DZ Getting Started Devsecops 2024


Getting Started With DevSecOps
CAROLINE WONG, CSO, COBALT

CONTENTS

•  About DevSecOps
    −  Security: Then vs. Now
    −  A Simple DevSecOps Framework
•  DevSecOps Key Methods and Techniques
    −  Success Metrics
    −  Defect Discovery and Testing
    −  Teamwork
    −  Proactive Techniques
    −  The "Three Ways" of Security
    −  The "Five Ideals"
•  DevSecOps Checklist
•  Conclusion and Additional Resources

DevOps is a modern approach to software development. As companies today are being born into DevOps — and companies with more traditional approaches to software development are starting to experiment with, and even adopt, DevOps — the way in which security is being done at these organizations is constantly changing.

If we're going to talk about why security matters for DevOps, the first thing we should talk about is why DevOps matters. Security is about protecting value, and so first, you must figure out what you have that is valuable enough to protect. For example: You've been tasked with building and/or improving a DevSecOps program. How do you go about it? There are many frameworks and models that you could use (e.g., BSIMM, CSA CCM, ISO27017). Upon closer inspection, you might find these to be extremely long, overly complicated, and often challenging to implement.

Web apps have become more complex, cloud apps are increasingly API driven, and code is being deployed faster and faster. The attack surface has changed, and traditional DevSecOps has evolved.

Someone might ask, "Won't the security team just take care of it?" In DevOps, developers have more power, and changes happen quickly, which means there is not always time for the traditional large security review from the security team. This means that it is critical for security to be built into development culture and into the development and deployment processes.

ABOUT DEVSECOPS

Over the last several years, security shifted from being viewed as a cost center to being an explicit business driver. SaaS companies are often described as "easy come, easy go," and business transactions now involve security as part of the actual sales process in order to evaluate security, compliance, and trust. A DevOps company that wants to do business with an enterprise client is going to encounter vendor security assessments, which insist upon meeting certain security requirements before a business deal is completed.

For DevOps companies, secure software is business-critical. Old-school enterprise software companies consider security to be a cost center, but DevOps requires security as a strategic business driver — both in terms of preventing unplanned work and rework and during the actual sales process when security requirements are specified as part of a vendor security assessment.

Organizations often insist that their software vendors perform DevSecOps activities because these vendors extend their attack surface and change their risk profile. DevSecOps is a common talking point during the sales process, and vendors may be required to provide evidence (e.g., penetration test results) before formal business agreements are put in place.

Cybersecurity has become a must-have for organizations that want to establish and maintain trust with their customers and partners, and DevSecOps has become a differentiator among competing software vendors. Security breaches, and associated news headlines, damage customer trust and have the potential to devastate businesses.

© DZONE | REFCARD | APRIL 2024 1


REFCARD | GETTING STARTED WITH DEVSECOPS

Regulations like PCI, HIPAA, GDPR, FedRamp, and SOC2 suggest or require DevSecOps practices to be in place for organizations in particular industry verticals or those that handle certain types of data.

SECURITY: THEN vs. NOW

Cybersecurity has changed dramatically in the last few decades. In Table 1, learn about some of the key differences between security "then" and security "now." The "then" timeframe refers to before–2010, and the "now" timeframe refers to 2011–present.

Table 1

AREA | SECURITY THEN | SECURITY NOW
Stages | Security gates required for each phase of the Waterfall software development model. | Security activities occur throughout different cyclical phases of the DevOps SDLC.
Controls | Security practitioners focus on securing the perimeter — without mature controls "on the inside." | Security practitioners adopt a "zero trust" perspective and assume that malicious actors may be present in any and all trust zones.
Incident management | Security practitioners attempt to prevent incidents from occurring. | Security practitioners recognize that incidents are happening at all stages, all the time.
Team impact | Development and operations teams assume that security is the security team's job. | DevSecOps teams recognize that security is everyone's job.
Data storage | Software companies operate on on-premises systems in private data centers. | Software companies operate in an interconnected ecosystem enabled by SaaS and the cloud.
Cost considerations | Security is perceived as a cost center. | Security is understood to be a business driver.

A SIMPLE DEVSECOPS FRAMEWORK

Fundamentally, DevSecOps is about designing, building, and maintaining secure software. Good software helps organizations, and bad software hurts organizations. There are four main categories of DevSecOps activities — Govern, Find, Fix, and Prevent.

GOVERN

To do DevSecOps well, you must govern the DevSecOps program. There are a number of high-level factors to consider when you are thinking about DevSecOps, including compliance regulations, relationships with other organizations, and having a solid understanding of what you're supposed to be securing in the first place. It's also important to define metrics up front so that you can demonstrate the success of your program over time.

FIND

To do DevSecOps well, you must find security issues. There are many ways to find security problems at different points in any SDLC, whether your organization follows a Waterfall, Agile, or DevOps methodology. Security problems exist in two broad categories — bugs and flaws. You can think of bugs as code-level security issues and flaws as design-level security issues.

FIX

To do DevSecOps well, you must fix security issues. It is not good enough to just focus on finding security issues — the quality of software does not improve until the problems are addressed or eliminated. Fixing security issues requires effective communication, coordination, and integration with development teams and processes.

PREVENT

To do DevSecOps well, you must prevent security issues from happening in the first place. The people who build software must understand why vulnerable code is insecure. Developers must be empowered with tech-stack-specific knowledge and tools to help them avoid creating security bugs and flaws. Ideally, good programming practices and well-designed frameworks make it easier for developers to write secure software by default and harder for them to make mistakes. Cloud environments must be configured correctly in order to prevent security vulnerabilities from being exploited, and attacks must be discovered and stopped as early as possible in order to minimize damage.

DEVSECOPS KEY METHODS AND TECHNIQUES

There are several key methods and techniques that can be used to incorporate DevSecOps into the SDLC. Less mature DevSecOps programs use a few; more mature DevSecOps programs use several.

SUCCESS METRICS

In DevSecOps, one size doesn't fit all. Standards and controls are built based on years of practical security experience at real organizations, but this is something that is constantly changing. Today, every DevSecOps practitioner needs to know how to optimize their unique program using data, metrics, and risk management objectives.

Like any business initiative, a DevSecOps program should have objectives and measurements to determine if those objectives are being met. An example of a risk management objective for DevSecOps: "Reduce the probability of attackers causing critical applications to stop functioning." A typical measurement that organizations use to help measure DevSecOps success is defect density, meaning the number of vulnerabilities divided by lines of code (lines of code are typically indicated by the 1000s).

A security metric often measures activities to provide decision support to perform functions better in the future. This data can help answer questions that an executive or operator might have about a particular area, such as source code review, using evidence-based information instead of opinion or anecdotes.

It's often said, "If you can't measure it, you can't manage it." It is indisputable that measuring results and performance is crucial to an organization's effectiveness, and this definitely applies to DevSecOps.
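The defect-density measurement and the risk-management objective described above, worked through as an added example that is not part of the Refcard: a small Python tracker that computes vulnerabilities per KLOC for each application, summarizes the open backlog by severity, records which test types have covered each app, and flags critical applications that still carry an open critical or high finding. The application names, sizes and findings are constructed for illustration.

```python
"""Added example (not from the Refcard): DevSecOps success metrics computed
from a constructed findings tracker."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    app: str       # application the finding belongs to
    severity: str  # "critical", "high", "medium" or "low"
    source: str    # how it was found: "pentest", "sast" or "dast"
    status: str    # "open" (unfixed) or "closed" (fixed and verified)


# Constructed inventory: application name -> size in lines of code.
APP_LOC = {"payments-api": 42_000, "marketing-site": 8_500, "admin-portal": 15_000}

# Constructed findings, as a tracker fed by several test types might hold them.
FINDINGS = [
    Finding("payments-api", "critical", "pentest", "open"),
    Finding("payments-api", "high", "sast", "closed"),
    Finding("payments-api", "medium", "dast", "open"),
    Finding("payments-api", "low", "sast", "closed"),
    Finding("marketing-site", "medium", "dast", "open"),
    Finding("marketing-site", "low", "sast", "open"),
    Finding("admin-portal", "high", "pentest", "closed"),
]


def defect_density(findings, app_loc, per_loc=1000):
    """Vulnerabilities per `per_loc` lines of code (per KLOC by default).
    Every finding counts, open or closed: density measures how many defects
    a code base produced, not how many are still unfixed."""
    counts = defaultdict(int)
    for f in findings:
        counts[f.app] += 1
    return {app: round(counts[app] / (loc / per_loc), 3) for app, loc in app_loc.items()}


def open_by_severity(findings):
    """Open findings per application, broken down by severity: the backlog the
    development team works down and the number stakeholders should see."""
    summary = defaultdict(lambda: defaultdict(int))
    for f in findings:
        if f.status == "open":
            summary[f.app][f.severity] += 1
    return {app: dict(sev) for app, sev in summary.items()}


def coverage_by_app(findings, app_loc):
    """Which test types have produced findings for each application, so gaps
    (an app never pen-tested, say) are visible; untested apps map to an empty set."""
    coverage = {app: set() for app in app_loc}
    for f in findings:
        coverage.setdefault(f.app, set()).add(f.source)
    return coverage


def breaching_objective(findings, critical_apps):
    """Risk-management objective from the text: reduce the probability of
    attackers taking critical applications down. Returns the critical apps
    that still carry an open critical or high finding."""
    return sorted({f.app for f in findings
                   if f.app in critical_apps and f.status == "open"
                   and f.severity in ("critical", "high")})


if __name__ == "__main__":
    print("defect density (per KLOC):", defect_density(FINDINGS, APP_LOC))
    print("open findings by severity:", open_by_severity(FINDINGS))
    print("test coverage:", coverage_by_app(FINDINGS, APP_LOC))
    print("critical apps breaching objective:",
          breaching_objective(FINDINGS, {"payments-api", "admin-portal"}))
```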


DEFECT DISCOVERY AND TESTING

Penetration tests (also known as "pen tests") are a type of manual security testing that provides insight into an app's security by systematically reviewing its features and components. This type of exercise improves the security coverage of an app because the test is intended to explore the complete app rather than just focus on one type of vulnerability or one particular section. Pen tests follow methodologies related to topics like input validation, authentication, and access controls in order to identify flaws in the app's implementation.

Closed-box testers operate with limited knowledge and open-box testers utilize as much information as they can to inform their approach.

Pen Testing as a Service (PTaaS) provides on-demand manual penetration testing for web applications, mobile applications, and APIs. Findings are delivered through a platform that integrates with developer tracking systems like JIRA and GitHub. A SaaS platform also facilitates collaboration between pen testers, security team members, and development teams to not only find but also fix issues.

Security scanners can be programmed to identify certain kinds of vulnerabilities automatically. DevSecOps scanners come in two flavors:

•  SAST scanners ("S" for "static" DevSecOps testing) examine the source code, binary, or byte code of an application.
•  DAST scanners ("D" for "dynamic" DevSecOps testing) examine the application from the outside when it is running.

The most interesting and important security findings cannot be discovered via automated means alone. Human intelligence and creativity are necessary to discover security flaws in business logic. There are entire classes of security issues (authentication and session management) that cannot be discovered using automated tools.

Code review is the manual review of one developer's code by another developer. It's intended to find mistakes and improve code quality. Similarly, secure code review is a manual code review by a security expert. This is intended to find coding errors that may introduce security vulnerabilities. Secure code review is a manual process that often leverages SAST technology. Every so often, a security researcher not directly associated with an organization will discover and report a security vulnerability, which is called vulnerability disclosure.

A bug bounty is a type of vulnerability disclosure program that leverages a crowd of globally sourced researchers in competition. In a public bug bounty, anyone in the world can submit a potential security vulnerability to an organization, and the first to find a valid bug will be paid a "bounty."

TEAMWORK

Once you have performed security testing to find as many issues as possible, the next step — and by no means a trivial one — is to communicate issues to the development team. The development team is a critical stakeholder when it comes to prioritizing the fixes, remediating the issues, and ideally, preventing the same issues from coming up again.

One of the best ways to get security bugs fixed is to integrate with developer tools and processes. Now that you have your software inventory and identified security issues, you'll want to keep track of what has been tested, by what means, and when. Keep track of the findings from each security test and prioritize any necessary bug fixes or feature enhancements. In doing so, use business context to better understand which issues matter the most and work with development teams to fix those first.

Make sure you always know which issues are open and which have been addressed and can be closed. Then, report summary information to the relevant stakeholders so that everyone is always aware of the current status.

PROACTIVE TECHNIQUES

The best DevSecOps training for developers is based on real security findings, whether these trainings are demonstrated during an actual security incident or found via manual penetration testing. The OWASP Top 10 contains a list of common DevSecOps risks; however, each organization will have its own unique top 10 list. Within your own organization, use this information to prevent entire categories of security vulnerabilities by implementing developer-focused training.

There are two common types of DevSecOps problems: bugs and flaws. Bugs are code-level mistakes, and flaws happen at the design level. Threat modeling is a type of design-level security assessment that is intended to examine the way an application system works to identify potential flaws. The process involves analyzing assets, security controls, and threat agents in the context of an application system. When flaws are detected using threat modeling before software implementation, some security problems can be avoided. A few examples include:

•  Cross-site request forgery tokens prevent cross-site request forgery attacks.
•  A content security policy defines open-list assets that the browser allows to load and execute, thus minimizing the impact of cross-site scripting exploits.
•  HTTP Strict Transport Security encrypts data in transit and prevents fallback to non-HTTPS traffic.

Other security issues can be avoided by securely configuring the software environment, for example, by following the Amazon CIS benchmark to harden AWS accounts and cloud services. There are various tools meant to protect an application by identifying and stopping malicious activity while the application is running:

•  Web application firewall (WAF) examines web traffic to identify and block suspicious activity, such as comment spam, XSS, and SQL injection attacks.


•  Runtime application self-protection (RASP) operates in the runtime environment to monitor, detect, and alert in real time.
•  Interactive application security testing (IAST) works inside an application, typically in a QA environment, to analyze code and report vulnerabilities.

Both WAF and RASP can be run in either "detect and alert" or "detect, alert, and block" mode. They are most effective at preventing security issues when running in "detect, alert, and block" mode. However, this forces the business to risk blocking legitimate application activity as well as malicious activity.

THE "THREE WAYS" OF SECURITY

For decades, both software and security have struggled with poor quality results, cost overruns, and processes that require experts. While DevOps has shown promise on the software side, security is still practiced in very traditional ways. DevSecOps is not just shoving traditional security practices and tools into DevOps.

Instead, we must rethink the security work. We will need new practices and technologies to perform this work. We can give this transformation structure using the "Three Ways" from The Phoenix Project. By framing the problem this way, we can see that we need to:

•  Get security work flowing – Most security work is monolithic and attempts to cover all risks in a single task, like a complete security architecture or security scan.
•  Ensure instant security feedback – Security is one of the most common causes of technical debt, and the cost of this work increases dramatically the further it progresses across the SDLC. Several reasons include a lack of knowledge and limited security specialists.
•  Create a security culture – Many organizations have a security culture of blind trust, blame, and hiding that prevents developers and operations from working with security.

Let's learn how to tackle the "Three Ways" of security:

1. Get your security work flowing
    −  Make the work visible
    −  Work a single security challenge at a time
    −  Limit work in progress and reduce handoffs
    −  Automate everything
2. Ensure instant security feedback
    −  Increase awareness about the importance of security
    −  Identify potential problems
    −  Make problems instantly visible
    −  Swarm on the problem and seek the cause
    −  Ensure security "findings" are designed for easy consumption
    −  Focus on providing a solution rather than exaggerating the problem
3. Encourage a security culture
    −  Empower everyone to challenge security design and implementation
    −  Take every opportunity to make security threats, policies, architecture, and vulnerabilities visible
    −  Allow everyone on the team to participate in security
    −  Trust that engineering teams want to do the right thing
    −  Celebrate the knowledge gleaned from security issues rather than blaming those involved
    −  Spend more effort on upgrading practices and preventive measures than vulnerability remediation and incident response
    −  Plan trainings and conduct workshops to maintain continuous security throughout all teams

By following these core approaches, teams will see security as a concrete output from the development process. It is a combination of security features and assurance captured in a tangible way. By applying DevOps concepts, we can produce this concrete security continuously and effectively as a part of standard software development.

THE "FIVE IDEALS"

Six years after The Phoenix Project was released, The Unicorn Project was published in 2019. The Unicorn Project is not the sequel to The Phoenix Project. In fact, the stories of both novels take place along the same timeline and provide two different perspectives. The Phoenix Project introduces the "Three Ways" of security, whereas The Unicorn Project introduces "The Five Ideals."

Gene Kim, the author of both books, introduces "The Five Ideals" to frame today's modern business and engineering challenges. Let's explore these five concepts further:

1. Locality and simplicity relates to the degree to which a development team can make local code changes in a single location without impacting various teams.
    −  We need to design things so that we have locality in our systems and the organizations that build them; we need simplicity in everything we do.
    −  The last place we want complexity is internally, whether it's in our code, organization, or processes.
2. Focus, flow, and joy is all about how our daily work feels.
    −  Is our work marked by boredom and waiting for other people to get things done on our behalf?
    −  Do we blindly work on small pieces of the whole, only seeing the outcomes of our work during deployment when everything blows up, leading to firefighting, punishment, and burnout? Or do we work in small batches, ideally single-piece flow, getting fast and continual feedback on our work?
    −  These are the conditions that allow for focus and flow, challenge, learning, discovery, mastering our domain, and even joy. This is what being a developer means.
3. Improvement of daily work addresses paying down technical debt and improving architecture.
    −  When technical debt is treated as a priority and paid down, and architecture is continuously improved and modernized, teams can work with flow, delivering better value sooner, safer, and happier.
    −  The business ultimately wins when developers can deliver on enterprise performance goals.
4. Psychological safety is one of the top predictors of team performance.
    −  When team members feel safe to talk about problems, problems can not only be fixed but also prevented. Solving problems requires honesty, and honesty requires an absence of fear.
    −  In knowledge work, psychological safety should be treated with the same importance as physical safety is in manufacturing.
5. Customer focus relates to the difference between core and context as defined by Geoffrey Moore.
    −  Core is what customers are willing and able to pay for, the bread and butter of your business, while context is what they don't care about and what it took to get them that product, including all of an organization's back-end systems (e.g., HR, marketing, development).
    −  It's critical to look at these context systems as essential, as mission-critical, and fund them appropriately. Context should never kill core.

DEVSECOPS CHECKLIST

Here are some key criteria for how to set up a DevSecOps program:

☑  Check for accurate software inventory. It's difficult to properly secure a piece of software if you don't know it exists or you're not keeping track of it. Make a list of all your web, mobile, and cloud applications and APIs. You also need to have an up-to-date, comprehensive list of various software components, dependencies, versions, and open-source tools.
☑  Conduct risk ranking. Assign a risk rank to each piece of software. Use criteria such as business criticality, data type, and accessibility to group applications. Important and high-risk apps should have more (and perhaps different) security activities applied to them than less important and/or low-risk apps.
☑  Adhere to compliance and governance requirements. Many organizations are subject to security requirements because of an application's business function (e.g., payments), type of data stored or processed (e.g., healthcare data), or geographical location (e.g., regional requirements for data privacy and protection). Others may be required to perform specific security activities due to contractual obligations. Due to the nature of compliance requirements, certain security controls may not be optional. Determine these requirements and ensure your organization meets the appropriate standards.
☑  Beware third-party components. While it'd be nice to say, "Vendor security goes both ways," an organization's DevSecOps is affected by both buyer requirements and by vendors' risk profiles. An application that uses third-party software components — including open-source components — takes on the risk of potential vulnerabilities in those dependencies. These should be identified, tracked, and accounted for in the same way as every other software component, as described above.

If a software vendor is selling their application to a buyer, that buyer may require specific security activities for the app, such as manual penetration test results, a response to a vendor security questionnaire, or evidence of certain security policies.

CONCLUSION

DevSecOps is very much a team effort. Security professionals can't do it alone — they must collaborate with development teams. A holistic approach that matches DevSecOps talent and resources with the right technology is required to run the program. This is both a science and an art. Each organization will have a business-specific context for different resource allocation trade-offs, program-level metrics, and KPIs.

Today's requirements for DevSecOps activities include:

•  Cost that enables higher frequency testing and greater coverage across an application portfolio
•  Access to quality security talent who can perform manual testing on demand
•  Strong integration with development processes and tools in order to fix security issues and prevent them in the future

In short, today's DevSecOps activities must be agile, actionable, and cost effective.

ADDITIONAL RESOURCES

Here are some industry recognized standards and frameworks that describe DevSecOps practices:

•  Building Security in Maturity Model (BSIMM) – I like the BSIMM because it's specific. The measures in the BSIMM are activities that a development organization actually does to produce secure software. Another key differentiator of the BSIMM is that it's real-world. The creators of the BSIMM made a rule that no activity would be included in the BSIMM unless at least one of the organizations they interviewed actually performed that activity.
•  ISO and IEC standard for information security (ISO/IEC 27001) – The ISO27017 and ISO27034 standards are examples of where controls, additional to those in ISO/IEC 27001, have been defined to meet the requirements of the specific sectors concerned. These recommendations provide controls and implementation guidance for both cloud service providers and cloud service customers.
•  Cloud Security Alliance Cloud Controls Matrix (CSA CCM) – The CCM, the only meta-framework of cloud-specific security controls, is mapped to leading standards, best practices, and regulations. CCM provides organizations with the needed structure, detail, and clarity relating to information security tailored to cloud computing. CCM is currently considered a de facto standard for cloud security assurance and compliance.

Additional DZone Refcards for further reading:

•  Software Supply Chain Security: Core Practices to Secure the SDLC and Manage Risk
•  Getting Started With CI/CD Pipeline Security
•  Cloud-Native Application Security: Patterns and Anti-Patterns
•  Threat Modeling: Core Practices to Securing Applications
•  Threat Detection: Core Practices to Manage Risks and Vulnerabilities
•  Advanced Cloud Security: Continuous Security Strategies for Cloud Infrastructure
•  IaC Security: Core DevOps Practices to Secure Your Infrastructure as Code
•  Continuous Delivery Pipeline Security Essentials

WRITTEN BY CAROLINE WONG, CSO, COBALT

Caroline Wong is the Chief Strategy Officer at Cobalt. She has 17+ years of cybersecurity leadership, including practitioner roles at eBay and Zynga. Caroline authored the award-winning textbook, Security Metrics: A Beginner's Guide, in 2011. She also teaches cybersecurity courses on LinkedIn Learning and hosts the Humans of InfoSec podcast.
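The three preventive controls listed under Proactive Techniques (cross-site request forgery tokens, a content security policy, and HTTP Strict Transport Security), shown as an added example in plain Python that is not code from the Refcard or from Cobalt. The request handler, the header values and the CSRF secret are constructed for illustration; a real deployment would load the secret from configuration and tune the policy to the application's own asset origins.

```python
"""Added example (not from the Refcard): CSRF tokens, a content security
policy and HSTS, implemented in plain Python without a web framework."""
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple

# Assumed: a per-deployment secret loaded from configuration. The value here is
# constructed for illustration only.
CSRF_SECRET = b"constructed-secret-load-from-config-in-a-real-deployment"

STATE_CHANGING = {"POST", "PUT", "PATCH", "DELETE"}


def security_headers() -> Dict[str, str]:
    """Headers sent on every response. The CSP restricts where scripts and other
    assets may be loaded from, so an injected inline script does not run; HSTS
    tells the browser to use HTTPS only for a year and never fall back to HTTP."""
    return {
        "Content-Security-Policy": (
            "default-src 'self'; script-src 'self'; object-src 'none'; "
            "base-uri 'self'; frame-ancestors 'none'"
        ),
        "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    }


def _mac(session_id: str, nonce: str) -> str:
    """HMAC-SHA256 over the session id and nonce under the deployment secret."""
    return hmac.new(CSRF_SECRET, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()


def issue_csrf_token(session_id: str) -> str:
    """Token bound to the user's session: a random nonce plus an HMAC over session
    id and nonce, so a token captured in one session is useless in another."""
    nonce = secrets.token_hex(16)
    return f"{nonce}.{_mac(session_id, nonce)}"


def verify_csrf_token(session_id: str, token: Optional[str]) -> bool:
    """Recompute the MAC for this session and compare in constant time."""
    if not token or "." not in token:
        return False
    nonce, mac = token.split(".", 1)
    return hmac.compare_digest(mac, _mac(session_id, nonce))


def handle_request(method: str, session_id: str, form: Dict[str, str]) -> Tuple[int, Dict[str, str]]:
    """Hypothetical request handler: state-changing requests need a token valid for
    this session (a forged cross-site form cannot supply one); reads pass through.
    Returns (status code, response headers)."""
    if method.upper() in STATE_CHANGING and not verify_csrf_token(session_id, form.get("csrf_token")):
        return 403, security_headers()
    return 200, security_headers()


if __name__ == "__main__":
    token = issue_csrf_token("session-A")
    print("same session:", handle_request("POST", "session-A", {"csrf_token": token})[0])   # 200
    print("other session:", handle_request("POST", "session-B", {"csrf_token": token})[0])  # 403
    print("no token:", handle_request("DELETE", "session-A", {})[0])                        # 403
```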
