CONSULTING
BUSINESS VISION
Building a security framework that enhances our CI/CD pipelines to deliver secure code quality from the IDE to application retirement can be challenging. It requires implementing either an asynchronous process or a fully automated system in the CI/CD pipeline, with issues tracked so that they stay aligned with the release strategy.
SPECIFICATIONS
The full CI/CD integration process needs to be driven by the Research and Development (R&D) team under the supervision of the cybersecurity architecture team.

Developers often use open source libraries while building software products. Many companies in the industry still have no cybersecurity policy in place to control this, and their developers have no way to check and verify these libraries for security.

Development and operations need to see DevSecOps as a mantra that makes everyone accountable for security, with the objective of implementing security decisions and actions at the same scale and speed as development and operations decisions and actions.

We introduce the Culture, Automation, Measurement, and Sharing (CAMS) concept for DevSecOps success.

The Cyberock team believes that you will succeed with DevSecOps within your organization by making sure that:
- We all understand that cybersecurity is everyone's responsibility.
- We need to change the mindset.
- We need to be able to educate developers to write secure code.
- We need automation of software security testing (automate SAST, SCA, OSA and IAST to run security scan activities in each phase of our CI/CD pipeline).
- We need a solution that can be integrated into the developer's work environment.
- We don't want to change the developer's workflow.
- We need a solution that provides developers with a great experience and prescriptive guidance in the IDEs.
- We also need a solution that offers easy rule customization for the cybersecurity team (to configure the tool and reduce the noise caused by false positives).
- We need a solution that provides effective and efficient security test feedback to developers.
- We need relevant training covering all OWASP Top 10 vulnerabilities (SQL injection, XSS, CSRF, security misconfiguration, broken authentication, insufficient logging, etc.).
- If applications can move to the cloud, why can't security testing?
- We need to have the security tools in a container and move them to the cloud. Then the sky is the limit: we can scale to any level of testing we want.
- We need bug tracking, and the cybersecurity team should not bypass the project manager (PM) and dictate work to developers:
  So we raise tickets in Jira and have them assigned to the project manager. The project manager then assigns the ticket to the developer, who fixes it as part of the next sprint.
BUSINESS EPICS
Integrating static analysis into the SDLC avoids finding security flaws late in the development process, when they are riskiest and costliest to fix. It improves development cycles to increase productivity and effectiveness. Finally, it enables development teams to scan source code and systematically find and eliminate software security vulnerabilities.
- Static code analysis in the IDE
- Static code analysis in the cloud
- Static code analysis during pull requests (PR)
- Dynamic security scans
- Static code analysis during build
- Education and training
SOLUTION CONTEXT
Automation... Automation... Automation!!!

Without automation, your company cannot effectively scale, establish consistency, or iterate confidently in its CI/CD pipeline and cloud environment. Cyberock has created a Security Code Scan Lifecycle chart that clearly defines the different automated security scan activities, scan frequencies, and metrics gathering within the CI/CD pipeline. The goal is to ensure secure code quality from the IDE (pre-commit phase) to application retirement (post-deployment phase).
Break the build, notify DevOps, and gather the metrics. Both defect tracking and bug tracking (Jira) need to be automated.
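The build gate described here, together with the Jira hand-off from the bug tracking item in the specifications, as an added example that is not Cyberock's own tooling: it takes scanner findings, applies the cybersecurity team's suppressions, breaks the build at a severity threshold, gathers per-scanner metrics, and prepares ticket payloads assigned to the PM rather than to a developer. The Finding shape, the severity ranking, the "SEC" project key and the "pm" assignee are assumptions, and the sample findings are constructed.

```python
# Security build gate for one CI/CD scan stage. Added example; the finding
# shape, severity ranking, "SEC" project key and "pm" assignee are assumed.
from collections import Counter
from dataclasses import dataclass

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

@dataclass(frozen=True)
class Finding:
    scanner: str              # "sast", "sca", "iast", ...
    rule: str                 # scanner rule id (constructed values below)
    severity: str             # one of SEVERITY_RANK
    location: str             # file:line or package@version
    suppressed: bool = False  # rule tuned out by the cybersecurity team

def gate(findings, threshold="high"):
    """Return (build_ok, blocking findings, metrics for the dashboard)."""
    min_rank = SEVERITY_RANK[threshold]
    active = [f for f in findings if not f.suppressed]   # false positives removed
    blocking = [f for f in active if SEVERITY_RANK[f.severity] >= min_rank]
    metrics = {
        "total": len(findings),
        "suppressed": len(findings) - len(active),
        "by_scanner": dict(Counter(f.scanner for f in active)),
        "by_severity": dict(Counter(f.severity for f in active)),
        "blocking": len(blocking),
    }
    return not blocking, blocking, metrics   # empty blocking list -> build passes

def jira_tickets(blocking, project="SEC", assignee="pm"):
    """One ticket payload per blocking finding, routed to the PM, not a developer."""
    return [{
        "project": project,
        "summary": f"[{f.scanner.upper()}] {f.rule} at {f.location}",
        "priority": f.severity.capitalize(),
        "assignee": assignee,
        "labels": ["devsecops", f.scanner],
    } for f in blocking]

# Constructed sample findings; not the output of any real scanner run.
SAMPLE = [
    Finding("sast", "sql-injection", "high", "app/db.py:42"),
    Finding("sast", "weak-hash", "medium", "app/auth.py:17"),
    Finding("sast", "debug-flag", "low", "app/settings.py:3", suppressed=True),
    Finding("sca", "known-vulnerable-dependency", "critical", "example-lib@1.2.3"),
]

if __name__ == "__main__":
    ok, blocking, metrics = gate(SAMPLE)
    print("build passed" if ok else "build broken", metrics, jira_tickets(blocking))
```

The metrics dictionary is what a pipeline stage would push to the dashboard, and the ticket payloads are what it would post to Jira once the threshold is crossed.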
Current Context
The SDLC security process of the future is the one that shifts all the way left in the software development pipeline.
Today, many companies have no visibility into the security status of their code and cannot produce any metrics or reports to improve code quality.
Goal Context
Cyberock believes security should not be an afterthought. To mature your CI/CD pipeline, you need to integrate and automate effective security solutions in all phases of your code development.
High-Level Solution
Our cybersecurity architecture team has completed the high-level (input/output) expectations for the scan activities. These highlight the main events that take place before and after a scan is triggered in each phase of the CI/CD pipeline.