Use Case:
- A business needs to deploy a basic three-tier application (frontend, backend and database).
- The deployment needs to be on the Azure ecosystem.
- Deployment should take place using the DevSecOps lifecycle.
- Strengthened security measures need to be in place to avoid vulnerabilities before the code goes live.
Solution:
- Implement DevSecOps with Azure DevOps
- Application of security principles such as SAST, DAST and SCA.
What is DevSecOps?
As the name suggests, it is a combination of “Development,” “Security,” and “Operations”. This combination ensures security is applied from the very beginning in the DevOps pipeline. It emphasizes a shift-left approach, where security is integrated at every stage of the development lifecycle.
The concept of “shift-left security”: one of the benefits of SAST tools is their support for “shift-left” security. This is a concept where security checking begins in the initial stages of the development process, before the application is running. By incorporating security scrutiny at the beginning, security vulnerabilities are identified early and security measures are tightened. This results in a more resilient application.
Azure DevOps provides tools and features based on these security principles that help organizations implement DevSecOps practices effectively.
Let’s understand these security principles in a little more detail.
SAST
One of the major issues associated with source code is security weaknesses. That is where “static application security testing,” or SAST, helps. Built to run as automation within DevSecOps pipelines, SAST tools scrutinize the source code line by line and identify any security vulnerabilities. This entire check happens before the code makes it to production, which, in addition to providing protection, lowers the cost of fixing defects. The biggest advantage of running SAST is that it does not require a running system to perform code security checks. Furthermore, it does not slow down the process the way manual code review does.
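The following is an added example, not code from the original article, showing the core of what a SAST tool does: it parses source code into an abstract syntax tree and looks for a dangerous sink (here, a database `execute()` call) fed by a query string assembled at runtime. The sample source it scans is constructed for the example and contains two injectable queries beside their parameterized, hardened counterpart; the rule name `sql-injection/dynamic-query` is a hypothetical identifier.

```python
"""Minimal SAST-style check: flag SQL query strings that are built at runtime."""
import ast

# Constructed sample source (not from any real project). The first two
# functions splice the caller-supplied value into the SQL text; the third
# passes it as a bound parameter, which is the hardened form.
SAMPLE_SOURCE = '''
def find_user_concat(cursor, name):
    # Vulnerable: user input is concatenated into the SQL text
    cursor.execute("SELECT * FROM users WHERE name = '" + name + "'")

def find_user_fstring(cursor, name):
    cursor.execute(f"SELECT * FROM users WHERE name = '{name}'")

def find_user_good(cursor, name):
    # Hardened: the driver binds the value as a parameter
    cursor.execute("SELECT * FROM users WHERE name = %s", (name,))
'''

# Method names treated as SQL sinks for this illustration.
SINKS = {"execute", "executemany"}


def _is_dynamic_string(node: ast.AST) -> bool:
    """True when the query expression is assembled at runtime.

    Only a plain string literal is accepted as static; f-strings, '+' / '%'
    concatenation, .format() calls and any other expression are treated as
    dynamic. This is deliberately conservative, as SAST rules usually are.
    """
    if isinstance(node, ast.Constant) and isinstance(node.value, str):
        return False
    if isinstance(node, ast.JoinedStr):                       # f"..."
        return True
    if isinstance(node, ast.BinOp) and isinstance(node.op, (ast.Add, ast.Mod)):
        return True                                           # "..." + x, "..." % x
    if (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
            and node.func.attr == "format"):
        return True                                           # "...".format(x)
    return True


def scan_source(source: str) -> list:
    """Walk the AST and report every sink called with a dynamic query string."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)):
            continue
        if node.func.attr in SINKS and node.args and _is_dynamic_string(node.args[0]):
            findings.append({
                "line": node.lineno,
                "sink": node.func.attr,
                "rule": "sql-injection/dynamic-query",   # hypothetical rule id
            })
    findings.sort(key=lambda f: f["line"])
    return findings


if __name__ == "__main__":
    for f in scan_source(SAMPLE_SOURCE):
        print(f"line {f['line']}: {f['sink']}() called with a runtime-built query "
              f"[{f['rule']}]")
```

Run stand-alone, the script reports lines 4 and 7 of the embedded sample and stays silent on the parameterized query, which is exactly the signal a pipeline needs to stop the injectable version before it reaches a build.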
DAST
Dynamic Application Security Testing, or DAST, comes into the picture when the application is up and running. DAST works from the outside, looking in and identifying security vulnerabilities at runtime.
DAST tools require a running version of the web application, since DAST crawls web pages and identifies the inputs and outputs of web services. DAST does not concern itself with the source code; instead it simulates penetration-testing-like attacks to uncover security weaknesses and exploitable business-logic issues. The tools do this from an attacker’s point of view, which yields realistic, high-quality results. However, one important thing to keep in mind is that with DAST tools the security check takes place only once the application is running. This may reveal substantial findings late in the cycle, leaving the DevOps team with less time to fix them.
SCA
Often, developers do not have the time to write the entire code base themselves. Hence, to bring features to market faster, the use of packaged open-source code is common. However, with this convenience come potential entry points for security breaches and malicious attacks. Modern DevOps focuses on security governance to ensure protection. The main function of software composition analysis (SCA) tools is to scrutinize open-source components and detect potential security weaknesses, their transitive dependencies and license-compliance issues. This makes the work of the DevOps team considerably easier. Additionally, such analysis can be extended to containerized environments to detect potential threats or security disruptions. Interestingly, some SAST solutions are being combined with SCA to locate weaknesses in proprietary code and vulnerabilities in open-source code alike.
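As an added example (not part of the original article), the following shows the two checks an SCA tool performs over a dependency manifest: matching each pinned version against an advisory feed, and comparing each component’s license with an organizational allowlist. The manifest, the packages, the advisory ids (`ADV-EXAMPLE-…`) and the license metadata are all constructed for the example; a real tool would pull them from a package index and a vulnerability database.

```python
"""SCA-style check over a pinned dependency manifest: known vulnerabilities and license policy."""

# Constructed requirements-style manifest (hypothetical package names).
MANIFEST = """\
# requirements.txt, pinned versions
webframework==2.3.1
imagelib==0.9.4
jsonfast==1.4.0
"""

# Hypothetical advisory feed: package -> [(advisory id, first fixed version, severity)].
# A pinned version below "first fixed version" is affected.
ADVISORIES = {
    "imagelib": [("ADV-EXAMPLE-0001", "1.0.0", "high")],
    "jsonfast": [("ADV-EXAMPLE-0002", "1.3.2", "medium")],   # our pin is already past the fix
}

# Hypothetical license metadata and an organizational allowlist.
LICENSES = {"webframework": "MIT", "imagelib": "GPL-3.0-only", "jsonfast": "Apache-2.0"}
ALLOWED_LICENSES = {"MIT", "Apache-2.0", "BSD-3-Clause"}


def parse_version(version: str) -> tuple:
    """Turn '1.2.3' into (1, 2, 3) so versions compare numerically, not lexically."""
    return tuple(int(part) for part in version.split("."))


def parse_manifest(text: str) -> dict:
    """Read 'name==version' lines, ignoring blanks and comments."""
    deps = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, version = line.split("==", 1)
        deps[name.strip()] = version.strip()
    return deps


def analyze(manifest: str, advisories=ADVISORIES, licenses=LICENSES,
            allowed=ALLOWED_LICENSES) -> list:
    """Return one finding per vulnerable pin and per disallowed license."""
    findings = []
    for name, version in parse_manifest(manifest).items():
        # 1. Vulnerability check: is the pinned version older than the fix?
        for adv_id, fixed_in, severity in advisories.get(name, []):
            if parse_version(version) < parse_version(fixed_in):
                findings.append({"package": name, "kind": "vulnerability",
                                 "id": adv_id, "severity": severity,
                                 "fix": f"upgrade to >= {fixed_in}"})
        # 2. License check: unknown licenses are treated as disallowed.
        lic = licenses.get(name, "UNKNOWN")
        if lic not in allowed:
            findings.append({"package": name, "kind": "license",
                             "id": lic, "severity": "policy",
                             "fix": "review or replace the component"})
    return findings


if __name__ == "__main__":
    for f in analyze(MANIFEST):
        print(f"{f['kind']:13} {f['package']:12} {f['id']:16} {f['severity']:7} -> {f['fix']}")
```

With the constructed inputs, `imagelib` is reported twice (an unpatched advisory and a license outside the allowlist) while `jsonfast` is clean because its pin is already at or above the fixed version; that distinction is why the version comparison must be numeric rather than a string comparison.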
Infrastructure as Code (IaC) Security
Security checks built into the infrastructure-as-code definitions allow infrastructure to be provisioned through automation, with the same policy enforcement on every run. This automation is generally used to build, test and deploy an application.
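The example below is added here and is not from the original article. It shows how an IaC security check works in practice: a rule written in the shape of an Azure Policy definition’s `policyRule` block (`if` / `then`, with `allOf`, `anyOf`, `field`, `equals` and `exists` conditions) is evaluated against ARM-template-style resources before they are deployed. The resources are constructed for the example, and the field resolution is a simplification of real Azure Policy aliases: `type` is the resource type and any other field is looked up by its last path segment inside `properties`. The rule itself mirrors the well-known requirement that storage accounts allow HTTPS traffic only.

```python
"""Evaluate an Azure-Policy-style rule against IaC resource definitions before deployment."""

# Constructed ARM-template-style resources (not from a real deployment).
TEMPLATE_RESOURCES = [
    {"type": "Microsoft.Storage/storageAccounts", "name": "stfrontendweak",
     "properties": {"supportsHttpsTrafficOnly": False}},
    {"type": "Microsoft.Storage/storageAccounts", "name": "stbackendhardened",
     "properties": {"supportsHttpsTrafficOnly": True, "minimumTlsVersion": "TLS1_2"}},
    {"type": "Microsoft.Web/sites", "name": "api-backend",
     "properties": {"httpsOnly": True}},
]

# Rule in the shape of an Azure Policy policyRule: deny a storage account whose
# supportsHttpsTrafficOnly property is missing or false.
HTTPS_ONLY_RULE = {
    "if": {"allOf": [
        {"field": "type", "equals": "Microsoft.Storage/storageAccounts"},
        {"anyOf": [
            {"field": "Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly",
             "exists": "false"},
            {"field": "Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly",
             "equals": False},
        ]},
    ]},
    "then": {"effect": "deny"},
}

_MISSING = object()   # sentinel: the field is absent from the resource


def resolve_field(resource: dict, field: str):
    """Simplified alias resolution (assumption for this example, see lead-in)."""
    if field == "type":
        return resource.get("type", _MISSING)
    key = field.rsplit("/", 1)[-1]
    return resource.get("properties", {}).get(key, _MISSING)


def evaluate(condition: dict, resource: dict) -> bool:
    """Recursively evaluate a condition block against one resource."""
    if "allOf" in condition:
        return all(evaluate(c, resource) for c in condition["allOf"])
    if "anyOf" in condition:
        return any(evaluate(c, resource) for c in condition["anyOf"])
    if "not" in condition:
        return not evaluate(condition["not"], resource)
    value = resolve_field(resource, condition["field"])
    if "exists" in condition:
        wants_present = str(condition["exists"]).lower() == "true"
        return (value is not _MISSING) == wants_present
    if "equals" in condition:
        return value is not _MISSING and value == condition["equals"]
    if "notEquals" in condition:
        return value is _MISSING or value != condition["notEquals"]
    if "in" in condition:
        return value is not _MISSING and value in condition["in"]
    raise ValueError(f"unsupported condition: {condition}")


def check_template(resources: list, rule: dict = HTTPS_ONLY_RULE) -> list:
    """Return the names of resources the rule's deny effect would block."""
    denied = []
    for resource in resources:
        if evaluate(rule["if"], resource) and rule["then"]["effect"] == "deny":
            denied.append(resource["name"])
    return denied


if __name__ == "__main__":
    blocked = check_template(TEMPLATE_RESOURCES)
    print("denied by policy:", blocked or "none")
    raise SystemExit(1 if blocked else 0)
```

Run as a pipeline step, the non-zero exit stops the deployment while the template still contains `stfrontendweak`; the hardened storage account and the unrelated web app pass. Azure Policy applies the same evaluation at deployment time, so running it earlier in IaC gives the shift-left benefit described above.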
How does it work for deploying an application on the Azure ecosystem?
- Developers utilize Visual Studio Code or Visual Studio with security tools (such as SAST) that enable checks for potential code vulnerabilities.
- Developers commit the application code to the GitHub Enterprise repository, which runs automatic security scanning.
- The CI build workflow associated with GitHub generates a Docker container image.
- This is stored in the Azure Container Registry.
- GitHub Advanced Security helps protect sensitive information in your application source.
- Further, security tools are used to scan the images in Azure Container Registry for security vulnerabilities.
- Using the concept of IaC, Azure Policy can be applied for policy compliance and enforcement.
- A security information and event management (SIEM) solution further analyzes AKS cluster logs for any security threats.
- Open-source security tools, such as SCA, are used for penetration testing of web applications and services.
- Once the application is deployed to the Azure ecosystem, DevSecOps tools, such as DAST, are used to detect any security weaknesses.
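Each of the scanning stages above (SAST in the CI build, the container-image scan on Azure Container Registry, DAST after deployment) produces findings, and the pipeline needs one place where those findings decide whether the release may proceed. The following is an added example, not code from the original article, of such a gate: it merges reports in the SARIF 2.1.0 format that most SAST, container-scanning and DAST tools can emit, blocks on any `error`-level result and applies a budget to `warning`-level results. The two reports, the tool names (`example-sast`, `example-image-scan`), the rule ids and the file paths are constructed for the example.

```python
"""Pipeline gate: merge SARIF reports from the scanning stages and decide whether the build may proceed."""
import json

# Constructed SARIF 2.1.0 reports, shaped like the scanners would upload them.
SAST_REPORT = json.dumps({
    "version": "2.1.0",
    "runs": [{"tool": {"driver": {"name": "example-sast"}},
              "results": [
                  {"ruleId": "py/sql-injection", "level": "error",
                   "message": {"text": "Query built from user input"},
                   "locations": [{"physicalLocation": {
                       "artifactLocation": {"uri": "backend/db.py"},
                       "region": {"startLine": 42}}}]},
                  {"ruleId": "py/unused-import", "level": "note",
                   "message": {"text": "Unused import"},
                   "locations": [{"physicalLocation": {
                       "artifactLocation": {"uri": "backend/app.py"},
                       "region": {"startLine": 3}}}]}]}]})

CONTAINER_REPORT = json.dumps({
    "version": "2.1.0",
    "runs": [{"tool": {"driver": {"name": "example-image-scan"}},
              "results": [
                  {"ruleId": "CVE-EXAMPLE-0001", "level": "warning",
                   "message": {"text": "Outdated OS package in base image"},
                   "locations": [{"physicalLocation": {
                       "artifactLocation": {"uri": "Dockerfile"},
                       "region": {"startLine": 1}}}]}]}]})

BLOCKING_LEVELS = {"error"}   # any result at these levels fails the gate outright
MAX_WARNINGS = 5              # budget for warning-level findings before the gate fails


def load_findings(*sarif_texts: str) -> list:
    """Flatten one or more SARIF documents into a single list of findings."""
    findings = []
    for text in sarif_texts:
        doc = json.loads(text)
        for run in doc["runs"]:
            tool = run["tool"]["driver"]["name"]
            for res in run.get("results", []):
                loc = res.get("locations", [{}])[0].get("physicalLocation", {})
                findings.append({
                    "tool": tool,
                    "rule": res.get("ruleId", "unknown"),
                    "level": res.get("level", "warning"),  # SARIF default when omitted
                    "file": loc.get("artifactLocation", {}).get("uri", "?"),
                    "line": loc.get("region", {}).get("startLine", 0),
                    "text": res.get("message", {}).get("text", ""),
                })
    return findings


def gate(findings: list, blocking_levels=BLOCKING_LEVELS, max_warnings=MAX_WARNINGS) -> dict:
    """Decide pass/fail: no blocking-level results and warnings within budget."""
    blocking = [f for f in findings if f["level"] in blocking_levels]
    warnings = [f for f in findings if f["level"] == "warning"]
    passed = not blocking and len(warnings) <= max_warnings
    return {"passed": passed, "blocking": blocking, "warnings": len(warnings)}


if __name__ == "__main__":
    result = gate(load_findings(SAST_REPORT, CONTAINER_REPORT))
    for f in result["blocking"]:
        print(f"BLOCK [{f['tool']}] {f['rule']} at {f['file']}:{f['line']}: {f['text']}")
    print(f"warnings: {result['warnings']}/{MAX_WARNINGS}")
    print("gate:", "PASS" if result["passed"] else "FAIL")
    raise SystemExit(0 if result["passed"] else 1)
```

With the constructed reports the gate fails on the SAST injection finding and exits non-zero, which is what makes the pipeline stop before the container image is pushed or deployed; once that finding is fixed the single image-scan warning stays within budget and the gate passes, so lower-severity items are tracked without blocking every release.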
Conclusion
The application of DevSecOps in deploying a three-tier application to the Azure ecosystem demonstrates a proactive approach to security, one that integrates seamlessly into the development lifecycle. Security principles such as SAST, DAST and SCA ensure that throughout the entire development process the application is guarded against security vulnerabilities and threats. In addition, these tools instill security checks from the very beginning of the development process. Leveraging Azure DevOps alongside security tools provides a comprehensive defense strategy, enabling developers to address security concerns early and continuously. Furthermore, with IaC, the Azure ecosystem provides a robust security check against emerging threats, safeguarding both applications and sensitive data. Therefore, embracing DevSecOps principles will empower your organization to deploy applications safely.