Continuous security is a developer’s Nirvana. Being secure at every moment while developing any type of software is a dream state that is unrealistic to reach. However, if we strive for this elusive goal, we might end up with software that is at least secure enough that an attacker needs substantial resources to breach the application.
Crashtest Security provides software developers with an automated vulnerability scanner for web applications and APIs. Beyond the product, we also want to share our knowledge and best practices around cybersecurity in agile software development.
We will cover the following aspects of continuous security in software development:
Do you have a specific topic you would like to learn more about? Please write us! We promise to release content for your topic within a week.
For the introduction to continuous security, we start with one of the core principles: “continuous delivery”. This topic covers some general terms and definitions around DevOps and agile development. A continuous delivery process takes code that has passed the pipeline's automated tests and publishes it to a production environment without manual steps. Because every change passes through the same pipeline stages, this process is the core enabler for automating and standardizing security tests in software development.
If you have never heard of DevOps or the term “continuous security”, we recommend starting with our basic FAQ on all topics around DevOps. We introduce the general topic, explain why DevOps is introduced to software development teams, and list some benefits. We also cover some basic technologies that drive the success of DevOps and agile development. Plus, you’ll get references for further reading.
If you want to understand the real-life benefits of a continuous delivery workflow, read our blog post “Why Continuous Delivery is Important”. We share the story of a user from a friendly startup trying to implement text changes in their software. The user picked up Heroku, Bitbucket, and the basics of code repository workflows quite quickly. Unfortunately, due to the lack of a continuous delivery process, the changes could not be verified without the agency.
Our final piece on continuous delivery addresses the cybersecurity angle in much more detail. If you are interested in the bits and bytes of secure DevOps processes and red teaming, read our blog post “Why should cybersecurity care about DevOps?”. This article discusses the implications of DevOps and continuous delivery for security teams. We dive deeper into two concrete elements that cybersecurity should address: security champions and standardization through tools. Even as an experienced pentester or developer, you will learn something new.
Our next two sections cover technologies that drive and accelerate DevOps adoption in organizations. This part covers the infrastructure component, namely container security.
Containers package an application together with its userland dependencies (runtime, libraries, configuration) and run it isolated on a shared host kernel. This gives developers the same conditions in development, testing, and production environments. Containers can be configured with specific network, compute, and storage resources, as well as the base image and the software installed on top of it. While this packaging of infrastructure and base-layer software makes life easier for developers, it is also a security concern: a vulnerable base image or a misconfigured container (for example, one whose process runs as root) is reproduced identically in every environment, and because containers share the host kernel, their isolation is weaker than that of virtual machines.
We are preparing a guide that covers the best practices when it comes to container security. These best practices cover learnings we have incorporated ourselves and are a great starting point for any startup or larger organization when setting up the initial architecture. In technical deep-dives, we cover container security itself (e.g. Docker), but also go into the orchestration layer (such as Kubernetes). Read the cybersecurity startup best practices for container security soon!
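Several of the container best practices mentioned above can be checked mechanically at build time, before an image is ever pushed. The script below is an added example written for this page (it is not Crashtest Security's code and not taken from the upcoming guide): a small Dockerfile hygiene check in plain shell that flags an unpinned base image, a missing USER instruction (the process runs as root), a remote ADD, and secrets passed through ENV or ARG. The two Dockerfiles it inspects are constructed inline for the demonstration; the hostname and the placeholder secret value in the weak one are made up.

```shell
#!/usr/bin/env bash
# Dockerfile hygiene check (added example, not Crashtest Security's code).
# Finds the container-security mistakes a build stage can catch cheaply:
#   - base image without a tag, or tagged :latest  -> unreviewed, non-reproducible updates
#   - no USER instruction                          -> process runs as root in the container
#   - ADD with a remote URL                        -> unverified download baked into the image
#   - ENV/ARG carrying a password, secret or token -> persisted in image layers and history
set -u

# Drop leading whitespace from $1.
ltrim() { printf '%s' "${1#"${1%%[![:space:]]*}"}"; }

# check_dockerfile FILE -> prints one finding per line (nothing when clean).
check_dockerfile() {
  local file="$1" has_user=0 line instr args image tagpart upper
  while IFS= read -r line || [ -n "$line" ]; do
    line="${line%%#*}"                         # strip comments (also '#' inside strings; acceptable here)
    line=$(ltrim "$line")
    [ -z "$line" ] && continue
    instr="${line%%[[:space:]]*}"              # instruction keyword
    instr=$(printf '%s' "$instr" | tr '[:lower:]' '[:upper:]')
    args=$(ltrim "${line#*[[:space:]]}")       # everything after the keyword
    case "$instr" in
      FROM)
        image="${args%%[[:space:]]*}"          # drop "AS builder"
        tagpart="${image##*/}"                 # ignore registry:port in the path
        case "$image:$tagpart" in
          scratch:*) ;;                        # the empty image has nothing to pin
          *:latest) echo "unpinned base image (latest): $image" ;;
          *@sha256:*) ;;                       # pinned by digest, the strongest form
          *)
            case "$tagpart" in
              *:*) ;;                          # pinned by tag
              *)   echo "unpinned base image (no tag): $image" ;;
            esac ;;
        esac ;;
      USER) has_user=1 ;;
      ADD)
        case "$args" in
          http://*|https://*) echo "remote ADD, content is not verified: $args" ;;
        esac ;;
      ENV|ARG)
        upper=$(printf '%s' "$args" | tr '[:lower:]' '[:upper:]')
        case "$upper" in
          *PASSWORD*|*SECRET*|*TOKEN*|*API_KEY*) echo "possible secret baked into image via $instr: $args" ;;
        esac ;;
    esac
  done < "$file"
  [ "$has_user" -eq 0 ] && echo "no USER instruction: container process runs as root"
  return 0
}

# count_findings FILE -> number of findings, for use in CI gates.
count_findings() { check_dockerfile "$1" | wc -l | tr -d ' '; }

# Constructed sample input: a typical "works on my machine" Dockerfile.
WEAK_DOCKERFILE=$(mktemp)
cat > "$WEAK_DOCKERFILE" <<'EOF'
FROM python:latest
ADD https://downloads.example.invalid/setup.sh /tmp/setup.sh
ENV API_KEY=constructed-placeholder-value
RUN pip install -r requirements.txt
CMD ["python", "app.py"]
EOF

# Constructed sample input: the same service with the findings addressed.
HARDENED_DOCKERFILE=$(mktemp)
cat > "$HARDENED_DOCKERFILE" <<'EOF'
# Pinning by digest (image@sha256:...) is stronger still; a tag is the minimum.
FROM python:3.11-slim
WORKDIR /app
COPY requirements.txt .
RUN pip install --no-cache-dir -r requirements.txt
COPY . .
RUN adduser --system --no-create-home appuser
USER appuser
CMD ["python", "app.py"]
EOF

echo "weak Dockerfile:";     check_dockerfile "$WEAK_DOCKERFILE"
echo "hardened Dockerfile:"; check_dockerfile "$HARDENED_DOCKERFILE"
```

In a pipeline, `count_findings` can gate the build (`[ "$(count_findings Dockerfile)" -eq 0 ] || exit 1`); note that the secret check is a keyword heuristic on variable names only, so it complements rather than replaces a proper secret scanner, and that pinning by tag still leaves you trusting the registry to serve the same bytes, which is why the hardened file's comment points at digest pinning.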
For readers who are a little more advanced, we have two specific how-to articles around containers:
“Collect Kubernetes Logs on Docker for Mac” gives you a neat workaround for collecting logs with a bash script. This works great on your local cluster when using the built-in Kubernetes functionality of Docker for Mac.
For all Terraform, Kubernetes, and Vault users out there, we have a solution in case you run into a “resource does not have attribute” error. We have a short script for you that automatically creates a Kubernetes service account and uses its JWT token to provision Vault in the cluster.
Another important technological driver for DevOps is microservices, which allow the parts of a complex system to be deployed independently of each other. With a monolithic architecture, the whole application had to be redeployed whenever anything changed. With microservices, you deploy only the service that changed and release a new feature. Most developers use microservice architectures these days (2020 State of Microservices Report). The individual services need to communicate with each other; this happens through APIs, and larger systems place API gateways in front of them. Every API and gateway is an attack surface, so they need to be incorporated in continuous security measures.
We are currently still developing the content for this aspect, so stay tuned! Below is a preview of the soon-to-come content.
Our first article will cover our own microservices implementation and how we had to adapt it over time. This article will dive deeper into APIs and API gateways to teach you "how microservices communicate".
The second content piece will be developed around the cybersecurity aspects of microservices. "How to exploit microservices architectures" will address the pentesting aspects of microservice architectures and is directed towards experienced pentesters and red teams.
Now that we have covered the basics of continuous delivery and the technical aspects, we can start with the advanced integrations and tools that can be plugged into DevOps workflows. We will specifically cover tools that enable security tests. Below is an overview of the different tools you can use in a DevOps environment.
To start with, we have an article that will help you understand the deeper aspects of DevOps by providing further helpful resources. The materials cover culture, a first hands-on app development experience, end-to-end workflow mapping, automation, and KPI topics. Check out this article here: Learn more about DevOps
Next, we have created an overview of the security testing tools in DevOps. This article is a good starting point if you want to understand what types of security testing exist in DevOps - and which tools you can use for each. The story follows the various stages of a CI/CD pipeline, so make sure you understand the fundamentals first. This content is a great way to start on DevOps security!
Finally, we have a 30-minute tutorial on building your own DevSecOps pipeline! This tutorial walks you step by step through setting up an app in Heroku, creating a simple CI/CD workflow with CircleCI, and integrating two tools: a static check of your dependencies against known vulnerabilities (Python safety, run in the SAST stage) and a DAST scan (Crashtest Security). You will also learn about basic GitHub push/pull/commit functionality.
Continuous quality is a topic that we have been asked about many times by customers. When implementing DevOps principles, the role of the quality management or quality assurance (QA) teams changes. In our opinion, it changes for the better.
In our first piece, we cover the fundamental questions of the role of QA teams in DevOps. Visit our FAQ on quality assurance in DevOps if you want to understand the basics. We address questions such as "How does quality testing change with DevOps?" or "How can QA support software developers proactively?".
Currently still in development is our next whitepaper on this topic. "How QA Managers can benefit from agile development" will be published in May. The whitepaper dives deeper into the history of quality assurance in waterfall development and gives specific guidance and best practice examples for the role of QA in DevOps. Finally, the whitepaper also highlights case studies of organizations that already went through the change.
The holy grail of any IT security organization is to reach a state in which security is deeply integrated into the development and operations of applications. This is what continuous security at the highest level looks like.
Our blog post "SecDevOps - No agility without security" explains the benefits of, and trade-offs between, agility and security on a non-technical level. If you are just getting started on the topic and would like to understand what the fuss and the buzzword are all about - start with this content.
If you are already aware of the benefits of DevSecOps and just want to get started, here is a nugget for you: "Six Quick Wins in DevSecOps". From dependency checking to container security, covering specific code snippets and cultural best practices, this article covers the top 6 things you can implement very fast - and get results immediately.