Protecting Your Application from Threats Using Shift Left Approach: A DevSecOps Pipeline Security Checklist

Roman Glushach
13 min readSep 20, 2023
DevSecOps Security Checklist

In today’s digital age, application security has become more critical than ever. With the increasing number of cyber-attacks and data breaches, it’s essential to integrate security into every stage of the software development lifecycle.

This is where DevSecOps comes in. DevSecOps is a practice that combines development (Dev), security (Sec), and operations (Ops) to create a secure and efficient software development pipeline.

DevSecOps is a culture and practice that aims to integrate security into every stage of the software development lifecycle, from planning to deployment and beyond. By adopting DevSecOps, you can ensure that your application is secure by design, and that you can detect and respond to any vulnerabilities or attacks as quickly as possible.

CI/CD Stages

Pipeline Checklist Flow

Pre-Commit Checks

Before code changes are committed to the repository, there are several security-focused checks that can be performed to identify potential vulnerabilities early on. These checks can be automated using tools like linters, formatters, and static analysis tools.

  • Code Reviews: Performing regular code reviews is an essential aspect of DevSecOps. This process helps catch bugs, security vulnerabilities, and ensures that coding standards are met. Code reviews should be done by at least one other developer (4-eyes principle), and feedback should be provided constructively
  • Style Guidelines: Linting tools like golint, kube-lint, or hadolint can help detect syntax errors, inconsistencies, and best practices violations in the codebase. These tools can be integrated into the CI/CD pipeline to ensure that code changes are checked before they’re committed
  • Secrets Management: Secret management is critical in Kubernetes, as it ensures that sensitive data such as API keys, certificates, and passwords are handled properly. Pre-commit checks should verify that secrets are stored securely, rotated regularly, and access is restricted to authorized personnel
  • Configuration Validation: Configuration validation is crucial to ensure that resources are correctly configured and aligned with industry standards. Tools like kubebuilder validate configuration files against a set of predefined rules, helping developers avoid common mistakes and misconfigurations
  • Dependency Analysis: Analyzing dependencies is vital to identifying potential vulnerabilities in third-party libraries and frameworks. Dependency analysis tools like go modules, npm audit, or pipdeptree can highlight outdated, insecure, or unmaintained dependencies, allowing developers to address them promptly
  • Container Image Scanning: Container image scanning is necessary to identify potential vulnerabilities in base images, application layers, and dependencies. Tools like Trivy, Clair, or Snyk provide comprehensive reports detailing vulnerabilities, licensing issues, and recommendations for remediation.
  • Infrastructure as Code (IaC) Validation: IaC validation verifies that infrastructure configurations meet security and compliance requirements. Tools like Terraform validate the configuration files used to provision and manage infrastructure, ensuring that resources are correctly allocated and secured
  • Compliance Checks: Compliance checks guarantee that the project adheres to industry regulations, standards, and guidelines. Frameworks like HIPAA, PCI DSS, GDPR, or NIST provide benchmarks for evaluating compliance. Automated tools like SonarQube or Veracode can simplify this process by analyzing code and configuration files against established standards
  • Security Testing: Security testing involves evaluating the system’s resistance to attacks and identifying weaknesses. Techniques like penetration testing, vulnerability assessment, and threat modeling can be applied manually or through tools like Burp Suite, ZAP, or OWASP ZAP. These tests help developers strengthen their systems and address potential flaws proactively

Commit-Time Checks

Once code changes have been committed to the repository, additional security checks can be executed to further ensure the quality and integrity of the codebase.

