Application development has fundamentally changed as a result of the rise of DevSecOps, which has significantly increased time-to-release, facilitated cross-functional collaboration, improved application security, and enabled unprecedented agility. The advantages are obvious, but transitioning to a DevSecOps-based development approach – and doing it well – represents a significant challenge to many organisations’ traditional ways of working.
While the benefits will outweigh the costs, in the long run, organisations may face challenges such as code integration, inconsistency across the build and deploy phases, a lack of visibility into quality metrics, and manual quality control. In fact, we’ve discovered that more than 30% of the time is spent on manual work, 25% on unplanned activities and 36% of released code needs to be reworked.
At AFour Technologies, we ensure that security is built into cloud-based services from the start, through development, production, and decommissioning. Using lightweight, pragmatic approaches that are suitable for continuous delivery, security can be incorporated into agile working practices. Our strategy empowers teams while lowering risk.
This is how our final solution looks like with Jenkins post-integration of Security.
It performs the below tasks serially:
- Pre-commit hooks
- Secret scanning
- SCA (Source Composition Analysis)
- SAST (Static Application Security Testing)
- Auto build creation and deployment
- DAST (Dynamic Application Security Testing)
- Host vulnerability scanning
- Security monitoring and infrastructure misconfigurations (AWS only)
- Vulnerability Management
This is how a target DevSecOps pipeline looks like in reality when it passes through different security checks at each stage of SDLC. This pipeline triggers automatically once a developer makes any changes in the code remotely. We can configure the same per commit or per build basis.
- It reduces costs by minimizing the need to repeat a process to address security issues
- Both Applications and Infrastructure become less susceptible to security breaches when they are deployed and run in a production environment.
- Greater flexibility in managing sudden changes during the development lifecycle
- The use of open-source tools in the CI/CD Pipeline makes our solution unique.
- It monitors AWS infrastructures for security alerts and finds misconfigured resources based on industry best practices like CIS, PCI-DSS and AWS security foundation.
- It aggregates findings from different security tools in a uniform manner which eventually helps in prioritising the defects.
- Automation of security checks
- Continuous monitoring of AWS accounts for security alerts
- Generates a single consolidated report for all the security findings
- Customizable through language-specific security tools, regex/rules
- Cost-effective as most of the tools are opensource
Right now, this solution is readily available for a Java-based application. In future we plan to have:
- Jira Integration
- Container/K8s Scanning
- Check the integration with other CI tools like AWS code build, Azure DevOps, Circle CI and Jfrog
- Security Monitoring with respect to other cloud service providers – Azure and GCP