Continuous security in DevOps environment: Integrating automated security checks at each stage of continuous deployment pipeline

Abstract

In this digital transformation, when the world is witnessing record security breaches, and hackers are getting bolder and more sophisticated, the development of software quickly is not enough; however, an organization must secure the applications also. To get the secure application out of delivery team hands organization must make security not only a priority but also a standardized part of a daily operational procedure. It will be possible only when an organization integrates security checks and practices throughout the software development lifecycle to better defend their applications and protect their brand values. Therefore, this thesis has outlined a secure DevOps delivery workflow to achieve continuous security by infusing security controls, tools, compliance, and industry best practices, and automated security checks at each stage of the software development cycle, so that all the security testing is done seamlessly through a continuous delivery pipeline. Secure DevOps delivery workflow designed in this thesis will allow organizations to make security as standardized part of a daily operational procedure and results into resilient organization and culture of “everyone responsible for security,” “Scaling through automation,” and “Measurable outcomes.” Moreover, it will save team effort to put into building a better, faster, cheaper and more secure product with a focus on delivery of customers centric features instead of fighting with security-related bugs and compliances and fend off more attacks, leading to an overall more protected system. The secure seven-stage workflow gateway presented in this thesis are Requirements, Plan, Secure Develop, Build, Test, Deploy and Continuous Monitoring fully integrated with security checks at each stage. It is applicable and relevant to all DevOps enabled organization to improve productivity, organizational security learning, shift security to the left, and transform the application release cycle to produce more secure applications. At the end of this thesis, its outline, The Secure DevOps work value stream, to help DevOps team members to evaluate proposed seven-stage gateway workflow and provide everyone in the value stream with the fastest possible feedback about the security of what they are creating, enabling them to quickly detect and correct security problems as part of their work, which enables learning and prevents future errors. Security testing DevOps toolchain, set of security tools integrated within Continuous deployment pipeline to auto checks security at each stage of the workflow, to help the delivery team identify and fix flaws earlier in the delivery process before flaws exposed to the public without impeding agility and this shift security to the left. Secure DevOps workflow model by building security into every stage of the secure development life cycle, from the security requirements stages onwards, and this makes everyone responsible for security. Contributions of this thesis consist of: a secure seven-stage continuous security workflow infused with security controls, compliances and best practices; flow of work across continuous security value stream; Anatomy of continuous security assurance model; Toolchain to infuse automated security checks during CI/CD pipeline.8