This guide will help you introduce effective DevSecOps practices in your company, regardless of size. We provide explicit guidance and actionable steps to introduce security controls, measure their effectiveness, and demonstrate value for money to your business leaders.
I've been helping software engineering teams build and deploy more secure applications for over 20 years now. I wrote my first hardening document in 2002 for a large insurance company in the US. When I was writing that document there wasn't much information available on the internet about how to secure application environments. What little there was (PCI checklists mostly) was very high-level and super frustrating for an engineer who wants specific tasks that they do and say "I did that thing!". But, here's the thing, as much as I personally hate many "compliance" frameworks, I've come to appreciate them simply because they give you something to test against. It's the way you show that "hey! I'm getting better at this!"
Unfortunately, most compliance frameworks are disconnected from the actual technical things that technical people have to do to make something better. Following compliance guidelines is really important but frameworks like the NIST Secure Software Development Framework (SSDF) talk about theoretical or often non-sensical vulnerabilities. For example, here's a line from the SSDF section PO item 3.2: "Follow recommended security practices to deploy and maintain tools and toolchains." Then in the implementation examples section there are 9 examples that range from evaluating tools and acquiring tools for the developer environment to collecting evidence for an audit. Like, WTF?! How is an engineer supposed to know what to do with that? This is often because the person or group of people writing the framework are technically aligned becasue they come from a risk or GRC background. We want this DevSecOps Playbook to be different. This document is for engineers!
I was inspired by the recent MVSP project which I have profound respect for. But, the MVSP is a framework for defining what a minimally viable secure product is, and not a true checklist of "do this, now do that". This document is NOT meant to replace the MVSP in any way. Instead this is a separate document with a separate target audience and separate philosophy. This document, unlike the MVSP, is meant to be the pentultimate playbook for implementing a DevSecOps program at your company. This document is meant to provide a step by step guide on how to build better software by auditing whats in place now. Finally, I'm selfish and I want a document I can use myself to quickly and efficiently secure an estate of applications.
All companies and applications are unique. Blanket statements like "Shift Left" aren't helpful without context. Enterprises and startups have different tech stacks, funding, workforces, regulation, and more. Context matters, and this document provides a roadmap to use your context to determine your next DevSecOps destination.
We want to secure our applications, from cradle to grave. To do this, we have created five categories that cover the lifecycle of a software application.
- Development Environment
- Source Code Management
- Continuous Integration / Deployment and other Automation
- Deployment
- Organization
- Addendum: Compliance
We use two rating systems.
Priority indicates the order you should implement controls. Difficult indicates how hard implementation is for this control.
The developers laptop is where most of the magic happens, but also where most of the problems are introduced. If you want to shift as far left as you can this is where you want to land much of your embedded security.
| Name | Priority | Description | Difficulty | Maps to security frameworks |
|---|---|---|---|---|
| Secure Code Training | 2 | Developers who receive Secure Code Training are less likely to introduce security bugs, be aware of tooling that can support them, and design systems with security in mind. | Medium |
|
| Source Code Versioning | 1 | Version Control Systems introduce peer review processes, an auditable history, and consistent work patterns between software engineers. | Easy |
|
| .gitignore | 1 | .gitignore files help prevent accidental commits of sensitive, debug, or workstation specific data | Easy |
|
| Pre-Commit Hook Scans | 2 | A Pre-Commit Hook for security scans provides timely feedback to engineers and helps to prevent vulnerable code being introduced to a repository | Easy |
|
| Local Software Composition Analysis | 1 | Helps you find and fix libraries with known security issues | Easy |
|
| Local Static Code Analysis | 2 | Helps you find and fix security vulnerabilities in your source code | Easy |
|
| Local Sensitive Data Analysis | 1 | Audits your repository for secrets, credentials, API keys and similar in dev environment. Secrets stored in source code are visible to other people | Easy |
|
| Application Baseline | 3 | Create an application baseline | Medium |
|
We store our source code in a centralised location, often in the cloud. This, along with git, allow engineers to independently work on the same codebase without affecting each other. As the second stage after writing code, the repository makes sense as the next area to introduce security controls.
| Name | Priority | Description | Difficulty | Maps to security frameworks |
|---|---|---|---|---|
| Source Code Management | 1 | Use a centralized source code management (SCM) system like Bitbucket, GitHub or Gitlab | Easy |
|
| User Roles | 1 | Create unique user and team roles so that access to source code can be tailored | Easy |
|
| SSH | 2 | Use the SSH protocol to access your repositories instead of HTTPS | Easy |
|
| Multi-Factor Authentication | 1 | Make sure all developers use multi-factor authentication (MFA) when pulling, fetching or pushing code to remote. This is especially important if you use company email as your login for SCM | Easy |
|
| Server side git hook | 3 | Utilize a server side git hook like update or post-receive hook to run automatic scans | Medium |
|
| Developer Collaboration | 2 | Use collaboration tools to document the changes to a software application | Difficult |
|
| Pull Requests | 2 | Enforce pull or merge requests so all code is verified by team lead or senior engineer | Medium |
|
| Peer reviews | 3 | Enforce peer reviews by software engineers colleagues to increase code quality and security | Medium |
|
Modern web applications are built using modern continuous integration and deployment processes. This means that you run tests specific to whatever environment you are pushing to whether that's DEV, STAGING or PROD.