  • Signature Verification: Signature verification guarantees that commits are genuine and tamper-proof. Git signatures use public-key cryptography to authenticate commit authors and prevent malicious modifications. Enforcing signed commits encourages developers to take responsibility for their work and provides accountability
  • Two-Factor Authentication: Two-factor authentication adds an extra layer of protection to the commit process. By requiring a second form of verification, such as a fingerprint, passphrase, or time-based one-time password, unauthorized access to the repository becomes significantly more difficult
  • Access Control Lists (ACLs): Access control lists define permissions for users, groups, or roles within the repository. ACLs can restrict who can push to certain branches, limiting the potential damage from compromised accounts or rogue actors
  • Mandatory Code Review: Mandatory code review ensures that all code changes undergo thorough scrutiny before being merged. This practice helps enforce quality standards, reduces technical debt, and exposes security vulnerabilities earlier in the development cycle
  • Continuous Integration & Continuous Deployment (CI/CD): CI/CD pipelines automate build, test, and deployment procedures, making sure that changes are thoroughly tested and validated before reaching production environments. Well-designed pipelines shorten feedback loops, minimize human error, and enhance overall efficiency
  • Vulnerability Scanning: Run comprehensive vulnerability scans to detect potential security vulnerabilities in the code and its dependencies. These scans can cover both open-source components and custom code
  • Policy Compliance: Use tools like OPA (Open Policy Agent) or Kyverno to validate Kubernetes resources against organizational policies, industry standards, and compliance regulations
  • Secret Rotation: Automatically rotate secrets periodically to reduce exposure windows in case of unauthorized access
  • Image Signature Validation: Verify the integrity of container images by checking their digital signatures against trusted sources
  • Network Policies: Evaluate network policies defined in the Kubernetes cluster to ensure they meet security requirements and restrict unnecessary communication between services
  • Pod Security Context: Review pod security context constraints, such as privileged mode, host networking, and volume mounts, to limit attack surfaces and prevent escalation attacks
  • Resource Utilization: Monitor resource utilization patterns to detect anomalies indicative of potential security threats or performance bottlenecks

Build-Time Checks

After code changes have been committed and verified, the focus shifts to building and packaging the application. Build-time checks aim to catch errors, inconsistencies, and security concerns during this stage.

  • Binary Analysis: Binary analysis examines compiled code for suspicious patterns, backdoors, or known vulnerabilities. Tools like sonobuoy or snyk-container analyze containers and report on potential threats, allowing developers to address issues before they become incidents
  • Artifact Analysis: Artifact analysis inspects package managers, dependency trees, and container images for anomalies or vulnerabilities. Tools like Trivy, Anchore Engine, or Aqua Security scan artifacts and provide actionable insights for mitigation
  • License Compliance: License compliance checking ensures that open-source components and dependencies conform to organizational policies and legal requirements. Tools like Black Duck Hub, or FossID help identify licenses, track versions, and alert stakeholders to non-compliant usage
  • Cryptographic Standards: Cryptographic standards validation verifies that encryption algorithms, ciphers, and hash functions meet industry standards. Tools like OpenSSL, NaCl, or Botan perform cryptographic operations and enforce recommended settings to protect data both in transit and at rest
  • Environment Variables Management: Environment variables management secures sensitive data, such as database credentials, API tokens, or secrets, which are often hardcoded or exposed via environment variables. Solutions like HashiCorp’s Vault, AWS Parameter Store, or Google Cloud Secret Manager offer secure storage, retrieval, and rotation of sensitive values
  • Dockerfile Best Practices: Dockerfile best practices promote clean, reproducible, and secure container images. Guidelines include using official base images, specifying explicit layers, and avoiding unnecessary installations or exposure of ports. Adherence to these practices reduces the attack surface and eases maintenance downstream

Test-Time Checks

During the testing phase, numerous security-oriented checks can be conducted to evaluate the system’s behavior under different conditions. These checks help identify vulnerabilities, edge cases, and unexpected interactions.

  • Unit Testing: Write unit tests for Kubernetes components, such as Pods, Services, and Deployments, to ensure they function correctly and respond appropriately to failures
  • Integration Testing: Execute integration tests to validate interactions between Kubernetes objects and assess how they behave under various conditions
  • End-to-End Testing: Conduct end-to-end tests to simulate real-world scenarios and ensure the entire application functions as expected from a user perspective
  • Acceptance Testing: Acceptance testing confirms that the system meets specified requirements and user expectations. Tests cover happy paths, boundary values, and exception handling, helping developers catch issues that might impact security, performance, or usability
  • Penetration Testing: Penetration testing (pen testing) replicates real-world attacks on the system, attempting to exploit vulnerabilities or gain unauthorized access. White-box, gray-box, or black-box tests can be performed depending on the scope and level of access available to the testing team. Pen testing helps identify high-impact vulnerabilities and weaknesses in the system’s defenses
  • Security Testing Frameworks: Leverage security testing frameworks, such as OWASP ZAP or Burp Suite, to identify vulnerabilities during the testing process
  • Fuzz Testing: Apply fuzz testing techniques to discover potential bugs or weaknesses in the Kubernetes codebase. Fuzz testing simulates unexpected input scenarios to expose edge cases that may lead to security exploits
  • Chaos Engineering: Intentionally introduce failures into the system to evaluate its resilience and ability to recover from disruptions. Chaos engineering helps strengthen the overall reliability and stability of the Kubernetes cluster
  • Performance Testing: Measure the performance of the application under varying loads and stress levels to ensure it can handle anticipated traffic and usage patterns
  • Compatibility Testing: Test the application’s compatibility with different browsers, devices, and platforms to guarantee a uniform user experience
  • Accessibility Testing: Assess the application’s accessibility features, such as screen reader support, keyboard navigation, and color contrast, to ensure inclusivity for all users
  • Compliance Testing: Validate the application’s compliance with relevant laws, regulations, and industry standards, such as HIPAA, GDPR, or PCI DSS

