Category Archives: DevSecOps


Automated Security Testing Using CI Tools

With the evolution of DevOps and CI/CD tools, security testing no longer needs special treatment. Using tools like Jenkins, security testing can be automated. Many open source security tools can be integrated as plug-ins into CI tools to perform code scans and to scan target URLs.

OWASP ZAP proxy is an open source web application security testing tool that can be used to identify the known OWASP Top 10 security issues.

Reference: https://wiki.jenkins-ci.org/display/JENKINS/ZAProxy+Plugin

Ideally, security scans must be automated into the software development lifecycle process. Every time code is checked into the source code repository, the CI tool must invoke the scan on the source code, and if any issues are identified, the developers and the security team must be notified. This creates a quick feedback loop, which eventually builds security awareness among the development teams. It also gives the security team the opportunity to verify findings and work with the developers proactively, rather than in the final stages of the project lifecycle.

One scan per day is a good baseline: the developers get feedback in the early hours of the day, when they can fix the issues and check in the code.

Automated Security Testing into the Development Life-cycle is not hard when planned and implemented correctly.
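As an added example (not code from the original post or from the ZAP project), a small Python gate that a Jenkins job could run after the ZAP scan: it reads ZAP's JSON report, counts alerts by risk level, and fails the build when anything rated Medium or above is found, so the scan acts as a controlled gate. The embedded report, its alert names and URLs are a constructed sample modelled on the ZAP JSON report layout, not output from a real scan.

```python
"""CI quality gate for an OWASP ZAP JSON report: count alerts by risk, block the build."""
import json
import sys

# Risk codes as ZAP reports them: 0 informational, 1 low, 2 medium, 3 high.
RISK_NAMES = {0: "Informational", 1: "Low", 2: "Medium", 3: "High"}

# Constructed sample modelled on the layout of a ZAP JSON report
# (site[] -> alerts[] -> instances[]); it is not output from a real scan.
SAMPLE_REPORT = json.dumps({"site": [{
    "@name": "http://app.example.test",
    "alerts": [
        {"name": "X-Content-Type-Options Header Missing", "riskcode": "1",
         "instances": [{"uri": "http://app.example.test/", "method": "GET"}]},
        {"name": "Absence of Anti-CSRF Tokens", "riskcode": "2",
         "instances": [{"uri": "http://app.example.test/login", "method": "GET"}]},
    ],
}]})


def count_by_risk(report_text):
    """Return {risk_code: number_of_alerts} across every site in the report."""
    counts = {code: 0 for code in RISK_NAMES}
    for site in json.loads(report_text).get("site", []):
        for alert in site.get("alerts", []):
            counts[int(alert["riskcode"])] += 1
    return counts


def gate(report_text, fail_at=2):
    """Pass/fail decision: fail when any alert is rated >= fail_at (default Medium).

    Returns (passed, summary_lines); the CI step uses the flag for its exit
    code and posts the lines to the developers and the security team.
    """
    counts = count_by_risk(report_text)
    summary = [f"{RISK_NAMES[c]}: {counts[c]}" for c in sorted(counts, reverse=True)]
    blocking = sum(n for c, n in counts.items() if c >= fail_at)
    summary.append(f"Blocking ({RISK_NAMES[fail_at]} or above): {blocking}")
    return blocking == 0, summary


if __name__ == "__main__":
    # CI usage: python zap_gate.py zap-report.json  (exit status 1 blocks the build)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_REPORT
    passed, lines = gate(text)
    print("\n".join(lines))
    sys.exit(0 if passed else 1)
```

Run with no argument it evaluates the embedded sample and exits 1 because of the Medium-rated alert; in a Jenkins shell step the non-zero exit status is what marks the build as failed.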

DevSecOps?

There is a great deal of confusion among traditional security teams about what DevSecOps means to them. I am sure most of us are catching up with this evolution and this new trend in how we do security in the DevOps world. I am sure there is a lot of discussion happening in this space. Personally, I believe DevSecOps means { Dev="Developers", Sec="Security as Code", Ops="Operations" }. To an extent, security must be automated as controlled gates in the CI/CD process.

Please share your thoughts…