DevSecOps

The document outlines various security testing techniques that can be used at different stages of the software development lifecycle (SDLC) to implement DevSecOps. It discusses static and dynamic application security testing, software composition analysis, secure code reviews, container scanning, fuzzing, and more. The techniques aim to identify vulnerabilities early and continuously to help developers build more secure software. Runtime techniques like runtime application self-protection and penetration testing are also covered to help secure applications in production.

Uploaded by

mohamed 00

Figure from Six Pillars of DevSecOps: Automation by the Cloud Security Alliance

The Secure SDLC: A Quick Reference

Secure Coding

• Static Application Security Testing (SAST)

o SAST, also referred to as Static Code Analysis, inspects source code (or bytecode) without running the application, so it can, and should, be run early in the SDLC, ideally on every commit. It finds the vulnerability classes that are visible in the code itself, such as the OWASP Top 10 injection flaws (for example, a SQL query assembled by string concatenation); it cannot see problems that only exist in the runtime environment or configuration.

• Software Composition Analysis (SCA)

o SCA inventories the third-party dependencies a piece of software pulls in, direct and transitive, and reports the known vulnerabilities affecting the pinned versions, the licenses those dependencies carry, and any dependencies that are deprecated or no longer maintained.

• Secure Code Review

o "A secure code review is a specialized task involving manual and/or automated review of an application's source code in an attempt to identify security-related weaknesses (flaws) in the code. It does not attempt to identify every issue in the code, but instead looks to provide insight into what types of security-related problems exist and help the application developer understand what classes of issues are present." (MITRE)
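
The SAST bullet above describes what such a tool looks for; the following is an added example, not code from the original post or from any SAST product, of the simplest useful static check: walk the Python AST and flag every call to a method named execute/executemany whose first argument is built at runtime (f-string, concatenation, %-formatting, .format) instead of being a constant query with bound parameters. The sample code it scans is constructed for the example. Real tools (Bandit, Semgrep, CodeQL) apply the same idea with many more rules and data-flow tracking.

```python
"""Minimal SAST-style check: flag SQL queries built from non-constant strings."""
import ast

# Method names treated as SQL sinks (DB-API style cursors).
SQL_SINKS = {"execute", "executemany", "executescript"}


def is_dynamic_string(node: ast.AST) -> bool:
    """True if the expression assembles a string at runtime."""
    if isinstance(node, ast.JoinedStr):                       # f"SELECT ... {user}"
        return True
    if isinstance(node, ast.BinOp) and isinstance(node.op, (ast.Add, ast.Mod)):
        return True                                           # "..." + user  /  "..." % user
    if isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute):
        return node.func.attr == "format"                     # "...{}".format(user)
    return False


def find_sqli(source: str):
    """Return (line, query_expression) for every SQL sink called with a dynamic query."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)):
            continue
        if node.func.attr in SQL_SINKS and node.args and is_dynamic_string(node.args[0]):
            findings.append((node.lineno, ast.unparse(node.args[0])))
    return findings


# Constructed sample input: three injectable variants, then the parameterised fix.
VULNERABLE = '''
def lookup(cur, username):
    cur.execute("SELECT * FROM users WHERE name = '" + username + "'")
    cur.execute(f"SELECT * FROM users WHERE name = '{username}'")
    cur.execute("SELECT * FROM users WHERE name = '%s'" % username)
'''

FIXED = '''
def lookup(cur, username):
    cur.execute("SELECT * FROM users WHERE name = ?", (username,))
'''

if __name__ == "__main__":
    for line, snippet in find_sqli(VULNERABLE):
        print(f"VULNERABLE line {line}: {snippet}")
    print("fixed version findings:", find_sqli(FIXED))
```

The check is deliberately syntactic: it has no idea whether `username` is attacker-controlled, which is why a rule like this produces false positives on queries assembled from trusted constants and why production SAST tools add taint analysis from sources (request parameters) to sinks (execute).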

Continuous Build, Integration, and Testing

• Container and Image Scan

o Checks the container images produced by the build for known vulnerabilities in the OS packages and application libraries they contain, and for insecure build settings such as running as root. This should be done to establish trust in the base image as well as in every layer built on top of it.

• Dynamic Application Security Testing (DAST)

o DAST tests a running application from the outside, without access to its source code or knowledge of its environment, the way an attacker would: it sends requests and inspects the responses. Because the code is actually running, this test is also good for identifying issues in the runtime environment and its configuration. Note that DAST tools are typically built for web applications and web services (APIs).

• Fuzzing

o Testing with unexpected or malformed inputs, usually automated: a fuzzer takes valid inputs and mutates them (a non-date in a date field, a binary blob in a text field, a truncated or oversized message) and feeds thousands of variants to the application. The goal is to find inputs that make the application crash, hang, or misbehave, and to ensure that it instead rejects them with a usable error message.

• Interactive Application Security Testing (IAST)

o An IAST tests the running application for vulnerabilities during use, similar to a DAST, but it works from inside the application through an instrumentation agent. Because the agent sees both the request and the code paths it triggers, an IAST can identify the line of code that is the source of a particular vulnerability, which a DAST cannot.
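
The fuzzing bullet above talks about feeding unexpected inputs and checking that the application fails cleanly. The following mutation-based fuzzer is an added example, not code from the original post or any fuzzing tool: it mutates a seed corpus of valid dates, feeds each variant to a deliberately naive date parser constructed for the example, and treats any exception other than the documented ValueError as a bug. A hardened parser that validates the input shape first is included to show the fix.

```python
"""Mutation-based fuzzer against a small date parser (parser constructed for the example)."""
import random


def parse_date(text: str):
    """Naive YYYY-MM-DD parser. Contract: return (y, m, d) or raise ValueError on bad input."""
    parts = text.split("-")
    year, month, day = int(parts[0]), int(parts[1]), int(parts[2])   # IndexError if fewer parts
    if not 1 <= month <= 12:
        raise ValueError("bad month")
    days_in_month = [31, 29, 31, 30, 31, 30, 31, 31, 30, 31, 30, 31][month - 1]
    if not 1 <= day <= days_in_month:
        raise ValueError("bad day")
    return year, month, day


def parse_date_fixed(text: str):
    """Hardened version: validate the shape first so only ValueError can escape."""
    parts = text.split("-")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError("expected YYYY-MM-DD")
    return parse_date(text)


# Values that commonly break parsers; spliced into mutated inputs.
INTERESTING = ["", "-", "--", "0", "-1", "9" * 40, "\x00", "2024-02-30", "\xff\xfe"]


def mutate(rng: random.Random, data: str) -> str:
    """Apply one random mutation: flip, insert, delete a character, or splice a value."""
    choice = rng.randrange(5)
    if choice == 0 and data:
        i = rng.randrange(len(data))
        return data[:i] + chr(rng.randrange(256)) + data[i + 1:]
    if choice == 1:
        i = rng.randrange(len(data) + 1)
        return data[:i] + chr(rng.randrange(256)) + data[i:]
    if choice == 2 and data:
        i = rng.randrange(len(data))
        return data[:i] + data[i + 1:]
    if choice == 3:
        return data + rng.choice(INTERESTING)
    return rng.choice(INTERESTING) + data


def fuzz(target, seeds, iterations=5000, seed=1):
    """Run the fuzzer; return {exception type name: first input that triggered it}."""
    rng = random.Random(seed)              # fixed seed: reproducible run
    crashes = {}
    for _ in range(iterations):
        candidate = mutate(rng, rng.choice(seeds))
        try:
            target(candidate)
        except ValueError:
            continue                       # documented, acceptable failure
        except Exception as exc:           # anything else is a crash worth reporting
            crashes.setdefault(type(exc).__name__, candidate)
    return crashes


if __name__ == "__main__":
    seeds = ["2024-01-31", "1999-12-25"]
    print("naive parser:", fuzz(parse_date, seeds))
    print("fixed parser:", fuzz(parse_date_fixed, seeds))
```

The naive parser survives garbage like "abc" (int() raises ValueError, which is the contract) but dies with an IndexError as soon as a dash is deleted, an input the fuzzer finds within a few dozen iterations. The fixed parser checks the shape before touching the parts, so the same campaign reports nothing. Coverage-guided fuzzers (AFL++, libFuzzer, Python's atheris) add feedback from the target to steer the mutations, but the loop is the same.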
Continuous Delivery and Deployment

• Sign

o Signing computes a cryptographic hash of the build artifact and signs that hash with the publisher's private key; at deployment time the signature is verified against the corresponding public key, which proves both who produced the artifact and that it has not been tampered with since it was signed. Signatures can be created and checked locally or through a remote signing service.

• Artifacts and Image Repository Scan

o An artifact scan checks every artifact produced during the build (packages, binaries, images) for vulnerabilities, and an image repository scan checks images as they are pushed to the registry. Any image that fails the scan is rejected and is not stored or deployed.

• Systems, Containers, and Network Vulnerability Scan

o Scans the hosts, containers, and network services of the target environment for known vulnerabilities.
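
The SCA bullet in the Secure Coding section and the artifact/image scan bullets above describe the same mechanism: match the versions you ship against a database of known vulnerabilities, then refuse to promote anything that fails policy. The following is an added example, not code from the original post or from any scanner: it parses a pinned requirements file, matches each package against a small constructed advisory list (the IDs are placeholders, not real CVEs), and applies a gate that blocks on fixable HIGH/CRITICAL findings and on deprecated dependencies. pip-audit, Trivy and Grype do this against OSV/NVD data.

```python
"""SCA-style dependency check with a promotion gate (advisories constructed for the example)."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Advisory:
    package: str
    introduced: str         # first vulnerable version (inclusive)
    fixed: Optional[str]    # first fixed version (exclusive); None = no fix published
    severity: str
    vuln_id: str


# Constructed advisory data; the identifiers are placeholders.
ADVISORIES = [
    Advisory("flask", "0.0.0", "2.3.2", "HIGH", "EXAMPLE-2023-0001"),
    Advisory("requests", "2.0.0", "2.31.0", "MEDIUM", "EXAMPLE-2023-0002"),
    Advisory("pyyaml", "0.0.0", None, "CRITICAL", "EXAMPLE-2024-0003"),
]
DEPRECATED = {"nose"}
LICENSES = {"flask": "BSD-3-Clause", "requests": "Apache-2.0", "pyyaml": "MIT", "nose": "LGPL-2.1"}
BLOCKING = {"HIGH", "CRITICAL"}


def version_key(version: str) -> tuple:
    """Numeric tuple for comparing dotted versions (pre-release tags are ignored)."""
    return tuple(int(part) for part in version.split(".") if part.isdigit())


def parse_requirements(text: str) -> dict:
    """Parse 'name==version' pins; comments and blank lines are skipped."""
    pins = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        name, _, version = line.partition("==")
        if not version:
            raise ValueError(f"unpinned dependency: {line}")   # SCA needs exact versions
        pins[name.strip().lower()] = version.strip()
    return pins


def affected(adv: Advisory, version: str) -> bool:
    """True if version lies in [introduced, fixed)."""
    v = version_key(version)
    if v < version_key(adv.introduced):
        return False
    return adv.fixed is None or v < version_key(adv.fixed)


def scan(pins: dict) -> list:
    """One finding per matching advisory, plus one per deprecated package."""
    findings = []
    for name, version in pins.items():
        for adv in ADVISORIES:
            if adv.package == name and affected(adv, version):
                findings.append({"package": name, "version": version, "id": adv.vuln_id,
                                 "severity": adv.severity, "fixed": adv.fixed,
                                 "license": LICENSES.get(name, "unknown")})
        if name in DEPRECATED:
            findings.append({"package": name, "version": version, "id": "DEPRECATED",
                             "severity": "LOW", "fixed": None,
                             "license": LICENSES.get(name, "unknown")})
    return findings


def gate(findings: list) -> tuple:
    """Return (passed, reasons). Unfixable issues are reported but need a risk acceptance, not a block."""
    reasons = []
    for f in findings:
        if f["severity"] in BLOCKING and f["fixed"]:
            reasons.append(f"{f['package']}=={f['version']}: {f['id']} {f['severity']}, upgrade to {f['fixed']}")
        elif f["id"] == "DEPRECATED":
            reasons.append(f"{f['package']}: deprecated, replace it")
    return (not reasons, reasons)


# Constructed lockfile for the example.
REQUIREMENTS = """\
# pinned by the build
flask==2.2.5
requests==2.31.0
pyyaml==6.0.1
nose==1.3.7
"""

if __name__ == "__main__":
    results = scan(parse_requirements(REQUIREMENTS))
    for f in results:
        print(f)
    ok, why = gate(results)
    print("PASS" if ok else "BLOCKED: " + "; ".join(why))
```

Two design points carry over to real pipelines: the parser refuses unpinned dependencies, because a range like `flask>=2` cannot be matched against an advisory, and the gate distinguishes "vulnerable with a fix available" (block, upgrade) from "vulnerable, no fix yet" (report, track), since blocking on the latter only teaches teams to disable the scanner.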

Runtime Defense and Monitoring

• Systems, Containers, and Network Vulnerability Monitoring

o Continuously monitoring the systems, containers, and networks in production for newly disclosed vulnerabilities and for drift from the state that was scanned at deployment, using observability tools.

• Runtime Application Self-Protection (RASP)

o Briefly, RASP instruments the application itself: sensors inserted at key execution points (database queries, file and command execution, deserialization) watch for exploits as they happen in real time and can block the offending request rather than only logging it.

• Penetration Testing

o Penetration testing, frequently referred to as pen testing, is a simulated attack carried out by a human tester to find vulnerabilities that automated tools miss. This type of testing can be done either black box (no internal knowledge) or white box (with source code, credentials and architecture documentation) and can be done on the applications, services, systems, networks, etc.
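
The RASP bullet above describes sensors at execution points; the following is an added example, not code from the original post or from any RASP product, of one such sensor on the SQL execution point. It wraps sqlite3's execute() and compares the statement about to run with the current request's raw inputs: if a user-controlled value appears verbatim inside the SQL text (meaning it was concatenated rather than bound as a parameter) and carries SQL syntax, the sensor blocks the query. Commercial agents do this with taint tracking; the verbatim-substring check is the simplified stand-in used here, and the table and request values are constructed.

```python
"""RASP-style sensor on the SQL execution point (sqlite3, in-memory, constructed data)."""
import re
import sqlite3

# Tokens that change query structure when they arrive inside a string value.
SQL_SYNTAX = re.compile(r"(--|;|/\*|'|\bOR\b|\bAND\b|\bUNION\b)", re.IGNORECASE)


class AttackBlocked(Exception):
    pass


class RaspConnection:
    """Wraps a sqlite3 connection and carries the inputs of the request being served."""

    def __init__(self, conn: sqlite3.Connection):
        self._conn = conn
        self.request_inputs: list = []      # set per request by the web layer
        self.blocked: list = []             # (sql, offending value) audit trail

    def execute(self, sql: str, params=()):
        for value in self.request_inputs:
            if isinstance(value, str) and len(value) > 2 and value in sql and SQL_SYNTAX.search(value):
                self.blocked.append((sql, value))
                raise AttackBlocked(f"user input reached SQL text: {value!r}")
        return self._conn.execute(sql, params)


def setup() -> RaspConnection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", [("alice", "admin"), ("bob", "user")])
    return RaspConnection(conn)


def lookup_vulnerable(db: RaspConnection, name: str):
    """Concatenates the input into the query: the bug RASP is meant to catch at runtime."""
    db.request_inputs = [name]
    return db.execute("SELECT role FROM users WHERE name = '" + name + "'").fetchall()


def lookup_safe(db: RaspConnection, name: str):
    """Binds the input as a parameter; the sensor never sees it inside the SQL text."""
    db.request_inputs = [name]
    return db.execute("SELECT role FROM users WHERE name = ?", (name,)).fetchall()


if __name__ == "__main__":
    db = setup()
    payload = "' OR '1'='1"
    print("benign:", lookup_vulnerable(db, "alice"))
    try:
        lookup_vulnerable(db, payload)
    except AttackBlocked as exc:
        print("blocked:", exc)
    print("parameterised with same payload:", lookup_safe(db, payload))
    print("audit trail:", db.blocked)
```

Note the trade-off this exposes: a legitimate value such as "O'Brien" sent to the vulnerable function is blocked too, because it really does alter the query. That is why RASP sensors are usually run in monitor-only mode first and tuned before they are allowed to block, and why the durable fix is the parameterised query, which the sensor leaves untouched.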
Information Source: https://devsecops.pagerduty.com/secure_sdlc/#secure-coding

Image source : https://lnkd.in/dXNFiHCF

Disclaimer: (This post has been shared only for technology education and knowledge-sharing purposes and for understanding the views and comments of people on this specific technology. There is no endorsement of any products or services.)
