I am in the process of transitioning to a new ISSO position. The current ISSO responded that I didn't understand DevSecOps because I asked about their history of exploits. This seems very unusual to me. First of all, much of their infrastructure is legacy client-server on hardware, with some servers virtualized.
I am not so familiar with cloud-native environments, so I did a little research, since that is a possible alternative for an updated system. Not surprisingly, I found critical remote-access vulnerabilities within cloud-native software architectures.
I wonder what other pros think of the existing ISSO’s response to my question?
So at initial thought, I'd say your friend is mistaken. To say there are zero exploits in a DevSecOps environment sounds premature. DevOps environments are continuously changing, and software exploits appear daily as libraries and packages become outdated.
As a leader in Application Security, I can honestly say that 'zero exploits' is the goal but certainly not realistic when initially shifting to a cloud-native environment, and extremely challenging to maintain.
Even more unrealistic is the opinion that there is no history of exploits. I would heavily question how they are assessing their environment and look to improve the scanners and assessment process.
A good framework to follow for assessing cloud-native environments would be FedRAMP which is a DoD approved modification of the RMF.
You can learn more about this and how to approach assessing a cloud environment here:
Happy to talk more on this!
- Nicolas Moy
Sounds more like an attempt at Secure DevOps rather than a true DevSecOps environment where security is seated in the DevOps team itself. No security person worth the title would ever declare an environment completely vulnerability free. Frankly, I would fire the idiot for saying so, right there on the spot. No questions asked or needed.
As for "shifting left", your CI/CD needs to start at the developer level using a good SAST tool like Veracode or one of the free tools like SonarQube Community Edition. The next stage would be incorporating your DAST, scanning for active and follow-on vulnerabilities from both a static and an environmental coding perspective. Containers may be fine left by themselves, but combined with numerous other containers they may have hidden vulnerabilities not seen on their own. Finally, if you're doing everything correctly, look into IAST, or Interactive Application Security Testing tools, which use thousands of sensors like an old-fashioned IPS but for containers, injected into the container itself. I have seen IAST replace more expensive pentesters and give me better reports/actionable items to follow up on, and as a bonus, it doesn't burn out as fast as human pentesters.
Even deploying all three layers and following up with good feedback at each level, you're still going to have some flaws, but combined with a solid active defense it should make the life of your average "electronic burglar", aka "hacker", far more difficult than the average web-based application does. Also look at your architecture as a whole. Are you using event-based architecture, where you can start and stop services from automagically running to find intruders? I can list another dozen or so active and passive architecture principles to make anything extremely difficult to penetrate, but it doesn't mean the best of designs and procedures will ever be impenetrable. Unless of course you're talking about a Government system, then we know it's impenetrable.
If you are a DevSecOps professional or are in the process of becoming one, what according to you is the ideal learning path? What are the concepts you would master, and in what progression? What are the certifications you would choose to attain, and in which order? What are the tools you would master, and what is the best way you would learn them so that you understand them best? If you are already a DevSecOps professional, how have you done it? What are the things you would change, do, or avoid doing? If you're on your way to being a DevSecOps professional, how are you progressing? What methods are you using to learn better? What struggles are you facing? What obstacles did you overcome?
Hey @Dagmar, I want to make sure I follow the community guidelines by not promoting any products, but I'll be creating free content on 'shifting into DevSecOps' on my YouTube channel starting in 2021.
In the meantime, my recommendation is that you learn how a CI/CD pipeline works (play with Jenkins, learn cloud CI pipeline tools, etc.) and begin developing automated security checks in a fictitious pipeline you play with in your sandbox.
Outside of just automated code scanning, begin exploring what you can do with GRC testing, container testing, etc. There are lots of fun projects you can play around with at home that would be very beneficial and lucrative to organizations.
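The two replies above both point at the same first step: a SAST stage that runs in CI and fails the build on its own, which is the kind of automated security check you can build in a sandbox pipeline. The following is an added example, not code from any poster in this thread or from any scanner vendor. It assumes the scanner emits a SARIF 2.1.0 report (the interchange format most SAST tools can produce; SonarQube is mentioned above, but nothing here is specific to it), embeds a constructed sample report so it runs offline, and applies a gate policy: any finding at the configured severity blocks, an optional warning budget blocks, and findings the scanner already marked as suppressed are ignored. The rule ids, file paths and messages in the sample are made up.

```python
"""CI gate that fails a build on SAST findings above a severity threshold.

Added example for a sandbox pipeline. Reads a SARIF 2.1.0 report and returns
a non-zero exit status when the gate policy is violated. The sample report
below is constructed for the demonstration and does not come from a real scan.
"""
import json
import sys

# SARIF result levels, ordered by severity.
LEVEL_RANK = {"none": 0, "note": 1, "warning": 2, "error": 3}

# Constructed sample SARIF output: one error (level taken from the rule's
# default), one warning, and one suppressed warning that the gate must skip.
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "example-sast", "rules": [
            {"id": "SQLI-001", "defaultConfiguration": {"level": "error"}},
            {"id": "LOG-002", "defaultConfiguration": {"level": "warning"}},
        ]}},
        "results": [
            {"ruleId": "SQLI-001",
             "message": {"text": "String concatenation used to build SQL query"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "app/db.py"},
                 "region": {"startLine": 42}}}]},
            {"ruleId": "LOG-002", "level": "warning",
             "message": {"text": "Sensitive value written to log"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "app/auth.py"},
                 "region": {"startLine": 17}}}]},
            {"ruleId": "LOG-002", "level": "warning",
             "message": {"text": "Sensitive value written to log"},
             "suppressions": [{"kind": "inSource"}],
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "app/debug.py"},
                 "region": {"startLine": 3}}}]},
        ],
    }],
})


def _rule_levels(run):
    """Map rule id -> default level declared by the tool driver."""
    rules = run.get("tool", {}).get("driver", {}).get("rules", [])
    return {r.get("id"): r.get("defaultConfiguration", {}).get("level", "warning")
            for r in rules}


def load_findings(sarif_text):
    """Flatten a SARIF document into dicts with rule, level, file, line, message.

    A result without an explicit level inherits its rule's default (SARIF
    semantics); results carrying any suppression are dropped.
    """
    doc = json.loads(sarif_text)
    findings = []
    for run in doc.get("runs", []):
        defaults = _rule_levels(run)
        for res in run.get("results", []):
            if res.get("suppressions"):
                continue
            level = res.get("level") or defaults.get(res.get("ruleId"), "warning")
            loc = (res.get("locations") or [{}])[0].get("physicalLocation", {})
            findings.append({
                "rule": res.get("ruleId", "?"),
                "level": level,
                "file": loc.get("artifactLocation", {}).get("uri", "?"),
                "line": loc.get("region", {}).get("startLine", 0),
                "message": res.get("message", {}).get("text", ""),
            })
    return findings


def evaluate_gate(findings, fail_level="error", max_warnings=None):
    """Return (passed, summary). Blocks on any finding at/above fail_level,
    and on more than max_warnings warning-level findings when a budget is set."""
    threshold = LEVEL_RANK[fail_level]
    blocking = [f for f in findings if LEVEL_RANK.get(f["level"], 0) >= threshold]
    warnings = [f for f in findings if f["level"] == "warning"]
    passed = not blocking
    if max_warnings is not None and len(warnings) > max_warnings:
        passed = False
    return passed, {"total": len(findings), "blocking": len(blocking),
                    "warnings": len(warnings)}


def main(argv):
    """Usage: sast_gate.py [report.sarif]; falls back to the embedded sample."""
    text = open(argv[1]).read() if len(argv) > 1 else SAMPLE_SARIF
    findings = load_findings(text)
    passed, summary = evaluate_gate(findings, fail_level="error", max_warnings=5)
    for f in findings:
        print(f"[{f['level']:7}] {f['rule']} {f['file']}:{f['line']} {f['message']}")
    print(f"gate {'PASSED' if passed else 'FAILED'}: {summary}")
    return 0 if passed else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Wire the script in as a pipeline step after the scanner writes its report; the non-zero exit status is what makes the stage fail. Keeping the policy (blocking level, warning budget) in the gate rather than in the scanner's configuration lets the same rule apply to every tool that can emit SARIF, and honouring in-source suppressions keeps reviewed false positives from blocking every subsequent build.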
Thank you for your response. I am a new Security Professional in my organization and have historically seen that those who are not Security Professionals lack the knowledge to trust the advice from those of us in the profession, especially where the existing professional is highly regarded but seems not to agree with my knowledge. I may use your response, text only, with no reference to you, to support my position.
DevSecOps primarily focuses on reducing the turnaround time compared with scanning the code manually. It is also a good option for scanning the code at various levels, such as static, open-source libraries, dynamic, cloud, container, etc. As long as there is a vulnerability in code, in the tech stack, in config, etc. and a corresponding threat component, exploits will continue to happen. No exploits is the ultimate goal with Defense in Depth, not with DevSecOps alone.
Thank you for a great response. I may use your response to support my own to my supervisors. One of the challenges I often face is that my supervisors don't know who to trust because they do not have enough knowledge about cyber security themselves.
My recommendation is to bring in an accredited third party who can advise on what's needed. Sometimes that's necessary in order to shine a light with executive leadership.