Unit 1.2 (SDLC)

The document outlines the principles and practices of DevSecOps within the Software Development Life Cycle (SDLC), emphasizing early integration of security, automation, collaboration, continuous monitoring, and secure design. It details the benefits of adopting DevSecOps, including proactive security, faster delivery, cost efficiency, and regulatory compliance, as well as the tools and challenges associated with its implementation. Additionally, it provides a structured approach to incorporating security at each phase of the SDLC, from requirement analysis to operation and maintenance.

Uploaded by

Shrawani Dongre

Application Security - SDLC

By Prof. Vidya Harkal

Overview of DevSecOps
SDLC Overview
Security in CI/CD pipeline
DevSecOps
Key Principles of DevSecOps:

1. Shift Left Security:
○ Security is integrated early in the software development lifecycle (SDLC), during design and development phases.
○ This helps in identifying and resolving vulnerabilities before they progress downstream.
2. Automation:
○ Automated tools are used to perform static code analysis, vulnerability scanning, compliance checks, and more.
○ Continuous integration and continuous delivery (CI/CD) pipelines include security testing.
3. Collaboration and Culture:
○ Encourages collaboration between development, operations, and security teams.
○ Emphasizes a security-first mindset among all stakeholders.
4. Continuous Monitoring:
○ Applications and infrastructure are monitored for threats and vulnerabilities in real time.
○ Feedback loops ensure rapid response to security incidents.
5. Secure by Design:
○ Applications are designed with security as a core requirement, leveraging best practices like least privilege, encryption, and secure coding standards.

Benefits of DevSecOps:

● Proactive Security: Early detection and resolution of vulnerabilities reduce risks.
● Faster Delivery: Automated testing and integration minimize delays caused by traditional security processes.
● Cost Efficiency: Fixing issues earlier in the lifecycle is less expensive than addressing them post-release.
● Regulatory Compliance: Ensures adherence to industry standards and regulations like GDPR, HIPAA, etc.

Tools Commonly Used in DevSecOps:

● Static Application Security Testing (SAST): SonarQube, Checkmarx
● Dynamic Application Security Testing (DAST): OWASP ZAP, Burp Suite
● Dependency Scanning: Snyk, Dependabot
● Container Security: Aqua Security, Twistlock
● Infrastructure as Code (IaC) Security: Terraform Validator, Open Policy Agent
● CI/CD Security: Jenkins, GitHub Actions with integrated security checks

Challenges in DevSecOps:

● Balancing speed with security.
● Training teams on secure coding and tools.
● Managing cultural resistance to new workflows.
● Integrating tools seamlessly into CI/CD pipelines.

Security in SDLC
1. Requirement Analysis (Plan Phase)

● Security Objectives: Define application security goals, such as data protection, user authentication, and access controls.
● Threat Modeling: Identify potential threats and their impact. Use frameworks like STRIDE (Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Elevation of Privilege).
● Compliance Requirements: Address industry standards (e.g., PCI-DSS, GDPR) and ensure regulatory compliance.

Key Outputs:

● Security requirements documentation
● Threat model for the application

Tools:

● OWASP Threat Dragon
● Microsoft Threat Modeling Tool

Design Phase:

● Architect the application with security in mind using secure design principles like least privilege, secure defaults, and defense in depth.

Security Activities:

● Threat modeling refinement.
● Define security controls (e.g., authentication, authorization, encryption).
● Choose secure algorithms and protocols (e.g., TLS, AES).

Tools:

● Lucidchart (for architectural diagrams with security in focus).
● OWASP ASVS (Application Security Verification Standard).

Development Phase:

● Implement the application with secure coding practices to minimize vulnerabilities.
● Regularly scan code for vulnerabilities.

Security Activities:

● Secure coding practices (e.g., OWASP Secure Coding Guidelines).
● Use Static Application Security Testing (SAST) tools.
● Perform peer code reviews with a focus on security.

Tools:

● SAST: SonarQube, Checkmarx, Fortify
● Dependency Scanning: Snyk, Dependabot

Testing Phase:

● Validate the application’s security through rigorous testing.
● Identify vulnerabilities in both the application and its runtime environment.

Security Activities:

● Perform Dynamic Application Security Testing (DAST).
● Conduct penetration testing.
● Use Fuzz Testing to discover unexpected behavior.
● Test APIs and third-party integrations.

Tools:

● DAST: OWASP ZAP, Burp Suite
● Fuzzing: Peach Fuzzer
● API Testing: Postman, ReadyAPI

Deployment Phase:

● Secure configurations for production environments.
● Automate security checks in the CI/CD pipeline.
● Use infrastructure-as-code (IaC) security tools.

Security Activities:

● Secure deployment pipelines with role-based access control (RBAC).
● Conduct pre-deployment vulnerability scans.
● Encrypt secrets and sensitive data.

Tools:

● Infrastructure Security: Terraform Validator, Open Policy Agent
● Secrets Management: HashiCorp Vault, AWS Secrets Manager
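
An added example, not part of the original slides: a pre-deployment gate of the kind the Deployment Phase describes ("automate security checks in the CI/CD pipeline", "conduct pre-deployment vulnerability scans"). The normalized findings format, the waiver records and the names `evaluate_gate`, `SAMPLE_FINDINGS` and `SAMPLE_WAIVERS` are assumptions made for illustration; each real scanner emits its own report format.

```python
import json
from datetime import date

# Constructed sample: findings already normalized from the scan stages.
# Field names are assumptions for this example, not a real scanner's schema.
SAMPLE_FINDINGS = json.loads("""[
  {"stage": "sast", "id": "F-001", "severity": "high", "title": "SQL built by string concatenation"},
  {"stage": "dependency", "id": "F-002", "severity": "critical", "title": "Vulnerable library version"},
  {"stage": "dast", "id": "F-003", "severity": "medium", "title": "Missing security header"},
  {"stage": "iac", "id": "F-004", "severity": "high", "title": "Storage bucket publicly readable"}
]""")

# Constructed waivers: accepted risks, each with an owner and an expiry date.
SAMPLE_WAIVERS = {
    "F-001": {"owner": "app-team", "expires": "2030-01-01"},
    "F-004": {"owner": "platform-team", "expires": "2020-01-01"},  # already expired
}

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}


def evaluate_gate(findings, waivers, fail_at="high", today=None):
    """Return (passed, blocking_ids, waived_ids) for one pipeline run.

    Findings at or above `fail_at` block the deploy unless covered by an
    unexpired waiver. Unknown severities always block (fail closed).
    """
    today = today or date.today()
    threshold = SEVERITY_RANK[fail_at]
    blocking, waived = [], []
    for finding in findings:
        rank = SEVERITY_RANK.get(str(finding.get("severity", "")).lower())
        if rank is not None and rank < threshold:
            continue  # below threshold: reported, but does not stop the deploy
        waiver = waivers.get(finding.get("id"))
        if rank is not None and waiver and date.fromisoformat(waiver["expires"]) >= today:
            waived.append(finding.get("id"))
        else:
            blocking.append(finding.get("id"))
    return (not blocking, blocking, waived)


if __name__ == "__main__":
    passed, blocking, waived = evaluate_gate(SAMPLE_FINDINGS, SAMPLE_WAIVERS)
    print("waived:", waived)
    print("blocking:", blocking)
    raise SystemExit(0 if passed else 1)  # non-zero exit fails the pipeline stage
```

Run as the last step before deployment, the non-zero exit code stops the pipeline; expired waivers stop suppressing their findings, so accepted risks are revisited rather than forgotten.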
Operation and Maintenance (Monitoring Phase):

● Continuously monitor the application in production to detect and respond to threats.

Security Activities:

● Real-time monitoring for anomalies and breaches.
● Regular updates and patching.
● Conduct periodic security audits and compliance checks.

Tools:

● Monitoring: Prometheus, Grafana
● SIEM: Splunk, ELK Stack
● Vulnerability Management: Nessus, Qualys

Security in CI/CD pipeline: Example
