Secure SDLC and DevSecOps

In the last five posts of our new series, 'Secure Your Start-ups' (follow the hashtag #sumerusecureyourstartup), I have talked at length about various elements of securing your start-up. 

In this article, I will walk you through the basics of securing the SDLC and of DevSecOps in the context of start-ups. 

Let's dive in. 

We have seen the importance of security across various domains, especially from the infrastructure perspective. One of the essential parts of building a secure application or product is to build security into it right from the beginning.  

It can involve activities such as carrying out threat modeling with architects, educating developers on secure coding practices, helping quality testers create security test cases as part of functional or unit testing, and lots more.  

This article will first walk you through how Sumeru helps create a secure SDLC process for your start-up to identify issues early on before they become a problem. 

As seen below, web application attacks are the top attack vector used by attackers to compromise organizations, making it critical to focus on the application security side.

[Image: web application attacks as the top attack vector]

Let's delve deeper and understand more about Secure SDLC and DevSecOps and how they would help a start-up early on. 

Software Development Life Cycle (SDLC) 

Software Development Life Cycle (SDLC) is typically a framework for building an application end to end, starting with different phases from requirements gathering to deployment and maintenance, as shown in the below image. 

[Image: SDLC phases from requirements gathering to deployment and maintenance]

Over time, organizations have adopted various models, from waterfall and iterative to Agile and beyond, to build robust applications phase by phase. One crucial component, security, was not considered in these models, which led to security activities being added at each phase to ensure security is addressed at all stages of the software development lifecycle. 

[Image: cost of fixing bugs at each development phase]

The above image shows the cost of fixing bugs rising many-fold when they are fixed post-release, which emphasizes the "Shift Left" security approach: moving security earlier in the development process. With the developers acting as the first line of defense, educating them on writing code in a secure fashion dramatically reduces the application development cost in the long run.  

Secure Software Development Life Cycle (Secure SDLC) 

Sumeru's Secure SDLC uses one of the most common and popular Secure SDLC frameworks from Microsoft and customizes it based on the needs of the start-up. 

[Image: Sumeru's Secure SDLC process]

Security training is a critical component in this process; it has to be ongoing and involve everyone who is part of the process: architects, developers, testers and others. Architects can carry out threat modeling at the design stage, which helps determine the risk early on and design security features for the product. It is also essential to perform source code reviews as well as penetration tests to identify any possible vulnerabilities post development. 

Some standard tools used are: 

  • Threat Modeling – Microsoft Threat Modeling Tool, OWASP Threat Dragon, Threagile, etc. 
  • Secure Code Review – Checkmarx, Veracode, Micro Focus Fortify, SonarQube 
  • Security scanners – Burp Suite, Acunetix, Netsparker, etc. 

Now, let's briefly look at DevSecOps and how, as a start-up, you should move along. 

DevSecOps 

With development moving swiftly, DevOps has become the go-to approach for the needed speed, and start-ups operate DevOps pipelines with various integrations to meet the required speed and scale, with multiple commits a day. It is essential to adopt the "Shift Left" principle for security, where security is moved from post-release to very early in the life cycle so that security issues are addressed more efficiently. 

DevSecOps Advantage  

To keep up with development speed, security needs to scale up, but it is often seen as a roadblock and is usually prioritized only if it is "urgent and important" in the fast-moving start-up world.  

To fix this gap, DevSecOps has evolved as a cultural shift where security is not seen as a separate function but as a well-integrated responsibility of the Dev and Ops teams.  

  • DevSecOps is about security being everyone's responsibility, supported by tools, processes, and cultural changes. 
  • DevSecOps brings much-needed speed to security and helps resolve security issues early in the development lifecycle. 
  • It automates multiple security tasks, which helps achieve compliance efficiently. 

Tools Selection

If you are a start-up tight on budget, open-source tools provide ample options. Still, it's a trade-off: support may be restricted to community forums, false-positive rates can be high, and with limited bandwidth, using open-source tools requires careful planning. 

Use tools that allow customization, provide APIs and command-line options, produce fewer false positives, support containers, and produce consumable results. 

Sumeru's approach  

A typical DevSecOps engagement for start-ups begins with studying the current DevOps model, then designing a clear DevSecOps plan that evaluates the nature of the business, the resources in hand, budget limitations, and technical requirements.  

Sumeru considers the current security culture in your organization, supports the start-up team in scaling up to the required security understanding, and methodically introduces security tools into the pipeline. Some pilot pipelines are run, and work is done to fine-tune the tools and minimize false positives. 

A security champion is identified within the team to drive DevSecOps with the support of all team members, and Sumeru then hands the baton over to the start-up team to take it forward. 
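The tool-selection advice above (API and command-line driven tools, fewer false positives, consumable results) and the pilot-run step of fine-tuning tools meet in one place: the pipeline gate that decides whether a scan result blocks a build. The following is an added example, not Sumeru's code or any scanner's real output format; the JSON shape, the baseline file and the sample findings are constructed assumptions. It shows a baseline of reviewed-and-accepted findings so that a pilot run's false positives stop failing every later build, and a severity threshold so that only new, serious findings block.

```python
import json
from hashlib import sha256

# Severity ordering used by the gate; scanners differ, so their names are mapped here.
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed sample of scanner output (the JSON shape is an assumption, not any
# real tool's format): what a SAST run inside a pipeline build might report.
SAMPLE_FINDINGS = [
    {"rule": "sql-injection", "severity": "high", "file": "app/db.py", "line": 42,
     "snippet": "cursor.execute('SELECT * FROM users WHERE id=' + uid)"},
    {"rule": "hardcoded-secret", "severity": "critical", "file": "tests/fixtures.py",
     "line": 7, "snippet": "API_KEY = 'dummy-key-for-tests'"},
    {"rule": "weak-hash", "severity": "medium", "file": "app/legacy.py", "line": 13,
     "snippet": "digest = hashlib.md5(data)"},
]
SAMPLE_SCAN_JSON = json.dumps(SAMPLE_FINDINGS)

def fingerprint(finding):
    """Stable id for a finding: rule, file and whitespace-normalised snippet.
    The line number is deliberately left out so that unrelated edits that shift
    code around do not make an already-reviewed finding look new again."""
    key = f"{finding['rule']}|{finding['file']}|{' '.join(finding['snippet'].split())}"
    return sha256(key.encode()).hexdigest()[:16]

# Baseline produced during a pilot run: findings a reviewer looked at and accepted,
# each with a written justification. In a real pipeline this is a committed file.
PILOT_BASELINE = {
    fingerprint(SAMPLE_FINDINGS[1]): "test fixture value, not a real credential",
}

def gate(scan_json, baseline, min_severity="high"):
    """Decide whether the build passes.
    Returns (passed, new_findings, accepted_findings). A finding blocks the build
    only if it is not in the baseline and meets the severity threshold."""
    threshold = SEVERITY_RANK[min_severity]
    new_findings, accepted = [], []
    for finding in json.loads(scan_json):
        fp = fingerprint(finding)
        if fp in baseline:
            accepted.append((fp, baseline[fp]))
            continue
        if SEVERITY_RANK.get(finding["severity"].lower(), 0) >= threshold:
            new_findings.append(finding)
    return len(new_findings) == 0, new_findings, accepted

def report(new_findings):
    """Developer-facing lines: file:line, rule and severity, nothing else."""
    return [f"{f['file']}:{f['line']} {f['rule']} ({f['severity']})" for f in new_findings]
```

Adding a finding to the baseline should itself be a reviewed change, since the justification text is the audit trail for why the pipeline stays green on it.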

To sum up 

  • For start-ups that are yet to launch their product and are considering security, it makes a lot of sense to move towards "Shift Left" security: 
      • Educate the developers on an ongoing basis on secure coding practices to build secure products. 
      • Move towards DevSecOps quickly to automate security. 
  • For start-ups that already have their product in the market, especially with a sizeable user base, approach it in the following order: 
      • Perform penetration tests and secure code review to identify vulnerabilities, and close the critical issues immediately. 
      • Educate the developers on security best practices for coding and establish a robust DevSecOps process within the organization.  


Written by:

Chidhanandham Arunachalam, Chief Program Officer at Sumeru Solutions. A passionate entrepreneurial leader & unshakable optimist dedicated to helping companies achieve remarkable results with great technology solutions.


This article is the sixth of our series on 'Secure Your Start-ups'. To get updated about the remaining articles of the series, please follow #sumerusecureyourstartup

Amisha Thakur

Empowering Brands Online | Social Media Strategist | Meta Ads That Deliver Growth

3y

What exactly is 'Threat Modelling', Mr. Chidhanandham Arunachalam?