| Name | Priority | Description | Difficulty | Maps to security frameworks |
|---|---|---|---|---|
| CI/CD pipeline | 1 | Implement a CI/CD pipeline | Medium |
|
| Application Environments | 2 | Create separate environments for dev, staging and prod, and treat each as independent with its own data, testing and requirements | Medium |
|
| Application Data Separation | 3 | Make sure that dev and test environments are not using the same data as production. If the use of live data is required then make sure that data is anonymized. | Difficult |
|
| CI/CD Administration | 3 | Create and enforce user or team roles so that only the appropriate people can change or disable tests and deployment requirements | Medium |
|
| Credential Store | 1 | Create a secure encrypted place to store senstive credentials like passwords, API keys, etc. | Medium |
|
| Centralized Software Composition Analysis | 1 | Scan source code for vulnerable libraries and open source software from within a CD stage | Easy |
|
| Centralized Static Code Analysis | 2 | Scan source code for vulnerabilities in the source code itself from within a CD stage | Easy |
|
| Centralized Sensitive Data Analysis | 2 | Scan source code for secrets, credentials, API keys and similar from within a CD stage | Easy |
|
| DAST | 3 | Scan running application for vulnerabilities | Medium |
|
Applications are deployed somewhere whether thats an AWS Lambda, S3 bucket or some old crusty server in the corner of the server room. In any case, DevSecOps best practices mean that you need to include that deployment location in your processes.
| Name | Priority | Description | Difficulty | Maps to security frameworks |
|---|---|---|---|---|
| Valid SSL Certificate | 1 | Create and use a valid SSL certificate for each application URL, or implement a wildcard cert | Easy |
|
| Encrypt Traffic | 1 | Encrypt all traffic that's public facing | Medium |
|
| Redirect to HTTPS | 1 | Configure web service to redirect all inbound requests to port 80 to the secure HTTPS endpoint | Easy |
|
| HSTS | 1 | Enable HSTS in your webserver, load balancer or CDN | Easy |
|
| CSP | 1 | Enable content security policy (CSP) in the webserver, load balancer or CDN | Easy |
|
| Use Current Software | 1 | Use the most recent versions of application components, languages, frameworks and operating systems | Difficult |
|
| Alternative Deployment | 3 | Have tested and working altnerative way to deploy changes to your applicaiton other than using your standard process with GitHub or Bitbucket in case they go down. This must include the ability to push to PROD from local in emergencies. | Difficult |
|
| security.txt | 1 | Create a security.txt file in the root of your application so people know how to contact you about security issues | Easy |
|
| X-Forwarded-By | 2 | Configure your webservers, load balancers & web proxies to include the X-Forwarded-By: header | Easy |
|
| Logging | 1 | Collect application logs in realtime and send to centralized storage or SIEM | Medium |
|
| WAF | 2 | Implement a web application firewall (WAF) to protect your application from known attacks | Medium |
|
| CDN | 3 | Use a content delivery network (CDN) whenever possible to add availability and security to you applications | Medium |
|
| Harden Operating System | 2 | Harden operating system using industry best practices from CIS, ISM, etc | Difficult |
|
| Encrypt Storage | 3 | Encrypt all filesystems, disks and cloud storage | Medium |
|
| SBOM | 3 | Generate a real-time software bill-of-materials (SBOM) | Medium |
|
| Monitor Application | 1 | Monitor your application in real-time so you know when its state changes for the worse (or better). This includes uptime, performance and security monitoring | Medium |
|
People don't deploy applications, organizations do. Some steps in the DevSecOps playbook need to be owned by the Organization itself.
