Development, Security, and Operations (DevSecOps) introduces security early in the application development life cycle, to minimize vulnerabilities and bring security closer to business objectives.
In this article at Jile, Ramkumar Ilangovan explains that if an organization, instead of putting all of its effort into business features, spends some of it on security tests, fixes, and updates, it will save the venture from a security breach or a drastic setback in the future.
An agile team trained in DevSecOps must account for security testing activities in its backlog estimation. This may require a well-planned Continuous Integration and Continuous Delivery (CI/CD) pipeline to automate the testing, so that teams can optimize their security testing effort. Here are some essential factors DevSecOps teams may consider for a faster CI/CD cycle:
- Code-Scanner: An effective CI pipeline includes static code analysis, typically done by integrating code analysis tools such as Sonar and Fortify.
- Extended Unit Testing: For any given backlog item or feature, it is essential to specify the allowed inputs, the available features, and who is allowed to use them. On that basis, unit test automation cases need to be added using JUnit or Cucumber.
- Web-Scanner: Teams must maintain dynamic security testing scripts, such as WebInspect or ZAP scans, for all the key use cases. These run as part of the deployment pipeline and are triggered after the build process.
- Third Party Scanner: An effective CI pipeline must include a step that checks the list of third-party components for known vulnerabilities. Although very few tools are available, use one with the latest vulnerability databases and the ability to generate reports.
- Infrastructure Scanner: As part of the deployment pipeline, teams need to include a step for scanning the security aspects of the infrastructure.
- Vulnerability Taxation: The steps mentioned above may generate many issues or reports. Therefore, teams must keep in mind that most of the tools used for security scanning are inference engines, so their findings have to be reviewed.
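The gating step that ties the scanners above together, as an added example that is not from the article: it merges findings from the code, third-party and web scanners, deduplicates them, drops findings the team has already triaged as false positives, and fails the pipeline on anything at or above a severity threshold. The report fields, tool names, file paths and the vulnerability id are constructed for the example.

```python
# Added example: a CI quality gate that merges the scanners' output, dedupes it,
# drops findings the team has triaged as false positives, and fails the build
# above a severity threshold. Report fields, tool names and ids are constructed.
from dataclasses import dataclass
SEVERITY = {"low": 1, "medium": 2, "high": 3, "critical": 4}

@dataclass(frozen=True)
class Finding:
    tool: str       # pipeline stage that produced it: sast, sca, dast, infra
    rule: str       # scanner rule id or advisory id
    location: str   # file:line, package coordinate, or URL
    severity: str
# Constructed sample findings from three pipeline stages (not real tool output).
SAMPLE_FINDINGS = [
    Finding("sast", "sql-injection", "src/orders.py:42", "high"),
    Finding("sast", "weak-hash", "src/legacy.py:10", "medium"),
    Finding("sast", "weak-hash", "src/legacy.py:10", "medium"),  # duplicate from a re-scan
    Finding("sca", "CVE-0000-00001", "pkg:pypi/examplelib@1.2.3", "critical"),  # placeholder id
    Finding("dast", "missing-csp-header", "https://staging.example/login", "low"),
]

# Triage decisions recorded in the repo (constructed). Each suppression names
# exactly one finding and the reason, so reviewers can see what was waived.
SUPPRESSIONS = {
    ("sast", "weak-hash", "src/legacy.py:10"): "MD5 used as a cache key only, not for security",
}

def triage(findings, suppressions):
    """Deduplicate scanner output and separate reviewed false positives from real findings."""
    seen, kept, suppressed = set(), [], []
    for f in findings:
        key = (f.tool, f.rule, f.location)
        if key in seen:
            continue
        seen.add(key)
        (suppressed if key in suppressions else kept).append(f)
    return kept, suppressed

def gate(findings, suppressions, fail_at="high"):
    """Return (passed, blocking): blocking lists un-suppressed findings at or above fail_at."""
    kept, _ = triage(findings, suppressions)
    blocking = [f for f in kept if SEVERITY[f.severity] >= SEVERITY[fail_at]]
    return not blocking, blocking

if __name__ == "__main__":
    passed, blocking = gate(SAMPLE_FINDINGS, SUPPRESSIONS)
    for f in blocking:
        print(f"[{f.severity.upper()}] {f.tool}: {f.rule} at {f.location}")
    raise SystemExit(0 if passed else 1)  # non-zero exit fails the pipeline stage
```

Keeping the suppression list under version control next to the code means every waived finding is reviewed in a pull request rather than silently dropped in the scanner's UI.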
Click on the following link to read the original article: https://www.jile.io/articles-agile-devops/6-factors-devsecops-teams-CI-CD-pipeline?utm_source=dzone&utm_medium=paid-ad-partner&utm_campaign=dzone-oct18&utm_content=devsecops-blog