Much has already been said about DevSecOps. However, it is important to understand that the appropriate transformation of DevOps into DevSecOps will require knowledge of a number of modern technologies as well as some software security techniques. Let’s take a look at what specific technologies might come in handy.
First and foremost, let’s consider embedding dynamic software security testing tools. Here it is appropriate to mention DAST. Dynamic code analyzers allow you to detect vulnerabilities in code, including buffer overflow, SQL-injections etc., using the black box method. One can say that dynamic analyzers are a considerable step towards DevSecOps practices.
The second point is the self-protection of Runtime applications. We’re talking about a protection tool, used directly at the execution of the program. In practice RASP does the analysis of the behavior of the software, and as a result we can speak about continuous security analysis.
What can you do without interactive security testing? IAST itself allows to analyze the application from inside while it is running. Code execution in memory is monitored and certain events which can lead to a vulnerability are found. Subsequently, these events are analyzed and tested.
Static testing tools also make a difference. When we talk about SAST, we are talking about a way of checking the code without having to run the program itself. It allows you to find potential vulnerabilities directly in the source code, thus preventing the same zero-day vulnerabilities. We can mention one of the most popular classifications, Common Weakness Enumeration (CWE). CWE is basically the official registry of common security flaws that hackers can use to gain unauthorized access. In fact, the use of SAST tools during development will help you avoid getting the bugs to the next level - CVE (Common Vulnerabilities and Exposures), that is, to the database of common security vulnerabilities.
This is where we’re talking directly about code composition analysis. As a result, you can find vulnerabilities in components that have open source code.
So DevSecOps is a way to integrate security into the DevOps methodology. Well, it will require mastering new approaches, tools, and technologies to solve the challenges.