devops, security,

Security improvement in CI/CD DevOps


Introduction

You might be wondering how you can improve the DevOps pipeline or development process. DevOps best practice

Top 5 to consider

Team capabilities

Good teams are the ambition and the assets of the company, so we need to build security awareness in the team.

Security guideline

There are many security guidelines available; we can choose the ones that fit us best, such as Security Compass, SD Elements, HIPAA, PCI and local regulations, and OWASP should be part of the business security risk guidelines.

Implementation capabilities

  • Static Application Security Testing (SAST): Prevents vulnerabilities early in the development process, allowing them to be fixed before deployment
  • Dynamic Application Security Testing (DAST): Once code is deployed, prevents exposure of your application to a new set of possible attacks while your web applications are running
  • Dependency Scanning: Automatically finds security vulnerabilities in your dependencies while you are developing and testing your applications, such as when you are using an external (open source) library with known vulnerabilities
  • Container Scanning: Analyzes your container images for known vulnerabilities
  • Auto Remediation: Auto remediation aims to automate the vulnerability resolution flow by automatically creating a fix. The fix is then tested, and if it passes all the tests already defined for the application, it is deployed to production.
  • Secret Detection: Prevents secrets from accidentally leaking into your Git history. Each commit is scanned for secrets as part of SAST.
  • IAST and Fuzzing: Future features GitLab will be adding to its security capabilities; see GitLab's vision for IAST and fuzzing
  • and more
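The capabilities above are GitLab's; as an added example that is not part of the original post, this `.gitlab-ci.yml` wires the SAST, Secret Detection, Dependency Scanning, Container Scanning and DAST templates into one pipeline. It assumes a repository with a Dockerfile, and the review-environment URL and the job named `build_image` are placeholders.

```yaml
# Added example (not from the original post): GitLab CI pipeline that includes
# the managed security-scanning templates. Assumes the project has a Dockerfile;
# the DAST target URL and the build job are placeholders to adapt.
stages:
  - build
  - test   # SAST, secret detection, dependency and container scanning run here
  - dast   # the DAST template places its job in this stage

include:
  - template: Security/SAST.gitlab-ci.yml
  - template: Security/Secret-Detection.gitlab-ci.yml
  - template: Security/Dependency-Scanning.gitlab-ci.yml
  - template: Security/Container-Scanning.gitlab-ci.yml
  - template: Security/DAST.gitlab-ci.yml

variables:
  # Scan the whole Git history, not only the commits of this pipeline
  SECRET_DETECTION_HISTORIC_SCAN: "true"
  # Keep test fixtures and vendored code out of SAST findings
  SAST_EXCLUDED_PATHS: "spec, test, tests, tmp, vendor"
  # Image produced by build_image below; container scanning reads this variable
  CS_IMAGE: "$CI_REGISTRY_IMAGE:$CI_COMMIT_SHA"
  # Placeholder: URL of the deployed review environment that DAST will crawl
  DAST_WEBSITE: "https://review.example.internal"

build_image:
  stage: build
  image: docker:24
  services:
    - docker:24-dind
  script:
    - echo "$CI_REGISTRY_PASSWORD" | docker login -u "$CI_REGISTRY_USER" --password-stdin "$CI_REGISTRY"
    - docker build -t "$CI_REGISTRY_IMAGE:$CI_COMMIT_SHA" .
    - docker push "$CI_REGISTRY_IMAGE:$CI_COMMIT_SHA"

# The templates mark scanner jobs allow_failure: true, so a scanner that
# crashes or misconfigures would be silently ignored; make those errors block.
secret_detection:
  allow_failure: false
container_scanning:
  allow_failure: false
dast:
  allow_failure: false
```

Scanner findings themselves are written to the job reports and shown in the merge request and Security Dashboard; blocking a merge on findings is configured in the project's approval or scan result policies, not by these jobs exiting non-zero.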

Security Testing

Make sure every environment, application and server has passed penetration testing before launch. We can do several activities, such as:

  • Automation security testing
  • Vulnerability Assessment and Penetration Testing (VAPT)
  • SSAT

Secure monitoring

To make sure production is ready, provide security monitoring that covers:

  • Attack identification
  • Digital assets discovery