Deploy-Time Checks

  • Pod Security Context Confinement: Pod Security Context Confinement restricts the privileges of pods, limiting their ability to interact with other parts of the system. Tools like SELinux, AppArmor, and Seccomp provide pod confinement features. By using these tools, security teams can minimize the damage caused by successful attacks, as well as reduce the attack surface
  • Role-Based Access Control: Role-Based Access Control (RBAC) limits access to sensitive resources based on user roles. Tools like Kubernetes RBAC and Open Policy Agent (OPA) provide role-based access control features. RBAC enables organizations to grant only necessary permissions to users, reducing the risk of data exposure or modification
  • Namespace Isolation: Namespace isolation separates resources and workloads in a cluster, preventing interference and reducing attack vectors. Tools like Kubernetes namespaces and Istio service meshes provide namespace isolation features. By utilizing namespaces, security teams can enforce segregation of duties and least privilege access principles
  • Secret Management: Secret management deals with storing and handling sensitive information, such as API keys, certificates, and passwords. Tools like HashiCorp Vault, Ansible, and Kubernetes secrets provide secret management features. These tools encrypt and manage sensitive data, ensuring it remains protected throughout its lifecycle
  • Auditing, Logging, Monitoring, and Alerting: Logging and monitoring provide visibility into the activities occurring within the Kubernetes cluster. Tools like Fluentd, Elasticsearch, and Prometheus offer logging and monitoring features. By collecting and analyzing logs, security teams can detect anomalies, investigate incidents, and improve overall security posture

Summarize

  1. Embrace Automation: The most critical prerequisite for continuous testing and continuous integration is speed. Speed necessitates that the automation process be a fundamental requirement. Therefore, it’s essential to have necessary security measures and triggers in place. Hence, dynamic security testing is preferable over static testing. This implies that vulnerability scanning occurs in real-time, and it’s vital to have the necessary tools to automate security measures in our code configuration
  • Risk Management: In light of the regular occurrence of data breaches and hacks, security is often cited as a significant concern. When incorporated into any project as dependencies, codes from open source projects can pose vulnerability risks. This is because these might be unmanaged codes without any applied security measures. Therefore, checking code dependency is essential. Utilizing an OWASP utility check will ensure the detection of vulnerabilities in these codes from open source projects
  • Security Management Process: When a bug is encountered by a security team, it is reported in the repository. Occasionally, developers lack the resources to review these reports. This results in prioritizing functional testing over security testing. Therefore, DevSecOps must have a uniform Process for Security Management so that code modifications can be made at one location and notify the DevSecOps team about it. They can then execute an authentication testing protocol
  • Integrating Bug Tracker: The information will include comprehensive actionable details about bugs such as their severity, facts, and required treatment. This enables the security team to be advanced and prepared to address issues even before they appear in a production and development environment
  • Threat Modelling: Risk management will assist you in identifying threats in software components and devising measures to counteract those threats

Shift Left Security

Shift Left DevOps is an approach to software development that focuses on moving the testing process to the left side of the software development lifecycle (SDLC). In other words, it involves testing earlier in the development cycle, closer to the point where code is written. This approach aims to detect defects and bugs early on, reducing the risk of downstream problems and improving overall quality.

The term “shift left” refers to the idea of shifting the testing process to the left side of the SDLC, which traditionally starts with requirements gathering, followed by design, implementation, testing, deployment, and maintenance. By shifting testing leftward, developers can identify issues before they become more serious problems later in the development cycle.

