DevOps is taking the IT world by storm, but the often-overlooked part is that keeping applications secure has become increasingly important. The most important goal is to keep the full development chain secure and within compliance. Within the collaborative framework of DevOps, security is a shared responsibility integrated from end to end, which means that everyone involved in the development process takes responsibility and ownership of security.
At b.fine, we find this joint responsibility to keep our technology secure particularly important. Our in-house development team adopts the DevSecOps method to maximize the security of the b.rx platform at all times. Being a regulatory reporting platform, b.rx processes sensitive banking data, which makes security a top priority in every step of the development process. Our developer Hazem elaborates in this article on how the b.fine development team ensures b.rx’s security with the DevSecOps approach.
DevSecOps is an efficient way of designing secure software. It distinguishes itself from traditional development philosophies by adding security tests at every point along the software development lifecycle. It is an approach to culture, automation, and development design that integrates security as a shared responsibility throughout the entire Software Development Lifecycle (SDLC).
Adopting the DevSecOps philosophy helped b.fine move to more agile development practices, automate security and compliance policies in the Software Development Lifecycle (SDLC), and advance new security measures. Throughout the development cycle, the code is reviewed, audited, scanned, and tested for security vulnerabilities.
Issues are addressed as soon as they are found, so that a security flaw is fixed before further changes are built on top of it. The checks include Static Application Security Testing (SAST), Software Composition Analysis (SCA), and complementary approaches for testing the running code for vulnerabilities (DAST and IAST). In addition, we automate as much as possible to prevent human error, and we create automated gates so that unstable code cannot be promoted to production.
The DevSecOps lifecycle starts with the planning phase: collaboration, discussion, review, and the strategy for security analysis. Pre-commit checks then identify security issues before changes are committed to the source code repositories in our CI/CD orchestrator, GitLab. Once code is pushed from the local machine, it triggers the pipeline, whose first job is a secret-scanning test to make sure no credentials are exposed. Gitleaks is one of the best open-source tools for detecting and preventing hardcoded secrets such as passwords, API keys, and tokens in Git repositories. Next, we use Hadolint to lint and validate the Dockerfiles from which our Docker images are built. Before the code is built in the pipeline, automated security scans run for each new deployment, starting with Static Application Security Testing (SAST), which scans the entire code base for a wide range of risks, including those in the OWASP Top Ten such as SQL injection and XSS.
For SAST we use SonarQube, which integrates easily into the GitLab pipeline, alongside tools such as OWASP Dependency-Check, which flags outdated or vulnerable packages in the applications. Snyk Open Source is widely used to identify and update known vulnerabilities in code and in software packages. In addition, we run Fossology for Software Composition Analysis (SCA): an open-source license compliance system and toolkit that scans for licenses and copyrights, so we can make sure our code and its licenses raise no copyright issues.
At this point, the pipeline builds the containerized application and scans the containers with a tool such as Trivy, which finds vulnerabilities in container images, file systems, and Git repositories, as well as configuration issues and hard-coded secrets, before the pre-deployment stage.
The test phase is triggered once the containerized application has been built, has passed the container scan, and has been deployed to the staging environment. There we use the dynamic application security testing (DAST) tool ZAP Proxy to exercise live application flows such as user authentication, authorization, SQL injection, and API endpoints. It automatically detects security risks in web applications while they are being developed and tested.
Finally, in the release phase of the DevSecOps cycle, the containerized application should already be fully tested. This phase focuses on securing the runtime infrastructure by examining environment configuration such as user access control, network access, and secret management. For this we use tools like ZAP Proxy and Nmap for network discovery and security auditing of the web server. Nikto runs comprehensive tests against web servers for multiple security threats, including checks for over 6700 potentially dangerous files and programs, as well as outdated web server software and version-specific problems. Running these checks in scheduled pipelines every day helps us keep monitoring our infrastructure so that it stays secure and up to date.
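As an added example (not code from the original article or from b.fine's own pipeline), here is a GitLab CI configuration that strings the stages described above together as blocking gates: secret scanning first, then Dockerfile linting, SAST, SCA, container build and scan, DAST against staging, and a scheduled infrastructure audit. The image tags, the $AUDIT_IMAGE image for the nightly job, and the STAGING_URL, STAGING_HOST, SONAR_HOST_URL and SONAR_TOKEN CI variables are assumptions.

```yaml
# Added illustration of the pipeline stages; this is not b.fine's own .gitlab-ci.yml.
# Image tags, $AUDIT_IMAGE and the STAGING_*/SONAR_* CI variables are assumptions.
stages: [secret-scan, lint, sast, sca, build, dast, release-audit]
gitleaks:                   # first job: fail fast on committed credentials
  stage: secret-scan
  image: { name: zricethezav/gitleaks:latest, entrypoint: [""] }
  script:
    - gitleaks detect --source . --redact --exit-code 1

hadolint:                   # lint and validate the Dockerfile before anything is built
  stage: lint
  image: hadolint/hadolint:latest-debian
  script:
    - hadolint Dockerfile

sonarqube:                  # SAST gate; SONAR_HOST_URL and SONAR_TOKEN come from CI variables
  stage: sast
  image: { name: sonarsource/sonar-scanner-cli:latest, entrypoint: [""] }
  script:
    - sonar-scanner -Dsonar.projectKey=$CI_PROJECT_NAME -Dsonar.qualitygate.wait=true

dependency-check:           # SCA gate: a known vulnerable package with CVSS >= 7 fails the job
  stage: sca
  image: { name: owasp/dependency-check:latest, entrypoint: [""] }
  script:
    - /usr/share/dependency-check/bin/dependency-check.sh --project "$CI_PROJECT_NAME" --scan . --failOnCVSS 7

build-and-scan:             # build the image; Trivy blocks HIGH/CRITICAL findings before the push
  stage: build
  image: docker:latest
  services: [docker:dind]
  script:
    - docker build -t "$CI_REGISTRY_IMAGE:$CI_COMMIT_SHORT_SHA" .
    - docker run --rm -v /var/run/docker.sock:/var/run/docker.sock aquasec/trivy:latest image --exit-code 1 --severity HIGH,CRITICAL "$CI_REGISTRY_IMAGE:$CI_COMMIT_SHORT_SHA"
    - docker push "$CI_REGISTRY_IMAGE:$CI_COMMIT_SHORT_SHA"

zap-baseline:               # DAST: passive baseline scan of the staging deployment
  stage: dast
  image: ghcr.io/zaproxy/zaproxy:stable
  script:
    - zap-baseline.py -t "$STAGING_URL"

nightly-infra-audit:        # release phase: Nmap/Nikto audit of the web server, schedule only
  stage: release-audit
  image: $AUDIT_IMAGE       # assumption: a maintained image with nmap and nikto installed
  rules:
    - if: $CI_PIPELINE_SOURCE == "schedule"
  script:
    - nmap -sV "$STAGING_HOST"
    - nikto -h "$STAGING_URL"
```

Every gating job exits non-zero on findings, so a pipeline cannot advance past a failed scan; the audit job runs only from a pipeline schedule, matching the daily scheduled pipelines described above.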
Continuous monitoring in DevSecOps helps identify threats to the security and compliance rules of the software development cycle and architecture. Auditing and monitoring provide insight into security incidents in production environments.
They help us respond to incidents faster by providing detailed forensic information about potential security issues and the consequences of an event. Continuous monitoring also supports stronger security measures such as threat assessment and quick response to breaches and cyber-attacks, and it keeps reports on the software development architecture.
This approach helps us prevent security vulnerabilities from reaching production, which reduces the cost of fixing flaws after deployment.
Adopting the DevSecOps culture aligns security with DevOps efforts and provides stability, higher performance, and secure software.
Using security tools in a fully automated DevSecOps pipeline makes the software development and deployment lifecycle easier and better. With real-time continuous monitoring across pre-production and production environments, and with recommendations and automation that help manage every stage of the DevOps workflow, it increases the efficiency and speed of both development and security. As a result, we produce better-performing and more secure software at b.fine.