This article introduces network security from the perspective of the security activities in the software development life cycle. At the organizational level, the security team often sits outside the delivery team, because the security team is concerned with much more than software delivery: service operation security, supply chain security (in the computing world, this means cloud vendors and software and hardware vendors), privacy rules, compliance with laws and regulations, audit compliance, software qualification and ISO standards, and so on.

So, as I understand it, DevSecOps does not absorb the security team into the delivery team; rather, it gives the delivery team the ability to carry out security work itself by bringing security activities forward. This not only greatly reduces the cost of fixing security risks, but also makes the security team's job much easier.

In many organizations, security risks and vulnerabilities are treated as a measure of software quality, so a security quality verification step is part of the verification phase of software delivery. On that basis, security testing and vulnerability scanning can also be embedded in the automated release process, even as a criterion for terminating a deployment.

As countries pay more attention to security and more personal privacy laws are introduced, many customers are also starting to pay attention to the security capability and security qualifications of software suppliers, and treat them as a decisive selection criterion. The importance of security in software development varies from domain to domain.

This also leads to differences in how security is implemented in different areas. In areas such as banking, finance, healthcare and state-owned institutions, software development cannot even begin without controllable security mechanisms. Different areas have different compliance requirements and different ways of managing and controlling risk.

Therefore, many standards and frameworks have been developed to help organizations implement security controls, such as NIST CSF, ISO/IEC 27001, FISMA, HIPAA, PCI DSS, etc. Compliance with these standards has become one of the factors by which an organization's security capability is measured, and many software companies and suppliers invest a lot of effort in proving their compliance to improve their competitiveness in the market. Among these, NIST is the most widely used and authoritative security organization in the industry. It was established by the U.S. federal government to promote best practices and the development of computer network security. This article is therefore written with reference to NIST standards.

In software development, whether the agile or the waterfall model is applied, there are requirements analysis, design, development, test, deployment and operations phases. The length of the delivery cycle does not change the content of the security activities in the development cycle. This article focuses on the security activities in the software development cycle; later sections discuss in detail how each activity applies in different development modes. The following table lists the security activities for each phase.

| Software production phase | NIST secure software development framework (SSDF) | Security activities |
|---|---|---|
| Requirements analysis | Security needs, privacy needs, and risk as part of them | Security requirements assessment and fulfillment |
| Design | Review the software design and verify compliance with security requirements and risks | Threat modeling |
| Development | Verify that third-party software complies with security requirements; examine/analyze source code to locate vulnerabilities | Static code scanning (SAST), third-party module detection (SCA) |
| Test | Test executable code to locate vulnerabilities and verify compliance with security requirements | DAST/IAST, penetration testing |
| Deployment | Configure the compile and build process to improve the security of executable code | Configuration verification, security gate |
| Operations | Vulnerability response (continuously locate and identify vulnerabilities, assess and prioritize remediation of all vulnerabilities, analyze vulnerabilities and locate root causes) | Security response program, security monitoring, operating environment security protection (firewall) |
  • Security requirements assessment and implementation: Simply put, the security team defines a standardized set of software security capabilities as part of the software development requirements. Many organizations treat security requirements as non-functional requirements or technical obligations; I do not want to judge the merits of that approach. Objectively, security requirements are usually technical solutions or security controls derived from ISO/IEC standards or from risk information. As an integral part of the software's functionality, they should be properly positioned and prioritized. The scope of the security requirements changes with the scope of the software functionality to be implemented in the cycle.
  • Threat modeling: This is an important part of the design process that is often overlooked, and it is not a domain-specific security practice. Security requirements cover a wide range of areas and vary from one domain to another; threat modeling locates the threats and analyzes the risks in the software design. Such targeted analysis greatly reduces the risk of later refactoring due to security issues, helps the software establish its own risk model, and outlines the scope of penetration testing.
  • Static code scanning (SAST): This is an important aid in helping developers follow secure coding standards. Much non-standard coding affects program quality, and unsafe coding practices lead to vulnerabilities, inadvertently leaving a back door for attackers.
  • Third-party module detection (SCA): Much of our code is built on existing frameworks, and many feature packages/libraries are introduced for rapid development. Many developers do not realize that these frameworks and packages/libraries carry risks. Because of the heavy dependencies, these can even become fatal bugs that we cannot easily fix. Many frameworks and libraries also have licensing issues, and it is important to detect and address these in advance.
  • Dynamic detection (DAST/IAST): I put DAST and IAST together here because their purpose is similar: they analyze the running program for negative cases and simulate attacks in order to locate problems that static detection cannot find.
  • Penetration testing: It is an industry, and a skill that many security experts and security researchers have. Many people ask why penetration testing is still needed when we have SAST and DAST/IAST. DAST/IAST tools have come very close to the capabilities of penetration testing, but they still have not fully matched what a human tester can discover manually. As a result, most enterprises develop their own internal penetration testers and usually also hire outside penetration testing companies to perform the process, because their expertise really helps verify the software's ability to withstand threats from outside attackers.
  • Configuration verification, security gate: Here we refer to controlling the quality of the software deployment process according to the rules and regulations set by the security department, where automated deployment is available. This can take the form of a deployment-terminating constraint with certain conditions. Security hardening and specifications matter especially when infrastructure is deployed and changed as code (IaC). This brings in a new concept: security specifications as code. More on this later in this series.
  • Security response program: This refers to how the process responds to security events. It is similar to customer support incident response, but the difference with security response is that, while the problem is being solved, the legal/compliance department needs to be involved, and serious cases require the company's senior management to respond to the customer, especially when the company's reputation is at stake.
  • Security monitoring, operating environment security protection (firewall): Developers may not be very familiar with this, but it is a very important part of the security landscape. More and more developers are now starting to work with and configure web application firewalls (WAF) to protect web applications. This means that as security shifts left, developers will need to pay more attention to security issues at the operational level. Security monitoring is also a big topic; whether I give it its own article depends on your interest in it. What you need to understand here is that security monitoring is a very professional ecosystem, in both cloud and traditional environments, which not only helps locate problems but also plays an important role in containing the impact of security incidents.
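One way to implement the deployment-terminating security gate described above as "security specification as code", as an added example that is not part of the original article: a small Python gate that evaluates constructed SAST and SCA findings against a policy and returns the deploy/block decision a pipeline would act on. The finding format, field names, package names and policy thresholds are all assumptions made for illustration, not the output of any real tool.

```python
"""Policy-as-code security gate (added example, not from the article).

Evaluates constructed SAST and SCA findings against a deployment policy and
returns the decision a CI/CD pipeline could use to terminate a release.
Finding fields, package names and thresholds are illustrative assumptions.
"""
from dataclasses import dataclass


@dataclass
class Policy:
    max_sast_severity: dict    # e.g. {"critical": 0, "high": 0, "medium": 5}
    min_blocking_cvss: float   # SCA findings at or above this CVSS block
    denied_licenses: set       # licenses the organization does not allow


# Constructed scanner output for the demo (not real tool output).
SAST_FINDINGS = [
    {"rule": "sql-injection", "severity": "high", "file": "app/db.py"},
    {"rule": "hardcoded-secret", "severity": "medium", "file": "app/cfg.py"},
]
SCA_FINDINGS = [
    {"package": "examplelib", "version": "1.2.0", "cvss": 9.8,
     "license": "MIT", "fixed_in": "1.2.1"},
    {"package": "otherlib", "version": "0.4", "cvss": 3.1,
     "license": "AGPL-3.0", "fixed_in": None},
]

DEFAULT_POLICY = Policy(
    max_sast_severity={"critical": 0, "high": 0, "medium": 5},
    min_blocking_cvss=7.0,
    denied_licenses={"AGPL-3.0"},
)


def evaluate_gate(policy, sast, sca):
    """Return (allowed, reasons); each reason is a readable policy violation."""
    reasons = []
    counts = {}
    for f in sast:  # count SAST findings per severity
        counts[f["severity"]] = counts.get(f["severity"], 0) + 1
    for sev, limit in policy.max_sast_severity.items():
        if counts.get(sev, 0) > limit:
            reasons.append(f"SAST: {counts[sev]} {sev} finding(s) exceed limit {limit}")
    for f in sca:  # known-vulnerable or license-denied dependencies
        if f["cvss"] >= policy.min_blocking_cvss:
            fix = f"upgrade to {f['fixed_in']}" if f["fixed_in"] else "no fix available"
            reasons.append(f"SCA: {f['package']} {f['version']} CVSS {f['cvss']} ({fix})")
        if f["license"] in policy.denied_licenses:
            reasons.append(f"SCA: {f['package']} uses denied license {f['license']}")
    return (not reasons, reasons)
```

In a pipeline, a non-zero exit when `allowed` is false is what turns this check into the terminating deployment constraint; the reasons list is what the developer sees in the job log.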

The original references in English: https://csrc.nist.gov/publica…

Source: DevSecOps SIG


By Nick Yu


Statement: This article is republished on devopshub with the author's authorization, to share quality content with technical partners on the platform. If the original author has other considerations, please contact the editor to have it removed. Thank you.
