The way we build software and systems is rapidly evolving, becoming more and more automated and integrated. Today, developers can define an entire system architecture in code and tie it to tooling which will automate both testing and deployment.
These high-level principles are intended to help development teams integrate security into their development process. The security controls should be a standard part of every sprint.
| # | Activity | Description | Threshold |
|---|----------|-------------|-----------|
| 1 | Security debt | Plan fixing vulnerabilities; replace old or vulnerable open source components. | In every sprint |
| 2 | Threat modeling¹ | Update or re-assess the threat model. | During larger changes |
| 3 | Training² | Plan training in security principles and best practices. | When required |

| # | Activity | Description | Threshold |
|---|----------|-------------|-----------|
| 1 | Version control | Make sure all source code, build scripts, etc. are managed in Git or similar. | Always |
| 2 | Secrets management | Do not hardcode secrets in source code. | Always |
| 3 | Code linting | Use safe programming language constructs. | When possible |
| 4 | Peer review | Enforce peer review. | Always |

| # | Activity | Description | Threshold |
|---|----------|-------------|-----------|
| 1 | Hardened container image | Perform the build using a hardened container image. | Always |
| 2 | SBOM³ | Update the SBOM. | Always |
| 3 | Artefact versioning | Publish the build to an artefact repository and ensure versioning. | Always |

| # | Activity | Description | Threshold |
|---|----------|-------------|-----------|
| 1 | Static code analysis | Perform static code analysis. | Always |
| 2 | Software composition analysis | Perform software composition analysis of open-source components. | Always |
| 3 | Unit testing | Perform unit testing. | 80% |
| 4 | Dynamic code analysis | Perform dynamic analysis. | Always |
| 5 | Fuzz testing | Perform fuzz testing. | On critical source code |
| 6 | Load and performance testing | Perform load and performance testing. | Always |

| # | Activity | Description | Threshold |
|---|----------|-------------|-----------|
| 1 | Vulnerability scanning | Scan the container image for known vulnerabilities. | Always |
| 2 | Secrets management | Retrieve and inject secrets. | Always |
| 3 | Certificate management | Retrieve and inject certificates. | Always |
| 4 | Digital signing | Digitally sign the container image. | Always |
| 5 | Artifact storage | Store build artifacts in a repository and ensure versioning. | Always |
| 6 | Penetration test | Perform a penetration test (e.g. once a year). | Always |

| # | Activity | Description | Threshold |
|---|----------|-------------|-----------|
| 1 | Secrets management | Retrieve and inject secrets. | Always |
| 2 | RASP / WAF | Enroll in a RASP / WAF service. | When required |
| 3 | Database changes | Validate database changes. | Always |
| 4 | Deploy | Deploy to a hardened CNCF Kubernetes cluster or native environment. | Always |

| # | Activity | Description | Threshold |
|---|----------|-------------|-----------|
|   | Digital verification | Validate the digital signature. |  |
| 1 | Resilience verification | Perform chaos (monkey) tests. | At least twice per year |
| 2 | Vulnerability management | Scan the runtime on a regular basis for known vulnerabilities. | In real time or every week |
| 3 | Responsible disclosure | Publish a responsible disclosure policy. | Always |

| # | Activity | Description | Threshold |
|---|----------|-------------|-----------|
| 1 | Logging and monitoring | Review and monitor logs for signs of malicious behaviour. | Daily or automate |
| 2 | Incident response | React and respond to incidents. | All the time :-) |
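
The "Always" rows above only help if the pipeline enforces them. As an added example (not part of the original checklist), the release gate below evaluates one build's evidence against the thresholds in the tables and fails closed when evidence is missing; the evidence dictionary layout, the sample values and the severity cut-off for the image scan are assumptions.

```python
from dataclasses import dataclass, field

MIN_UNIT_TEST_COVERAGE = 80.0  # Test table: "Unit testing ... 80%"
BLOCKING_SEVERITIES = {"CRITICAL", "HIGH"}  # assumed policy; the checklist only says "known vulnerabilities"

@dataclass
class GateResult:
    passed: bool
    failures: list = field(default_factory=list)

def evaluate_release_gate(evidence: dict) -> GateResult:
    """Apply the checklist's 'Always' controls to one build. Missing evidence fails closed."""
    failures = []
    # Code phase: no hardcoded secrets may reach the repository.
    findings = evidence.get("secret_findings")
    if findings is None:
        failures.append("secrets scan: no evidence")
    elif findings:
        failures.append(f"secrets scan: {len(findings)} hardcoded secret(s)")
    # Build phase: the SBOM must have been regenerated for this exact build.
    build_id = evidence.get("build_id")
    if build_id is None or evidence.get("sbom_build_id") != build_id:
        failures.append("sbom: not updated for this build")
    # Test phase: SAST, SCA and DAST are 'Always'; unit coverage has a numeric threshold.
    for check in ("static_analysis", "software_composition_analysis", "dynamic_analysis"):
        if evidence.get(check) is not True:
            failures.append(f"{check}: did not run")
    coverage = evidence.get("unit_test_coverage")
    if coverage is None or coverage < MIN_UNIT_TEST_COVERAGE:
        failures.append(f"unit tests: coverage {coverage} below {MIN_UNIT_TEST_COVERAGE}%")
    # Release phase: image vulnerability scan and a signature on the image.
    vulns = evidence.get("image_vulnerabilities")
    if vulns is None:
        failures.append("image scan: no evidence")
    else:
        blocking = [v["id"] for v in vulns if v.get("severity") in BLOCKING_SEVERITIES]
        if blocking:
            failures.append(f"image scan: blocking findings {blocking}")
    if not evidence.get("image_signed"):
        failures.append("signing: image not signed")
    return GateResult(passed=not failures, failures=failures)

# Constructed sample evidence for one build (not real tool output).
SAMPLE_EVIDENCE = {
    "build_id": "b-0042", "sbom_build_id": "b-0042", "secret_findings": [],
    "static_analysis": True, "software_composition_analysis": True, "dynamic_analysis": True,
    "unit_test_coverage": 83.5, "image_signed": True,
    "image_vulnerabilities": [{"id": "EXAMPLE-VULN-1", "severity": "LOW"}],
}
```

In a real pipeline the evidence would be assembled from the coverage report, the SCA and image-scan output and the signing step, and a non-empty `failures` list would stop the release job.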
¹ In every sprint, re-assess the current threat model by answering the following questions (https://owasp.org/www-community/Threat_Modeling):
To help answer "what can go wrong" and thereby define the right security requirements, the following guides from OWASP may serve as input:
For a more in-depth introduction, please refer to these guides from AWS:
² Always consider when training of junior developers, new hires, etc. is required. The best result is typically achieved through regular dialogue between security champions and development teams.
The following free resources may serve as inspiration:
The following commercial services may be a better choice in Enterprises:
³ Read more about SBOMs here