The 5 Stages to DevSecOps

Written by the DevSecOps Working Group.

Organizations have a wide array of tools and solutions to choose from when implementing security into their Software Development Lifecycle (SDLC). Since every SDLC is different in terms of structure, processes, tooling, and overall maturity, there is no one-size-fits-all binary blueprint to implement DevSecOps.

This blog identifies the stages through which an organization should integrate DevSecOps into the SDLC. However, keeping in mind this is not a one-time project, but rather a recommendation for where organizations can improve their efforts.

Design and Architecture

The Secure Design and Architecture stage precedes any code being written, but can be the most critical step in the SDLC when implementing security. Identifying design weaknesses and product risks at this stage can save many hours of work and entirely prevent vulnerabilities from being introduced into the codebase before it’s even written. Risks to address at this stage include:

• Failing to identify and secure data flows
• Vulnerabilities inherent to a choice in framework and programming language
• Common risks addressed by security control frameworks
• Poor design decisions identified from threat modeling
• Vulnerabilities tied to an incomplete or flawed business logic

Coding

Secure coding is where applications are developed based upon the requirements detailed in the Design stage. Here, developers choose frameworks and libraries, write code, and create unit tests. This stage focuses on securely implementing the design and business logic and using secure coding practices before code commits to a source code repository (SCR). Risks to address at this stage include:

• Use of insecure protocols, frameworks, and libraries
• Vulnerable source code and dependencies
• Poorly coded infrastructure with vulnerability in hosting environments
• Lack of transparency of changes to critical code

Integration and Testing

Integration and Testing focuses on assembling the components of an application into releasable artifacts and testing the new releases to ensure that they meet the design requirements. This stage should focus on testing the security of the running application as it will exist in production. Risks to address at this stage include:

• Lack of integrity in the build process
• Runtime environment or source code security misconfiguration
• Exploits in the application or infrastructure during runtime
• Improper testing or lack of testing security requirements

Delivery and Deployment

Delivery and Deployment focuses on taking a pre-build release artifact and releasing it into production. This stage should focus on controlling production changes, logging change activities, and the overall integrity of a production release. Risks to address at this stage include:

• Release of incorrect or corrupted artifacts
• Introducing insecure environment configurations into production
• Hijacking the release process to introduce unauthorized changes

Runtime Defense and Monitoring

Runtime Defense and Monitoring focuses on managing the security of applications after they are deployed into production. Managing includes monitoring for indicators of compromise or other malicious and abusive behavior as well as continual security testing. Risks to address at this stage include:

• Business logic attacks
• Denial service or other availability attacks
• Newly discovered exploits
• Compliance monitoring

Read The Six Pillars of DevSecOps - Pragmatic Implementation to learn more about the tools and processes that should be considered when building out a successful DevSecOps program.