Monday, May 17, 2021

Integrating Security Controls Within a DevOps Pipeline

 Ref: https://www.mnemonic.no/globalassets/security-report/integrating-security-controls-within-a-devops-pipeline.pdf



The report's summary table, reconstructed below with one block per pipeline stage and the table's three columns (Tasks, Tool, More ..) as sub-lists.

Source

  Tasks
    • Apply secure coding standards
    • Compliance requirements
    • Configure risk thresholds
    • Code review

  Tool
    • CIS Controls
    • Mozilla Rapid Risk Assessment and Microsoft Threat Modeling
    • Atlassian Crucible and GitLab

  More ..
    • Paved road
    • Rapid risk assessment
    • Code reviews

Build

  Tasks
    • Detect bugs or security issues in source code
    • Dependency analysis / software components
    • Scanners are usually not able to detect flaws in business logic, so perform security unit tests

  Tool
    • SAST: Checkmarx and Semmle
    • Bandit (Python) and gosec (Go)

  More ..
    • Static application security testing
    • Dependency analysis / software components
    • Security unit tests (high-risk code)

Stage

  Tasks
    • Dynamic Application Security Testing (DAST)
    • Scans for availability and integrity of data
    • Pentest: discover flaws in architecture, configuration, and business logic
    • Security attacks: create attack scenarios

  Tool
    • Burp Suite
    • Gauntlt, utilising external tools such as sslyze, nmap, and sqlmap

  More ..
    • Dynamic application security testing
    • Penetration testing
    • Automated security attacks

Production

  Tasks
    • Create audit trails
    • Protect the application runtime
    • Use centralised logging of all data sources
    • Detect security incidents
    • Securely store and access secrets

  Tool
    • Sysdig/Falco, or Palo Alto Prisma

  More ..
    • Runtime protection
    • Secret management
    • Continuous security monitoring