The DevSecOps Security Checklist

This checklist gives engineering teams a set of DevSecOps security best practices to follow when adopting DevSecOps.

APIs

  • Apply security policies to APIs

    Approach API security from both the consumption and the exposure side. Manage identities, keys and tokens, certificate policies, and authentication and authorization policies. Log and audit the key stores, the policies, and the log stores themselves.

    API attacks

  • Authenticate and authorize API users

    Use API IDs and API keys to identify and authenticate users, devices or applications. Use an access control framework such as OAuth 2.0 to control which APIs an authenticated user or a given API key can reach.

    REST Security Cheat Sheet

    OAuth

  • Prevent API parameter tampering, attacks and hijacks

    Parameter tampering lets an attacker probe and reverse engineer the API until it leaks data or can be abused, including for denial of service. Protecting the parameters keeps your web, cloud and mobile applications safe. Monitor the APIs, the infrastructure and the external services you depend on so that DDoS attacks are detected and stopped.

    Understanding API Connectivity to Resolve App DDoS Attacks

    Automated security for your web apps
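Two of the controls behind this item, as an added example that is not from the original page or from Sqreen: parameters the server hands out (cursors, record ids, prices) are signed with an HMAC so any client edit is detected, and a per-client token bucket caps request rates so a single key cannot flood the API. The signing key is a constructed constant; in practice it comes from a secret store and is rotated.

```python
import base64
import hashlib
import hmac
import time

# Assumption: loaded from a secret store in real deployments; constructed here.
SIGNING_KEY = b"constructed-demo-key-rotate-me"


def sign_param(value: str, key: bytes = SIGNING_KEY) -> str:
    """Return value.tag so the server can detect edits to a parameter it issued."""
    tag = hmac.new(key, value.encode(), hashlib.sha256).digest()[:16]
    return value + "." + base64.urlsafe_b64encode(tag).decode().rstrip("=")


def verify_param(signed: str, key: bytes = SIGNING_KEY):
    """Return the original value, or None if the tag is missing or does not match."""
    value, sep, _tag = signed.rpartition(".")   # the tag never contains '.'
    if not sep:
        return None
    # Recompute and compare in constant time; never parse the value before this.
    if hmac.compare_digest(sign_param(value, key), signed):
        return value
    return None


class TokenBucket:
    """Per-client rate limit: `rate` requests per second, bursts up to `burst`."""

    def __init__(self, rate: float, burst: int, clock=time.monotonic):
        self.rate, self.burst, self.clock = rate, burst, clock
        self.buckets = {}   # client id -> (tokens left, last refill time)

    def allow(self, client: str) -> bool:
        now = self.clock()
        tokens, last = self.buckets.get(client, (self.burst, now))
        tokens = min(self.burst, tokens + (now - last) * self.rate)
        if tokens < 1:
            self.buckets[client] = (tokens, now)
            return False          # caller answers 429 and logs the client
        self.buckets[client] = (tokens - 1, now)
        return True
```

Sign only values the server generated; user-supplied input is validated separately. The bucket is keyed by API key rather than by source IP so shared NATs are not punished and key abuse is attributed to the key.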

  • Secure all the transmission paths

    • Encrypt every connection to prevent man-in-the-middle attacks
    • Enforce TLS (SSL is obsolete; disable it and TLS versions below 1.2)

    SSL Server Test

    Observatory by Mozilla

  • Secure your APIs

    APIs enable interaction and data sharing between applications and are therefore more exposed and more prone to security risks. Secure all the APIs the company consumes as well as those it exposes publicly. Encrypt request data in transit and keep API error messages minimal so they do not leak implementation details.

    DevSecOps for your APIs

  • Use RBAC to manage access to resources and operations

    Role Based Access Control (RBAC) simplifies assigning users and developers access rights to resources. Instead of giving each user specific rights, the administrator creates roles and assigns them to groups of users. This helps in organizations with many users to manage and where API use must be controlled.

    Role-based access control

    Simple, Secure Role Based Access Control (RBAC) For REST APIs
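The "Authenticate and authorize API users" and "Use RBAC" items together, as an added example that is not from the original page or from Sqreen: API keys are stored only as hashes and compared in constant time, then the key's roles are expanded to permissions before the operation is allowed. The key store, role table and permission names are constructed for the example.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets

# Constructed role table: a role maps to the permissions it grants.
ROLE_PERMISSIONS = {
    "reader": {"orders:read"},
    "editor": {"orders:read", "orders:write"},
    "admin": {"orders:read", "orders:write", "orders:delete", "users:manage"},
}


def hash_key(api_key: str) -> str:
    # Keys are 256-bit random values, so a plain SHA-256 is enough (no brute force to slow).
    return hashlib.sha256(api_key.encode()).hexdigest()


def issue_key(store: dict, key_id: str, roles: set[str]) -> str:
    """Generate a random key, store only its hash and roles, return the secret once."""
    secret = secrets.token_urlsafe(32)
    store[key_id] = {"hash": hash_key(secret), "roles": set(roles), "active": True}
    return secret


def authenticate(store: dict, key_id: str, presented_key: str):
    """Return the key record if key_id/presented_key are valid and active, else None."""
    record = store.get(key_id)
    # Hash and compare even for unknown ids so response time does not reveal valid ids.
    expected = record["hash"] if record else hash_key("")
    matches = hmac.compare_digest(hash_key(presented_key), expected)
    if not record or not record["active"] or not matches:
        return None
    return record


def permissions_for(roles) -> set[str]:
    perms = set()
    for role in roles:
        perms |= ROLE_PERMISSIONS.get(role, set())
    return perms


def authorize(record: dict, permission: str) -> bool:
    return permission in permissions_for(record["roles"])


def handle_request(store: dict, key_id: str, presented_key: str, permission: str) -> int:
    """What a gateway does per request: 401 for bad credentials, 403 for missing rights."""
    record = authenticate(store, key_id, presented_key)
    if record is None:
        return 401
    if not authorize(record, permission):
        return 403
    return 200
```

Revoking a key is a single flag flip on the record; because the secret itself is never stored, a dump of the key table cannot be replayed against the API.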

  • Validate input data, content types, and responses

    Validate all data to prevent application layer attacks. Treat input from users, database systems, external sources and the infrastructure as untrusted until it has been checked. In addition, perform integrity checks as data crosses the boundary between a trusted and a less trusted environment, so that compromised data does not enter your systems.

    Data Validation
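A strict request validator and a response filter, as an added example that is not from the original page or from Sqreen. It checks the content type and size before parsing, rejects unknown fields and wrong types (including `true` where an integer is expected), and strips internal fields and internal error detail from what goes back to the client, which also covers the "limit the information in API error messages" point above. The order schema and field names are constructed.

```python
import json
import re

MAX_BODY_BYTES = 64 * 1024
ALLOWED_CONTENT_TYPE = "application/json"

# Constructed schema for a hypothetical "create order" request.
ORDER_SCHEMA = {
    "sku": {"type": str, "pattern": re.compile(r"^[A-Z0-9-]{3,32}$")},
    "quantity": {"type": int, "min": 1, "max": 1000},
    "email": {"type": str, "pattern": re.compile(r"^[^@\s]{1,64}@[^@\s]{1,255}$")},
}

# Fields that must never leave the service even if present on the internal record.
INTERNAL_FIELDS = {"password_hash", "internal_notes", "db_row_id"}


class ValidationError(ValueError):
    pass


def validate_request(content_type: str, raw_body: bytes) -> dict:
    """Check media type and size, parse JSON, then validate every field strictly."""
    media_type = content_type.split(";")[0].strip().lower()
    if media_type != ALLOWED_CONTENT_TYPE:
        raise ValidationError("unsupported content type")
    if len(raw_body) > MAX_BODY_BYTES:
        raise ValidationError("body too large")
    try:
        body = json.loads(raw_body.decode("utf-8"))
    except (UnicodeDecodeError, json.JSONDecodeError):
        raise ValidationError("malformed JSON")
    if not isinstance(body, dict):
        raise ValidationError("expected a JSON object")
    unknown = set(body) - set(ORDER_SCHEMA)
    if unknown:   # reject, do not silently drop: extra fields are often mass-assignment attempts
        raise ValidationError("unknown fields: " + ", ".join(sorted(unknown)))
    clean = {}
    for name, rule in ORDER_SCHEMA.items():
        if name not in body:
            raise ValidationError(f"missing field: {name}")
        value = body[name]
        # bool is a subclass of int in Python, so use an exact type check.
        if type(value) is not rule["type"]:
            raise ValidationError(f"wrong type for {name}")
        if "pattern" in rule and not rule["pattern"].match(value):
            raise ValidationError(f"invalid value for {name}")
        if "min" in rule and not (rule["min"] <= value <= rule["max"]):
            raise ValidationError(f"{name} out of range")
        clean[name] = value
    return clean


def safe_response(record: dict) -> dict:
    """Allow only non-internal fields out of the service."""
    return {k: v for k, v in record.items() if k not in INTERNAL_FIELDS}


def error_response(exc: Exception) -> dict:
    """Client mistakes get a short reason; anything else gets a generic message (details to the log)."""
    if isinstance(exc, ValidationError):
        return {"error": "invalid request", "detail": str(exc)}
    return {"error": "internal error"}
```

The same validator should run on data coming back from downstream services and databases, not just on user input; a poisoned record in a cache crosses a trust boundary just as a request does.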

Development

Protection

  • Automate data policy management

    Use automated policy enforcement to manage the data lifecycle and data flows. Keep audit logs so that what happened before and after any security issue can be reconstructed, and address all audit and compliance findings.

    Audit Logs

  • Automate security tasks and practices

    Use existing DevOps tools to automate some security functions. For example:

    • Chef – to automate security testing
    • Puppet – to test compliance and enforce security policies
    • Ansible – to define and automate security best practices such as applying custom policies, configuring firewall rules, locking out certain users, etc.
    • SaltStack – to automate security practices

    Combine common tools with a continuous security monitoring platform.

    Automated security testing

    Puppet policy driven development

  • Automate security testing and protection

    Perform automatic security scanning for vulnerabilities in the code, infrastructure, and applications. Use a security solution that can detect and block attacks such as SQL injection, NoSQL injection and XSS. The solution must be able to protect both your on-premises and cloud systems from external attacks that could compromise the apps and overall security.

    Sqreen

  • Block attacks and unusual behavior

    Monitor all traffic to detect and block unusual behaviour, including access violations, abuse of functionality, DDoS and others. This helps prevent both external and internal attacks.

    Block bad actors

    Enhance security using behaviour-based indicators of compromise (BIOCs)
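Behaviour-based detection over access logs, as an added example that is not from the original page or from Sqreen: rather than matching attack signatures, it flags a client that piles up authentication failures or probes many non-existent paths inside a short window, which is what credential stuffing and scanner traffic look like from the server side. The log lines are constructed in the combined log format; thresholds are assumptions to tune per application.

```python
import re
from collections import defaultdict
from datetime import datetime

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \d+'
)

# Constructed sample: one client hammering the login endpoint, one probing for
# admin paths, and one ordinary user interleaved with them.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "POST /api/login HTTP/1.1" 401 52
203.0.113.7 - - [10/Oct/2023:13:55:37 +0000] "POST /api/login HTTP/1.1" 401 52
203.0.113.7 - - [10/Oct/2023:13:55:38 +0000] "POST /api/login HTTP/1.1" 401 52
203.0.113.7 - - [10/Oct/2023:13:55:39 +0000] "POST /api/login HTTP/1.1" 401 52
192.0.2.5 - - [10/Oct/2023:13:55:40 +0000] "GET /api/orders/17 HTTP/1.1" 200 814
203.0.113.7 - - [10/Oct/2023:13:55:41 +0000] "POST /api/login HTTP/1.1" 401 52
198.51.100.9 - - [10/Oct/2023:13:56:01 +0000] "GET /.env HTTP/1.1" 404 0
198.51.100.9 - - [10/Oct/2023:13:56:02 +0000] "GET /wp-admin/ HTTP/1.1" 404 0
198.51.100.9 - - [10/Oct/2023:13:56:03 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 0
198.51.100.9 - - [10/Oct/2023:13:56:04 +0000] "GET /.git/config HTTP/1.1" 404 0
198.51.100.9 - - [10/Oct/2023:13:56:05 +0000] "GET /admin/config.php HTTP/1.1" 404 0
192.0.2.5 - - [10/Oct/2023:13:56:10 +0000] "GET /api/orders/18 HTTP/1.1" 200 802
"""


def parse(lines):
    """Yield (ip, timestamp, path, status) for each well-formed line; skip the rest."""
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
            yield m["ip"], ts, m["path"], int(m["status"])


def find_bad_actors(lines, window_s=60, auth_fail_limit=5, not_found_limit=5):
    """Return {ip: reason} for clients whose behaviour crosses a threshold in any window."""
    events = defaultdict(list)
    for ip, ts, path, status in parse(lines):
        events[ip].append((ts, path, status))
    blocked = {}
    for ip, evs in events.items():
        evs.sort()
        for i, (t0, _, _) in enumerate(evs):   # sliding window starting at each event
            win = [e for e in evs[i:] if (e[0] - t0).total_seconds() <= window_s]
            auth_fail = sum(1 for _, _, s in win if s in (401, 403))
            probes = {p for _, p, s in win if s == 404}
            if auth_fail >= auth_fail_limit:
                blocked[ip] = f"{auth_fail} auth failures in {window_s}s"
                break
            if len(probes) >= not_found_limit:
                blocked[ip] = f"{len(probes)} distinct 404 paths in {window_s}s"
                break
    return blocked
```

The output feeds whatever enforces the block (a firewall list, a WAF rule, a rate limiter); keying on distinct 404 paths rather than raw 404 counts keeps a user reloading one broken link from being blocked.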

  • Complement automatic testing with creative manual tests

    Automated test scripts may miss visual issues that a human eye picks up, and a human tester interacting with the software will find usability and interface problems. Automated test scripts can also contain bugs of their own that produce false negatives or false positives.

    Reasons Why Manual Testing Can Never Be Replaced

    Why Automated Testing Will Never Replace Manual Testing

  • Deploy post-production protection best practices

    Automate scanning and collect application-level metrics upon deployment. You can use a tool such as Chef to automate configuration management and the provisioning of the runtime environment. Use runtime protection (RASP) to harden your application code in production.

    Getting runtime application self-protection launched

    Sqreen

  • Limit the attack surface

    Integrate protection and detection measures into the architecture to limit the attack surface, reduce exposure and consequently internal and external threats. Focus on high-risk areas such as web forms, internet-facing code, access control and session management code, data from external sources and other entry points that interface with external networks.

    Attack Surface Analysis Cheat Sheet

  • Protect the entire environment and data

    You need to secure the development and operational environment, code, processes, operating systems, and applications. Besides the code, ensure that you have adequate protection for all the data, infrastructure hardware and software.

  • Use security best practices and tools

    Observe the standard security best practices: reduce the attack surface (harden the infrastructure and services), encrypt your data and communication channels, and filter and block bad traffic and malware. Perform regular security audits and assessments, and log and analyze events.

  • Use security tools that continue to evolve

    The security solutions must keep pace with changing application environments and infrastructure. They should be able to protect the system and automatically send alerts when there is a security issue.

    Automated security for your web apps

Environment

  • Automate infrastructure configuration and management

    Automate and simplify the configuration and management of servers, infrastructure, compliance, and applications. Use tools such as Puppet, Chef, Azure Automation Desired State Configuration (DSC) and similar. For example, Chef is an infrastructure-as-code tool that can automatically provision an environment, apply security settings and deploy apps.

    Simplify and expedite server management

    Using Puppet to automatically manage server infrastructure

    Azure Automation DSC

  • Gather metrics to gauge success

    Collect and act on security and compliance information from on-premises and cloud environments. Use both high-value and supporting metrics to gain insight into, and measure the effectiveness of, your security processes.

    DevSecOps Guide

  • Harden Cloud Deployments

    Cloud environments provide a secure infrastructure if implemented properly. Review the teams and the individual roles and permissions, and give them access only to what they need to do their jobs. Enforce multi-factor authentication, at minimum for accounts with elevated permissions. Check the security groups, standard AMIs, IAM roles, MFA tokens, etc.

    AWS security

    Azure security best practices
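The IAM review this item asks for, automated over an AWS credential report, as an added example that is not from the original page or from Sqreen. The sample is constructed in the layout of `aws iam get-credential-report` output (trimmed to the columns used here; dates are ISO 8601 and absent values appear as `N/A`, `no_information` or `not_supported`), and the age thresholds are assumptions.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample rows; account id and user names are placeholders.
SAMPLE_REPORT = """\
user,arn,password_enabled,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date
<root_account>,arn:aws:iam::123456789012:root,not_supported,false,false,N/A,N/A
alice,arn:aws:iam::123456789012:user/alice,true,true,true,2023-09-01T08:00:00+00:00,2023-10-09T12:00:00+00:00
bob,arn:aws:iam::123456789012:user/bob,true,false,false,N/A,N/A
deploy-bot,arn:aws:iam::123456789012:user/deploy-bot,false,false,true,2022-11-20T00:00:00+00:00,2023-10-09T03:00:00+00:00
legacy-svc,arn:aws:iam::123456789012:user/legacy-svc,false,false,true,2023-07-01T00:00:00+00:00,no_information
"""


def parse_ts(value):
    if value in ("N/A", "no_information", "not_supported", ""):
        return None
    return datetime.fromisoformat(value)


def review_credential_report(report_csv, now, max_key_age_days=90, stale_days=60):
    """Return (user, finding) pairs for root misuse, missing MFA, old or unused keys."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        if user == "<root_account>":
            if row["mfa_active"] != "true":
                findings.append((user, "root account without MFA"))
            if row["access_key_1_active"] == "true":
                findings.append((user, "root account has an active access key"))
            continue
        if row["password_enabled"] == "true" and row["mfa_active"] != "true":
            findings.append((user, "console password without MFA"))
        if row["access_key_1_active"] == "true":
            rotated = parse_ts(row["access_key_1_last_rotated"])
            used = parse_ts(row["access_key_1_last_used_date"])
            if rotated and now - rotated > timedelta(days=max_key_age_days):
                findings.append((user, f"access key older than {max_key_age_days} days"))
            if used is None or now - used > timedelta(days=stale_days):
                findings.append((user, "access key unused; disable or delete it"))
    return findings


def demo_findings():
    """Run the review against the constructed sample at a fixed point in time."""
    return review_credential_report(SAMPLE_REPORT, datetime(2023, 10, 10, tzinfo=timezone.utc))
```

Running this on a schedule and failing the pipeline on new findings turns the "review roles and permissions" step from a periodic manual audit into a continuous control; the same loop extends naturally to the `access_key_2_*` columns and to policies attached directly to users.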

  • Isolate Docker containers and Kubernetes workloads

    Secure and isolate the containers early, often and continuously. Isolate and segment containers with tools such as AppArmor, seccomp and SELinux, and use user namespaces so that root inside a container is not root on the host. Create isolation layers between different applications as well as between applications and hosts. This reduces the host’s exposed surface, restricting access and protecting both the host and the co-located containers.

    Isolate containers with a user namespace

    Docker Container: isolation and security

  • Perform threat modeling exercise

    Threat modeling identifies design flaws and the components most at risk, and gives the security teams the opportunity to prioritize and address flaws according to their impact. In particular, it helps the teams understand what assets they are protecting, their sensitivity levels, the potential threats and their impact.

    How to measure risk with a better OKR

    Threat modeling in: The Ultimate DevSecOps

  • Secure and harden the containers

    Follow container security best practices: secure authentication and authorization; inspect, scan and protect files, images and containers; use private registries such as GCR or Quay; and build only from trusted and verified container images, pinned by digest rather than by a mutable tag.

    Docker Security Best Practices

    Kubernetes Security Guide

    Integrating Docker Solutions Into Your CI/CD Pipeline
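A linter for the isolation and hardening items above, as an added example that is not from the original page or from Sqreen: it walks container specs in the shape of `docker inspect` output (`Config.Image`, `Config.User`, `HostConfig.Privileged`, `CapAdd`, `CapDrop`, `SecurityOpt`, `PidMode`, `NetworkMode`, `ReadonlyRootfs`, `Binds`) and reports the findings a reviewer would raise. The two container specs and the approved-registry prefixes are constructed; `example-corp` is a placeholder.

```python
import re

# Assumption: the organisation's private registries (placeholder names).
ALLOWED_REGISTRIES = ("gcr.io/example-corp/", "quay.io/example-corp/")
DIGEST_RE = re.compile(r"@sha256:[0-9a-f]{64}$")

# Constructed specs in the shape of `docker inspect` output, one hardened, one not.
CONTAINERS = {
    "web": {
        "Config": {"Image": "gcr.io/example-corp/web@sha256:" + "a" * 64, "User": "10001"},
        "HostConfig": {
            "Privileged": False, "CapAdd": None, "CapDrop": ["ALL"],
            "SecurityOpt": ["no-new-privileges", "seccomp=/etc/docker/web-seccomp.json",
                            "apparmor=docker-web"],
            "PidMode": "", "NetworkMode": "bridge", "ReadonlyRootfs": True,
            "Binds": ["web-data:/var/lib/app"],
        },
    },
    "debug": {
        "Config": {"Image": "ubuntu:latest", "User": ""},
        "HostConfig": {
            "Privileged": True, "CapAdd": ["SYS_ADMIN"], "CapDrop": None,
            "SecurityOpt": ["seccomp=unconfined"],
            "PidMode": "host", "NetworkMode": "host", "ReadonlyRootfs": False,
            "Binds": ["/var/run/docker.sock:/var/run/docker.sock", "/:/host"],
        },
    },
}


def lint_container(spec):
    """Return a list of findings; an empty list means the spec passes every check."""
    cfg, host = spec["Config"], spec["HostConfig"]
    findings = []
    image = cfg["Image"]
    if not image.startswith(ALLOWED_REGISTRIES):
        findings.append("image not from an approved private registry")
    if not DIGEST_RE.search(image):
        findings.append("image not pinned by digest (tag can move)")
    if not cfg.get("User"):
        findings.append("runs as root inside the container")
    if host.get("Privileged"):
        findings.append("privileged: all capabilities, no seccomp/AppArmor")
    for cap in host.get("CapAdd") or []:
        findings.append(f"adds capability {cap}")
    if "ALL" not in (host.get("CapDrop") or []):
        findings.append("does not drop default capabilities")
    opts = host.get("SecurityOpt") or []
    if not any(o.startswith("no-new-privileges") for o in opts):
        findings.append("missing no-new-privileges")
    if "seccomp=unconfined" in opts:
        findings.append("seccomp disabled")
    if not any(o.startswith("apparmor=") for o in opts):
        findings.append("no explicit AppArmor profile (relies on the host default, if any)")
    if host.get("PidMode") == "host":
        findings.append("shares host PID namespace")
    if host.get("NetworkMode") == "host":
        findings.append("shares host network namespace")
    if not host.get("ReadonlyRootfs"):
        findings.append("root filesystem is writable")
    for bind in host.get("Binds") or []:
        src = bind.split(":")[0]
        if src in ("/", "/var/run/docker.sock"):
            findings.append(f"dangerous bind mount {src}")
    return findings


def lint_all(containers=CONTAINERS):
    return {name: lint_container(spec) for name, spec in containers.items()}
```

Mounting the Docker socket or `/` is equivalent to handing the container the host, which is why those two checks belong next to the privileged flag. The same checks map onto a Kubernetes pod's `securityContext` (`runAsNonRoot`, `allowPrivilegeEscalation`, `capabilities.drop`, `seccompProfile`, `hostPID`, `hostNetwork`).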

  • Secure and monitor the entire physical and virtual environment

    Secure your entire infrastructure, including on-premises and cloud environments, networks, the CI/CD pipeline, code, data, operating systems and software. Use sustainable processes and tools to identify and block internal and external attacks, malicious traffic and malicious files.

    App: Sqreen

    Infrastructure: ThreatStack

    Network: Cloudflare

Employee Behavior

  • Check employee security behavior

    Simulate a criminal attack in a controlled way to identify and fix real-world vulnerabilities. Use on-site attacks to test desktop security and visitor controls. Use red teaming to identify vulnerabilities and their impact on the business and its employees.

    Use red teaming to find real-world vulnerabilities

  • Do a spear-phishing campaign

    Run a spear-phishing campaign to test employees’ behaviour and responses. You can also try hacking your employees in a controlled manner to assess and address risky internal behaviour and preparedness.

    Spear phishing

    Create user awareness and training to prevent phishing attacks

  • Encourage secure employee behavior

    Implement a data protection program that combines security best practices with user education. Raise employee awareness of personal security and of attacks such as spear-phishing. Always update and patch operating systems and application software, preferably automatically.

    Employee Security Training

Code

  • Code security into apps

    Write secure code from the start of development through to the finished application. Build security into the code instead of adding it as an afterthought; this requires involving the security teams throughout the development process. Keeping the code and implementations as simple as possible avoids the complexity that undermines security.

    Building Security into Code and Culture

    When DevOps met Security — DevSecOps in a nutshell

  • Continuously review code at every stage

    Review the code and standards at each stage to ensure they comply with security best practices. Use SAST and DAST to analyze the code, and other automated tools to track dependencies and scan all third-party and open source code. Perform pre-commit, commit-time, build-time, test-time and deploy-time checks in your CI/CD pipeline.

    Let’s Talk About Code Reviews

    Codacy - Automated Code Reviews

    The best open-source DevOps security tools, and how to use them

  • Introduce chaos in the comfort zone

    Use chaos to test how prepared the systems are to respond to security threats under unfamiliar operating conditions. Run scripts that randomly shut down server instances, take down containers, disrupt some services, or create unexpected outages in the applications and infrastructure. This helps the teams build a moving-target defense that protects the systems under a wide range of conditions.

    Chaos Engineering

    Chaos Monkey Unleash the Chaos Monkey

  • Scan and secure open source code and software

    Continuously scan and secure all the open source components in the code. Keep an inventory of the open source software and code you use and ensure it is always up to date and secure.

    DevSecOps: The Open Source Way
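The dependency-tracking step from "Continuously review code at every stage" and the inventory check from "Scan and secure open source code", as one added example that is not from the original page or from Sqreen: it builds an inventory from a pinned requirements file and matches it against an advisory list, failing the build when an installed version is below the fixed version. Both the requirements and the advisory entries are constructed (the `DEMO-*` ids are not real CVEs).

```python
import re

# Constructed inventory in requirements.txt style (pinned name==version lines).
REQUIREMENTS = """\
# constructed example lockfile
requests==2.25.1
pyyaml==5.3.1
cryptography==41.0.3
urllib3==1.26.5  # pinned by the http client
"""

# Constructed advisory feed, not real vulnerability data.
ADVISORIES = [
    {"id": "DEMO-0001", "package": "pyyaml", "fixed_in": "5.4"},
    {"id": "DEMO-0002", "package": "urllib3", "fixed_in": "1.26.6"},
    {"id": "DEMO-0003", "package": "cryptography", "fixed_in": "41.0.2"},
]

REQ_RE = re.compile(r"^\s*([A-Za-z0-9_.-]+)\s*==\s*([0-9][0-9A-Za-z.]*)")


def parse_version(v):
    """Compare versions component by component; a non-numeric component sorts lowest."""
    parts = []
    for p in v.split("."):
        m = re.match(r"(\d+)", p)
        parts.append(int(m.group(1)) if m else -1)
    return tuple(parts)


def parse_requirements(text):
    """Return {normalized name: pinned version}; unpinned lines are ignored on purpose."""
    inventory = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0]          # strip trailing comments
        m = REQ_RE.match(line)
        if m:
            inventory[m.group(1).lower().replace("_", "-")] = m.group(2)
    return inventory


def vulnerable_components(inventory, advisories=ADVISORIES):
    """Return (package, installed, advisory id, fixed version) for each affected pin."""
    hits = []
    for adv in advisories:
        installed = inventory.get(adv["package"].lower())
        if installed is None:
            continue
        if parse_version(installed) < parse_version(adv["fixed_in"]):
            hits.append((adv["package"], installed, adv["id"], adv["fixed_in"]))
    return hits


def check_build(requirements_text=REQUIREMENTS):
    """Gate for the pipeline: True when no pinned component is affected."""
    return not vulnerable_components(parse_requirements(requirements_text))
```

Real advisory feeds carry version ranges rather than a single fixed version and the comparison has to follow the ecosystem's own version rules (PEP 440 for Python), so in production use the ecosystem's resolver or an SCA tool for the comparison; the structure of the gate stays the same.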

  • Start a threat analytics program on your code

    Use threat modeling, penetration tests and vulnerability testing to confirm that your code is secure. Track the number of severe vulnerabilities and how long they stay open before they are resolved. Analyze the frequency and scope of automated tests as well as the number and type of attacks on your applications.

    Communicating risk across complex teams

Culture