DevSecOps: Our Approach

This article is the second part of the series "DevSecOps: Security as Code" and builds upon the overview of DevSecOps presented here.

The approach to implementing DevSecOps in an organization is presented below:

DevSecOps: Our approach

This can be explained through the integration of the following six stages and the PPT (People, Process, Technology) model:

Stages

  • Scoping and requirements: The overall scope is defined by the organization based on its current processes, technology and business needs. The requirements are defined based on the type of service required: implementing security in an existing pipeline, implementing a new DevSecOps pipeline, or providing a managed secure pipeline as a service.
  • Architecture review: The entire network, development, testing and deployment architecture of the organization is reviewed to identify the best approach that can be followed by the organization.
  • Threat modelling and pipeline analysis: The existing DevOps pipeline is analyzed and a threat model is built to identify the organization's existing security gaps and prioritize them based on impact, severity, exploitability, CVSS scores, type of access required, etc.
  • Implementation of a governance model: A governance model is built to define the role matrix, the Segregation of Duties matrix and the escalation chart for each role, user and process involved in the current project.
  • Training and awareness: Training may be provided to raise awareness of the new changes in the pipeline, the new security features and controls added to the existing pipeline, and the requirements to be followed to maximize the benefit to the organization.
  • Continuous integration and re-validation: As the threat landscape expands, new tools and solutions may be integrated into the existing DevSecOps pipeline to counter new threats and attacks and raise the security baseline. The entire pipeline and the integrated tools are re-validated as and when required to ensure business continuity and performance.

PPT Model

  • People: The people involved are the stakeholders who want to implement the solution and the Subject Matter Experts (SMEs). They help identify the existing security threats and the relevant tools and procedures to integrate in order to mitigate these threats.
  • Process: The various processes that may be involved in this approach are Change management, Standard Operating Procedures (SOP), Segregation of Duties (SOD), Business continuity planning (BCP), etc.
  • Technology: The technology required to automate the various stages of security testing, such as SAST, IAST, DAST, VAPT, deployment, etc., and to integrate them into the existing pipeline.

Summing Up

This article discussed the approach to a DevSecOps project.

The next article in this series discusses: Making a plan: Implementation in detail.

Hope you enjoyed the article. Thanks for reading!

More articles by Gaurav Chib

  • DevSecOps: Making a plan
  • DevSecOps: Security as Code