DevOps security best practices for building more secure software applications


Ongoing compliance is the process of continuously monitoring compliance with industry regulations and adhering to cybersecurity best practices. Establishing a consistent release management process can help achieve ongoing compliance. Other steps include adding access controls to the codebase, regularly updating patches to software libraries, and adopting a repeatable approach to adding new software features that meet customer needs and comply with applicable regulations.

Some of the recommended controls that support ongoing compliance in DevOps include:

Multiple environments – It is essential to create several code environments; ideally, you should have separate development, staging, and production environments. Multiple code environments with an approval workflow to move code between them provide a set of checks and balances.

Separation of duties – clearly define the responsibilities of developers, approvers, administrators and managers, and assign only one role per person. One set of permissions per person allows for easy auditing of changes. Requiring multiple roles and approvals each time code is moved between environments or made available to customers helps protect the codebase.

Authentication – implement strong authentication mechanisms, including multi-factor authentication (MFA), and require developers to change their passwords regularly.

Quality assurance testing – ensure your QA process includes testing and vulnerability scans when moving code between environments to catch cybersecurity risks early. Many organizations have integrated secure code reviews and application security testing into specific stages of their development process.

Key management – use software keys to give access to servers and set an expiration date for each.

Security protocols – use the Secure Shell (SSH) protocol during DevOps. SSH is a network protocol that allows secure remote connections to a computer or server. SSH provides several options for strong authentication and protects the security and integrity of communications. Use a secure protocol such as SSH to protect any access to software code.

encryption – Provide user encryption keys to protect sensitive customer or company data.

SaaS applications reside in the cloud and typically experience a high volume of internal and external user transactions. After the software is released, perform threat hunting regularly to identify unusual behavior and potentially malicious activity. Threat hunting includes performing static analyses, continuous log monitoring of various aspects of the software infrastructure, and automated scans.


Comments are closed.