Introduction To Devsecops: Powerful Automation


Introduction to DevSecOps

CONTENTS

• Introduction
• Getting Started With DevSecOps
• DevSecOps Core Practices
• DevSecOps Additional Practices
• What’s Next for DevSecOps?

WRITTEN BY JEFF WILLIAMS, CO-FOUNDER AND CHIEF TECHNOLOGY OFFICER OF CONTRAST SECURITY

What Is DevSecOps?

DevSecOps is an approach to IT security based on the principles of DevOps. The exact formulation is still emerging, but we think it’s useful to capture emerging practices for achieving security while building applications and APIs without disrupting high-speed software pipelines.

• DevSecOps is full stack: DevSecOps spans the entire IT stack and includes network, host, container, server, cloud, mobile, and application security. Increasingly, all of these layers are turning into software, which makes application security a critical focus for DevSecOps.

• DevSecOps is full SLC: DevSecOps also spans the full software lifecycle, including development and operations. In development, the focus is on identifying and preventing vulnerabilities, while in operations, monitoring and defending applications are the goals.

Can you apply DevSecOps practices and tools to non-DevOps projects? Absolutely. The ideas in this document are applicable to almost any software project. If your goal is to produce highly secure software in the most cost-effective way possible, then DevSecOps is the path forward.

Gartner has named DevSecOps one of their fastest-growing areas of interest and predicts that DevSecOps will be embedded into 80 percent of rapid development teams by 2021. Organizations practicing DevSecOps have shown impressive results. These early adopters are 2.6x more likely to have security testing keep up with frequent application updates and show a 2x reduction in time to fix vulnerabilities.

Understanding the different types of security work and their value to your organization is critical to successful DevSecOps initiatives. Until you truly understand the work, it’s going to be difficult to deliver it effectively. You can learn more about this topic and DevOps in general by reading books like The Phoenix Project and The DevOps Handbook.

Key DevSecOps Themes

Every DevSecOps program is a little bit different. It’s best to view DevSecOps as a journey. As you progress, you may find that different teams are at different points along the path. The themes below aren’t specific activities. Instead, they are guideposts that you can use to help make decisions along your journey.



INTRODUCTION TO DEVSECOPS

Empowering Engineering Teams: Development and operations are empowered to deliver secure applications into production themselves. Security experts provide support as coaches and toolsmiths, but do not have primary responsibility for security. Make sure that tools and processes are designed for developers and operations, not security experts.

Making Security Visible: In many organizations, security work is hidden, unknown, and untracked. In the end, the value of security is often not easy to understand. In DevSecOps, we make small security tasks that can be tracked, tasked, and measured like any other type of work.

Shift Left: Shifting security “left” means that security activities start during development and extend throughout the SLC, with continuous feedback at every stage from dev to prod. Shifting left does not mean that security is complete during development.

Security as Code: Like Continuous Integration and Continuous Deployment, Continuous Security means that you respond to continuous threats with security activities that are performed continuously, as part of the development and operations process, and integrated into the tools team members are already using.

Continuous Security: To address continuous threats, security activities are performed continuously as part of the development and operations process and integrated into the tools team members are already using.

Prevent and Protect: We will never produce perfect code. Nor will we ever detect or stop all attackers. Therefore, the best security strategies involve a balance of secure coding during development (DevSec) and runtime protection during operations (SecOps).

The “Three Ways” of Security

For decades, both software and security have struggled with poor quality results, cost overruns, and processes that require experts. While DevOps has shown promise on the software side, security is still being practiced in very traditional ways. DevSecOps is not just shoving traditional security practices and tools into DevOps.

Instead, we must rethink the security work. We will need new practices and technologies to perform this work. We can give this transformation structure using the “Three Ways” from The Phoenix Project. By framing the problem this way, we can see that we need to get security work flowing, ensure instant security feedback, and create a security culture.

Get Your Security Work Flowing: Most security work is monolithic and attempts to cover all risks in a single task, like a complete security architecture or security scan. How do we get security work flowing?
• Make the work visible.
• Work a single security challenge at a time.
• Limit work in process.
• Reduce handoffs.
• Automate everything.

Ensure Instant Security Feedback: Security is one of the most common causes of technical debt, and the cost of this work increases dramatically the farther it progresses across the SLC. How do we keep security work on track?
• Make problems instantly visible.
• Swarm on the problem.
• Seek the cause.
• Ensure security “findings” are designed for easy consumption.

Encourage a Security Culture: Many organizations have a security culture of blind trust, blame, and hiding that prevents developers and operations from working with security. How do we create a culture of security?
• Empower everyone to challenge security design and implementation.
• Take every opportunity to make security threats, policies, architecture, and vulnerabilities visible.
• Trust that engineering teams want to do the right thing.
• Celebrate the knowledge gleaned from security issues rather than blaming those involved.
• Spend more effort on upgrading practices and preventive measures than vulnerability remediation and incident response.

If you follow these three ways, you will see security as a concrete output from your development process. It’s a combination of security features and assurance, captured in a tangible way. By applying DevOps concepts, we
can produce this concrete security continuously and effectively as a part of normal software development.

Getting Started With DevSecOps

Traditionally, security has been performed as a series of massive tasks spanning all risks. For example, writing comprehensive security requirements, designing a comprehensive security architecture, performing a comprehensive security test, etc. But agility requires a risk-based approach. To accomplish security work in a DevOps organization, we can prioritize our security tasks and break them into small pieces for implementation.

In this diagram, we show how security fits into the normal DevOps cycle at a very high level. Notice that these security augmentations are designed to fit naturally into the process. No extra steps, no gates, no delays. Instead, we will cycle quickly on small security tasks that are structured to be delivered by the development and operations teams using the tools they already use. We will explore these core practices in detail later.

“HELLO, WORLD!” A FIRST STEP TOWARDS DEVSECOPS

Let’s use a very simple example to demonstrate. Imagine that we have a web application being built by a DevOps project. All we know is that the application didn’t do well on a recent security scan. There is no threat model or security architecture. How should we get started with DevSecOps?

1. Analyze: Identify Your Next Most Critical Security Challenge. We’re not going to try to secure everything at once. The most critical scan findings indicated that this application has obvious SQL injection problems. We want to make tangible progress quickly, so we decide to deal with this first. We’re going to build our defenses and assurance over time in small pieces, not all at once. We create a JIRA ticket to address SQL injection.

2. Secure: Implement a Defense Strategy. Now we need to build our defense. Our strategy to prevent SQL injection is to use input validation and parameterized queries everywhere across our codebase. We may want to break this task up into even smaller pieces. We fill out the details of our defense strategy in our ticket(s) and start implementing them.

3. Verify: Automate Security Testing. We use simple tools to ensure that non-parameterized queries are eliminated from our codebase. We deployed a tool to warn developers in their IDE if they violate this rule. We also automatically re-verify during CI/CD as well as perform a final check prior to deployment.

4. Defend: Detect Attacks and Prevent Exploits. Finally, we want to be aware of any attackers that target us with SQL injection attacks. For visibility and protection in production, we implemented runtime application self-protection (RASP) and established a process for managing attacks.

Once we are done with this security challenge, we can start in on the next one. Each time we complete a challenge, we leave behind the infrastructure to make sure it stays secure. Note that we don’t want to create a fragmented set of individual defenses, so it’s important to make good decisions over time about security architecture.

In DevSecOps, we don’t let perfect be the enemy of good. We’re looking to improve our security story on every iteration. Your first attempt might be a partial solution with sampling instead of a rigorous defense and complete testing. Our goal is to get this cycle running and make measurable progress over time.

CREATING YOUR DEVSECOPS PIPELINE

A DevSecOps pipeline is the set of tools and processes that continuously performs security work as code is written, integrated, tested, deployed, and operated. While there’s really just one delivery pipeline, having a security “view” of your pipeline may help you understand the security value stream separately, revealing bottlenecks and inspiring confidence in the results. The DevSecOps pipeline spans the full lifecycle, handling both development (vulnerabilities) and operations (attacks).

The goal of the security part of our pipeline is to provide vulnerability information to development team members in real time, through the tools they are already using. As we move into operations, our goal is to create visibility into who is attacking, what attack vectors they are attempting to exploit, what systems they are targeting, and whether the attacks are being prevented successfully.
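The SQL injection “Hello, World!” above, carried through in code as an added example (not from the Refcard or from Contrast Security): the query pattern the scan would flag, the step-2 defense (allowlist validation plus a parameterized query), and a small AST-based sensor of the kind step 3 describes, which flags execute() calls whose SQL is built from formatted or concatenated strings rather than bound parameters. The sample rows, the scanned snippet and all function names are constructed for this example.

```python
# Added example: the SQL injection "Hello, World!" carried through in code.
# Constructed sample data and hypothetical names; standard library only.
import ast
import re
import sqlite3

SAMPLE_ROWS = [("alice", "alice@example.com"), ("bob", "bob@example.com")]  # constructed

def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_ROWS)
    return conn

def lookup_user_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    """The pattern the scan flagged: caller-controlled text becomes SQL.
    Kept only so the sensor below has something real to catch."""
    sql = "SELECT name, email FROM users WHERE name = '%s'" % name
    return conn.execute(sql).fetchall()

# Step 2, layer 1: positive (allowlist) validation: describe the one shape a
# username may have instead of enumerating bad characters.
USERNAME_RE = re.compile(r"[a-z0-9_]{1,32}")

def lookup_user_safe(conn: sqlite3.Connection, name: str) -> list:
    if not USERNAME_RE.fullmatch(name):
        raise ValueError("invalid username")
    # Step 2, layer 2: parameterized query. The driver binds the value; it is
    # never parsed as SQL, whatever characters it contains.
    return conn.execute("SELECT name, email FROM users WHERE name = ?", (name,)).fetchall()

# Step 3: a deliberately simple sensor. It parses Python source and reports every
# execute()/executemany() whose SQL argument is not a string literal. Cheap enough
# to run as an IDE save hook, in CI, and again before deployment.
_EXEC_NAMES = {"execute", "executemany", "executescript"}

def _classify(expr: ast.AST):
    """Return None for a literal SQL string, otherwise a short reason."""
    if isinstance(expr, ast.Constant) and isinstance(expr.value, str):
        return None
    if isinstance(expr, ast.JoinedStr):
        return "f-string SQL"
    if isinstance(expr, ast.BinOp) and isinstance(expr.op, (ast.Mod, ast.Add)):
        return "SQL built with % or +"
    if isinstance(expr, ast.Call) and isinstance(expr.func, ast.Attribute) and expr.func.attr == "format":
        return "SQL built with str.format()"
    return "SQL is not a string literal (needs review)"

def find_unparameterized_queries(source: str, filename: str = "<source>") -> list:
    """Return sorted (line, reason) pairs for non-literal SQL passed to execute()."""
    tree = ast.parse(source, filename)
    # Simplification: remember the last simple assignment to each name, so that
    # `sql = "..." % x` followed by `cur.execute(sql)` is judged by the assignment.
    assigned = {}
    for node in ast.walk(tree):
        if isinstance(node, ast.Assign) and len(node.targets) == 1 and isinstance(node.targets[0], ast.Name):
            assigned[node.targets[0].id] = node.value
    findings = []
    for node in ast.walk(tree):
        if not (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
                and node.func.attr in _EXEC_NAMES and node.args):
            continue
        sql = node.args[0]
        if isinstance(sql, ast.Name) and sql.id in assigned:
            sql = assigned[sql.id]
        reason = _classify(sql)
        if reason is not None:
            findings.append((node.lineno, reason))
    return sorted(findings)

# Constructed snippet for the sensor: two violations and one correct query.
SAMPLE_SOURCE = '''
def bad(conn, name):
    sql = "SELECT * FROM users WHERE name = '%s'" % name
    return conn.execute(sql).fetchall()

def also_bad(conn, name):
    return conn.execute(f"SELECT * FROM users WHERE name = '{name}'")

def good(conn, name):
    return conn.execute("SELECT * FROM users WHERE name = ?", (name,))
'''

def demo() -> dict:
    """Exercise both lookups with a benign and a hostile input, then run the sensor."""
    conn = make_db()
    hostile = "x' OR 'a'='a"  # constructed tautology input; not a valid username
    try:
        lookup_user_safe(conn, hostile)
        rejected = False
    except ValueError:
        rejected = True
    return {
        "vulnerable_rows_for_hostile_input": len(lookup_user_vulnerable(conn, hostile)),
        "safe_rejects_hostile_input": rejected,
        "safe_rows_for_alice": lookup_user_safe(conn, "alice"),
        "sensor_findings": find_unparameterized_queries(SAMPLE_SOURCE),
    }
```

The sensor is intentionally narrow (it does not follow data across functions or modules); the Refcard’s point is that even a check this simple, run where developers already work, keeps the defense from eroding.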


The main cycle in the DevSecOps pipeline involves security tools, an analytics hub, and integrations with development and operations tools. The security tools at the bottom of the diagram identify vulnerabilities in applications and APIs across development, test, and production environments. In production, other tools monitor and prevent attacks. The telemetry from these tools feeds into an analytics system for historical tracking, analysis, and notifications. Common events include:

• Custom code vulnerabilities.
• Known vulnerabilities in libraries and frameworks.
• Attacks on custom code vulnerabilities.
• Attacks on libraries and frameworks.
• Application inventory, including all libraries and frameworks.
• Software architecture details.

In general, DevSecOps favors the use of notifications (real-time integrations into normal development and operations tools) over PDF reports. However, for some purposes, such as compliance, PDF reports may be generated. Notifications alert team members who need to know about security events immediately through the tools they are already using as part of their normal job. While a single analytics system would be ideal, today, you may need separate systems for vulnerabilities and threat events.

Sensors: Think of all your security testing and attack monitoring as a set of sensors that is instrumenting your software development organization and systems. The best instrumentation runs continuously, has extremely high accuracy, and provides instant feedback. Sensors can be custom-built test cases, built-in rules in an analysis or protection technology, custom rules, etc.

Security Analytics: All the telemetry reported from sensors (inventory, libraries, vulnerabilities, attacks, etc.) should be stored, measured, and tracked over time. You could start with a spreadsheet or a custom database, but it's better to use a tool designed to support a DevSecOps pipeline. The ideal analytics repository tracks issues (both vulnerabilities and attacks) over time, manages notification rules, and provides great reporting.

Notifications: DevSecOps is built on APIs and notifications. The goal is to get information about new CVEs, custom code vulnerabilities, misconfigurations, patches, probes, and attacks to the people that need them through the tools they are already using. This includes plugins and integrations for tools like Eclipse, IntelliJ, VisualStudio, JIRA, GitHub, Jenkins, Bamboo, Gradle, Maven, Splunk, ArcSight, PagerDuty, VictorOps, Docker, Kubernetes, AWS, Azure, and Pivotal.

Implementing a notification infrastructure encourages downstream security stakeholders (developers, testers, operations, audit, executives, etc.) to work closely with upstream providers (like security testers) to ensure that the work is optimized for them. Your DevSecOps pipeline should be designed for very tight feedback loops — think seconds, not hours, weeks, or months. The faster you can get feedback to the people that need it, the more secure and cost-effective your DevSecOps pipeline will be.

When you start, your DevSecOps pipeline will only verify a few simple things about your software. But over time, as you address challenges, you will automate verification of more and more of your security strategies and defenses. Over time, the goal is to migrate from manual security testing to a fully automated pipeline capable of deploying secure code directly into production without gates.

CHOOSING SECURITY TOOLS AND TECHNOLOGIES

Here are a few of the attributes to consider when choosing security tools and technologies to build your DevSecOps pipeline across the entire SLC. Please note that there is no one set of best tools for DevSecOps. The tools you choose should match the way that you build software, your goals, your culture, and the other technologies you use.

Policy Coverage: First and foremost, you must confirm that the tool actually covers the risks you need it to cover. Many products have surprising shortcomings in this area. See the OWASP Benchmark Project for help.

Accuracy: Accuracy (eliminating both false positives and false negatives) is critical. Inaccuracy means humans have to fix results, which will destroy your pipeline. You should carefully test your tools to be sure they accurately verify what you need.

Speed: You need to test whether tools are fast enough to work as a part of your DevSecOps pipeline. That may be microseconds, seconds, or minutes…but probably not hours and certainly not days.

Scale: Consider the size of your application portfolio and whether the tools you select are capable of operating continuously, in parallel, and across the entire portfolio. Be sure to factor in the number of people you will need to make that work.

Process Fit: You should verify that the tools are useful without a complex installation process. When well-meaning security folks buy tools for development and operations teams, it can cause friction if they aren’t compatible with their technology stack or workflow. Engage the actual users in the evaluation process and conduct pilots to confirm they will be easy to install and use.
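How to check the Accuracy attribute with data rather than vendor claims, as an added example that is not from the Refcard: score a tool’s findings against a labelled set of planted vulnerabilities and safe look-alikes, in the style of the OWASP Benchmark (true positive rate minus false positive rate, per weakness category), and gate adoption on the result. The canary locations and both tools’ findings are constructed sample data; the two tool names are hypothetical.

```python
# Added example: scoring a security testing tool against planted canaries.
# Constructed sample data; scoring follows the OWASP Benchmark idea of
# TPR - FPR per weakness category, which a "flag everything" tool cannot game.
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List

@dataclass(frozen=True)
class Canary:
    path: str
    line: int
    cwe: int          # weakness planted: 89 = SQL injection, 79 = XSS, 22 = path traversal
    vulnerable: bool  # True: a real planted vulnerability; False: a safe look-alike

@dataclass(frozen=True)
class Finding:
    path: str
    line: int
    cwe: int

# Constructed canary set: for each weakness, one real hit and one safe twin that
# uses the same API correctly, so false alarms are measurable as well as misses.
CANARIES = [
    Canary("app/login.py", 42, 89, True),
    Canary("app/login.py", 58, 89, False),
    Canary("app/search.py", 17, 89, True),
    Canary("app/search.py", 33, 89, False),
    Canary("app/profile.py", 12, 79, True),
    Canary("app/profile.py", 20, 79, False),
    Canary("app/export.py", 70, 22, True),
    Canary("app/export.py", 85, 22, False),
]

# Constructed findings from two hypothetical tools.
TOOL_A = [  # misses the traversal bug and raises two false alarms
    Finding("app/login.py", 42, 89),
    Finding("app/search.py", 17, 89),
    Finding("app/search.py", 33, 89),
    Finding("app/profile.py", 12, 79),
    Finding("app/export.py", 85, 22),
]
TOOL_B = [Finding(c.path, c.line, c.cwe) for c in CANARIES]  # flags every canary

def _rate(num: int, den: int) -> float:
    return num / den if den else 0.0

def score_tool(canaries: Iterable[Canary], findings: Iterable[Finding]) -> Dict:
    """Confusion counts, TPR, FPR and score (TPR - FPR) per CWE and overall.
    A finding counts as a hit only on the same file, line and weakness."""
    hits = {(f.path, f.line, f.cwe) for f in findings}
    counts = defaultdict(lambda: {"tp": 0, "fp": 0, "fn": 0, "tn": 0})
    for c in canaries:
        flagged = (c.path, c.line, c.cwe) in hits
        outcome = ("tp" if flagged else "fn") if c.vulnerable else ("fp" if flagged else "tn")
        counts[c.cwe][outcome] += 1
        counts["overall"][outcome] += 1
    report = {}
    for key, n in counts.items():
        tpr = _rate(n["tp"], n["tp"] + n["fn"])
        fpr = _rate(n["fp"], n["fp"] + n["tn"])
        report[key] = {**n, "tpr": tpr, "fpr": fpr, "score": round(tpr - fpr, 4)}
    return report

def failing_categories(report: Dict, min_tpr: float = 0.9, max_fpr: float = 0.1) -> List[int]:
    """CWE categories that fail the accuracy gate; an empty list means the tool passes."""
    return sorted(k for k, v in report.items()
                  if k != "overall" and (v["tpr"] < min_tpr or v["fpr"] > max_fpr))
```

Tool B finds every planted bug yet scores 0.0 overall because it also flags every safe twin; that is the “humans have to fix results” cost the Accuracy attribute warns about, made visible before the tool enters the pipeline.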


Integrations: Verify that the tool integrates with the tools that people in your DevOps toolchain are already using. Look for well-documented, supported REST APIs and SDKs in a variety of languages, IDE plugins, webhook support, ChatOps integrations like HipChat and Slack, notifications with PagerDuty and VictorOps, and SIEM integrations like Splunk.

DevSecOps Core Practices

DevSecOps takes a very agile approach to security, breaking down massive security tasks into incremental improvements that are performed as normal development tasks. These small batches of work include continuous verification so that security builds over time instead of repeatedly starting over from scratch.

Once we’ve identified the next security challenge, our normal engineering process can execute on the improvement. In this section, we explore four core practices to any DevSecOps initiative. Of course, your DevSecOps process might be considerably more complex. See the next section for more ideas or add your own practices to this basic cycle.

Fundamentally, it’s the constant tension between creating defenses and attempting to break them that actually makes organizations more secure. The faster you can repeat this DevSecOps cycle, the faster you can improve security. Over time, you’ll build a complete security story that will provide assurance both internally and externally.

1. ANALYZE: IDENTIFY YOUR NEXT MOST CRITICAL SECURITY CHALLENGE

Why should you always focus on your most critical security challenge? Generally, working on anything else won’t change your security posture very much. It doesn’t help to close the attic window when the garage and front door are wide open. In DevSecOps, we get the work flowing by creating small batch sizes. So, in most cases, we want to work on the most critical security challenge to our enterprise first. Still, don’t be afraid to choose a partial measure or a tiny improvement to your most critical challenge. Working in small increments makes sure we stay on track.

When deciding what to work on next, the team looks at all the potential security “work” available and makes it visible. The team might add new features, pay down some technical debt, make an architectural improvement, fix defects/vulnerabilities, or do something to improve the team’s tools or practices to improve quality, security, or productivity.

It’s important that the team use their threat model and security architecture to make an informed decision about the next most critical security challenge. What is the cost to the company of certain kinds of attacks? What is the cost of implementing preventive measures for those attacks? Try to use data from both internal and external sources to figure out the next thing to do that will most effectively reduce risk.

You may find yourself without a threat model or security architecture. Fortunately, in DevSecOps, these artifacts are created one step at a time. When you’re starting out, it’s easy to identify your top challenges: the problems that are the most likely to be found, be exploited, and cause serious damage, like injection, authorization problems, known vulnerabilities, etc. Consider all the different layers of your application stack:

Applications and APIs: Do you have proactive controls in place? Are you susceptible to common vulnerabilities?

Libraries and Frameworks: Are your libraries and frameworks up-to-date and properly configured? Do you have a complete up-to-date inventory (with exact version numbers) of all the software you are running across all your servers?

Container and Cloud: Have you hardened your platform configuration and kept it up-to-date? Are your cloud environments configured correctly?

Network: Do you have strong network security defenses in place and monitored for attacks?

Use a risk-based approach to decide what to work on next. Be sure to consider whether there’s a viable connection between a threat agent, attack vector, weakness, technical impact, and business impact in your enterprise. OWASP depicts this connection as follows:

Going forward, you should practice a combination of threat intelligence and security research to continuously zero in on your next most critical security challenge. Note that this process is significantly different from trying to assess all your threats. Many organizations get overwhelmed trying to protect against everything at once.


DevSecOps Threat Intelligence, Security Research, and Security Architecture

Threat Intelligence: External sources: ISACs (STIX/TAXII), OWASP, SANS, BlackHat, DefCon, LASCON, DevSecCon, CISO events, friendly peer companies, etc. Internal sources: Monitor your systems for attacks and learn from the data. Understanding actual attacks is a major factor in prioritizing.

Security Research: Security research should focus on challenging security architectures and identifying new strategic ways to improve security. Where possible, work with development to enhance the DevSecOps pipeline with new testing methods.

Security Architecture: There is a dearth of great threat modeling and security architecture tools. But some interesting projects include OWASP Threat Dragon, IriusRisk, and Chaos Engineering (Chaos Monkey, ChaoSlingr).

2. SECURE: IMPLEMENT A DEFENSE STRATEGY

Once you’ve decided on a security challenge to tackle, you’ll need to choose a defense strategy. A defense strategy isn’t a single security mechanism or product. A defense strategy can combine technical security mechanisms, secure coding practices, procedural controls, supporting processes, training, background checks, and more. We are using the term “defense strategy” broadly to include anything that you rely on to prevent a breach. Your defense strategy for a particular challenge can (and probably should) comprise one or more primary defenses and a set of supporting defenses as well.

You can capture each security strategy for implementation in a JIRA ticket that covers each security enhancement that you want to make, including:

Challenge Description: The goal is to concisely justify why this is an important security challenge. This might take the form of a security story or misuse case. The description should cover the elements shown in the OWASP diagram above.

Defense Story: This story should detail exactly how the defense should work. For technical defense mechanisms, the story should clearly detail how the threat is countered and why this defense is effective. For other defenses, how they work to provide protection should be argued.

Operational Guidelines: As part of the defense strategy, you should also consider how to configure, operate, and use these defenses. This guidance should apply to end users and operations staff, and even indicate how developers should use the defense effectively.

Security Testing Approach: The final part of the defense strategy is to detail how you will continuously verify the correctness and effectiveness of the defense strategy.

Your strategy is right when you can easily answer with confidence when anyone asks, “How do you protect against X?” Having a clear, concise, defensible answer to this kind of question can not only provide an easy path to compliance but can also provide business advantage over competitors.

Your defense strategy doesn’t have to be perfect from the very start. It’s far better to start with a basic defense and evolve it over time. In fact, after you implement a basic defense, you may choose to work on another, more pressing, threat. The key to DevSecOps is to continuously reprioritize based on the threat and your existing defenses. The ability to respond quickly is critical for a world of continuously changing threats.

You’ll have to work out your own cadence for re-examining your threat model. So, increasing your cycle speed will have a direct effect on the level of security you are able to achieve. And because DevSecOps adds to your security incrementally with continuous security verification (discussed below), you have protection against backsliding.

The work of actually implementing the security defense shouldn’t be any different than any other feature, and should, to the maximum extent possible, be delivered as code or configuration with everything in source control. Managing security in this way makes it possible to test and redeploy at any time, ensuring that defenses are in place, working correctly, and properly configured.

3. VERIFY: AUTOMATE SECURITY TESTING

A key part of DevSecOps is ensuring that the defense strategies have been properly implemented, configured, and operated. Security testing is the way to verify that your actual security controls match your intended defenses. In DevSecOps, we focus on automating those tests by “turning security into code” so that we can run them frequently without requiring humans, particularly security experts, in the critical path.

There are many ways to automatically verify the security of a system. There is no possible way to list them all, but we provide a few examples of popular tools that have proven themselves to be DevSecOps compatible.

Automate Everything: It's not automated if you need humans in the loop. Don't fall into the trap of thinking that you've automated security when all you really did was automate the "scan" button. Think about the entire process. Does the tool require human expertise to configure or run? Does it require an expert to interpret and triage the results? We are looking to eliminate the involvement of humans in the critical path so that we can push code to production with both speed and assurance.


Avoid “Tool Soup”: Every tool that you adopt means additional process steps, a full set of integrations, and a team of people to configure, run, and interpret. Choose powerful platforms that will allow you to address many different types of security challenges using an integrated framework.

Test Your Testing Tools: Security testing tools vary greatly in their ability to test real applications for a broad range of issues. The only way to know how well a particular tool will work on your applications and APIs is to try it. Consider temporarily adding “tool canaries” in your applications to verify that real vulnerabilities are being discovered and false alarms are not being flagged. See the OWASP Benchmark project for details.

Below is a DevSecOps security testing funnel to help you choose a security verification technique for the particular security challenge we are working on. This may seem obvious, but don’t blindly rely on the wrong tool. Take a minute to select the simplest, fastest, most accurate way to check that your defense implementation is correct, complete, and configured.

For example, testing for proper clickjacking protection is easy if you simply examine HTTP responses for the proper security headers. But it would be very difficult to verify this by looking at the source code, as there are so many ways that this might be accomplished.

DevSecOps Security Testing Funnel

What are we trying to test? Think carefully about exactly what you want to test and the results you want. Direct, complete verification of application behavior is always best, but you can use sampling, fuzzing, design analysis, and other techniques.

Do we need to test it? Probably, yes. But you should clearly prioritize things that are the most critical to security and the most likely to be discovered and exploited by an attacker.

Positive or negative testing? Are we able to verify that the application always follows a known good pattern of execution (positive security) or will we have to resort to trying to verify that the application never follows any of the known bad patterns of execution (negative security)?

Do we already test for it? You may be using a security testing tool that covers this risk. It's critical to verify that your tool does a good job of accurately and efficiently verifying your security defense.

Do we already have a platform that will allow us to test this easily? Perhaps you just need to enable a rule in a tool you're already using. Or maybe you can use an existing tool as a platform for creating a custom rule.

Can we test it by writing custom tests? If we can't use a security testing platform, can we create a custom test case?

Is there another tool on the market that can help test this?
• Network: nmap, sslyze, ssh_scan, Tenable, Qualys.
• Cloud/container: Aqua, Twistlock, Redlock, ThreatStack.
• Libraries/frameworks: OWASP Dependency Check, retire.js, Contrast Assess, Snyk, Sonatype, BlackDuck.
• Application: OWASP ZAP, Arachni, sqlmap, Burp, Contrast Assess, Micro Focus, CA Veracode, Synopsys, Checkmarx.

Do we need human experts to test it? While the goal of DevSecOps is to minimize the number of things that you need human experts to test, bug bounties, red team exercises, and manual penetration testing can provide useful insight into defenses that are difficult to test automatically. Ensure that these efforts deliver rules, test cases, and other automation, not PDF reports. Examples: BugCrowd, HackerOne.

Are we also testing for what we didn’t think of? It’s impossible to know everything, so certain kinds of testing rely on volume and randomness to try to force applications to behave badly. Fuzz testing and chaos engineering tools can help here.

Any security issues discovered during testing should feed into the DevSecOps management infrastructure described above to notify all the people that need to know through the tools they are already using.

4. DEFEND: DETECT ATTACKS AND PREVENT EXPLOITS

DevSecOps organizations recognize that you can never test yourself secure, so they adopt a balanced approach that focuses on minimizing vulnerabilities during development and on identifying and preventing vulnerabilities from being exploited in production. While these two activities have traditionally been separate, DevOps has brought them together and DevSecOps projects support the full software lifecycle.
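The clickjacking check described above, written as the kind of custom test case the funnel’s “Can we test it by writing custom tests?” step calls for; an added example, not from the Refcard. It examines only the response headers a browser enforces: a Content-Security-Policy frame-ancestors directive (which takes precedence over X-Frame-Options when both are present) and otherwise X-Frame-Options. The sample responses are constructed; the ALLOW-FROM and report-only cases are included because they look protective in a header dump but are not.

```python
# Added example: verifying clickjacking protection from HTTP response headers.
# Constructed sample responses; only enforced headers are considered, which is
# what a browser acts on.
from dataclasses import dataclass
from typing import Dict, List, Tuple

@dataclass(frozen=True)
class Verdict:
    protected: bool
    reason: str

def parse_response_headers(raw: bytes) -> List[Tuple[str, str]]:
    """Split a raw HTTP/1.x response into (lower-cased name, value) pairs."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    headers = []
    for line in lines[1:]:  # lines[0] is the status line
        name, sep, value = line.partition(":")
        if sep:
            headers.append((name.strip().lower(), value.strip()))
    return headers

def _frame_ancestors(policy: str):
    """Return the source list of a frame-ancestors directive, or None if absent."""
    for directive in policy.split(";"):
        tokens = directive.strip().split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return [t.lower() for t in tokens[1:]]
    return None

def check_clickjacking(raw: bytes) -> Verdict:
    headers = parse_response_headers(raw)
    # 1. An enforced CSP frame-ancestors directive wins over X-Frame-Options.
    #    Content-Security-Policy-Report-Only is ignored on purpose: it reports,
    #    it does not block framing.
    for name, value in headers:
        if name != "content-security-policy":
            continue
        sources = _frame_ancestors(value)
        if sources is None:
            continue
        # An empty source list, '*', or a bare scheme admits any framing origin.
        if not sources or "*" in sources or any(s in ("http:", "https:") for s in sources):
            return Verdict(False, "frame-ancestors permits any origin: %r" % sources)
        return Verdict(True, "CSP frame-ancestors %s" % " ".join(sources))
    # 2. Fall back to X-Frame-Options.
    xfo = [v for n, v in headers if n == "x-frame-options"]
    if len({v.strip().upper() for v in xfo}) > 1:
        return Verdict(False, "conflicting X-Frame-Options values; send exactly one")
    if xfo:
        value = xfo[0].strip().upper()
        if value in ("DENY", "SAMEORIGIN"):
            return Verdict(True, "X-Frame-Options: %s" % value)
        # ALLOW-FROM is obsolete and was never universally supported; a browser
        # that does not recognise the value applies no framing restriction.
        return Verdict(False, "unsupported X-Frame-Options value: %r" % xfo[0])
    return Verdict(False, "no frame-ancestors directive and no X-Frame-Options header")

# Constructed sample responses, one per case the check has to get right.
SAMPLES: Dict[str, bytes] = {
    "xfo_deny": (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
                 b"X-Frame-Options: DENY\r\n\r\n<html></html>"),
    "csp_none": (b"HTTP/1.1 200 OK\r\n"
                 b"Content-Security-Policy: default-src 'self'; frame-ancestors 'none'\r\n"
                 b"\r\n<html></html>"),
    "csp_overrides_xfo": (b"HTTP/1.1 200 OK\r\nX-Frame-Options: DENY\r\n"
                          b"Content-Security-Policy: frame-ancestors *\r\n\r\n"),
    "report_only": (b"HTTP/1.1 200 OK\r\n"
                    b"Content-Security-Policy-Report-Only: frame-ancestors 'none'\r\n\r\n"),
    "allow_from": (b"HTTP/1.1 200 OK\r\n"
                   b"X-Frame-Options: ALLOW-FROM https://partner.example\r\n\r\n"),
    "no_headers": b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html></html>",
}

def check_all(samples: Dict[str, bytes] = SAMPLES) -> Dict[str, bool]:
    """Map each sample name to whether the response is protected against framing."""
    return {name: check_clickjacking(raw).protected for name, raw in samples.items()}
```

Run against live responses, the same function becomes a pip-free CI check that fails the build with the `reason` text, which is exactly the “finding designed for easy consumption” the Three Ways ask for.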


INTRODUCTION TO DEVSECOPS

from being exploited in production. While these two activities have traditionally been separate, DevOps has brought them together and DevSecOps projects support the full software lifecycle.

DevSecOps Attack Detection and Prevention Tools

Runtime Application Self Protection (RASP)
RASP uses application instrumentation to add attack detection and prevention directly to applications regardless of where or how they are deployed. DevSecOps projects can use RASP to achieve accurate attack-blocking and the flexibility to easily deploy in cloud/container environments. Examples: Contrast Protect, Prevoty, Immunio.

Web Application Firewall (WAF)
WAFs have been on the market since the early 2000s and have a history of complex configuration and spotty protection. Nevertheless, a DevSecOps project might be able to use a WAF for basic protection or as a platform for virtual patches. Examples: ModSecurity, Imperva, F5, Signal Sciences.

Network Intrusion Detection and Prevention (IDS/IPS)
There are a variety of network-, container-, and host-level protections against attacks. Seek out products that can be deployed and managed as part of your standard technology stack. Examples: Snort, Suricata, Bro, Kismet.

Security Information and Event Management (SIEM)
SIEM tools provide real-time analysis of security alerts generated by applications and network hardware and are important to handling attacks in DevSecOps. Examples: Splunk, ELK, SumoLogic, LogRhythm, ArcSight.

The threat and attack data gathered should feed directly into the next DevSecOps cycle to be used by security research to help choose the next most critical security challenge.

DevSecOps Additional Practices

There are additional sets of security challenges that emerge when an enterprise has hundreds or thousands of applications in their portfolio. Doing security at this scale is far beyond what a small dedicated security team can accomplish. DevSecOps is a technique for distributing this work effectively across development and operations.

It’s worth noting that in most organizations, only a small percentage of projects are very far along in their DevOps journey. So, managing the transition to DevSecOps across an entire application portfolio is a key part of the challenge.

STANDARD DEFENSES AND ENTERPRISE SECURITY ARCHITECTURE

Generally, DevSecOps organizations — particularly those with large application portfolios — prefer standard security defenses that are heavily tested for correctness and effectiveness. Don’t reinvent authentication, authorization, encryption, etc. for every application and API you build. This reduces the amount of security work that has to be done and simplifies the organization’s security architecture. Achieving effective enterprise security architecture in a DevSecOps manner is beyond the scope of this document, but these guidelines are good first steps.

Security Libraries
You should generally use popular, well-tested libraries for security features, as it is dangerously easy to make small but disastrous mistakes writing your own. Probably the best approach here is to assemble your own enterprise security API that implements, extends, wraps, or is based on existing security libraries like Spring Security, OWASP ESAPI, BouncyCastle, OWASP Encoder, AntiXSS, AntiSamy, Jasypt, etc.

Standardize on a Standard Software Stack
To the highest extent possible, you want a standard approach to security, and you should use the security features provided by your software stack. This makes security invisible or automatic and reduces the likelihood of mistakes. Don't assume they're working, though; you have to continuously test these defenses.

Security Services
Consider the extent to which you can turn security defenses into high assurance services that can be invoked by your applications. This creates the possibility of upgrading security across many applications without having to recode, retest, and redeploy. In the spirit of DevOps, make sure there is a self-service way for your empowered engineering teams to consume them without needing central approval or provisioning.

MANAGE THE SOFTWARE SUPPLY CHAIN

Libraries have serious vulnerabilities, most of which have not yet been discovered by the good guys. And attacks now start within a day or so of new vulnerabilities being disclosed. So, every DevSecOps project must pay attention to the security of their supply chain.

Your software stack is composed of thousands of libraries, frameworks, modules, and components written by unknown developers all over the world. Using this software can allow you to create software much more rapidly, but the cost is that you must take full responsibility for the security of all that software. In practice, this translates to a few best practices:

Show Some Restraint
Be cautious about the libraries and frameworks that you adopt. Stick to projects that demonstrate a solid security program, evidence of security testing, and effective response to new vulnerabilities.

Self-Inventory
DevSecOps organizations must know the exact version of every library, framework, application, and API that is running on every server in every environment. The best approach is to enable all your systems to self-inventory by reporting their “bill of materials” to a central database. This “always up to date” inventory will enable you to respond quickly to novel attacks.

Establish Secure Coding Guardrails
When you decide to take on a new library, standardize how you will use it safely (both positive and negative rules) and turn them into code so they can be continuously tested.

Test for Latent Vulnerabilities
Before you trust your business to someone else’s code, you must verify that the defenses that are provided by the libraries and frameworks work as advertised and don't contain undiscovered vulnerabilities. Very few libraries receive adequate security testing.

Continuously Monitor for New Vulnerabilities and Respond
Modern applications are only fully composed at runtime, as their dynamic dependencies, plugins, and injections are fully realized. RASP tools (discussed above) can proactively prevent both known and unknown vulnerabilities from being exploited.

EXPLODE, OFFLOAD, RELOAD

While it’s not strictly necessary, many DevOps projects use the cloud, containers, and APIs. Many organizations have already discovered that this is, in fact, the fastest path to securely achieving digital transformation. DevSecOps projects should strongly consider Ed Amoroso’s advice to “explode, offload, reload.”

Explode
Perimeters are no longer effective at stopping attacks, so the first step is to break up your monolithic internal infrastructure into smaller distributed workloads.

Offload
Second, take advantage of security and cost advantages by moving these new, smaller workloads to virtual cloud and container infrastructure.

Reload
Finally, re-establish continuous security for each of your newly virtualized workloads by selecting and deploying modern protection technology at the application, library, container, and network layers.

This strategy is very compatible with DevSecOps, as it allows for efficient centralized security management with distributed enforcement for speed and accuracy.

CREATE A SECURITY CULTURE

Some companies simply seem to have the ability to take security seriously, focus, and do a great job. But others — even companies that seem to be doing all the same practices and using the same tools — are simply terrible at security. The difference is culture. And while culture is a difficult thing to change, there are a few key practices that have worked in organizations and should be part of a DevSecOps program.

Executive Sponsorship
You must have support from the executive level. They need to make it clear that security is everyone’s responsibility and that simply getting past the compliance audit is not the goal.

Micro-Training
Everyone needs to understand exactly what their security responsibilities actually are. The best way to achieve this is by providing instant feedback while they are doing their job.

Accountability
Development and operations team members should be responsible for the security of what they produce and operate. Security specialists shouldn't be in the critical delivery path and should act as coaches and toolsmiths instead.

Security in Sunshine
Make security as visible as possible. Be sure that vulnerability and attack data is never used to shame people. Instead, celebrate security risks as the fastest path to learning and improving. Only when security is visible can you achieve a culture of making informed risk decisions.
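The Self-Inventory and Continuously Monitor practices from the supply chain section above, as an added example that is not part of the original refcard: a host reports its own bill of materials (every installed Python distribution and its version) as a record a central database could ingest, and crosses it with an advisory feed to find components still on a vulnerable version. The advisory entries, the sample host record and the version-ordering helper are constructed for the example; a real feed would come from the organization's vulnerability intelligence.

```python
import json
import platform
import re
import socket
from importlib import metadata


def version_key(version: str) -> tuple:
    """Order dotted versions numerically ('1.26.5' -> (1, 26, 5)).

    Constructed helper: only the leading digits of each part count, so a
    pre-release suffix such as '0rc1' becomes 0; fine here, not for production.
    """
    key = []
    for part in version.split("."):
        match = re.match(r"\d+", part)
        key.append(int(match.group()) if match else 0)
    return tuple(key)


def build_bom() -> dict:
    """Self-inventory: what this host is actually running right now."""
    components = {}
    for dist in metadata.distributions():
        name = (dist.metadata.get("Name") or "unknown").lower()
        components[name] = dist.version
    return {
        "host": socket.gethostname(),
        "runtime": "python-" + platform.python_version(),
        "components": sorted(components.items()),
    }

# Constructed advisory feed: component -> first version that carries the fix.
ADVISORIES = {"examplelib": "2.4.1", "other-widget": "0.9"}


def affected(bom: dict, advisories: dict = ADVISORIES) -> list:
    """Cross the inventory with the feed; list components still on a vulnerable version."""
    hits = []
    for name, installed in bom["components"]:
        fixed_in = advisories.get(name)
        if fixed_in and version_key(installed) < version_key(fixed_in):
            hits.append({"component": name, "installed": installed, "fixed_in": fixed_in})
    return hits


def report(bom: dict = None) -> str:
    """JSON record a central inventory service could ingest from every host."""
    bom = bom or build_bom()
    return json.dumps({"bom": bom, "affected": affected(bom)}, indent=2)
```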
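The Establish Secure Coding Guardrails practice from the supply chain section above, as an added example that is not part of the original refcard: a team's positive rule (YAML may only be parsed through the safe entry points) and negative rules (no pickle deserialization, no eval or exec, no subprocess call with shell=True) written as an AST check that can run in CI on every change. The rule set and the sample source are constructed assumptions for the example.

```python
import ast

# Constructed team guardrails.  Positive rule: YAML may only be parsed through the
# safe entry points.  Negative rules: calls that must never appear in our code.
ALLOWED_YAML_LOADERS = {"yaml.safe_load", "yaml.safe_load_all"}
FORBIDDEN_CALLS = {"pickle.load", "pickle.loads", "eval", "exec"}


def _dotted_name(node):
    """Recover 'pkg.attr' from a call target, or None for anything dynamic."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        base = _dotted_name(node.value)
        return f"{base}.{node.attr}" if base else None
    return None


def check_source(source: str, filename: str = "<constructed>") -> list:
    """Return (line, rule, detail) for every guardrail violation, sorted by line."""
    findings = []
    for node in ast.walk(ast.parse(source, filename)):
        if not isinstance(node, ast.Call):
            continue
        name = _dotted_name(node.func)
        if not name:
            continue
        if name in FORBIDDEN_CALLS:
            findings.append((node.lineno, "negative", f"{name} is forbidden"))
        elif name.startswith("yaml.") and "load" in name and name not in ALLOWED_YAML_LOADERS:
            findings.append((node.lineno, "positive", f"{name} is not an approved YAML loader"))
        elif name.startswith("subprocess."):
            for kw in node.keywords:
                if kw.arg == "shell" and isinstance(kw.value, ast.Constant) and kw.value.value is True:
                    findings.append((node.lineno, "negative", f"{name}(shell=True) is forbidden"))
    return sorted(findings)


# Constructed sample: one compliant call on line 2 and three violations on lines 3-5.
SAMPLE_SOURCE = """import yaml, subprocess, pickle
cfg = yaml.safe_load(open("cfg.yml"))
legacy = yaml.load(open("legacy.yml"))
subprocess.run(["ls", "-l"], shell=True)
obj = pickle.loads(blob)
"""
```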

What’s Next for DevSecOps?


DevSecOps is still in the formative stages. The best way for you to get
involved is to try implementing DevSecOps in your own organization and
publish your experiences. Here are some sources of additional information.

• amazon.com/Phoenix-Project-DevOps-Helping-Business/dp/0988262592

• https://www.youtube.com/watch?v=cIvOth0fxmI

• dzone.com/articles/a-devops-approach-to-building-security

• contrastsecurity.com/continuous-app-sec-cas

• linkedin.com/pulse/lose-security-wheel-edward-amoroso

• ruggedsoftware.org/

• ca.com/content/dam/ca/us/files/msf-hub-assets/research-assets/integrating-security-into-the-dna-of-your-software-lifecycle.pdf

• whitehatsec.com/news/12th-annual-application-security-statistics-report

Written by Jeff Williams


Jeff brings more than 20 years of security leadership experience as co-founder and Chief Technology Officer of
Contrast Security. Previously, Jeff was co-founder and CEO of Aspect Security, a successful and innovative application
security consulting company acquired by EY. Jeff is also a founder and major contributor to OWASP, where he served
as Global Chairman for 8 years and created the OWASP Top 10, OWASP Enterprise Security API, OWASP Application
Security Verification Standard, XSS Prevention Cheat Sheet, and many other widely adopted free and open projects.
Jeff has a BA from Virginia, an MA from George Mason, and a JD from Georgetown.

Devada, Inc.
600 Park Offices Drive
Suite 150
Research Triangle Park, NC
888.678.0399 919.678.0300

DZone communities deliver over 6 million pages each month to more than 3.3 million software developers, architects, and decision makers. DZone offers something for everyone, including news, tutorials, cheat sheets, research guides, feature articles, source code, and more. "DZone is a developer’s dream," says PC Magazine.

Copyright © 2019 Devada, Inc. All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form or by means electronic, mechanical, photocopying, or otherwise, without prior written permission of the publisher.
