Dev-Sec-Ops

Mehuljain
4 min read · May 10, 2021

What is Dev-Sec-Ops?

Dev-Sec-Ops is a strategy or method that promotes adding security at each phase of development: instead of adding security after the complete application has been developed, security is integrated into each phase of development. In Dev-Sec-Ops, two main goals which are usually assumed to be opposed to each other can be achieved together, i.e. speedy delivery of software and secure code. We can also say “Dev-Sec-Ops is an effort to strive for Secure by Default”.

Why do we need Dev-Sec-Ops?

The way the IT industry is growing, especially due to COVID-19, most companies have shifted to the cloud, so securing the application while it is in its development phase is now the most important thing. Think about it this way: what if some hacker is able to put some sort of malware or virus into your application while it is in the development stage, and you then share the vulnerable application with users? I don't think that would be a good idea.

BENEFITS OF DEV-SEC-OPS-

  • It moves at a rapid pace; old traditional security can't match the speed of DEV-SEC-OPS.
  • It provides more opportunities for automated builds and quality assurance testing.
  • You can find vulnerabilities in your code at a very early stage.
  • Security as part of the process is the only way to ensure safety.

What are the stages in Dev-Sec-Ops pipeline?

Stage 0-

Pre-Commit Hooks-

  • Sometimes, in a hurry, developers forget to remove secrets like SSH keys or access tokens from the application and commit them to GitHub, which is very dangerous. To avoid such mistakes, developers can install pre-commit hooks on their workstations.
  • Some tools which can be used for this are: TALISMAN, GIT-SECRET
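As an added example (not code from the original post or from any of the tools named above), here is a minimal pre-commit hook in Python that scans the staged diff for the kinds of material described above and blocks the commit when it finds any. The regex patterns and rule names are this example's own choices, and it assumes `git` is on PATH when the file is installed as `.git/hooks/pre-commit`.

```python
#!/usr/bin/env python3
"""Pre-commit hook: refuse a commit whose staged changes contain secrets."""
import re
import subprocess
import sys

# Detection rules for the material the text warns about (SSH keys, access
# tokens, hard-coded credentials). Names and regexes are this example's own.
SECRET_PATTERNS = {
    "private-key": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----"),
    "aws-access-key-id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github-token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36}\b"),
    "hardcoded-credential": re.compile(
        r"(?i)\b(?:api[_-]?key|secret|token|password)\b\s*[:=]\s*['\"][^'\"]{8,}['\"]"
    ),
}


def find_secrets(added_lines):
    """Return (line_text, rule_name) for every added line that matches a rule."""
    hits = []
    for line in added_lines:
        for name, pattern in SECRET_PATTERNS.items():
            if pattern.search(line):
                hits.append((line, name))
                break  # one finding per line is enough to block the commit
    return hits


def staged_added_lines():
    """Yield the '+' lines of the staged diff, skipping the '+++' file headers."""
    diff = subprocess.run(
        ["git", "diff", "--cached", "--unified=0", "--no-color"],
        capture_output=True, text=True, check=True,
    ).stdout
    for raw in diff.splitlines():
        if raw.startswith("+") and not raw.startswith("+++"):
            yield raw[1:]


def main():
    hits = find_secrets(staged_added_lines())
    for line, name in hits:
        print(f"[{name}] {line.strip()[:80]}", file=sys.stderr)
    if hits:
        print("Commit blocked: remove the secret and rotate it if it was real.", file=sys.stderr)
        return 1
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

Only added lines of the staged diff are inspected, so secrets that were already committed earlier are not reported by this hook; those need a full-history scanner.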

Stage 1-

Software Composition Analysis-

  • Nowadays 3rd-party libraries play an important role in most software, and remember that we don't write software from scratch, we build it on frameworks, so it is very important to check whether they are safe to use. The main job of Software Composition Analysis is to perform checks to identify vulnerable or outdated 3rd-party libraries.
  • Some tools which can be used for this are: OSS Review Toolkit, Sonatype

Static Application Security Testing (SAST)-

  • In this step, white-box security testing is done on the application to find vulnerabilities like SQL injection, cross-site scripting, insecure libraries, etc.
  • Some tools which can be used for this are: SonarQube, Graudit

Stage 2-

Dynamic Application Security Testing (DAST) -

  • Dynamic Application Security Testing is a form of black/grey-box security testing using automated tools against the running application, because SAST may not get the full picture without the application being deployed. Results from DAST and SAST can be compared to figure out false positives.
  • Some tools which can be used for this are: OWASP ZAP

Stage 3-

Infrastructure scan-

  • It is an automated process to scan different elements of a device, application, or network for possible security flaws. This stage also allows us to perform an audit of the infrastructure. It also checks base images, which can be vulnerable: base images need to be minimal in nature and need to be assessed to identify inherited vulnerabilities. We can also say your environment is only as secure as your base image.
  • Some tools which can be used for this are: OpenVAS, Clair

Stage 4-

Compliance Scan-

  • A compliance scan checks whether all the standard rules that need to be followed are actually being followed. Compliance is essentially a set of rules and hence can be converted into written test cases. It could be an industry standard like PCI DSS, HIPAA or SOX, or any organization-specific standard.
  • Some tools which can be used for this are: InSpec

Stage 5-

Web Application Firewall(WAF)-

  • Web Application Firewalls are a trusted first line of defense for applications, especially to protect against the OWASP Top 10. A WAF protects your web apps by filtering, monitoring, and blocking malicious HTTP/S traffic traveling to the web application, and prevents unauthorized data from leaving the app.
  • Some tools which can be used for this are: ModSecurity, NAXSI

Vulnerability Management system-

  • As we use various tools at different stages, to normalize the data we need a central dashboard where you can find the reports of the different tools together in a much simpler and more understandable way. The Vulnerability Management System can then be integrated with bug tracking systems to allow devs to work on the items.
  • Some tools which can be used for this are: Archery

Below are a few images which show a Dev-Sec-Ops pipeline-

[Image: JAVA Dev-Sec-Ops Implementation]

If you want to learn more about Dev-Sec-Ops, below are some amazing video links-
