Monday, May 17, 2021

Integrating Security Controls Within a DevOps Pipeline

 Ref: https://www.mnemonic.no/globalassets/security-report/integrating-security-controls-within-a-devops-pipeline.pdf



The report maps security controls onto four pipeline stages: Code, Build, Stage and Production. For each stage the table below lists the tasks, the tools the report names, and the control each task implements.

Code

  Tasks
  • Apply secure coding standards
  • Meet compliance requirements
  • Configure risk thresholds (which finding severity is allowed to stop the pipeline)
  • Code review

  Tools: CIS Controls; Mozilla Rapid Risk Assessment and Microsoft threat modeling; Atlassian Crucible and GitLab (code review)

  Controls: Paved road; Rapid risk assessment; Code reviews
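The "configure risk thresholds" task is usually implemented as a gate that reads the scanner's machine-readable report and fails the build when a severity limit is exceeded. The following is an added example, not code from the mnemonic report or from Bandit: it consumes a report in Bandit's JSON output shape (`bandit -f json`), counts findings per severity after dropping low-confidence ones, and compares the counts against a policy. The policy values, the confidence cut-off and the sample report are assumptions constructed for this example.

```python
"""Risk-threshold gate for SAST findings in a CI pipeline (added example).

Reads a Bandit JSON report (bandit -f json -o report.json), counts findings
per severity and fails the build when the configured threshold is exceeded.
"""
import json
import sys
from collections import Counter

# Severity/confidence levels as Bandit reports them: LOW < MEDIUM < HIGH.
SEVERITY_RANK = {"LOW": 1, "MEDIUM": 2, "HIGH": 3}

# Example policy (an assumption for this example, not from the report):
# block on any HIGH finding, tolerate up to 5 MEDIUM, ignore LOW, and only
# count findings Bandit reports with at least MEDIUM confidence.
DEFAULT_POLICY = {"HIGH": 0, "MEDIUM": 5, "LOW": None}
MIN_CONFIDENCE = "MEDIUM"


def count_findings(report: dict, min_confidence: str = MIN_CONFIDENCE) -> Counter:
    """Count Bandit results per severity, skipping low-confidence noise."""
    counts = Counter()
    for result in report.get("results", []):
        if SEVERITY_RANK[result["issue_confidence"]] < SEVERITY_RANK[min_confidence]:
            continue
        counts[result["issue_severity"]] += 1
    return counts


def violations(counts: Counter, policy: dict = DEFAULT_POLICY) -> list:
    """Return (severity, count, limit) for every threshold that is exceeded."""
    out = []
    for severity, limit in policy.items():
        if limit is not None and counts[severity] > limit:
            out.append((severity, counts[severity], limit))
    return out


def gate(report: dict, policy: dict = DEFAULT_POLICY) -> bool:
    """True when the build may proceed, False when a threshold is breached."""
    return not violations(count_findings(report), policy)


# Constructed sample report in Bandit's JSON shape (not real scan output).
SAMPLE_REPORT = {
    "results": [
        {"test_id": "B602", "issue_severity": "HIGH", "issue_confidence": "HIGH",
         "filename": "app/shell.py", "line_number": 12,
         "issue_text": "subprocess call with shell=True identified"},
        {"test_id": "B303", "issue_severity": "MEDIUM", "issue_confidence": "HIGH",
         "filename": "app/hash.py", "line_number": 4,
         "issue_text": "Use of insecure MD5 hash function"},
        {"test_id": "B105", "issue_severity": "LOW", "issue_confidence": "LOW",
         "filename": "app/config.py", "line_number": 8,
         "issue_text": "Possible hardcoded password"},
    ]
}


def main(argv):
    """Usage: gate.py [report.json]; exits 1 when the gate fails."""
    if len(argv) > 1:
        with open(argv[1]) as fh:
            report = json.load(fh)
    else:
        report = SAMPLE_REPORT
    counts = count_findings(report)
    print("findings above confidence threshold:", dict(counts))
    for severity, n, limit in violations(counts):
        print(f"FAIL: {n} {severity} finding(s) exceed limit of {limit}")
    return 0 if gate(report) else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as the last step of the SAST job and let its exit code decide whether the pipeline continues; the policy dictionary is the "risk threshold" the team agrees on, and lowering a limit is a one-line, reviewable change.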

Build

  Tasks
  • Detect bugs and security issues in source code
  • Dependency analysis / software component analysis
  • Scanners are usually not able to detect flaws in business logic, so cover high-risk code with security unit tests

  Tools: SAST: Checkmarx and Semmle; language-specific scanners such as Bandit (Python) and gosec (Go)

  Controls: Static application security testing; Dependency analysis / software components; Security unit tests (high-risk code)

Stage

  Tasks
  • Dynamic application security testing (DAST) against the running application
  • Scan the deployed application for flaws affecting the availability and integrity of data
  • Penetration test: discover flaws in architecture, configuration and business logic that automated scanners miss
  • Automated security attacks: script attack scenarios so they are replayed on every deployment

  Tools: Burp Suite; Gauntlt, which drives external tools such as sslyze, nmap and sqlmap

  Controls: Dynamic application security testing; Penetration testing; Automated security attacks

Production

  Tasks
  • Create audit trails
  • Protect the application runtime
  • Use centralised logging of all data sources
  • Detect security incidents
  • Securely store and access secrets

  Tools: Sysdig/Falco or Palo Alto Prisma (runtime protection)

  Controls: Runtime protection; Secret management; Continuous security monitoring
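Centralised logging pays off when detection becomes one query over a common event shape, regardless of which system emitted the event. The following is an added example, not code from the report or from any of the tools it names: it normalises constructed audit events from two sources (a web application and sshd) into one schema and raises an incident when a source IP fails authentication repeatedly and then succeeds within a time window. The event format, field names, threshold and window are assumptions for this example.

```python
"""Continuous security monitoring over centralised audit logs (added example).

Events from several sources are normalised to (ts, ip, user, outcome) and a
sliding window per source IP flags a success that follows a burst of failures,
even when the failures and the success come from different systems.
"""
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Optional

WINDOW = timedelta(seconds=60)   # assumption: tune to the environment
FAILURE_THRESHOLD = 5            # assumption

# Constructed sample: JSON lines as shipped by a central log collector
# (not real log data; note they arrive out of order).
SAMPLE_LOG = """
{"ts": "2021-05-17T10:00:00Z", "source": "webapp", "event": "login", "result": "fail", "user": "admin", "ip": "203.0.113.9"}
{"ts": "2021-05-17T10:00:05Z", "source": "webapp", "event": "login", "result": "fail", "user": "admin", "ip": "203.0.113.9"}
{"ts": "2021-05-17T10:00:10Z", "source": "webapp", "event": "login", "result": "fail", "user": "admin", "ip": "203.0.113.9"}
{"ts": "2021-05-17T10:00:15Z", "source": "webapp", "event": "login", "result": "fail", "user": "root", "ip": "203.0.113.9"}
{"ts": "2021-05-17T10:00:20Z", "source": "sshd", "action": "Failed password", "user": "root", "ip": "203.0.113.9"}
{"ts": "2021-05-17T10:00:40Z", "source": "sshd", "action": "Accepted password", "user": "deploy", "ip": "203.0.113.9"}
{"ts": "2021-05-17T10:00:02Z", "source": "webapp", "event": "login", "result": "fail", "user": "bob", "ip": "198.51.100.4"}
{"ts": "2021-05-17T10:00:30Z", "source": "webapp", "event": "login", "result": "success", "user": "bob", "ip": "198.51.100.4"}
{"ts": "2021-05-17T09:58:00Z", "source": "webapp", "event": "login", "result": "fail", "user": "carol", "ip": "192.0.2.7"}
{"ts": "2021-05-17T10:00:50Z", "source": "webapp", "event": "login", "result": "success", "user": "carol", "ip": "192.0.2.7"}
{"ts": "2021-05-17T10:00:55Z", "source": "webapp", "event": "order_view", "user": "carol", "order_id": 1001}
"""


def normalise(raw: dict) -> Optional[dict]:
    """Map source-specific fields onto one schema: ts, ip, user, outcome, source."""
    ts = datetime.fromisoformat(raw["ts"].replace("Z", "+00:00"))
    if raw["source"] == "webapp" and raw.get("event") == "login":
        outcome = raw["result"]
    elif raw["source"] == "sshd":
        outcome = "success" if raw["action"].startswith("Accepted") else "fail"
    else:
        return None   # kept in the audit trail, not relevant to this detection
    return {"ts": ts, "ip": raw["ip"], "user": raw["user"],
            "outcome": outcome, "source": raw["source"]}


def detect_bruteforce(lines, threshold=FAILURE_THRESHOLD, window=WINDOW) -> list:
    """Return one incident per IP that succeeds after >= threshold failures within window."""
    failures = defaultdict(deque)   # ip -> timestamps of recent failures
    incidents = []
    events = [normalise(json.loads(line)) for line in lines if line.strip()]
    for ev in sorted(filter(None, events), key=lambda e: e["ts"]):
        recent = failures[ev["ip"]]
        while recent and ev["ts"] - recent[0] > window:
            recent.popleft()           # expire failures outside the window
        if ev["outcome"] == "fail":
            recent.append(ev["ts"])
        elif len(recent) >= threshold:
            incidents.append({"ip": ev["ip"], "user": ev["user"], "source": ev["source"],
                              "failures": len(recent), "at": ev["ts"].isoformat()})
            recent.clear()             # one incident per burst
    return incidents


if __name__ == "__main__":
    for incident in detect_bruteforce(SAMPLE_LOG.splitlines()):
        print("INCIDENT:", incident)
```

The attacker here fails four times against the web application and once against sshd before a successful SSH login from the same address; neither system alone crosses the threshold, which is exactly why the report asks for all data sources in one place before incident detection is attempted.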

