DevSecOps is a new organizational model, adopted by organizations that must achieve fast development velocity without compromising on security. In a nutshell, it is the merging of DevOps and security organizations. DevSecOps is a cultural and organizational phenomenon, but in most organizations, the transition cannot happen without tools.
A DevSecOps stack is a set of security tools that facilitate fast, automated security checks at every stage of the software development lifecycle (SDLC). In this article, I’ll explain the key principles of a successful DevSecOps stack, and cover the primary technologies that typically comprise the stack.
Essential Elements of a Successful DevSecOps Security Stack
You cannot successfully use tools without first defining their business objectives. What can tools help you achieve in a DevSecOps environment? Here are three objectives that can help you evaluate current and future tools:
- Time—the main motivation for transitioning to a DevSecOps organization is to respond to threats faster, and preferably, prevent attacks in the first place through secure product design. Evaluate how tools can help you detect vulnerabilities and threats as early as possible in the software development lifecycle (SDLC) and fix them quickly—for example, by helping developers quickly find an issue in the code and remediate it.
- Attack vectors—a DevSecOps toolset cannot be siloed and limited to specific threats or layers of the IT environment. DevSecOps tools are measured by their ability to holistically protect the environment against a wide range of known and unknown threats, leveraging state-of-the-art threat intelligence.
- Simplicity and automation—DevSecOps teams must work fast to be effective, because a main promise of the model is to integrate security into fast-paced development pipelines. DevSecOps tools must be simple to operate for all three teams (development, operations, and security)—for example, they must be useful to developers and accessible from within their IDE. Tools must also be automated, to enable rapid response to security issues without causing bottlenecks in the pipeline.
Building Blocks of a DevSecOps Security Stack
While every DevSecOps stack is different, the following are basic technological building blocks likely to be used by most organizations, now or in the future.
Security Information and Event Management
Security information and event management (SIEM) solutions aggregate security data from multiple sources. The goal is to provide a centralized location for correlation and analysis.
You can use SIEM technology to consolidate log data and network traffic into dashboards that provide meaningful visualizations. A SIEM system can manage massive amounts of security data.
SIEM solutions usually provide analytics capabilities and visualizations that enable security teams to detect suspicious patterns, and find correlations between activities and events within the environment.
SIEM solutions can consolidate data into reports, providing a clear and understandable risk profile for the organization.
How it supports DevSecOps: SIEM makes the information understandable for stakeholders at all skill and knowledge levels, helping developers, operations, and security collaborate around one source of truth.
SAST, DAST and IAST
Unlike a WAF, which treats the application as a black box, application security (AppSec) testing technologies take a white box approach, helping developers identify and remediate vulnerabilities in software during and after its development.
Static application security testing (SAST) solutions analyze the source code of an application, to find security vulnerabilities and weaknesses that can be exploited by malicious actors. Developers can use SAST to find and fix issues in their application's source code during early stages of the software development lifecycle (SDLC).
Dynamic application security testing (DAST) solutions enable developers to analyze web applications during runtime, whether in testing, staging, or production environments, to identify security vulnerabilities and weaknesses. Testers use DAST to analyze running applications and attack them like hackers would. DAST tools provide developers with valuable insights into application behavior, helping them identify where hackers can launch attacks, and find out how they can eliminate these threats.
Interactive application security testing (IAST) solutions, a hybrid of SAST and DAST, use dynamic testing (also known as runtime testing) technology to help organizations identify and manage vulnerabilities discovered while web applications are running.
IAST uses software tools to monitor how applications operate and perform in the wild, by deploying agents and sensors, and continuously analyzing interactions with the application—either from real traffic, or from manual or automated tests. This combination of inputs can help identify vulnerabilities in real time.
How it supports DevSecOps: AppSec technologies are the staple of DevSecOps, making it possible to test software automatically at every stage of the SDLC, and receive actionable alerts and remediation recommendations. Developers and operations staff can and should run SAST, DAST, or IAST during early development, after every build, in testing and staging environments, and continuously when software is running in production.
Extended Detection and Response (XDR)
Extended detection and response (XDR) solutions can support a prevention-first approach with detection and response technology. They help responders achieve proactive security, by gaining a comprehensive understanding of security events from multiple security silos. Additionally, automation of security processes, from alert classification to threat hunting, can help teams respond in a more timely and effective manner.
XDR correlates the behavior of users, entities, and actions across all data sources to indicate anomalous activity. It can reduce the complexity of threat hunting by providing powerful search capabilities, rich attribution, and data correlation. XDR uses big data analytics from multiple sources and consolidates threat data into one interface. XDR technology can analyze data from endpoints, networks, clouds, and third-party intelligence and then automate current or historical threat detection.
XDR simplifies workflows and reduces the time and complexity of event triaging, incident investigations, response processes, and threat hunting. It lets security tools and IT systems work together to automatically remediate issues. XDR uses the knowledge gained from each investigation to de-prioritize similar false positives or block similar future threats.
How it supports DevSecOps: In a modern security environment there is no time for a prolonged incident response process with investigation, mitigation, and remediation that can take weeks. Incidents must be identified, triaged, and contained in seconds. XDR can support this rapid process, blocking threats and providing the deep forensic data needed to remediate vulnerabilities in production systems.
Web Application Firewall (WAF)
Web applications are a critical asset for many modern organizations. Web application firewalls (WAFs) protect business-critical applications against malicious traffic, such as zero day threats, OWASP Top 10 vulnerabilities, and other web application layer attacks. WAF technology analyzes HTTP interactions, typically for the purpose of blocking malicious traffic before it can reach a server for processing.
A WAF offers more visibility into sensitive data communicated via HTTP/S, compared to traditional firewalls. It can look inside network packets, preventing application layer attacks that can bypass traditional firewalls. It can also protect web-based applications without accessing or analyzing the source code, taking a black box approach.
How it supports DevSecOps: When security vulnerabilities are discovered, remediation is not immediate. WAF provides a first line of defense that can help you detect and block exploits, while development teams are remediating the underlying vulnerabilities.
Security Automation, Orchestration, and Response (SOAR)
SOAR technology has two main components:
- Automation—SOAR solutions automate manual security tasks, such as vulnerability scans and log querying, as well as deprovisioning inactive accounts and provisioning new users. SOAR automates other processes, including response to alerts according to predefined incident response playbooks. This is highly useful in handling large volumes of alerts and filtering out false positives generated by SIEM systems and other tools.
- Orchestration—SOAR technology helps orchestrate operations that involve the use of multiple security tools. It integrates and correlates outputs from various security tools, providing automation for event analysis.
SOAR speeds up response processes, helping systems and security experts respond in a timely manner. Fast response can help reduce risks, ensuring threats are blocked and mitigated before escalating.
SOAR frees up time, ensuring security analysts are not burdened by routine manual tasks and can apply their skills to more challenging threats. It ensures experts have the time to work through complex responses that cannot be automated.
How it supports DevSecOps: Security teams in a DevSecOps operation need to invest time in supporting development and operations activities. SOAR can reduce manual tasks and free up time for analysts to collaborate with DevOps teams.
Threat Intelligence Platform
A threat intelligence platform can provide SIEM solutions and other security tools with context for alerts. Once integrated with SIEM, a threat intelligence platform can analyze data and prevent alert fatigue. The platform uses correlated SIEM data and attempts to identify alerts indicating serious suspicious activity. It then provides context that analysts can use to determine the origin of the alert, and other systems affected by the same threat.
Threat intelligence platforms correlate suspicious activity with threat feeds. This capability can help identify the threat each activity represents. Threat intelligence platforms can significantly speed up detection and analysis of known threats. Additionally, they ensure analysts can quickly perform deeper investigations to uncover unknown threats.
How it supports DevSecOps: Threat intelligence is the “brains” of a DevSecOps organization. Everyone, from developers identifying a security flaw in early development, to security staff responding to an incident, can benefit from relevant, context-sensitive threat data.
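To make the two steps concrete, the SIEM correlation described earlier and the threat-intelligence enrichment described here, the following Python sketch is an added example written for this article, not code from any vendor's product. It normalizes constructed log lines from two sources, correlates them into a single alert per source IP, and then attaches context from a constructed threat feed to set a triage priority; every log line, IP, domain and feed entry is made up.

```python
import re
from collections import defaultdict

# Constructed sample events from two sources (SSH auth log, web proxy log); not real data.
RAW_EVENTS = [
    "auth  2024-05-01T10:00:01 fail user=admin src=203.0.113.5",
    "auth  2024-05-01T10:00:02 fail user=admin src=203.0.113.5",
    "auth  2024-05-01T10:00:03 fail user=admin src=203.0.113.5",
    "auth  2024-05-01T10:00:09 ok   user=admin src=203.0.113.5",
    "proxy 2024-05-01T10:01:00 GET  host=updates.invalid src=203.0.113.5",
    "auth  2024-05-01T10:02:00 fail user=bob src=198.51.100.7",
]

# Constructed threat feed: indicator -> context a threat intelligence platform would attach.
THREAT_FEED = {
    "203.0.113.5": {"tag": "credential-stuffing-source", "confidence": "high"},
    "updates.invalid": {"tag": "suspected-c2-domain", "confidence": "medium"},
}
LINE_RE = re.compile(r"^(?P<source>\w+)\s+(?P<ts>\S+)\s+(?P<action>\w+)\s+(?P<kv>.*)$")

def parse(line):
    """Normalize one raw line into a flat dict (the SIEM ingestion step)."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    ev = m.groupdict()
    ev.update(pair.split("=", 1) for pair in ev.pop("kv").split())
    return ev

def correlate(lines, fail_threshold=3):
    """SIEM correlation: one alert per source IP with >= fail_threshold failed logins followed by a success."""
    by_src = defaultdict(list)
    for ev in filter(None, map(parse, lines)):
        by_src[ev["src"]].append(ev)
    alerts = []
    for src, evs in by_src.items():
        fails = [e["ts"] for e in evs if e["source"] == "auth" and e["action"] == "fail"]
        later_ok = bool(fails) and any(e["action"] == "ok" and e["ts"] > max(fails) for e in evs)
        if len(fails) >= fail_threshold and later_ok:
            alerts.append({"src": src, "failures": len(fails), "evidence": evs})
    return alerts

def enrich(alert, feed=THREAT_FEED):
    """TIP step: attach feed context for every indicator in the evidence and derive a priority from it."""
    indicators = {alert["src"]} | {e["host"] for e in alert["evidence"] if "host" in e}
    alert["intel"] = {i: feed[i] for i in indicators if i in feed}
    confidences = {c["confidence"] for c in alert["intel"].values()}
    alert["priority"] = "critical" if "high" in confidences else "high" if alert["intel"] else "medium"
    return alert
```

Running `enrich` over each alert from `correlate(RAW_EVENTS)` yields one alert, prioritized "critical" because both the source IP and the contacted domain match the feed; an alert with no feed match would stay at "medium".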
Beyond DevSecOps Tools: The Importance of a Single Source of Truth
In the past, developers, operations, and security teams were perfect strangers. They had conflicting goals, different mindsets, and were often rivals within the organization. DevSecOps is changing all that, turning these three teams into partners with common goals.
The transition to a DevSecOps organization is far from easy to achieve. It requires a clear decision by management, cultural changes, and also training, needed to provide each of these roles with new skills.
A prerequisite for DevSecOps is a shared toolset that can be accessed by all three teams. But this is not just a matter of purchasing and deploying so-called “DevSecOps tools”. To ensure your development process is transparent and well understood by all teams, each team must record project data in a consistent manner, and this data should be collated into a central dashboard.
Having a central source of truth, agreed by teams, management, and other stakeholders, is a critical element of DevSecOps. Technically, this single source of truth can be simple—any collaboration or analytics system will do. The complex part is to convince all teams to start measuring and reporting their progress in one place.
This creates a database of actionable project data that reflects real work done, exposes challenges, and enables reflection and improvement.