| Name | Priority | Description | Difficulty | Maps to security frameworks |
|---|---|---|---|---|
| Penetration Testing | 1 | Have your application pentested regularly | Medium |
|
| Threat Modeling | 3 | Build a collaborative way for developers and security staff to understand the threat landscape for an individual application | Difficult |
|
| SIEM | 3 | Implement a SIEM and send all application, system and cloud logs to it | Difficult |
|
| Attack Surface Management | 1 | Identify public facing resources via automation | Medium |
|
| Sovereignty | 1 | Require that all code is written in, stored in, or otherwise served from a location and/or sovereignty that aligns with orgs requirements | Medium |
|
| Vulnerability Disclosure | 1 | Create and publish a set of procedures to let people contact you when they find security issues in your app | Easy |
|
| Bug Bounty | 3 | Setup a bug bounty program to incentivize security researchers to tell you about vulnerabilities they find | Medium |
|
Because this is meant to be a manifesto about how to do DevSecOps, we have to be cognizant that there are three groups of people that this affects: Developers, Operations and InfoSec. Historically, there are many compliance frameworks that address the InfoSec community and to a lessor extent Operations teams. But software development was never mentioned until only recently. Understanding this, I wanted to note there are only really 4 frameworks that specifically mention software development:
- NIST 800 SA 10, 11, 15, 16 and 17
- ISO 27001 Annex A Section 14
- CIS Section 16
- Australian ISM "Guidelines for Secure Development"
Below you will find links to several security frameworks that align with this document. I have personally spent many years implementing CIS controls into my application environments. CIS is a wonderful framework as its very presciptive and easy for an engineer to understand. This is not to say that CIS controls are easy to implement. They are not! Regardless, you can't deny the ubiquity of ISO27001 and SOC2 and I want this document to help orgs looking to meet those requirements as well. In fact, SecureStack has started a SOC2 program and in parallel to writing this document I am busily mapping SOC2 requirements and will eventually add them to this document.
I had a number of Australian friends suggest that I tackle the Australian ISM and APRA CPS 234 as well so you will see me attempt to map it as well when it makes sense. This is a work in progress and I encourage anyone that is interested to jump in and suggest mappings. You can add an issue in GitHub or simply create a PR.
NIST 800-218 "Secure Software Development Framework" (SSDF) version 1.1: https://csrc.nist.gov/publications/detail/sp/800-218/draft
NIST 800-53B (2021): https://csrc.nist.gov/publications/detail/sp/800-53b/final
Control Families via HTML: https://csrc.nist.gov/projects/risk-management/sp800-53-controls/release-search#!/families?version=5.1
- SA-11: Developer Testing and Evaluation
- SA-15: Development Process, Standards, and Tools
- SA-16: Developer-Provided Training
- SA-17: Developer Security and Privacy Architecture and Design
NIST 800-92: https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-92.pdf
NIST 800-95: Guide to Secure Web Services (2007): https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-95.pdf
The Center for Internet Security is an organization that has been providing very prescriptive security controls since 2000. There are a total of 18 security control groups with section 16 being the group we will be referencing for this document.
https://www.cisecurity.org/controls/application-software-security
It's not the focus of this document, but CIS maintains an amazing set of benchmarks and build playbooks for most operating sytems. I have been using these templates for years and they are a great resource: https://www.cisecurity.org/cis-benchmarks/
The Australian Cyber Security Centre has authored a document called the "Information Security Manual" or ISM as its commonly called. The landing page for this document is https://www.cyber.gov.au/sites/default/files/2021-12/Information%20Security%20Manual%20%28December%202021%29.pdf.
This document is large and has a very broad scope. You can download the complete ISM at https://www.cyber.gov.au/sites/default/files/2021-12/Information%20Security%20Manual%20%28December%202021%29.pdf
In late 2021 the ACSC released the "Guidelines for Software Development" (GSD). These are a general set of guidelines for embedding secure coding practices into an organization. These guidelines are far from authoratative and are not very presciptive with my favorite snippet from the GSD being this little gem: "Platform-specific secure programming practices are used when developing software, including using the lowest privilege needed to achieve a task, checking return values of all system calls, validating all inputs and encrypting all communications." Is that a catch all or what?! Wow! Regardless, I am respectful of the energy that went into this set of guidelines and will continue to try and bring visibility to it as much as I personally can.
You can find the GSD here: https://www.cyber.gov.au/acsc/view-all-content/advice/guidelines-software-development
The Australian Prudential Regulation Authority (APRA) is part of the Australian government and is charged with regulating the financial industry. It published the "Prudential Standard CPS 234" document in 2019 which outlines high level information security requirements.
This document is organized in an unusual way with 8 "attachments" at the end of the doc. It is in these attachments that the security controls and expectations are laid out. You can find the APRA 234 document at https://www.apra.gov.au/sites/default/files/cpg_234_information_security_june_2019_0.pdf.
- mapped all of ISM GSD
- mapped all of SSDF
- mapped CIS section 16
- map remaining ISO 27001 Annex 14
- map CIS section other than 16 to all items
- map remaining NIST 800-53
- map remaining ISM infrastructure
Sponsored with ๐ by SecureStack
React
Typescript
Django
Laravel
Facebook
Microsoft
Google
Alibaba
D3
Tencent