
The DevSecOps Security Checklist
INTRODUCTION
Damn, but security is hard.

It’s not always obvious what needs doing, and the payoffs of good security are at best
obscure. Who is surprised when it falls off our priority lists?

DevSecOps is a practice that combines security engineering, science, compliance and
operations. We'd like to offer a little help, if you don't mind. And by "help" we don't
mean "pitch you our product": we genuinely mean help.

Sqreen’s mission is to empower engineers to build secure web applications. We’ve put our
security knowledge to work in compiling an actionable list of best practices to help you
get a grip on your DevSecOps priorities. It’s all on the following pages.


We hope you find it useful. If you do, share it with your network. And if you don't, please
take to Twitter to complain loudly; it's the best way to get our attention.

The Sqreen Team


@SqreenIO
[email protected]

DEVELOPMENT

✔ Make security part of the entire development process


Integrate security early in development and keep it there throughout the whole cycle. Give
security requirements the same weight as functional requirements. In practice this means
adding security controls and processes, and automating the core security tasks in the
workflow, so that developers can address vulnerabilities as they arise and deliver secure,
resilient software.

Read more:
Building security into your DevOps processes
Incorporate Security into DevOps to Reduce Software Risk
Integrating Security into the CI/CD Pipeline: Step-by-Step Recommendations
Introduction to DevSecOps Best Practices for Adoption

✔ Test security throughout the development cycle


Make security testing an integral, continuous part of the entire application development
cycle. Test applications, APIs, containers, data, processes and microservices. Fix flaws
during development, when doing so is easiest and cheapest.

Read more:
Three Effective Ways to Make Application Security Testing a Successful Part of Your DevOps Program
Secure SDLC: Integrating security into your software development life cycle
The DevSecOps Approach to Securing Your Code and Your Cloud

✔ Automate all processes

Automating security, configuration management, testing and other tasks reduces the
teams' workload and speeds up delivery. Automate functional and non-functional security
tests: application, infrastructure and configuration security tests, as well as
application-logic security tests.


Automated Security Testing in a Continuous Delivery Pipeline

✔ Monitor the processes, infrastructure, and apps


Gathering real-time intelligence enables better decisions and more accurate enforcement.
Collect and analyze relevant metrics, event logs and machine data to gain real-time insight
across the application lifecycle, and with it the opportunity to fix issues earlier, faster
and at lower cost.

Sqreen - App Security Monitoring


SumoLogic - Log Monitoring

✔ Generate actionable alerts when there are issues


Deploy a tool that notifies the team when there is an issue. It should send actionable
alerts (what happened, where, how bad, what to do next) to the people who can act on them.

2 Key Principles for Creating Meaningful Alerts
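What an actionable alert looks like in practice, as an added example that is not part of the checklist: the detection below runs over a few constructed access-log lines, groups events by client, and emits alerts that carry the who, what, where, how many and a suggested next step, which is what lets the person paged act without re-deriving the context. The log format (Apache/nginx combined style), the thresholds and the sample lines are assumptions made for this example.

```python
"""Detection logic over constructed access-log lines: turn raw events into
actionable alerts (who, what, where, how many, what to do) rather than a
bare "something happened".  Added example; the log format, thresholds and
sample lines are assumptions, not from the checklist."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Combined-style access log lines, constructed for this example.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Mar/2019:10:00:01 +0000] "POST /api/login HTTP/1.1" 401 120
10.0.0.5 - - [12/Mar/2019:10:00:02 +0000] "POST /api/login HTTP/1.1" 401 120
10.0.0.5 - - [12/Mar/2019:10:00:03 +0000] "POST /api/login HTTP/1.1" 401 120
10.0.0.5 - - [12/Mar/2019:10:00:04 +0000] "POST /api/login HTTP/1.1" 401 120
10.0.0.5 - - [12/Mar/2019:10:00:05 +0000] "POST /api/login HTTP/1.1" 401 120
10.0.0.5 - - [12/Mar/2019:10:00:06 +0000] "POST /api/login HTTP/1.1" 200 512
192.168.1.9 - - [12/Mar/2019:10:00:07 +0000] "GET /api/orders/1 HTTP/1.1" 200 2048
192.168.1.9 - - [12/Mar/2019:10:00:08 +0000] "GET /api/orders/2 HTTP/1.1" 500 90
192.168.1.9 - - [12/Mar/2019:10:00:09 +0000] "GET /api/orders/3 HTTP/1.1" 500 90
203.0.113.7 - - [12/Mar/2019:10:09:00 +0000] "POST /api/login HTTP/1.1" 401 120
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \d+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """One log line -> dict, or None for lines that do not match (dropped, not guessed)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["ts"] = datetime.strptime(d["ts"], TS_FMT)
    d["status"] = int(d["status"])
    return d


def detect(lines, fail_threshold=5, window=timedelta(seconds=60), error_rate=0.5):
    """Return a list of alert dicts.  Two rules:
    1. >= fail_threshold 401/403 responses from one client inside `window`;
       severity is raised if the same path then returns 200 (likely a guessed credential).
    2. 5xx responses at or above `error_rate` of a client's requests (fuzzing or a broken deploy)."""
    events = [e for e in (parse_line(l) for l in lines) if e]
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)

    alerts = []
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        # Rule 1: sliding window over authentication failures
        fails = [e for e in evs if e["status"] in (401, 403)]
        for i, first in enumerate(fails):
            in_window = [f for f in fails[i:] if f["ts"] - first["ts"] <= window]
            if len(in_window) >= fail_threshold:
                later_ok = [e for e in evs
                            if e["ts"] > in_window[-1]["ts"] and e["status"] == 200
                            and e["path"] == first["path"]]
                alerts.append({
                    "rule": "auth-bruteforce",
                    "severity": "high" if later_ok else "medium",
                    "ip": ip, "path": first["path"], "count": len(in_window),
                    "first_seen": in_window[0]["ts"].isoformat(),
                    "last_seen": in_window[-1]["ts"].isoformat(),
                    "action": ("Block IP; force a password reset on the account that then logged in"
                               if later_ok else "Rate-limit IP; review account lockout settings"),
                })
                break  # one alert per client per run
        # Rule 2: server-error ratio
        total = len(evs)
        errors = sum(1 for e in evs if 500 <= e["status"] < 600)
        if total >= 3 and errors / total >= error_rate:
            alerts.append({
                "rule": "5xx-spike", "severity": "medium", "ip": ip,
                "path": ",".join(sorted({e["path"] for e in evs if e["status"] >= 500})),
                "count": errors,
                "first_seen": evs[0]["ts"].isoformat(), "last_seen": evs[-1]["ts"].isoformat(),
                "action": "Check application logs for the failing endpoint; look for malformed input",
            })
    return alerts


def format_alert(a):
    """One line a human can act on: what, who, where, how much, what next."""
    return (f"[{a['severity'].upper()}] {a['rule']}: {a['count']}x from {a['ip']} on {a['path']} "
            f"({a['first_seen']} .. {a['last_seen']}). Next: {a['action']}")


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(format_alert(alert))
```

Run on the sample it reports one high-severity brute-force alert for 10.0.0.5 (five failures followed by a success) and one 5xx-spike for 192.168.1.9; the single failure from 203.0.113.7 stays below the threshold and produces no noise.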

CULTURE

✔ Develop a strong security culture


A strong security culture across development, operations and security is essential. Develop
openness, clear communication paths and strong feedback loops. Make security every team's
responsibility, instead of the traditional approach in which it was solely the work of the
security department.

Shifting Security Left: 3 DevSecOps Challenges and How to Overcome Them


Building a DevSecOps Culture - from a Technical Perspective

✔ Develop Security-as-Code culture


Introduce a security-first mindset without disrupting the agile practices developers rely
on to ship applications. Encourage developers to build security into the code as they write
it.

DevSecOps: 3 Things Infrastructure Pros Should Know


Security as Code DevSecOps 101

✔ Provide training and tools to developers


Ensure that developers have the training, support and tools they need to do their work
efficiently. Promote knowledge sharing and shared decision making across departments to
foster team autonomy.

Read more:
How to build a strong DevSecOps culture
How to Overcome Cultural Challenges and Transform to True DevSecOps
How to build in DevSecOps: Grow culture from the ground up
Overcoming Culture of "No" - All Day DevOps  

ENVIRONMENT

✔ Secure and monitor the entire physical and virtual environment


Secure your entire infrastructure: on-premise and cloud environments, networks, the CI/CD
pipeline, code, data, operating systems and software. Use sustainable processes and tools
to identify and block internal and external attacks, malicious traffic and malicious files.

Infrastructure: ThreatStack
App: Sqreen
Network: Cloudflare  

✔ Gather metrics to gauge success


Collect and act on security and compliance information from on-premise and cloud
environments. Use both high-value and supporting metrics to gain insight and to measure
how effective your security processes are.

Measuring Effectiveness and Success


DevSecOps Guide

✔ Secure and harden the containers


Follow container security best practices. Secure authentication and authorization. Inspect
and scan files, images and containers. Use a private registry such as GCR or Quay, and
build only from trusted, verified base images.

Docker Security Best Practices


Kubernetes Security Guide
Integrating Docker Solutions Into Your CI/CD Pipeline

✔ Isolate Docker containers and Kubernetes workloads
Secure and isolate containers early, often and continuously. Isolate and segment them with
kernel mechanisms such as AppArmor, seccomp and SELinux, and create isolation layers
between applications and between applications and hosts. This reduces the host's attack
surface, restricts access and protects both the host and the co-located containers.

Isolate containers with a user namespace


Docker Container: isolation and security
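As an added example (not from the checklist, Docker or the Kubernetes documentation), the manifests below apply the isolation described above, and the image-trust points from the previous item, to one Kubernetes workload. The first pod is the insecure default; the second runs as a non-root user with a read-only root filesystem, drops all capabilities, enables the runtime's default seccomp and AppArmor profiles, pins the image by digest from a private registry, and is segmented from other applications by a NetworkPolicy. The registry name, image digest, labels and UID are placeholders.

```yaml
# Weak: the defaults.  The container runs as root with the runtime's default
# capabilities, a writable root filesystem, no seccomp filter unless the
# runtime adds one, and a mutable image tag that can change under you.
apiVersion: v1
kind: Pod
metadata:
  name: api-weak
spec:
  containers:
    - name: api
      image: registry.example.com/team/api:latest   # placeholder registry
---
# Hardened: same workload, isolated from the host and from its neighbours.
apiVersion: v1
kind: Pod
metadata:
  name: api-hardened
  labels:
    app: api
  annotations:
    # AppArmor: runtime's default profile (annotation form; the node needs AppArmor)
    container.apparmor.security.beta.kubernetes.io/api: runtime/default
spec:
  automountServiceAccountToken: false   # no cluster credentials unless the app needs them
  securityContext:
    runAsNonRoot: true
    runAsUser: 10001                    # placeholder UID, must exist in the image
    runAsGroup: 10001
    fsGroup: 10001
    seccompProfile:
      type: RuntimeDefault              # seccomp: block rarely needed syscalls
  containers:
    - name: api
      # Pinned by digest from the private registry; the digest is a placeholder
      image: registry.example.com/team/api@sha256:0000000000000000000000000000000000000000000000000000000000000000
      securityContext:
        allowPrivilegeEscalation: false
        readOnlyRootFilesystem: true
        capabilities:
          drop: ["ALL"]                 # add back only what is proven necessary
      resources:
        limits:                         # a runaway container cannot starve neighbours
          cpu: "500m"
          memory: "256Mi"
      volumeMounts:
        - name: tmp
          mountPath: /tmp               # writable scratch space since the root fs is read-only
  volumes:
    - name: tmp
      emptyDir: {}
---
# Segmentation: nothing may reach this pod except the front-end, on one port.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: api-ingress
spec:
  podSelector:
    matchLabels:
      app: api
  policyTypes: ["Ingress"]
  ingress:
    - from:
        - podSelector:
            matchLabels:
              app: frontend
      ports:
        - protocol: TCP
          port: 8080
```

The NetworkPolicy only takes effect on a cluster whose network plugin enforces policies; apply a default-deny policy for the namespace as well, so that new pods start isolated rather than open.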

✔ Perform threat modeling exercise


Threat modeling identifies design flaws and the components most at risk, and gives
security teams the opportunity to prioritize and address flaws by impact. In particular, it
helps teams understand which assets they are protecting, how sensitive those assets are,
the threats against them and the potential impact.

How to measure risk with a better OKR


Threat modeling in: The Ultimate DevSecOps

✔ Automate infrastructure configuration and management


Automate and simplify the configuration and management of servers, infrastructure,
compliance and applications with tools such as Puppet, Chef and Azure Automation Desired
State Configuration (DSC). For example, Chef is an infrastructure-as-code tool that can
automatically provision an environment, apply security settings and deploy applications.

Simplify and expedite server management


Using Puppet to automatically manage server infrastructure
Azure Automation DSC

✔ Harden cloud deployments
Cloud environments provide a secure infrastructure if they are configured properly. Review
team and individual roles and permissions, and grant only the access each needs to do the
job. Enforce two-factor authentication, especially for accounts with elevated permissions.
Check security groups, standard AMIs, IAM roles, MFA tokens and so on.

AWS security
Azure security best practices
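An added example (not from the checklist, AWS or Sqreen) of the review above applied to IAM policy documents: it flags wildcard permissions, mutating actions granted on every resource, and sensitive actions granted without an MFA condition. The two policies and the list of sensitive actions are constructed for the example; in practice the documents would come from the IAM API and the list would be tuned to the account.

```python
"""Audit IAM policy documents for what the checklist says to check:
wildcard permissions, missing MFA on sensitive actions, over-broad resources.
Added example with constructed policies; the principal names are invented."""
import json
from fnmatch import fnmatchcase

# Constructed sample: two inline policies, shaped like the output of
# iam:GetRolePolicy / iam:GetUserPolicy.
POLICIES = {
    "deploy-role": json.dumps({
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
    }),
    "ops-user": json.dumps({
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow",
             "Action": ["s3:GetObject", "s3:ListBucket"],
             "Resource": "arn:aws:s3:::app-assets/*"},
            {"Effect": "Allow",
             "Action": ["iam:CreateUser", "iam:AttachUserPolicy"],
             "Resource": "*"},
            {"Effect": "Allow",
             "Action": "ec2:TerminateInstances",
             "Resource": "*",
             "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}},
        ],
    }),
}

# Actions that must not be granted without MFA (an assumption for this example).
SENSITIVE = ["iam:*", "ec2:TerminateInstances", "s3:DeleteBucket", "kms:ScheduleKeyDeletion"]
READ_ONLY_PREFIXES = ("Get", "List", "Describe")


def as_list(x):
    return x if isinstance(x, list) else [x]


def requires_mfa(stmt):
    cond = stmt.get("Condition", {})
    return cond.get("Bool", {}).get("aws:MultiFactorAuthPresent") == "true"


def is_sensitive(action):
    # match in both directions so the policy's own wildcards ("iam:*") are caught too
    return any(fnmatchcase(action, pat) or fnmatchcase(pat, action) for pat in SENSITIVE)


def is_read_only(action):
    return action != "*" and action.split(":")[-1].startswith(READ_ONLY_PREFIXES)


def audit_policy(name, document):
    """Return findings for one policy as (severity, principal, message) tuples."""
    findings = []
    for i, stmt in enumerate(as_list(json.loads(document)["Statement"])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = as_list(stmt.get("Action", []))
        resources = as_list(stmt.get("Resource", []))
        where = f"{name} statement {i}"
        if "*" in actions and "*" in resources:
            findings.append(("critical", name, f"{where}: full admin (Action '*' on Resource '*')"))
            continue
        if "*" in actions:
            findings.append(("high", name, f"{where}: Action '*' grants every API call"))
        sensitive = [a for a in actions if is_sensitive(a)]
        if sensitive and not requires_mfa(stmt):
            findings.append(("high", name, f"{where}: {', '.join(sensitive)} allowed without MFA"))
        mutating = [a for a in actions if not is_read_only(a)]
        if "*" in resources and mutating and "*" not in actions:
            findings.append(("medium", name,
                             f"{where}: {', '.join(mutating)} on Resource '*' "
                             "(scope to ARNs; an MFA condition does not narrow resources)"))
    return findings


def audit_all(policies):
    """Audit every principal and sort the findings, worst first."""
    order = {"critical": 0, "high": 1, "medium": 2}
    findings = [f for name, doc in policies.items() for f in audit_policy(name, doc)]
    return sorted(findings, key=lambda f: order[f[0]])


if __name__ == "__main__":
    for severity, principal, message in audit_all(POLICIES):
        print(f"{severity:8} {message}")
```

On the sample this yields one critical finding (deploy-role is a full administrator), one high (iam:* without MFA) and two medium findings (mutating actions on every resource); the read-only S3 statement passes.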

CODE

✔ Code security into apps


Write secure code from the start of development through to the finished application.
Build security into the code rather than adding it as an afterthought; this requires
involving the security team throughout development. Keep code and implementations as
simple as possible: complexity is where security bugs hide.

Building Security into Code and Culture


When DevOps met Security — DevSecOps in a nutshell

✔ Continuously review code at every stage


Review code and standards at each stage to ensure they comply with security best
practices. Use SAST and DAST to analyze code, and automated tools to track dependencies
and scan all third-party and open-source code. Perform pre-commit, commit-time,
build-time, test-time and deploy-time checks in your CI/CD pipeline.

Let's Talk About Code Reviews


Codacy - Automated Code Reviews
The best open-source DevOps security tools, and how to use them
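One of the pre-commit checks the item above calls for, as an added example that is not the checklist's own tooling: a scanner that runs over the files about to be committed and blocks the commit when it finds a credential. The rules, the allowlist and the sample files are constructed; wiring it into `.git/hooks/pre-commit` with the `--git` flag is assumed rather than shown. The access key in the sample is the placeholder AWS uses in its own documentation, not a live key.

```python
"""Pre-commit check: scan the text of files about to be committed for
credentials and other things that must never land in the repository.
Added example; rules, allowlist and sample files are constructed, and the
git-hook wiring (this script invoked with --git) is assumed."""
import re
import subprocess
import sys

# Each rule: name, compiled regex, whether a hit blocks the commit.
RULES = [
    ("aws-access-key-id", re.compile(r"\bAKIA[0-9A-Z]{16}\b"), True),
    ("private-key-block", re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH |)PRIVATE KEY-----"), True),
    ("generic-secret-assignment",
     re.compile(r"(?i)\b[\w.]*(password|passwd|secret|api[_-]?key|token)\w*\s*[:=]\s*['\"][^'\"]{8,}['\"]"),
     True),
    ("todo-security", re.compile(r"(?i)#\s*(TODO|FIXME).*(auth|secur|sanitiz)"), False),  # warn only
]

# Paths where matches are expected (fixtures, docs): reported, but never blocking.
ALLOWLIST = ("tests/fixtures/", "docs/")


def scan_text(path, text):
    """Findings for one file: (path, line_no, rule_name, blocking)."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if "# nosecret" in line:          # explicit, reviewable opt-out
            continue
        for name, rx, blocking in RULES:
            if rx.search(line):
                findings.append((path, lineno, name, blocking and not path.startswith(ALLOWLIST)))
    return findings


def staged_files():
    """{path: content} for files staged in git (the real hook path; not exercised offline)."""
    names = subprocess.check_output(
        ["git", "diff", "--cached", "--name-only", "--diff-filter=ACM"], text=True).split()
    return {n: subprocess.check_output(["git", "show", f":{n}"], text=True, errors="replace")
            for n in names}


def run(files):
    """Scan a {path: text} mapping; return (exit_code, findings).  Non-zero blocks the commit."""
    findings = [f for path, text in files.items() for f in scan_text(path, text)]
    return (1 if any(f[3] for f in findings) else 0), findings


# Constructed "staged" files so the check runs offline.
SAMPLE_FILES = {
    "app/config.py": (
        "DB_HOST = 'db.internal'\n"
        "AWS_KEY = 'AKIAIOSFODNN7EXAMPLE'\n"          # AWS documentation placeholder key
        "API_TOKEN = \"sk_live_0123456789abcdef\"\n"   # constructed, not a real token
    ),
    "tests/fixtures/sample_key.pem": "-----BEGIN RSA PRIVATE KEY-----\nMIIB...\n",
    "app/auth.py": "# TODO: add authz check here\nreturn user\n",
}

if __name__ == "__main__":
    files = staged_files() if "--git" in sys.argv else SAMPLE_FILES
    code, findings = run(files)
    for path, lineno, rule, blocking in findings:
        print(f"{'BLOCK' if blocking else 'WARN '} {path}:{lineno} {rule}")
    sys.exit(code)
```

The opt-out marker and the allowlist keep the hook from being disabled by frustrated developers: a false positive is silenced on that one line, in a way a reviewer can see in the diff, rather than by skipping the hook.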

✔ Introduce chaos in the comfort zone


Use chaos engineering to test how well systems respond to security threats under
unfamiliar operating conditions. Run scripts that randomly shut down server instances,
kill containers, disrupt services or create unexpected outages in applications and
infrastructure. This trains teams to build defenses that hold up across a wide range of
conditions.


Chaos Engineering
Chaos Monkey
Unleash the Chaos Monkey

✔ Scan and secure open source code and software


Continuously scan and secure all the open-source components in your code. Maintain an
inventory of the open-source software you use and keep it up to date and free of known
vulnerabilities.

DevSecOps: The Open Source Way
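An added example of the inventory-and-scan loop above (not the checklist's own code, and the advisories are made up rather than real CVE data): parse a pinned requirements file into an inventory, then match each package against an advisory list with version ranges. In practice the advisory feed would be OSV, the GitHub Advisory Database or a tool such as pip-audit; those are mentioned here as the author's assumption, not as something the checklist recommends.

```python
"""Build an inventory of third-party packages from a pinned requirements
file and match it against an advisory feed.  Added example: the
requirements and the advisory entries are constructed, not real data."""
import re

# Constructed pinned requirements (what a lockfile gives you: exact versions).
REQUIREMENTS = """\
# app dependencies
flask==1.0.2
requests==2.19.1
pyyaml==3.12   # used for config loading
cryptography==2.3
"""

# Constructed advisories shaped like OSV/GHSA fields: vulnerable from
# `introduced` (inclusive) up to `fixed` (exclusive).  NOT real advisory data.
ADVISORIES = [
    {"package": "requests", "introduced": "0",     "fixed": "2.20.0", "id": "EXAMPLE-0001", "severity": "medium"},
    {"package": "pyyaml",   "introduced": "0",     "fixed": "5.1",    "id": "EXAMPLE-0002", "severity": "high"},
    {"package": "flask",    "introduced": "1.1.0", "fixed": "1.1.1",  "id": "EXAMPLE-0003", "severity": "low"},
]


def parse_version(v):
    """Dotted numeric versions compared as tuples; a trailing suffix such as 'rc1' is ignored."""
    nums = re.match(r"^(\d+(?:\.\d+)*)", v).group(1).split(".")
    return tuple(int(n) for n in nums)


def parse_requirements(text):
    """{name: version} from 'name==version' lines.  Anything unpinned is an error,
    because an inventory that says 'flask>=1.0' cannot be audited."""
    inventory = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"^([A-Za-z0-9_.-]+)\s*==\s*([0-9][^\s;]*)$", line)
        if not m:
            raise ValueError(f"unpinned or unparseable requirement: {line!r}")
        inventory[m.group(1).lower()] = m.group(2)
    return inventory


def affected(version, introduced, fixed):
    v = parse_version(version)
    return parse_version(introduced) <= v < parse_version(fixed)


def audit(inventory, advisories):
    """Findings sorted worst first: (severity, package, version, advisory id, fixed version)."""
    order = {"critical": 0, "high": 1, "medium": 2, "low": 3}
    findings = []
    for adv in advisories:
        ver = inventory.get(adv["package"].lower())
        if ver and affected(ver, adv["introduced"], adv["fixed"]):
            findings.append((adv["severity"], adv["package"], ver, adv["id"], adv["fixed"]))
    return sorted(findings, key=lambda f: order[f[0]])


if __name__ == "__main__":
    inv = parse_requirements(REQUIREMENTS)
    for sev, pkg, ver, adv_id, fixed in audit(inv, ADVISORIES):
        print(f"{sev:8} {pkg}=={ver}  {adv_id}  upgrade to >= {fixed}")
```

The inventory is the part teams most often skip; without exact versions the scan has nothing to compare, which is why the parser rejects unpinned requirements instead of guessing.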

✔ Start a threat analytics program on your code


Use threat modeling, penetration tests and vulnerability testing to confirm that your
code is secure. Track the number of severe vulnerabilities and how long they stay open
before they are resolved. Analyze the frequency and scope of automated tests, as well as
the number and type of attacks on your applications.

Communicating risk across complex teams  

APIs

✔ Secure your APIs


APIs enable interaction and data sharing between applications, which makes them more
exposed and more prone to security risks. Secure all the APIs the company consumes as well
as those it exposes publicly. Use encryption to protect request data in transit, and limit
the information returned in API error messages.

DevSecOps for your APIs

✔ Authenticate and authorize API users


Use API IDs and API keys to identify and authenticate users, devices or applications. Use
an authorization framework such as OAuth to control which APIs an authenticated user or a
specific API key may access.


REST Security Cheat Sheet


OAuth

✔ Apply security policies to APIs


Approach API security from both the consumption and the exposure perspective. Manage
identities, keys and tokens, certificate policies, and authentication and authorization
policies. Do not forget to log and audit keys, policies and the log stores themselves.

API attacks

✔ Secure all the transmission paths


• Encrypt all connections to prevent man-in-the-middle attacks
• Enforce TLS everywhere (SSL 2.0/3.0 and TLS 1.0/1.1 are deprecated; prefer TLS 1.2 or later)
• Use a Web Application Firewall that can enforce TLS and allow only HTTPS traffic

SSL Server Test
Observatory by Mozilla

✔ Validate input data, content types, and responses


Validate all data to prevent application-layer attacks. Treat input from users, database
systems, external sources and infrastructure as untrusted until it has been validated. In
addition, perform integrity checks as data crosses the boundary between a trusted and a
less trusted environment, so that tampered data does not enter your systems.

Data Validation
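An added example (not from the checklist) of the three checks above: the declared content type, the body against an explicit allowlist schema, and an HMAC integrity check on data handed over by another internal service. The schema, the header names and the shared key are assumptions; the rejected bodies at the bottom are constructed.

```python
"""Validate what crosses a trust boundary: the request's content type, the
decoded body against an allowlist schema, and the integrity (HMAC) of data
handed over by another service.  Added example; schema, headers and the
shared key are assumptions."""
import hashlib
import hmac
import json
import re


class ValidationError(ValueError):
    pass


# Allowlist schema: anything not listed here is rejected, not silently ignored.
ORDER_SCHEMA = {
    "sku":      {"type": str, "pattern": re.compile(r"^[A-Z0-9-]{3,20}$")},
    "quantity": {"type": int, "min": 1, "max": 100},
    "note":     {"type": str, "max_len": 200, "required": False},
}


def validate_content_type(headers):
    ctype = headers.get("Content-Type", "").split(";")[0].strip().lower()
    if ctype != "application/json":
        raise ValidationError(f"unsupported content type {ctype!r}")


def validate_body(raw, schema=ORDER_SCHEMA, max_bytes=4096):
    """Decode and check a JSON body field by field; return only the cleaned fields."""
    if len(raw) > max_bytes:
        raise ValidationError("body too large")
    try:
        data = json.loads(raw)
    except ValueError:
        raise ValidationError("body is not valid JSON") from None
    if not isinstance(data, dict):
        raise ValidationError("body must be a JSON object")
    unknown = set(data) - set(schema)
    if unknown:
        raise ValidationError(f"unknown fields: {sorted(unknown)}")
    clean = {}
    for name, rule in schema.items():
        if name not in data:
            if rule.get("required", True):
                raise ValidationError(f"missing field {name}")
            continue
        value = data[name]
        # bool is a subclass of int in Python: an exact type check keeps `true` out of quantity
        if type(value) is not rule["type"]:
            raise ValidationError(f"{name}: expected {rule['type'].__name__}")
        if "pattern" in rule and not rule["pattern"].match(value):
            raise ValidationError(f"{name}: bad format")
        if "max_len" in rule and len(value) > rule["max_len"]:
            raise ValidationError(f"{name}: too long")
        if ("min" in rule and value < rule["min"]) or ("max" in rule and value > rule["max"]):
            raise ValidationError(f"{name}: out of range")
        clean[name] = value
    return clean


def sign(payload: bytes, key: bytes) -> str:
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def verify_internal_message(payload: bytes, signature: str, key: bytes):
    """Integrity check on data from a separate (trusted, but not infallible) service.
    Constant-time comparison, then the same structural validation as any other input."""
    if not hmac.compare_digest(sign(payload, key), signature):
        raise ValidationError("integrity check failed")
    return json.loads(payload)


def handle_order(headers, raw_body):
    """The path a request takes: content type, then body, then business logic."""
    validate_content_type(headers)
    order = validate_body(raw_body)
    return {"accepted": True, "sku": order["sku"], "quantity": order["quantity"]}


if __name__ == "__main__":
    print(handle_order({"Content-Type": "application/json; charset=utf-8"},
                       '{"sku": "AB-123", "quantity": 2}'))
    for bad in ['{"sku": "AB-123", "quantity": true}',              # wrong type
                '{"sku": "AB-123", "quantity": 2, "is_admin": true}',  # field not in schema
                '{"sku": "<script>", "quantity": 2}']:              # bad format
        try:
            handle_order({"Content-Type": "application/json"}, bad)
        except ValidationError as e:
            print("rejected:", e)
```

Rejecting unknown fields, rather than ignoring them, is the point that matters most for mass-assignment style bugs: a body that smuggles in `is_admin` fails loudly instead of being partly honoured by some later layer.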

✔ Use RBAC to manage access to resources and operations


Role-Based Access Control (RBAC) simplifies the task of assigning users and developers
access rights to resources. Instead of granting each user specific rights, the
administrator creates roles and assigns them to groups of users. This is useful in
organizations with many users to manage and a need to control API use.

Role-based access control


Simple, Secure Role Based Access Control (RBAC) For REST APIs

✔ Prevent API parameter tampering, attacks and hijacks


Tampering with requests lets an attacker reverse-engineer the API, expose data or expose
the service to denial-of-service attacks. Protecting against it keeps your web, cloud and
mobile applications safe. Monitor the APIs, infrastructure and external services to
detect and prevent DDoS attacks.

Understanding API Connectivity to Resolve App DDoS Attacks


Automated security for your web apps
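As an added example covering the three items above (API key authentication, RBAC, and parameter tampering; this is not the checklist's code): API keys are stored hashed and compared in constant time, roles map to permissions, and the order handler checks ownership so that changing the id in the request does not return another customer's order. The key store, the roles and the orders table are constructed for the example.

```python
"""API keys stored hashed and compared in constant time, roles mapped to
permissions, and an ownership check so a changed id in the request does not
reach someone else's object.  Added example; store, roles and orders are constructed."""
import hashlib
import hmac
import secrets

ROLES = {
    "reader":  {"orders:read"},
    "support": {"orders:read", "orders:refund"},
    "admin":   {"orders:read", "orders:refund", "orders:delete", "orders:read_any"},
}


def hash_key(api_key: str) -> str:
    # Keys are high-entropy random strings, so a plain SHA-256 is adequate
    # (no password-style stretching needed); only this digest is stored.
    return hashlib.sha256(api_key.encode()).hexdigest()


def issue_key(store, key_id, owner, role):
    """Create a key and return the secret once; the store keeps only its hash."""
    secret = secrets.token_urlsafe(32)          # never contains '.', so the split below is safe
    store[key_id] = {"hash": hash_key(secret), "owner": owner, "role": role, "active": True}
    return f"{key_id}.{secret}"


def authenticate(store, presented):
    """Look the key up by id, then constant-time compare the hashed secret."""
    try:
        key_id, secret = presented.split(".", 1)
    except ValueError:
        return None
    rec = store.get(key_id)
    if rec is None or not rec["active"]:
        return None
    if not hmac.compare_digest(rec["hash"], hash_key(secret)):
        return None
    return {"key_id": key_id, "owner": rec["owner"], "role": rec["role"]}


def authorize(principal, permission):
    return principal is not None and permission in ROLES.get(principal["role"], set())


# Constructed data: a key store and an orders "table".
KEYS = {}
ALICE_KEY = issue_key(KEYS, "k1", "alice", "reader")
BOB_KEY = issue_key(KEYS, "k2", "bob", "support")
ADMIN_KEY = issue_key(KEYS, "k3", "ops", "admin")
ORDERS = {1: {"owner": "alice", "total": 10}, 2: {"owner": "bob", "total": 25}}


def get_order(store, presented_key, order_id):
    """GET /orders/<id> -> (status, body).  The object-level check is what stops
    parameter tampering: a valid key does not grant access to every id."""
    principal = authenticate(store, presented_key)
    if principal is None:
        return 401, {"error": "unauthorized"}     # no detail about which part failed
    if not authorize(principal, "orders:read"):
        return 403, {"error": "forbidden"}
    order = ORDERS.get(order_id)
    if order is None or (order["owner"] != principal["owner"]
                         and not authorize(principal, "orders:read_any")):
        return 404, {"error": "not found"}        # same answer for missing and not-yours
    return 200, order


if __name__ == "__main__":
    print(get_order(KEYS, ALICE_KEY, 1))      # 200: alice's own order
    print(get_order(KEYS, ALICE_KEY, 2))      # 404: tampered id, belongs to bob
    print(get_order(KEYS, ADMIN_KEY, 2))      # 200: admin holds orders:read_any
    print(get_order(KEYS, "k1.wrong", 1))     # 401
```

Returning 404 for both a missing order and someone else's order keeps the id space from being enumerated; a 403 there would confirm to the caller that the id exists.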

PROTECTION

✔ Protect the entire environment and data


Secure the development and operational environments, code, processes, operating systems
and applications. Beyond the code, ensure adequate protection for all data and for the
infrastructure hardware and software.

✔ Use security best practices and tools


Observe standard security best practices: reduce the attack surface (harden the
infrastructure and services), encrypt data and communication channels, and filter and
block bad traffic and malware. Perform regular audits, log and analyze events, and run
assessments.

✔ Block attacks and unusual behavior


Monitor all traffic to detect and block unusual behavior, including access violations,
abuse of functionality, DDoS and others. This helps prevent both external and internal
attacks.

Block bad actors


Enhance security using behaviour-based indicators of compromise (BIOCs)

✔ Automate security testing and protection


Automatically scan code, infrastructure and applications for vulnerabilities. Use a
security solution that can detect and block attacks such as SQL injection, NoSQL injection
and XSS, and that can protect both on-premise and cloud systems from external attacks that
could compromise the apps and overall security.

Automated security for your web apps

✔ Automate data policy management
Use automated policy enforcement to manage the data lifecycle and data flows. Keep audit
logs from before and after any security incident, and address all audit and compliance
findings.

Audit Logs


✔ Automate security tasks and practices


Use existing DevOps tools to automate security functions. For example:
• Chef – automate security testing
• Puppet – test compliance and enforce security policies
• Ansible – define and automate security practices such as applying custom policies,
configuring firewall rules and locking out certain users
• SaltStack – automate security practices
Combine these common tools with a continuous security monitoring platform.

Automated security Puppet policy driven development
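An added example of the automation described in this item and in "Automate infrastructure configuration and management" above, written for Ansible since the page lists it (the playbook is the editor's, not Sqreen's or Ansible's): it enforces two sshd settings, validates the config before reloading, sets a default-deny host firewall with only SSH and HTTPS open, and locks a shared account. The `web` host group, the account name, and the presence of the `community.general` collection on the control node are assumptions.

```yaml
# Baseline host hardening as code (added example).  Run with:
#   ansible-playbook -i inventory harden.yml
- name: Baseline hardening for web hosts
  hosts: web                       # assumed inventory group
  become: true
  tasks:
    - name: Disable SSH root login and password authentication
      ansible.builtin.lineinfile:
        path: /etc/ssh/sshd_config
        regexp: '^#?{{ item.key }}\s'
        line: '{{ item.key }} {{ item.value }}'
        validate: 'sshd -t -f %s'  # refuse a config that sshd itself rejects
      loop:
        - { key: PermitRootLogin, value: 'no' }
        - { key: PasswordAuthentication, value: 'no' }
      notify: restart sshd

    - name: Allow only SSH and HTTPS in
      community.general.ufw:
        rule: allow
        port: "{{ item }}"
        proto: tcp
      loop: ["22", "443"]

    - name: Default-deny incoming traffic and enable the firewall
      community.general.ufw:
        state: enabled
        policy: deny
        direction: incoming

    - name: Lock the shared legacy account instead of deleting it
      ansible.builtin.user:
        name: deploy-legacy        # assumed account name
        password_lock: true

  handlers:
    - name: restart sshd
      ansible.builtin.service:
        name: sshd
        state: restarted
```

Order matters in the firewall tasks: the allow rules are added before the default policy flips to deny, so a run against a fresh host cannot lock out the Ansible connection itself.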

✔ Complement automatic testing with creative manual tests


Automated test scripts can miss issues that a human eye picks up, and a human tester who
interacts with the software will also find usability and interface problems. Automated
scripts can themselves contain bugs that produce false negatives or false positives.

Reasons Why Manual Testing Can Never Be Replaced
Why Automated Testing Will Never Replace Manual Testing

✔ Deploy post-production protection best practices


Automate scanning and collect application-level metrics on deployment. Use a tool such as
Chef to automate configuration management and the provisioning of the runtime
environment. Use runtime protection (such as RASP) to harden your application code.

Getting runtime application self-protection launched


Sqreen - Harden your app

✔ Limit the attack surface


Build protection and detection measures into the architecture to limit the attack surface,
reduce exposure and, with it, internal and external threats. Focus on high-risk areas such
as web forms, internet-facing code, access-control and session-management code, data from
external sources and other entry points that interface with external networks.

Attack Surface Analysis Cheat Sheet

✔ Use security tools that continue to evolve


Security solutions must keep pace with changing application environments and
infrastructure. They should be able to protect the system and automatically send alerts
when there is a security issue.

Automated security for your web apps

EMPLOYEE BEHAVIOR

✔ Encourage secure employee behavior


Implement a data protection program that combines security best practices with user
education. Raise employees' awareness of personal security and of attacks such as
spear-phishing. Always update and patch operating systems and application software,
preferably automatically.

Security Training

✔ Check employee security behavior


Simulate a criminal attack in a controlled way to identify and fix real-world
vulnerabilities. Use on-premise attacks to test desktop security and visitor controls. Use
red teaming to identify vulnerabilities and their impact on the business and its employees.

Use red teaming to find real-world vulnerabilities

✔ Do a spear-phishing campaign
Run a spear-phishing campaign to test employees' behavior and responses. You can also try
hacking your employees in a controlled manner to assess and address risky internal
behavior and preparedness.

Spear phishing
Create user awareness and training to prevent phishing attacks

Automated Security for your apps.
The first security monitoring and protection platform that automatically prevents attacks before they impact your business.
For development teams, security teams and operations teams.
Get started for free: start your free trial at sqreen.io (www.sqreen.io).
