DevSecOps – How to Ensure Application Security within the DevOps Process

Author: Innokrea Team
Date of publication: 2025-01-07
Categories: Administration, Security

Hello! Today, as Innokrea, we want to tell you how to ensure product security within the DevOps process, what SAST, DAST, and SCA are, and how they can contribute to improving security. We also recommend our articles on IaC (Infrastructure as Code), Docker, and SDLC.


SDLC vs SSDLC

SDLC (Software Development Lifecycle) is a model that describes how the entire software development process should proceed—from planning to testing, deployment, and maintenance. However, traditional approaches to SDLC often lack explicit consideration of security as an integral part of the process. As a result, the security department may be perceived by developers as an obstacle to the rapid delivery of new features. Consequently, application security may be overlooked or treated as a secondary concern. The solution to this is an extended version of the SDLC process: SSDLC (Secure Software Development Lifecycle).

SSDLC integrates security practices at every stage of the software lifecycle, emphasizing collaboration between development, DevOps, and security teams. This ensures that security becomes part of the culture of software creation rather than an obstacle to its development.


Figure 1 – SDLC vs SSDLC, source: medium.com


The stages of the Secure Software Development Lifecycle (SSDLC) can be described as follows:

  • Planning and Security Requirements – During the planning phase, it is important to conduct a risk analysis and identify potential threats stemming from the technologies used or from the business domain of the problem being addressed. Legal regulations such as GDPR and applicable security standards should also be considered at this stage.
  • Secure Design and Prototyping – In this phase, security measures should be incorporated to minimize the attack surface and ensure the system’s resilience to potential threats. Applying the principle of least privilege is highly recommended.
  • Secure Software Development – This step involves using tools like Static Application Security Testing (SAST) and Software Composition Analysis (SCA) to detect vulnerabilities in the code and its dependencies. Many SSDLC solutions provide plugins for development environments, enabling code analysis and fixes with the assistance of artificial intelligence.
  • Application Security and Testing – This phase employs techniques such as unit testing, integration testing, end-to-end (E2E) testing, fuzz testing, and Dynamic Application Security Testing (DAST). Functional security features, including authentication, authorization, and encryption, should also be tested. Penetration testing may be conducted at this stage as well.
  • Secure Deployment – At this stage, ensure the environment is properly configured across multiple layers, including Infrastructure as Code (IaC), cloud settings, secrets management, and YAML files. Automation using CI/CD reduces the risk of errors during application deployment. Tools for analyzing YAML files and Terraform (IaC) code can also be used to enhance security.
  • Management and Monitoring – Even after implementing all the steps to improve security, continuous monitoring of the application is essential. This includes log collection, properly configured alerts, and defined incident response procedures. Since zero-day vulnerabilities are constantly emerging, technical teams should be equipped to respond effectively.

The SSDLC process is often managed by a DevSecOps team—a DevOps team augmented with security expertise.


Modern Application Technology Stack

Modern applications often consist of dozens or even hundreds of components, including code dependencies and external tools. This significantly increases the attack surface and complicates security management. In the example diagram below (Figure 2), we can see numerous components involved in managing an application within the Azure cloud environment. These include:

  • Cloud applications supporting the system/application – Examples include Azure AD, Azure Monitor, and Azure Container Registry, which are used for access management, monitoring, and image building. Cloud configuration definitions often rely on IaC. Errors in this area are usually caused by user misconfigurations rather than cloud provider issues.
  • Deployment-supporting applications – CI/CD tools that integrate with container registries and GIT repositories.
  • Cluster – The main application deployed using containers operates on a cluster (often managed within a specific cloud). The cluster should include application monitoring and logging tools to enhance observability of what is happening in the application.
  • Code – Modern application code often contains numerous dependencies, including open-source ones. Each dependency may, in turn, rely on other dependencies. A potential attack vector is a supply chain attack, where an attacker gains control of a repository or library relied upon by the application. This can lead to the unintentional deployment of vulnerabilities through the application’s dependencies. Developers may also make mistakes, such as exposing keys/secrets in the code, which need to be detected, secured, and removed (e.g., when sharing code through a repository).
  • Agile/Business – Throughout all these processes, it’s crucial to maintain smooth security management without disrupting the business operations of the application or hindering developers from introducing new features.


Figure 2 – Application Architecture Built on Azure Cloud, Source: Microsoft.com


SAST, DAST, SCA, and the Shift-Left Approach

In this article, we’ve discussed SSDLC and the complexities of managing application security due to the sheer number of tools and dependencies in the code. The DevSecOps approach emphasizes addressing security issues as early as possible using the so-called shift-left approach, which integrates testing—especially security testing—into the earliest stages of software development.


Figure 3 – Shift-Left Approach, Source: Medium.com


DevSecOps teams utilize various tools to tackle security issues across different stages of the software development lifecycle. These tools include:

  • SCA (Software Composition Analysis) – SCA tools analyze code dependencies and identify vulnerabilities, including in second-level dependencies—the dependencies of the libraries used in the code. They also assess licenses and suggest fixes, such as updating to newer versions. Additionally, SCA tools can evaluate how updating a dependency might impact the code’s functionality and generate SBOMs (Software Bill of Materials), which provide a comprehensive list of dependencies to estimate the risk introduced by external packages.
  • SAST (Static Application Security Testing) – SAST tools perform static code analysis at an early stage to detect vulnerabilities in code created by the organization. These tools identify issues like SQL injection, cross-site scripting (XSS), and unsafe memory operations.
  • Secret scanning – These tools focus on identifying patterns related to API keys, secrets, and sensitive information in code or logs. This helps keep confidential data secure and, if a secret has leaked into a shared repository, allows it to be rotated quickly.
  • DAST (Dynamic Application Security Testing) – DAST tools dynamically analyze applications at runtime by simulating attacks on exposed APIs. They attempt to inject payloads into endpoints to identify issues like weak authentication, misconfigurations, and inadequate user input validation.
  • AI-Based Plugins – Modern AI-powered tools assist not only in detecting vulnerabilities and unusual patterns but also in automatically fixing vulnerable code. These algorithms can also predict and suggest areas in the codebase most prone to errors.

These tools are often integrated into a unified solution, connected to vulnerability databases. The algorithms evaluate the severity of vulnerabilities, assess potential risks, and prioritize threats for DevSecOps teams or developers to address.
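To make the SCA and prioritization steps concrete, here is an added example (not code from the article or from any of the tools it names) that resolves second-level dependencies from a constructed SBOM-like graph, matches every component against a constructed advisory list, and orders the findings by CVSS score.

```python
# Added example (not from the article): an SCA-style pass over a constructed,
# SBOM-like dependency graph: expand transitive (second-level) dependencies,
# match each component against a constructed advisory list, rank by CVSS.
# Package names, versions and advisory ids are placeholders, not real ones.

DIRECT_DEPENDENCIES = {"webframework": "2.1.0", "jsonlib": "1.4.2"}
DEPENDENCY_GRAPH = {  # (name, version) -> list of (name, version) it pulls in
    ("webframework", "2.1.0"): [("templating", "0.9.1"), ("httpparser", "3.0.0")],
    ("templating", "0.9.1"): [("escapelib", "1.0.0")],
}
ADVISORIES = [
    {"id": "ADV-EXAMPLE-0001", "package": "httpparser", "affected": ["3.0.0"], "fixed_in": "3.0.1", "cvss": 9.8},
    {"id": "ADV-EXAMPLE-0002", "package": "templating", "affected": ["0.9.1"], "fixed_in": "1.0.0", "cvss": 5.3},
    {"id": "ADV-EXAMPLE-0003", "package": "jsonlib", "affected": ["1.3.0"], "fixed_in": "1.3.1", "cvss": 7.5},
]

def resolve_transitive(direct, graph):
    """Breadth-first expansion; returns {(name, version): depth}, depth 0 = direct."""
    seen, queue = {}, [((n, v), 0) for n, v in direct.items()]
    while queue:
        pkg, depth = queue.pop(0)
        if pkg in seen:
            continue
        seen[pkg] = depth
        queue.extend((child, depth + 1) for child in graph.get(pkg, []))
    return seen

def sbom_components(installed):
    """Flat component list in the spirit of an SBOM: one entry per resolved package."""
    return [{"name": n, "version": v, "depth": d} for (n, v), d in sorted(installed.items())]

def severity(cvss):
    """CVSS v3.x qualitative rating bands."""
    if cvss >= 9.0:
        return "critical"
    if cvss >= 7.0:
        return "high"
    return "medium" if cvss >= 4.0 else "low"

def scan(direct, graph, advisories):
    """Match resolved components against advisories; highest CVSS first."""
    findings = []
    for (name, version), depth in resolve_transitive(direct, graph).items():
        for adv in advisories:
            if adv["package"] == name and version in adv["affected"]:
                findings.append({"id": adv["id"], "package": name, "version": version,
                                 "depth": depth, "cvss": adv["cvss"], "severity": severity(adv["cvss"]),
                                 "fix": f"upgrade {name} to {adv['fixed_in']}"})
    return sorted(findings, key=lambda f: -f["cvss"])
```

Note that the critical finding sits at depth 1, i.e. in a package the application never declared directly, which is exactly why SCA has to walk the whole graph rather than the manifest alone.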


Example DevSecOps Tools

Many tools address some or most of the aforementioned challenges. Examples include Dependabot, Snyk, Mend, Semgrep, Fortify, SonarQube, CodeQL, Copilot, and ZAP. While we won’t describe all of them here, let’s highlight how some of these functionalities can be used in specific tools. Such tools are often employed in CI/CD processes to build pipelines for automated testing and application deployment, which keeps the process predictable and repeatable.

For example, the well-known juice-shop cybersecurity project provides pre-configured pipelines in GitHub Actions integrated with tools like CodeQL (static analysis), Dependabot (dependency analysis), and ZAP.

Similar ready-made configurations are available for other CI/CD tools using security solutions like Snyk and Semgrep, with scan results delivered to the respective platform for further analysis.


Figure 4 – Screenshot of the Semgrep Console, Source: Semgrep.dev


Scanning plugins integrated into the development environment can look as shown in the screenshot below.


Figure 5 – Automatic Code Fixing Application via Semgrep Extension for Visual Studio Code, Source: Semgrep.dev


Summary

We hope this article has provided insight into the process of managing security from a DevSecOps perspective. DevSecOps teams integrate security into every stage of the software development process, enabling the detection and mitigation of vulnerabilities from the earliest stages of development (shift-left). With tools like SAST, DAST, SCA, and secret scanning, teams can effectively protect applications against modern threats. The SSDLC approach and automation through CI/CD pipelines ensure the consistency and repeatability of the entire security management process. For more technical details, feel free to explore the provided references.


Sources:

https://medium.com/@usamayaseen/application-security-in-ssdlc-a778205ac810

https://www.innokrea.com/sdlc-and-devops-culture/

https://learn.microsoft.com/it-it/azure/adaptive-cloud/app-solutions/pattern-highly-available-kubernetes

https://semgrep.dev/docs/semgrep-appsec-platform/dashboard
