DevSecOps

DevOps adoption continues to mature, and as organizations are getting better at breaking down silos in the development and delivery process to ship software faster, security is moving to the forefront. In fact, Forrester predicted that 2019 would be the year of security:

“Many organizations have succeeded in automating continuous release and deployment for some applications but face increasing risk from lack of governance and fragmented toolchains.”

Application Security

Application Security is complex when security is separated from your DevOps flow. Security has always been the final hurdle in the development lifecycle. Iterative development workflows can make security a release bottleneck. Your team doesn’t have enough resources to test all of your code, and hiring more experts won’t automatically reduce the friction between your app sec and engineering teams. Only testing major releases, or limiting tests to certain apps, leaves weak spots hackers will exploit. You need a way to balance risk and business agility. Instead of waiting for security at the end of the development process, you can include it right within your DevOps workflow. That’s the reason why you need DevSecOps.

Security Dashboard Demo:

Lyra Infosystems are Premier Partners of GitLab. Let’s get into more detail on what DevSecOps is, why it is required and how it works with GitLab.

What is DevSecOps?

DevSecOps integrates security best practices into the DevOps lifecycle workflow. It automates security workflows to create an adaptable process for your development and security teams. DevSecOps is the natural next iteration of DevOps.

Why is DevSecOps needed?

Balancing business velocity with security is possible. With GitLab, the DevSecOps architecture is built right into the CI/CD process. Every merge request’s pipeline scans your code and its dependencies for security vulnerabilities. This is what makes the benefits below possible.

How Can You Benefit from DevSecOps?

  • Every piece of code is tested upon commit, without any incremental cost.
  • Your developers can remediate security vulnerabilities now, while they are still working in that code, or create an issue with one click.
  • The dashboard for the security pro shows a roll-up of the remaining vulnerabilities that developers did not resolve on their own.
  • Security vulnerabilities can be efficiently captured as a by-product of software development.
  • A single tool also reduces your cost compared with buying multiple tools and taking the pains to integrate and maintain them.

What Are The GitLab Advantages?

  • Contextual: Unlike traditional application security tools primarily intended for use by security pros, GitLab secure capabilities are built into the CI/CD workflows where the developers live. We empower developers to identify vulnerabilities and remove them early, while at the same time providing security pros a dashboard to view items not already resolved by the developer, across projects. This contextual approach helps each role deal with the items that are most important and most relevant to their scope of work.
  • Congruent with DevOps processes: GitLab’s secure capabilities support the decision-makers within their natural workflow. Reports are interactive, actionable, iterative and, most importantly, immediate and relevant to the changes made. Developers can immediately see the cause and effect of their own specific changes, so they can iteratively address security flaws alongside code flaws.
  • Integrated with DevOps tools: When triaging vulnerabilities, users can confirm them (creating an issue to solve the problem) or dismiss them (in case they are false positives or there are compensating controls). When using GitLab, no additional integration is needed between app sec and ticketing, CI/CD, etc.
  • Efficient and automated: Eliminates mundane work wherever possible. Auto remediation applies patches to vulnerable dependencies and even re-runs the pipeline to evaluate the viability of the patch.

Deep Dive into a Security Demo

DevSecOps Capabilities:

  • Static Application Security Testing (SAST): Finds vulnerabilities early in the development process, allowing them to be fixed before deployment.
  • Dynamic Application Security Testing (DAST): Once code is deployed, protects your application against a new set of possible attacks that only arise while your web application is running.
  • Dependency Scanning: Automatically finds security vulnerabilities in your dependencies while you are developing and testing your applications, such as when you are using an external (open source) library with known vulnerabilities.
  • Container Scanning: Analyzes your container images for known vulnerabilities.
  • Auto Remediation: Auto remediation aims to automate the vulnerability resolution flow by automatically creating a fix. The fix is then tested, and if it passes all the tests already defined for the application, it is deployed to production.
  • Secret Detection: There are several types of secrets that need to be protected. Each commit is scanned for secrets within SAST.
  • IAST and Fuzzing: These are future features GitLab will be adding to its security capabilities.

Continuous security testing within CI/CD

How can Static Application Security Testing (SAST) help?

  • Scan the application source code and binaries to spot potential vulnerabilities.
  • Vulnerabilities are shown in-line with every merge request and results are collected and presented as a single report.
  • Evaluate vulnerabilities from the GitLab pipeline and dismiss or create an issue with one click.

To know more about SAST, see SAST features.

How can Dynamic Application Security Testing (DAST) help?

  • Dynamic scanning earlier in the SDLC than previously possible, by leveraging the review app CI/CD capabilities of GitLab.
  • Test running web applications for known runtime vulnerabilities.
  • Users can provide HTTP credentials to test private areas.
  • Vulnerabilities are shown in-line with every merge request.

To know more about DAST, see DAST features.

How can Dependency Scanning help?

  • Analyze external dependencies (e.g. libraries like Ruby gems) for known vulnerabilities on each code commit with GitLab CI/CD.
  • Identify vulnerable dependencies needing updating.
  • Vulnerabilities are shown in-line with every merge request.

How can Container Scanning help?

  • Check Docker images for known vulnerabilities in the application environment.
  • Avoid redistribution of vulnerabilities via container images.
  • Vulnerabilities are shown in-line with every merge request.

How can License Compliance help?

  • Automatically search project dependencies for approved and blacklisted licenses defined by your policies.
  • Custom license policies per project.
  • License analysis results are shown in-line for every merge request for immediate resolution.
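As an added example that is not from the original post or from GitLab’s own documentation, the following `.gitlab-ci.yml` wires the scanners described above into a single merge-request pipeline: the merge request builds an image, runs SAST, Dependency Scanning, Container Scanning and License Scanning against it, deploys a review app, and points DAST at that review app. It assumes a GitLab tier that ships these templates; the review-app domain, the `deploy_review.sh` script and the `DAST_TEST_*` masked CI/CD variables are placeholders you would replace.

```yaml
# Constructed example (not the post's or GitLab's own code). Template and
# predefined variable names are GitLab's; check them against your version.
stages:
  - build
  - test      # SAST, Dependency Scanning, Container Scanning, License Scanning
  - review
  - dast      # runs only after the review app is up

include:
  - template: Security/SAST.gitlab-ci.yml                 # secret detection ran inside SAST at the time of the post
  - template: Security/Dependency-Scanning.gitlab-ci.yml
  - template: Security/Container-Scanning.gitlab-ci.yml
  - template: Security/License-Scanning.gitlab-ci.yml
  - template: Security/DAST.gitlab-ci.yml

build:
  stage: build
  image: docker:stable
  services:
    - docker:dind
  script:
    - echo "$CI_REGISTRY_PASSWORD" | docker login -u "$CI_REGISTRY_USER" --password-stdin "$CI_REGISTRY"
    # Tag matches the Container Scanning template's default image so it needs no extra variables.
    - docker build -t "$CI_REGISTRY_IMAGE/$CI_COMMIT_REF_SLUG:$CI_COMMIT_SHA" .
    - docker push "$CI_REGISTRY_IMAGE/$CI_COMMIT_REF_SLUG:$CI_COMMIT_SHA"

review:
  stage: review
  script:
    - ./deploy_review.sh "$CI_COMMIT_REF_SLUG"   # placeholder deploy script for the review app
  environment:
    name: review/$CI_COMMIT_REF_SLUG
    url: https://$CI_COMMIT_REF_SLUG.review.example.com   # placeholder domain
  only:
    - merge_requests

# Override the template's dast job so it scans this branch's review app.
dast:
  stage: dast
  variables:
    DAST_WEBSITE: https://$CI_COMMIT_REF_SLUG.review.example.com
    # Credentials for private areas come from masked project CI/CD variables,
    # never from the repository itself (placeholder variable names).
    DAST_USERNAME: $DAST_TEST_USER
    DAST_PASSWORD: $DAST_TEST_PASSWORD
  only:
    - merge_requests
```

Each job uploads its report artifact, which is what the merge-request widget and the security dashboard read to show findings in-line and let a reviewer dismiss them or open an issue.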

DevSecOps in a single application

With our tool you can get DevSecOps in one single application. The advantages of a single application are numerous: A single sign-on eliminates the need to request access to each separate tool, context switching is reduced which improves cycle time, and work is tracked in one place so you don’t have to do detective work to find the information you need. According to Forrester’s Manage Your Toolchain Before It Manages You report, over 40% of enterprises anticipate improved quality, security, and developer productivity by using an out-of-the-box solution. For security professionals, this means that balancing velocity with security is possible.

Interested in GitLab licensing? We can help! Contact us now
