SecDevOps
The adoption of the DevOps movement has been a step forward in how software is developed and delivered. Ever more demanding "time to market" expectations mean that quality and agility in the Software Development Life Cycle must go hand in hand, and the natural answer is to automate every phase of development, build and testing of the code; in other words, Continuous Integration (CI).
This philosophy is increasingly important and is a sign of maturity in a project, but one key principle is still missing from the process: security. Once it is added, the term becomes SecDevOps. In short, applying DevOps shortens the time needed to roll out new services and functionality; SecDevOps ensures that this speed does not come at the expense of security.
In the classic DevOps life cycle, the security team applies its controls in one of the last phases, usually Deployment. That is too late: the bugs found there must be fixed by the development team in the short window before the new version ships, which often results in delivery delays and works against the Agile and DevOps philosophy.
For these reasons, if security is built in from the planning phase (Security by Design) and design defects are corrected before development begins, the cost of fixing vulnerabilities in later phases of the product drops considerably. Let us zoom in on each phase and the security checks applicable to it:
- Planning: As the earliest phase of development, this is where we analyze the threats the project may face (threat modeling): attacks on user authentication, exposure of critical services and of the software versions in use, weak or missing encryption, etc.
- Programming: The project manager must ensure that the development team keeps security in mind, addresses any security issues that arise and follows the available secure-development guides and good practices. Before moving to the next phase, static code analysis (SAST) can be run on the source.
- Testing: As in any other development, functional, unit and integration tests are run, adding test cases designed specifically for security (for example, checks that authentication and input validation fail closed).
- Packaging: In the packaging phase we analyze the external libraries and, if containers are used, the base images, looking for known vulnerabilities that could affect our project (dependency and container scanning).
- Launch: Centralized, version-controlled repositories (Git, GitLab, Azure DevOps...).
- Deployment: Before deploying the application to the production servers, it is deployed to a private environment where its security is tested again, this time against the running application.
- Operation: The application is now live. It is time to verify its security with a security audit or penetration test.
- Monitoring: Security testing never stops: technology moves on and cybercriminals discover new flaws daily that put the integrity of widely used technologies at risk. In this phase the application is monitored to detect possible vulnerabilities and attacks.
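As an added example (not code from the original page nor from Auditech), the gate that ties the Programming, Packaging and Deployment phases together can be a small script run by the pipeline before anything is promoted to the private pre-production environment: it reads the findings produced by the static, dependency and container scanners, blocks the build when anything at or above an agreed severity is present, treats unrated findings as blocking (fail closed), and only honors accepted risks that carry an expiry date that has not passed. The report format and the `EX-000x` finding identifiers are constructed for the example; a real scanner's output would be normalized into this shape by a thin wrapper.

```python
"""Severity gate for scanner findings in a SecDevOps pipeline (added example)."""
import json
import sys
from dataclasses import dataclass, field
from datetime import date

# Severity order used by the gate. Anything the scanner could not rate is
# ranked as CRITICAL so that the gate fails closed rather than open.
SEVERITY_RANK = {"LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

# Constructed sample report (not a real scanner's output format). A wrapper
# around the SAST / dependency / container scanner would emit this shape.
SAMPLE_REPORT = json.dumps({
    "findings": [
        {"id": "EX-0001", "severity": "high", "component": "libexample 1.2.0",
         "title": "constructed: outdated third-party library"},
        {"id": "EX-0002", "severity": "low", "component": "app/util.py",
         "title": "constructed: informational SAST finding"},
        {"id": "EX-0003", "severity": "critical", "component": "base-image",
         "title": "constructed: vulnerable package in base image"},
        {"id": "EX-0004", "severity": "unknown", "component": "vendor/blob",
         "title": "constructed: scanner could not rate this finding"},
    ]
})


@dataclass
class GateResult:
    passed: bool
    blocking: list = field(default_factory=list)  # finding ids that fail the build
    waived: list = field(default_factory=list)    # accepted risks still in force
    expired: list = field(default_factory=list)   # waivers that have lapsed


def severity_rank(severity):
    """Map a scanner severity string to a rank; unknown values rank as CRITICAL."""
    return SEVERITY_RANK.get(str(severity).upper(), SEVERITY_RANK["CRITICAL"])


def load_findings(report_json):
    """Parse the constructed report format into a list of finding dicts."""
    return json.loads(report_json)["findings"]


def evaluate_gate(findings, threshold="HIGH", accepted_risks=None, today=None):
    """Apply the severity policy.

    accepted_risks maps a finding id to an ISO-8601 expiry date (hypothetical
    exception register). A waiver is only honored while that date has not
    passed; an expired waiver is reported and the finding blocks again.
    """
    accepted_risks = accepted_risks or {}
    if today is None:
        today = date.today()
    elif isinstance(today, str):
        today = date.fromisoformat(today)

    result = GateResult(passed=True)
    for finding in findings:
        if severity_rank(finding["severity"]) < severity_rank(threshold):
            continue  # below the agreed threshold: reported elsewhere, not blocking
        fid = finding["id"]
        expiry = accepted_risks.get(fid)
        if expiry is not None and date.fromisoformat(expiry) >= today:
            result.waived.append(fid)
            continue
        if expiry is not None:
            result.expired.append(fid)  # waiver exists but has lapsed
        result.blocking.append(fid)
    result.passed = not result.blocking
    return result


def run_gate(report_json, **policy):
    """Convenience wrapper: parse a report and evaluate it in one call."""
    return evaluate_gate(load_findings(report_json), **policy)


if __name__ == "__main__":
    # Usage in a pipeline step: a non-zero exit code stops the deployment stage.
    outcome = run_gate(SAMPLE_REPORT,
                       accepted_risks={"EX-0001": "2099-12-31"},
                       today="2024-01-01")
    print(outcome)
    sys.exit(0 if outcome.passed else 1)
```

The script deliberately keeps the exception register separate from the scanner output: an accepted risk is a decision taken in the Planning or Operation phase, it has an owner and an expiry, and the gate re-blocks the finding automatically when that date passes instead of letting a one-off waiver become permanent.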
The democratization of cybersecurity is one of our fundamental pillars, whether by including it in software development processes or at any other point where new technologies are involved. At Auditech we are committed to promoting a security-by-default policy in which the entire organization takes these concepts into account. Always opt for early adoption of security, as SecDevOps does.
At EIP International Business School you will find the up-to-date, quality training you are looking for. Request information from us now to learn more about our Master in Cybersecurity.