Implementing DevSecOps Practices

You're reading from Implementing DevSecOps Practices: Understand application security testing and secure coding by integrating SAST and DAST

Product type: Paperback
Published in: Dec 2023
Publisher: Packt
ISBN-13: 9781803231495
Length: 258 pages
Edition: 1st Edition
Author: Vandana Verma Sehgal
Table of Contents

Preface
Part 1: DevSecOps – What and How?
  Chapter 1: Introducing DevSecOps
Part 2: DevSecOps Principles and Processes
  Chapter 2: DevSecOps Principles
  Chapter 3: Understanding the Security Posture
  Chapter 4: Understanding Observability
  Chapter 5: Understanding Chaos Engineering
Part 3: Technology
  Chapter 6: Continuous Integration and Continuous Deployment
  Chapter 7: Threat Modeling
  Chapter 8: Software Composition Analysis (SCA)
  Chapter 9: Static Application Security Testing (SAST)
  Chapter 10: Infrastructure-as-Code (IaC) Scanning
  Chapter 11: Dynamic Application Security Testing (DAST)
Part 4: Tools
  Chapter 12: Setting Up a DevSecOps Program with Open Source Tools
Part 5: Governance and an Effective Security Champions Program
  Chapter 13: License Compliance, Code Coverage, and Baseline Policies
  Chapter 14: Setting Up a Security Champions Program
Part 6: Case Studies and Conclusion
  Chapter 15: Case Studies
  Chapter 16: Conclusion
Index
Other Books You May Enjoy

DevSecOps maturity levels

Understanding maturity starts with understanding where you stand in DevSecOps. A DevSecOps maturity model lays out how security measures can be prioritized alongside your DevOps practices, so that the same techniques that speed up delivery (automation, repeatable pipelines, fast feedback) also strengthen security. It is forward-looking by design: it tells you which guidelines and security measures to apply next, and in what order, to raise your resistance to attacks.

The open source community behind the Open Web Application Security Project (OWASP) maintains one such model, the OWASP DevSecOps Maturity Model (DSOMM – https://owasp.org/www-project-devsecops-maturity-model/). It defines five levels of maturity (https://dsomm.owasp.org):

Figure 1.6: Maturity model

Many organizations' maturity models start counting at level 0, others at level 1; DSOMM numbers its levels from 1 to 5. The rest of this section walks through maturity levels 1 to 4 as they typically look inside an organization adopting DevSecOps.

The model is organized into dimensions (for example, build and deployment, implementation, information gathering, test and verification, and culture and organization), each broken down into sub-dimensions and concrete activities, and each activity is assigned to a level. The activities cover things such as a defined build process, testing of artifacts, pinning of artifacts, generating an SBOM for the components you ship, and much more. Let's take a closer look.

Maturity level 1

Maturity level 1, within the context of the OWASP DevSecOps maturity model, represents the foundational stage of implementing security practices in your DevOps process. It’s the initial step that’s taken toward integrating DevSecOps into your organization.

Maturity level 1 is where you lay the groundwork. You’re getting the team to start thinking about security, but you haven’t gone full Mission Impossible on it. Think of maturity level 1 like your first day at the gym. You’re not lifting the heavy weights just yet; you’re learning the ropes and maybe doing some light cardio. Similarly, at level 1, you’re just getting started with integrating security into your DevOps process. It’s less about having airtight defenses and more about setting the stage: think basic security checks, simple monitoring, and everyone still getting to know each other’s roles.

Here’s what typically happens at this level:

  • Security practices: Basic security protocols and practices have been established, but they are manually executed. The methods that are employed are typically straightforward and may not fully cover all security needs. While these practices are in place, they require considerable human effort and manual intervention, which could lead to inconsistencies and errors.
  • Process initiation: At this level, teams start to recognize the importance of integrating security into the development process. However, practices are not yet fully structured or systematic.
  • Education: The team might begin learning about security threats and how to prevent them. However, education and training in secure coding practices might not be comprehensive.
  • Risk awareness: There’s a growing awareness of the potential risks of not integrating security fully into the DevOps process. The need for improvement is recognized, leading to the exploration of automated security measures.
  • Automation: While the goal of DevSecOps is to automate as many security processes as possible, at this stage, little to no automation of security tasks exists. Manual work is predominant, which can be laborious and time-consuming.

Maturity level 2

Maturity level 2, in the context of the OWASP DevSecOps maturity model, signifies a progression from the initial stage of implementing DevSecOps in an organization. It’s the point where you start to incorporate and follow security best practices more systematically.

Let’s take a deeper look at this level:

  • Adoption of best practices: The organization starts to adopt recognized security best practices. These practices are likely documented and have become a standard part of the development process.
  • Continuous security: Security practices are not only implemented but are now applied continuously throughout the DevOps pipeline. This means that the security controls are not just a one-time event, but are instead consistently applied throughout the SDLC.
  • Partial automation: This level sees the introduction of automation, but it is not yet extensive. Certain tasks are likely automated to reduce manual effort, improve consistency, and mitigate human error. However, several security processes may still rely heavily on manual work.
  • Regular training: At this stage, there is likely more emphasis on educating the development and operations teams about security threats, secure coding practices, and how to use any new security tools that have been introduced.
  • Proactive security: There’s a shift toward a more proactive stance on security. Rather than just responding to security issues when they arise, teams are working to anticipate and prevent potential security issues.

Maturity level 3

Maturity level 3 within the OWASP DevSecOps maturity model marks a pivotal point in the evolution of an organization’s DevSecOps journey. It signifies the transition from just setting up DevSecOps practices to actively progressing toward their maturity.

Level 3 comprises the following aspects:

  • Advanced automation: The focus at this level is largely on automation. Most security practices are now automated, which reduces manual effort, increases efficiency, and minimizes human error. Security checks and protocols become an integral part of the entire software development pipeline.
  • Integration of security: Security considerations are more thoroughly integrated into the DevOps process. This integration ensures that security is not an afterthought but a consistent theme from the very start of the SDLC.
  • Proactive and continuous: At this level, security practices are not only proactive but also continuous. It’s not about implementing measures to fix issues as they arise but about embedding security practices to prevent issues from occurring in the first place.
  • Regular reviews and updates: Security policies, practices, and automation scripts are regularly reviewed and updated to cope with emerging security threats and vulnerabilities. This keeps the security practices in line with the latest best practices.
  • Enhanced training: There’s an increased focus on training, with development and operations teams regularly educated about current and emerging security threats. They are trained to use the latest security tools and follow updated secure coding practices.

Maturity level 4

By maturity level 4, the processes from the earlier levels are fully established across the organization and the work becomes continuous improvement: automation is extended to the remaining manual steps, and the surrounding processes are refined as threats and tooling change.
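What makes "where you stand" measurable in a DSOMM-style model is its structure: every activity belongs to a dimension and a level, and a dimension's level is only earned once the activities at and below that level are in place. The following Python is an added example, not code from the book or from the OWASP DSOMM project, that scores such a self-assessment. The catalogue of activities is a constructed, illustrative subset: the names echo DSOMM activities such as pinning of artifacts and SBOM generation, but their level assignments, and the "all activities at or below the level" scoring rule, are assumptions made for this example rather than DSOMM's published scoring.

```python
"""Scoring a DevSecOps maturity assessment in the style of OWASP DSOMM.

Added example: not code from the book or from the OWASP DSOMM project.
CATALOGUE is a constructed, illustrative subset of activities; the names
are modelled on DSOMM's, but the level assignments are assumptions made
for this example, not DSOMM's published ones.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Activity:
    dimension: str  # e.g. "Build and Deployment"
    name: str       # the concrete practice
    level: int      # maturity level (1..5) at which the model expects it


CATALOGUE = [
    # Build and Deployment
    Activity("Build and Deployment", "Defined build process", 1),
    Activity("Build and Deployment", "Defined deployment process", 1),
    Activity("Build and Deployment", "Pinning of artifacts", 2),
    Activity("Build and Deployment", "Generation of an SBOM", 2),
    Activity("Build and Deployment", "Signing of artifacts", 3),
    Activity("Build and Deployment", "Same artifact promoted through every environment", 4),
    # Test and Verification
    Activity("Test and Verification", "Static analysis in the CI pipeline", 1),
    Activity("Test and Verification", "Software composition analysis", 1),
    Activity("Test and Verification", "Dynamic scan of the running application", 2),
    Activity("Test and Verification", "Secret scanning on every commit", 3),
    Activity("Test and Verification", "Security test coverage tracked", 4),
    # Culture and Organization
    Activity("Culture and Organization", "Ad hoc security training", 1),
    Activity("Culture and Organization", "Security champion in each team", 2),
    Activity("Culture and Organization", "Regular threat modeling", 3),
]

# Constructed self-assessment: the activities one team says it has in place.
IMPLEMENTED = frozenset({
    "Defined build process",
    "Defined deployment process",
    "Pinning of artifacts",
    "Signing of artifacts",           # level 3 done, but level-2 SBOM is missing
    "Static analysis in the CI pipeline",
    "Software composition analysis",
    "Dynamic scan of the running application",
    "Ad hoc security training",
    "Security champion in each team",
    "Regular threat modeling",
})


def dimensions(catalogue):
    """Dimension names in catalogue order, without duplicates."""
    return list(dict.fromkeys(a.dimension for a in catalogue))


def validate(catalogue, implemented):
    """Reject activity names that are not in the catalogue.

    A misspelt name would otherwise be silently dropped, making the
    assessment look worse than it is without anyone noticing.
    """
    unknown = set(implemented) - {a.name for a in catalogue}
    if unknown:
        raise ValueError(f"unknown activities: {sorted(unknown)}")


def achieved_level(catalogue, implemented, dimension):
    """Highest level L such that every activity of the dimension at levels
    1..L is implemented; 0 if even level 1 is incomplete.

    An implemented higher-level activity does not count until the levels
    below it are complete: a missing level-2 activity caps the dimension
    at level 1 regardless of what else has been done.
    """
    activities = [a for a in catalogue if a.dimension == dimension]
    if not activities:
        raise ValueError(f"unknown dimension: {dimension}")
    achieved = 0
    for level in range(1, max(a.level for a in activities) + 1):
        if all(a.name in implemented for a in activities if a.level == level):
            achieved = level
        else:
            break
    return achieved


def assess(catalogue, implemented):
    """Per-dimension levels for one self-assessment."""
    validate(catalogue, implemented)
    return {d: achieved_level(catalogue, implemented, d) for d in dimensions(catalogue)}


def overall_level(catalogue, implemented):
    """The organization is only as mature as its weakest dimension."""
    return min(assess(catalogue, implemented).values())


def next_steps(catalogue, implemented, dimension):
    """Activities still missing at the next level of a dimension, i.e. the
    shortest path to raising its score."""
    target = achieved_level(catalogue, implemented, dimension) + 1
    return sorted(a.name for a in catalogue
                  if a.dimension == dimension and a.level == target
                  and a.name not in implemented)


if __name__ == "__main__":
    for dim, level in assess(CATALOGUE, IMPLEMENTED).items():
        gaps = next_steps(CATALOGUE, IMPLEMENTED, dim) or "nothing defined"
        print(f"{dim}: level {level}; to reach level {level + 1}: {gaps}")
    print("overall level:", overall_level(CATALOGUE, IMPLEMENTED))
```

Note the Build and Deployment result: artifact signing, a level 3 activity here, is implemented, yet the dimension scores level 1 because SBOM generation at level 2 is missing. That is the intended behaviour of a maturity ladder: the assessment points you at the gap to close next rather than crediting isolated advanced controls. Unknown activity names are rejected rather than ignored, so a typo in a self-assessment cannot quietly distort the picture.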
