
CONSULTING

BUSINESS VISION


Building a security framework that enhances your CI/CD pipelines and delivers secure code quality from the IDE to application retirement can be challenging. It requires either an asynchronous review process or a fully automated system in the CI/CD pipeline, with issues tracked and aligned with the release strategy.

 

SPECIFICATIONS

The full CI/CD integration process needs to be driven by the Research and Development (R&D) team under the supervision of the cybersecurity architecture team.

Developers often use open-source libraries while building software products. Many companies in the industry still have no cybersecurity policy in place to govern this, and their developers have no way to check and verify these libraries for security issues.

Development and operations need to see DevSecOps as a mantra that makes everyone accountable for security, with the objective of implementing security decisions and actions at the same scale and speed as development and operations decisions and actions.

We introduce the Culture, Automation, Measurement and Sharing (CAMS) model as the basis for DevSecOps success.

The Cyberock team believes that you will succeed with DevSecOps within your organization by making sure that:


  • We all need to understand that cybersecurity is everyone's responsibility.

  • We need to change the mindset.

  • We need to educate developers to write secure code.

  • We need automated software security testing: SAST, SCA, OSA and IAST scans running in each phase of the CI/CD pipeline.

  • We need a solution that integrates into the developer's work environment.

  • We don't want to change the developer's workflow.

  • We need a solution that gives developers a good experience and prescriptive guidance inside their IDEs.

  • We also need a solution with easy rule customization for the cybersecurity team, to tune the tool and reduce the noise caused by false positives.

  • We need a solution that provides effective and efficient security test feedback to developers.

  • We need relevant training covering the OWASP Top 10 vulnerabilities (SQL injection, XSS, CSRF, security misconfiguration, broken authentication, insufficient logging and monitoring, etc.).

  • If applications can move to the cloud, why can't security testing?

    • Package the security tools in containers and run them in the cloud. Then the sky is the limit: the tests scale to whatever level we want.

  • BUG TRACKING: the cybersecurity team should not bypass the Project Manager (PM) and dictate work to developers.

    • Findings are raised as Jira tickets assigned to the Project Manager, who then assigns each ticket to a developer to fix as part of the next sprint.

BUSINESS EPICS

Integrating static analysis into the SDLC avoids finding security flaws late in the development process, when they are riskiest and costliest to fix. It shortens development cycles and increases productivity and effectiveness. Finally, it enables development teams to scan source code and systematically find and eliminate software security vulnerabilities.

  • Static code analysis in the IDE

  • Static code analysis in the cloud

  • Static code analysis during PR

  • Dynamic security scans

  • Static code analysis during build

  • Education and training

SOLUTION CONTEXT

Automation... Automation... Automation!!!

Without automation a company cannot effectively scale, establish consistency, or iterate with confidence in its CI/CD pipeline and cloud environment. Cyberock has created a Security Code Scan Lifecycle chart that defines the automated security scan activities, their frequencies, and the metrics gathered within the CI/CD pipeline. The goal is to ensure secure code quality from the IDE (pre-commit phase) to application retirement (post-deployment phase).

Break the build when a scan fails the policy, notify DevOps, and gather the metrics. Both defect tracking and bug tracking (Jira) need to be automated.
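The following script is an added example written for this page, not Cyberock's tooling, showing one way to wire the pieces named above and in the earlier bullets together in a single CI stage: read scan output, apply the cybersecurity team's suppressions so known false positives stop generating noise, decide whether to break the build, produce the Jira tickets that go to the Project Manager, and emit the metrics. It consumes a SARIF 2.1.0-shaped result set (the export format most SAST and SCA tools support). The tool name, file paths, findings, suppression entries, project key and PM account id are all constructed sample data, and the Jira payloads follow the shape of the Jira Cloud create-issue request body but are never sent.

```python
"""Scan-result gate for a CI stage: suppress, decide, ticket, measure.
Added example; not Cyberock's tooling. Reads SARIF 2.1.0-shaped results,
drops suppressed findings, breaks the build on policy, builds Jira payloads
and metrics. No network calls are made."""
import fnmatch
import json
from collections import Counter

# SARIF levels in blocking order; "error" is what breaks the build here.
LEVEL_RANK = {"note": 1, "warning": 2, "error": 3}


def _result(rule, level, uri, line, text):
    """Build one SARIF result object (used only for the constructed sample)."""
    return {"ruleId": rule, "level": level, "message": {"text": text},
            "locations": [{"physicalLocation": {
                "artifactLocation": {"uri": uri}, "region": {"startLine": line}}}]}


# Constructed sample: tool name, paths and findings are invented.
SAMPLE_SARIF = json.dumps({"version": "2.1.0", "runs": [{
    "tool": {"driver": {"name": "example-sast"}},
    "results": [
        _result("sql-injection", "error", "src/orders/repo.py", 42,
                "Query string built from a request parameter"),
        _result("hardcoded-secret", "error", "tests/fixtures/fake_creds.py", 3,
                "String literal looks like an API key"),
        _result("weak-random", "warning", "src/auth/session.py", 17,
                "random.random() used to derive a session token"),
        _result("debug-enabled", "warning", "src/app.py", 9,
                "Framework debug mode is enabled"),
    ]}]})

# Constructed suppression list: the cybersecurity team's rule tuning. Each
# entry is scoped to a rule and a path glob and carries a reason for audit.
SUPPRESSIONS = [
    {"ruleId": "hardcoded-secret", "path": "tests/fixtures/*",
     "reason": "Fake credentials used only by unit tests"},
    {"ruleId": "debug-enabled", "path": "*",
     "reason": "Overridden by deployment configuration"},
]


def parse_findings(sarif_text):
    """Flatten SARIF runs/results into plain dicts the gate can work with."""
    findings = []
    for run in json.loads(sarif_text).get("runs", []):
        tool = run["tool"]["driver"]["name"]
        for res in run.get("results", []):
            loc = res["locations"][0]["physicalLocation"]
            findings.append({
                "tool": tool, "ruleId": res["ruleId"],
                "level": res.get("level", "warning"),  # SARIF default level
                "path": loc["artifactLocation"]["uri"],
                "line": loc.get("region", {}).get("startLine"),
                "message": res["message"]["text"]})
    return findings


def is_suppressed(finding, suppressions):
    """True when a suppression names this rule and its path glob matches."""
    return any(s["ruleId"] == finding["ruleId"]
               and fnmatch.fnmatch(finding["path"], s["path"])
               for s in suppressions)


def evaluate(sarif_text, suppressions, fail_on="error",
             project_key="SEC", pm_account="pm-account-id"):
    """Apply the gate; return verdict, Jira payloads and metrics."""
    findings = parse_findings(sarif_text)
    active = [f for f in findings if not is_suppressed(f, suppressions)]
    blocking = [f for f in active
                if LEVEL_RANK[f["level"]] >= LEVEL_RANK[fail_on]]
    # One ticket per active finding, assigned to the PM rather than a
    # developer so work enters the sprint through normal planning. Shape
    # follows the Jira Cloud create-issue body; ids are placeholders.
    tickets = [{"fields": {
        "project": {"key": project_key},
        "issuetype": {"name": "Bug"},
        "summary": f"[{f['tool']}] {f['ruleId']} in {f['path']}:{f['line']}",
        "description": f["message"],
        "priority": {"name": "Highest" if f["level"] == "error" else "Medium"},
        "labels": ["security", f["level"]],
        "assignee": {"accountId": pm_account}}} for f in active]
    metrics = {"total": len(findings),
               "suppressed": len(findings) - len(active),
               "by_level": dict(Counter(f["level"] for f in active)),
               "blocking": len(blocking)}
    return {"break_build": bool(blocking), "tickets": tickets,
            "metrics": metrics, "blocking": blocking}


if __name__ == "__main__":
    verdict = evaluate(SAMPLE_SARIF, SUPPRESSIONS)
    print(json.dumps(verdict["metrics"], indent=2))
    for t in verdict["tickets"]:
        print("would create:", t["fields"]["summary"])
    raise SystemExit(1 if verdict["break_build"] else 0)  # non-zero breaks the build
```

Run as a pipeline step, the non-zero exit code is what breaks the build; the suppressed count and the per-level counts are the metrics worth trending across builds, since a rising suppression count is an early sign that the rule set needs tuning rather than more exceptions. Suppressions are scoped to a rule and a path glob on purpose: a blanket rule-level disable would also hide the same pattern in production code.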


Current Context

The SDLC security process of the future is one that shifts all the way left in the software development pipeline.

Today, many companies have no visibility into the security status of their code and cannot produce the metrics or reports needed to improve code quality.


Goal Context

Cyberock believes security should not be an afterthought. To mature your CI/CD pipeline, you need to integrate and automate effective security controls in every phase of your code development.


High-Level Solution

Our cybersecurity architecture team has completed the high-level (input/output) expectations for the scan activities. These describe the main events that take place before and after a scan is triggered in each phase of the CI/CD pipeline.

Business Key Performance Indicators

You can't manage what you don't measure.

(Table: Business Key Performance Indicators)