SecDevOps practices are used for application development.
Define the necessary tools and tool types in each toolchain to mitigate risks effectively and integrate them seamlessly. This includes categorizing essential tools, identifying security-specific tools, standardizing data formats for tool interaction, evaluating digital signing capabilities for auditability, and leveraging automated technologies to manage and orchestrate the toolchain. These actions ensure that the toolchain is secure, consistent, and auditable within DevOps practices.
Evaluate and identify critical technologies, frameworks, tools, and integrations utilized across applications to ensure security and scalability. Collaborate with architects to analyze the development and operational environments, as well as related artifacts, assessing them for security quality. Recognize that while new technologies may improve efficiency or scalability, they can also introduce risks. Implement processes to manage these risks effectively, including documenting findings and prioritizing mitigation actions. Utilize a structured approach to categorize and integrate tools into the toolchain, ensuring they align with organizational security policies and support secure-by-design principles.
ID | Operation | Description | Phase | Agent |
---|---|---|---|---|
SSS-02-02-01-01-01 | Inventory key tools and technologies | Identify tools such as React for frontend development, Docker for containerization, and Jenkins for CI/CD. | Preparation | Architects, Development teams, Security team |
SSS-02-02-01-01-02 | Assess development and operating environments | Review how Kubernetes is configured for application scaling and its implications on security. | Development | Architects, DevOps team |
SSS-02-02-01-01-03 | Evaluate security posture of technologies | Use tools like Dependency-Check to assess libraries, and CIS Benchmarks to evaluate cloud infrastructure configurations. | Development | Security team, Architects |
SSS-02-02-01-01-04 | Report and manage identified risks | Report risks such as using an unsupported version of a framework in the defect tracking system and assign them to the team. | Deployment | Security team, Development leads |
Industry framework | Academic work | Real-world case |
---|---|---|
Information Security Manual (ISM-1780); NIST Secure Software Development Framework (PO.3.1); OWASP SAMM: Software Assurance Maturity Model (D-SA-1-B) | | |
Establish and maintain a repository of preferred technologies, frameworks, and tools, focusing on those widely used across the organization’s software projects. Ensure this repository includes high-level technologies vetted for security, reliability, and compatibility with organizational goals. When curating this list, assess each tool's incident history, ability to respond to vulnerabilities, functionality relevance, ease of use, and internal familiarity. Engage senior developers, architects, managers, and security auditors to collaboratively identify and validate these recommendations. Share the list across development teams as a trusted source of default tools and perform periodic reviews to address emerging security and operational needs, ensuring continuous alignment with best practices.
ID | Operation | Description | Phase | Agent |
---|---|---|---|---|
SSS-02-02-01-02-01 | Identify commonly used tools and technologies | Compile a list of common tools like Spring Boot for backend development and React for frontend. | Preparation | Architects, Development leads, Security auditors |
SSS-02-02-01-02-02 | Evaluate tools against selection criteria | Evaluate Django for security patches and community support compared to similar frameworks. | Preparation | Senior developers, Architects, Security team |
SSS-02-02-01-02-03 | Create a recommended tools and technologies list | Publish a preferred list including tools like GitHub Actions for CI/CD and PostgreSQL for databases. | Development | Architects, Development managers, Security team |
Industry framework | Academic work | Real-world case |
---|---|---|
Information Security Manual (ISM-1780); NIST Secure Software Development Framework (PO.3.1); OWASP SAMM: Software Assurance Maturity Model (D-SA-2-B) | | |
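The two practices above meet in one routine check: a project's declared toolchain (SSS-02-02-01-01-01) is compared against the curated list of preferred technologies (SSS-02-02-01-02-03), and every deviation becomes a tracked finding with an owner (SSS-02-02-01-01-04). The script below is an added example written for this page, not code from any of the cited frameworks. The preferred-technology table, the "supported major versions", the inventory file format (`<tool> <version>` per line) and the tool names such as `acme-orm` are all constructed for illustration, not vendor support statements.

```python
"""Compare a project's toolchain inventory against a curated list of preferred
technologies and turn each deviation into an assignable finding.

Added example: the preferred list, the version ranges and the inventory format
are constructed for illustration, not an organisation's real repository.
"""
from __future__ import annotations

from dataclasses import dataclass

# Constructed preferred-technology repository. 'supported_majors' stands in for
# "still receives security patches"; values are illustrative, not vendor data.
PREFERRED_TECHNOLOGIES: dict[str, dict] = {
    "react":       {"category": "frontend", "supported_majors": {18, 19}},
    "spring-boot": {"category": "backend",  "supported_majors": {3}},
    "django":      {"category": "backend",  "supported_majors": {4, 5}},
    "postgresql":  {"category": "database", "supported_majors": {15, 16}},
    "jenkins":     {"category": "ci-cd",    "supported_majors": {2}},
}

# Constructed project inventory in the "<tool> <version>" format assumed here.
SAMPLE_INVENTORY = """
# frontend
react 16.14.0
# backend
spring-boot 3.2.1
django 4.2.7
acme-orm 1.9.2      # hypothetical library not on the preferred list
# data and delivery
postgresql 16.1
jenkins 2.426.1
"""


@dataclass(frozen=True)
class Finding:
    tool: str
    version: str
    issue: str       # "unapproved-technology" or "unsupported-version"
    severity: str
    assignee: str    # team the finding is routed to in the defect tracker


def parse_inventory(text: str) -> dict[str, str]:
    """Parse '<tool> <version>' lines; '#' starts a comment, blank lines are skipped."""
    inventory: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        name, version = line.split()
        inventory[name.lower()] = version
    return inventory


def major_version(version: str) -> int:
    """Return the leading numeric component of a dotted version string."""
    return int(version.split(".", 1)[0])


def check_toolchain(inventory: dict[str, str],
                    preferred: dict[str, dict] = PREFERRED_TECHNOLOGIES) -> list[Finding]:
    """Flag tools missing from the preferred list and tools on an unpatched major version."""
    findings: list[Finding] = []
    for tool, version in sorted(inventory.items()):
        entry = preferred.get(tool)
        if entry is None:
            # Not vetted by architects/security: needs review before use continues.
            findings.append(Finding(tool, version, "unapproved-technology",
                                    "medium", "Architects"))
        elif major_version(version) not in entry["supported_majors"]:
            # Vetted tool, but a version no longer receiving security patches.
            findings.append(Finding(tool, version, "unsupported-version",
                                    "high", "Development leads"))
    return findings


def format_report(findings: list[Finding]) -> str:
    """Render findings as one line each, ready to paste into a ticket."""
    if not findings:
        return "No toolchain deviations found."
    return "\n".join(
        f"[{f.severity.upper()}] {f.tool} {f.version}: {f.issue} -> {f.assignee}"
        for f in findings
    )


if __name__ == "__main__":
    print(format_report(check_toolchain(parse_inventory(SAMPLE_INVENTORY))))
```

Run as a CI step, the report gives the security team the same two classes of deviation the table asks for: a technology that was never vetted, and a vetted one whose version has fallen out of support. Keeping `PREFERRED_TECHNOLOGIES` in version control alongside the check makes the periodic review of the list auditable.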