The below section enumerates the application security capability while leveraging the above DevSecOps architecture. One of the prominent reasons why any architecture is not meant to be consumed as a copy-paste template for DevSec- Ops adoption is due to the eco-system governing the organization in terms of people, technology and process.
The reference architecture addresses the people, process and technology aspects as part of implementation approach followed by integrating Continuous Identification, Continuous Integration & Deployment, Continuous Monitoring & Auditing and Continuous Security Governance & Compliance.
a) Continuous Identification empowers the planning phase of SDLC with security offering of conducting Threat Model for business requirements creating a risk profile followed by security control recommendations. Introducing security controls at the right place and time decides the effectiveness of the control with minimal impact on the CI/CD pipeline. A risk-based approach towards security requirements and design goes long way allowing business to prioritize strategic goals in the inception phase of SDLC.
b) Continuous Integration & Deployment empowers the code, build, test, release and deploy phase of SDLC with security capability, conducting verification and validation on proactive security recommendations from Continuous Identification phase. Security Verification entails development team to continuously discover and fix issue on daily basis prior to deploy phase performing Static Application Security Testing (SAST), while Security Validation allows developer to discover and fix issues post deploy phase performing Dynamic Application Security Testing. A risk-based approach towards implementing of security requirement & design reaps cascading returns allowing delivery teams priorities tactical goals.
c) Continuous Monitoring & Audit empowers the operational phase of SDLC with security capability, performing vulnerability confirmation and exploit prevention leveraging agent-based monitoring for application in production and during implementation. Interactive Application Security Testing (IAST) entails continuous monitoring into maintenance code while baking continuous compliance and remediation. Runtime application Self Protection allows to discover and protect live attacks for applications deployed in production environment. A risk-based approach to monitor and audit applications allows operations team to prioritize daily operational objectives.
d) Continuous Security Governance and Compliance empowers all phases of SDLC with automated correlation of vulnerability result, smart vulnerability management and remediation; integrated with leading Governance, Risk and Compliance (GRC) tools for better application security risk management. Placing application security squarely in front of management decision makers for analysis and comparison to arrive at risk-based decisions.
Reference above aims at helping adopter to strategize and implement best practices to deliver continuous security across software development supply chain delivering value to customer.
Wipro’s DevSecOps ecosystem aims at evolving maturity levels rather than an end state. DevSecOps has become a popular buzz word for organizations tackling the ever-evolving security challenge in the digital era. Adopting security into DevOps means incorporating security culture, practice and tooling into all phases of SDLC supply chain. DevSecOps success depends on how an organization can marry culture, automation, measurement and sharing into the golden triad of people, process and technology achieving the business objectives thus making security an influencing factor alongside agility and innovation.