Based on this course
DevSecOps builds on the idea that cross-functional teams must work together and that everyone is responsible for security. The DevOps mantra of "automate everything" is central to DevSecOps. Areas where we can automate security:
- Software version control
- Continuous integration
- Continuous testing
- Configuration management and deployment
- Continuous monitoring
- Containerization
- Container orchestration
- Deployment frequency
- Lead time (code to cash cycle)
- Detection of threats, vulnerabilities and malware
- Mean time to repair and remediation
- Efficiency of rollback and recovery
After applications and services are deployed to production, they are continuously monitored for vulnerabilities. Based on those findings, we may decide to roll back changes or remediate them by changing the application, its dependencies or the underlying infrastructure.
Attack surface. It's the collection of points (attack vectors) where an unauthorized user (attacker) may enter to inject data into or extract data from an environment.
- You should keep the attack surface small.
Malware. It's malicious software that attackers may deploy to infect individual computers or an entire digital network. Malware exploits a system's vulnerabilities.
- Dynamic scanning. It's a method of code analysis that identifies vulnerabilities in a runtime environment. It monitors system memory, functional behavior, response time and the overall performance of the system.
- Static scanning. It inspects program code for all possible runtime behaviors and seeks out flaws and potentially vulnerable code.
The Cloud Security Alliance (CSA) has defined control IDs to uniquely identify vulnerabilities. It publishes the Cloud Controls Matrix (CCM) and a security self-assessment for both cloud consumers and providers.
The Open Web Application Security Project® (OWASP) is a nonprofit foundation that works to improve the security of software.
Federal Information Processing Standards (FIPS) are security standards developed by the U.S. federal government. They define minimum security requirements for the use of cryptographic modules.
Common Vulnerabilities and Exposures (CVE) is a dictionary-style list of standardized names for vulnerabilities and other information related to security vulnerabilities. This is maintained by the National Vulnerability Database.
What is considered a vulnerability?
A weakness in the computational logic (e.g., code) found in software and hardware components that, when exploited, results in a negative impact to confidentiality, integrity, or availability. Mitigation of the vulnerabilities in this context typically involves coding changes, but could also include specification changes or even specification deprecations (e.g., removal of affected protocols or functionality in their entirety). (Source: National Vulnerability Database)
The National Checklist Program (NCP) repository provides secure configurations for specific software components.
Identity and access management. It's the process of granting or restricting access to computing resources for individual users, groups, or systems.
- Authentication
- Authorization
- User management
- Credentials repository
Key concepts:
- Identity repositories. Systems that store information about all users and groups within an enterprise in a single place.
- Access keys. Encrypted keys that enable apps to securely access servers.
- Signatures and certificates. They allow programs to verify the source and authenticity of digital assets.
- Vaults. Store secrets and encrypt login credentials.
Server hardening. It's the process of enhancing each server's security. You can use tools such as OpenSCAP to review possible server vulnerabilities.
Application hardening. It's the process of enhancing the application or framework's security according to a provider's recommendation.
CI (continuous integration). It's a practice that encourages developers to check in their code daily to ensure that one change does not introduce a defect into the shared code base.
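The notes above describe static and dynamic scanning feeding a CI pipeline, and production findings driving a roll back or remediate decision. The following is an added example, not part of the course: a small CI security gate that validates CVE identifiers in scan output, applies a severity policy and recommends an action. The findings, the policy thresholds and the mapping of violations to "rollback" or "remediate" are all constructed assumptions.

```python
"""Added example: a CI security gate over static/dynamic scan findings.
Scan output, policy and the action mapping are constructed for illustration."""
import re
from collections import Counter

# CVE identifiers have the form CVE-<year>-<four or more digits>.
CVE_ID = re.compile(r"^CVE-\d{4}-\d{4,}$")

# Constructed policy: the maximum number of findings per severity a build may carry.
POLICY = {"critical": 0, "high": 0, "medium": 5}

# Constructed scan output (placeholder ids, not real CVEs), as a scanner might emit it.
FINDINGS = [
    {"source": "static", "severity": "high", "id": "CVE-0000-0001",
     "component": "example-lib"},
    {"source": "dynamic", "severity": "medium", "id": "CVE-0000-0002",
     "component": "example-web-frontend"},
    {"source": "static", "severity": "low", "id": "not-a-cve",
     "component": "internal-lib"},
]


def validate(findings):
    """Split findings into those with well-formed CVE ids and those to flag for review."""
    good, bad = [], []
    for finding in findings:
        (good if CVE_ID.match(finding["id"]) else bad).append(finding)
    return good, bad


def evaluate(findings, policy=POLICY):
    """Apply the policy; return (passed, counts per severity, violated limits)."""
    counts = Counter(finding["severity"] for finding in findings)
    violations = {sev: counts[sev] for sev, limit in policy.items() if counts[sev] > limit}
    return not violations, dict(counts), violations


def recommend(violations):
    """Assumed mapping: critical findings roll the change back, other violations are remediated."""
    if not violations:
        return "deploy"
    if "critical" in violations:
        return "rollback"
    return "remediate"


def run_gate(findings=FINDINGS):
    """Full gate: drop malformed ids, evaluate the rest, return the recommended action."""
    good, _flagged = validate(findings)
    _passed, _counts, violations = evaluate(good)
    return recommend(violations)
```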