Coveros is a consulting company that helps organizations build better software. We provide software development, application security, QA/testing, and software process improvement services. Coveros focuses on organizations that must build and deploy software within the constraints of significant regulatory or compliance requirements. The primary markets we serve include: DoD, Homeland Security and associated critical infrastructure companies, healthcare providers, and financial services institutions.
Making application security a first-class citizen in the software development process, versus an afterthought that gets interpreted as a hurdle.
Make security a first-class citizen in your software development process.
Part of the daily workflow instead of something done late in the process. By late, I mean too late to change much.
Shifting left is the practice of taking something you did later in a process and doing it earlier in that process.
Shifting security left is the practice of doing security testing and analysis during development, usually automating the data collection to make it faster and cheaper.
DevSecOps leverages the collaboration and automation of DevOps to Shift Security Left.
Fewer security compromises in production, making it less likely that the software will be exploited.
By shifting security left, teams are usually given the opportunity to deal with security issues as they happen, so there are fewer last-minute mistakes, compromises, and untested code going into production.
This is where compromises (trade-offs) come into play.
We don’t have time to triage (analyze) all of the findings
We don’t have time to fix all of the issues
We don’t want to fix issues that already exist in the code base
We don’t have time to find alternatives
The functionality can’t wait
What is the likelihood of something happening anyway?
Threat Analysis - Figuring out who wants to attack you, why, and how they would do it.
Secure Code Review - Human beings reviewing code for security flaws
Check-in Static Analysis - Using fast-running static analysis at check-in to find a number of issues, including vulnerabilities and insecure code
SAST - Static Application Security Testing - Using static analysis to specifically find security issues
SCA - Software Composition Analysis - Checking your software and dependencies for security issues and license compliance
Security Testing - Using test automation tools to verify the security features of an application (functional and nonfunctional)
DAST - Dynamic Application Security Testing - Using tools to interact with your software like a user, and in other ways, to find issues (crawling your site, fuzz testing, injecting JavaScript, etc.)
IAST - Interactive Application Security Testing - Using software agents that monitor the internal state of your running application to find issues
Pen Testing - Penetration Testing - A human being trying to find vulnerabilities in your software, usually aided by tools like proxies, and possibly informed by the results of the other tools
Infrastructure Analysis Testing - Using tools to check the host and software configuration to determine if known vulnerabilities are present
Encrypted Data Channels - all network traffic encrypted including traffic within a data center
Data Encrypted at rest - all Personally Identifiable Information (PII), if not all data, needs to be encrypted in the database or files in a system, including backups
RASP - Runtime Application Self-Protection - Using software tools or agents to monitor the internal state of an application and determine if an exploit is currently happening
SIEM - Security Information and Event Management - Software that monitors a running system, including its logs, determines whether security events are happening or have happened, and manages the process of recovering from the event
Your implementation order may vary because:
You already have something in place
Your risk may drive a different order
Your tech stack may make something easier to put in place quickly
A build pipeline is the automation embodiment of a DevSecOps value stream. As your build moves down the pipeline to become a release candidate, you want more and more confidence that the software and platform are secure and resilient to attack and exploit.
DevSecOps is as much about how security is perceived as it is about the technical practices and their implementation. You want to move the perception of security from being a hurdle to being an enabler of higher-quality software that supports the business or mission better.
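As an added illustration (not code from the original talk), a small Python policy gate for such a pipeline: findings collected from the SAST, SCA and DAST stages are checked against a severity threshold that tightens as the build moves toward release candidate, while a baseline of accepted pre-existing findings (the "issues that already exist in the code base" trade-off above) is reported but not blocked. The stage names, thresholds and sample findings are assumptions.

```python
from dataclasses import dataclass

# Severity order used for every gate decision.
SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2, "critical": 3}

# Hypothetical policy: the minimum severity that fails the build at each
# stage. The bar gets stricter the closer the build is to release.
STAGE_BLOCK_AT = {"check_in": "critical", "integration": "high",
                  "release_candidate": "medium"}


@dataclass(frozen=True)
class Finding:
    tool: str       # e.g. "sast", "sca", "dast"
    rule: str       # tool-specific rule or advisory id
    location: str   # file:line, package@version, or URL
    severity: str   # one of SEVERITY_RANK

    def key(self):
        # Identity used to match a finding against the accepted baseline.
        return (self.tool, self.rule, self.location)


def evaluate_gate(stage, findings, baseline):
    """Return (passed, blocking, deferred) for one pipeline stage.

    blocking: new findings at or above the stage threshold; they fail the build.
    deferred: baselined findings or ones below the threshold; reported only.
    """
    threshold = SEVERITY_RANK[STAGE_BLOCK_AT[stage]]
    blocking, deferred = [], []
    for f in findings:
        is_new = f.key() not in baseline
        if is_new and SEVERITY_RANK[f.severity] >= threshold:
            blocking.append(f)
        else:
            deferred.append(f)
    return (not blocking, blocking, deferred)


# Constructed sample results, as if collected from the three scanner stages.
SAMPLE_FINDINGS = [
    Finding("sast", "sql-injection", "app/orders.py:42", "critical"),
    Finding("sca", "CVE-PLACEHOLDER-1", "requests@2.19.0", "high"),
    Finding("dast", "missing-csp-header", "https://staging.example/", "medium"),
    Finding("sast", "hardcoded-secret", "legacy/report.py:7", "high"),
]
# Pre-existing issue the team has consciously deferred (accepted baseline).
SAMPLE_BASELINE = {("sast", "hardcoded-secret", "legacy/report.py:7")}

if __name__ == "__main__":
    for stage in STAGE_BLOCK_AT:
        passed, blocking, deferred = evaluate_gate(stage, SAMPLE_FINDINGS, SAMPLE_BASELINE)
        print(f"{stage}: {'PASS' if passed else 'FAIL'} "
              f"({len(blocking)} blocking, {len(deferred)} deferred)")
```

Keeping the baseline in version control, with a reviewer on every change to it, turns the "we don't want to fix existing issues" compromise into a visible, deliberate decision rather than a silent one.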