization’s tech stack and cost.
- Test: Once a shortlist of potential tools has been identified, the next step is to test them in a simulated environment. This will help to confirm how effective the tool is at detecting and mitigating threats. With scanners, metrics such as true-positive and false-positive rates need to be measured to verify their effectiveness; a tool that generates many unhelpful false-positive alerts will prove counterproductive. Depending on the type of tool, and as part of your tool assessment, you need to use deliberately vulnerable targets (a.k.a. Goats), such as vulnerable repos (here is an example of a Python Goat repo), or this vulnerable web app, to see how well the tool performs.
- Select: Based on the test results and the other factors I mentioned above, you should be able to select which tool to use in your stack.
- Implement: After the final decision, you will need to implement the chosen security tool. This is when the integration points noted above become relevant: you can start with the IDE, continue through CI (scanning triggered for every pull request), and extend to continuous deployment or runtime. Whatever integration point you choose, you need to make sure that the tool kicks in according to the desired trigger.
- Monitor: Regular performance evaluation should be conducted to check the effectiveness of the tool and to see if it’s still meeting the security requirements.
- Improve: Check for new versions and start again at step 4.
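As an added example (not from the original post, and not Jit's code), here is a small scoring harness for the Test step above: it compares two hypothetical scanners' findings against the bugs planted in a goat repo, reports true positives, false positives, misses, precision and recall, and ranks the tools after dropping any whose precision falls below a noise floor. All file paths, rule names and scanner outputs are constructed sample data, not output of any real tool or repo.

```python
Finding = tuple[str, int, str]  # (file path, line, rule family)

# Constructed ground truth: the bugs the goat repo's maintainers planted on purpose.
GROUND_TRUTH: set[Finding] = {
    ("app/auth.py", 42, "sql-injection"),
    ("app/upload.py", 17, "path-traversal"),
    ("app/views.py", 88, "xss"),
    ("app/crypto.py", 9, "weak-hash"),
}

# Constructed output of two hypothetical scanners run over the same repo.
SCANNER_RESULTS: dict[str, set[Finding]] = {
    "scanner-a": {
        ("app/auth.py", 42, "sql-injection"),
        ("app/upload.py", 17, "path-traversal"),
        ("app/views.py", 88, "xss"),
        ("app/settings.py", 3, "hardcoded-secret"),  # noise: nothing planted here
    },
    "scanner-b": {
        ("app/auth.py", 42, "sql-injection"),
        ("app/crypto.py", 9, "weak-hash"),
        ("app/views.py", 88, "xss"),
        ("tests/test_auth.py", 12, "sql-injection"),  # noise: test fixture
        ("app/views.py", 101, "xss"),  # noise: right file, wrong line
    },
}

def score(findings: set[Finding], truth: set[Finding], line_tolerance: int = 0) -> dict:
    """Match each alert to at most one planted bug (same file and rule, line within
    tolerance) and return the counts and rates the Test step asks for."""
    unmatched = set(truth)
    for path, line, rule in sorted(findings):
        hit = next((t for t in sorted(unmatched)
                    if t[0] == path and t[2] == rule and abs(t[1] - line) <= line_tolerance), None)
        if hit is not None:
            unmatched.discard(hit)
    tp = len(truth) - len(unmatched)          # alerts that point at a real planted bug
    fp = len(findings) - tp                   # noise developers will learn to ignore
    fn = len(unmatched)                       # planted bugs the tool never saw
    precision = tp / (tp + fp) if tp + fp else 0.0
    recall = tp / (tp + fn) if tp + fn else 0.0
    f1 = 2 * precision * recall / (precision + recall) if precision + recall else 0.0
    return {"tp": tp, "fp": fp, "fn": fn, "precision": precision, "recall": recall, "f1": f1}

def rank_scanners(results: dict[str, set[Finding]], truth: set[Finding], min_precision: float = 0.5):
    """Rank tools by F1, dropping any whose precision is below the tolerable noise floor."""
    scored = {name: score(f, truth) for name, f in results.items()}
    ranked = sorted((n for n, s in scored.items() if s["precision"] >= min_precision),
                    key=lambda n: scored[n]["f1"], reverse=True)
    return ranked, scored
```

Raising `min_precision` is how you encode "too much noise is disqualifying" as a hard gate rather than a judgement call made after the fact.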
It’s important to note that this process of deciding which security tools to use in the SDLC as part of your security stack is an ongoing process, and you should regularly review and update the security tools as new threats and technologies emerge.
But how are you going to manage to do all of that manually by yourself? Honestly, you shouldn’t.
This is where a DevSecOps orchestration platform is extremely useful, and Jit was built from the ground up to fulfill this vision. Jit will help you automate and streamline many of the security tasks that are typically performed manually. Some of the specific benefits of using a DevSecOps orchestration platform include:
- Automation: These platforms automate many of the tedious tasks that bog down DevSecOps teams, such as selecting security tools, testing them and integrating the tools into the SDLC. This can help to reduce the time, manual toil and resources required to perform these tasks, as well as improve their accuracy and consistency.
- Integration: The work required to wire in new tools is extensive, and this is also an area where DevSecOps engineers invest a lot of time and energy configuring and integrating tools at the right insertion point. An orchestration platform enables you to use a wide range of security tools, such as code scanners, penetration testing tools, cloud misconfiguration scanners, CI/CD security tools and others. This allows DevSecOps teams to quickly ramp up the tools that are most effective for their specific needs, with the added benefit of being able to switch between tools easily as needed.
- Standardization: An orchestration platform standardizes the way that security and development teams work with the different security tools. This leads to more efficient tool management and effective development processes, as well as better security outcomes.
- Visibility: With such a platform you will have a centralized view of the organization’s security posture, evidence that security jobs are truly running as they should be, remediation actions, as well as developers’ progress on their security improvement journey.
- Scalability: Orchestration platforms are designed to scale as the organization grows, and as the dev environment becomes more complex with tools, programming languages and other technologies constantly integrated into their stacks. This frees DevSecOps teams from the manual work resulting from each new system and technology change.
- Compliance: Organizations today are required to comply with various regulations such as SOC2, PCI-DSS and HIPAA just to be able to operate their business, and these platforms help streamline this significantly. They can provide automated compliance reporting, incident response and remediation actions, which can help organizations to meet regulatory requirements.
Overall, DevSecOps orchestration platforms are powerful, and they can help DevSecOps teams to be more efficient and effective in their work by allowing them to focus on the places where human expertise is required. By providing developers and DevSecOps engineers an easy way to adopt the security tools modern engineering organizations require, alongside much-needed automation for common and repetitive tasks, the complexity of securing modern applications is greatly reduced.
Originally posted on TheNewStack