Benefits

  • Early Defect Detection: Shift Left DevOps helps detect defects and bugs early in the development cycle, reducing the likelihood of downstream problems. This leads to fewer delays, lower costs, and improved quality
  • Lower costs: By testing early and often, teams can reduce the amount of rework and waste that occurs when defects are found late in the development cycle. This saves time and money for both development and operations teams
  • Improved Quality: By testing early and often, developers can ensure that the delivered software meets customer expectations, leading to higher satisfaction rates and better brand reputation
  • Faster Time-to-Market: With Shift Left DevOps, development teams can release high-quality software faster, giving them a competitive advantage in today’s fast-paced digital marketplace
  • Reduced Rework: Detecting defects early reduces the amount of rework required later in the development cycle, saving time, resources, and effort
  • Better Collaboration: Shift Left DevOps encourages collaboration between developers, testers, and other stakeholders, fostering a culture of transparency, communication, and shared responsibility

Challenges

  • Cultural Changes: Shift Left DevOps requires a cultural shift toward greater collaboration and shared ownership among team members. This may be difficult to achieve, especially in traditional organizational structures
  • Lack of Skills: Developers may require additional training to perform tests that were previously conducted by dedicated testers
  • Resistance to Change: Some team members might resist adopting new processes and tools, preferring to stick with familiar methods
  • Toolchain Complexity: Integrating testing tools into the development pipeline can add complexity, requiring careful consideration and planning
  • Data Management: Managing large amounts of data generated by testing activities can be challenging, necessitating adequate storage, processing, and analysis capabilities

Flow

Shifting left in DevOps requires a cultural change as well as a technical change. It requires teams to adopt a test-driven mindset and a collaborative approach to software development:

  • Define clear requirements: Before writing any code, teams should define clear and testable requirements for their software. This helps them to align their expectations with their customers and stakeholders, and to design their tests accordingly
  • Write unit tests: Unit tests are tests that verify the functionality of a single unit of code, such as a function or a class. Unit tests are fast, easy to write, and easy to maintain. They help developers to ensure that their code works as intended and follows coding standards. Unit tests should be written before or along with the code (test-driven development), and run frequently during development
  • Use test automation tools: Test automation tools are tools that enable teams to automate the execution of their tests. Test automation tools can save time and effort for teams by running tests faster, more reliably, and more consistently than manual testing. Test automation tools can also provide useful reports and metrics on test results and coverage. Teams should use test automation tools for different types of tests, such as unit tests, integration tests, functional tests, performance tests, security tests, etc.
  • Integrate testing into the CI/CD pipeline: The CI/CD pipeline is a set of processes that automate the building, testing, and deploying of software. By integrating testing into the CI/CD pipeline, teams can ensure that their code is tested continuously throughout the development cycle. This helps them to catch defects early and prevent them from reaching production. Teams should use tools such as GitLab CI/CD or Azure DevOps to create and manage their CI/CD pipelines
  • Use test data management tools: Test data management tools are tools that enable teams to create, manage, and use realistic test data for their tests. Test data management tools can help teams to avoid using sensitive or production data for testing, which can pose security and compliance risks. Test data management tools can also help teams to generate synthetic data that mimics real-world scenarios and conditions. Teams should use test data management tools such as Aqua Data Studio or Faker to create and manage their test data
  • Use code quality and security tools: Code quality and security tools are tools that enable teams to analyze and improve the quality and security of their code. Code quality and security tools can help teams to identify and fix issues such as code smells, bugs, vulnerabilities, performance bottlenecks, etc. Code quality and security tools can also help teams to enforce coding standards and best practices. Teams should use code quality and security tools such as SonarQube or Aqua Security to analyze and improve their code

Best Practicies

  • Define Clear Goals: Establish clear objectives for your Shift Left DevOps initiative, ensuring everyone understands the expected outcomes and benefits
  • Assess Current State: Evaluate your current development process, identifying areas where testing can be moved leftward
  • Train Developers: Provide developers with the necessary skills and training to perform effective testing
  • Adopt Automated Testing: Leverage automated testing tools to reduce manual testing efforts and increase efficiency
  • Integrate Testing into CI/CD Pipelines: Seamlessly integrate testing into your Continuous Integration/Continuous Deployment (CI/CD) pipelines, enabling quick feedback loops and rapid issue resolution
  • Monitor and Analyze Data: Collect, store, and analyze testing data to identify trends, optimize testing efforts, and improve overall quality
  • Encourage Collaboration: Foster a collaborative environment where developers, testers, and other stakeholders work together towards common goals
  • Embrace Continuous Learning: Encourage a culture of continuous learning, experimentation, and improvement, allowing your team to adapt to evolving technologies and customer needs
  • Measure Progress: Regularly measure progress, tracking key performance indicators (KPIs) such as mean time to detect (MTTD), mean time to resolve (MTTR), and defect density. Use these metrics to refine your Shift Left DevOps strategy over time

Conclusion

Building a secure DevSecOps pipeline is a challenging but rewarding endeavor. It can help you deliver secure applications faster and more efficiently, while reducing the risks and costs of security breaches.

--

--

Roman Glushach

Senior Software Architect & Engineer Manager at Freelance