SecDevOps practices are used for application development.
Adopt best security practices for the deployment, operation, and maintenance of tools and toolchains. Select and integrate tools based on secure configurations, ensure compatibility with other tools and workflows, apply code-based configurations, and implement reproducible builds. Continuously monitor tools for integrity issues, replace outdated tools, and follow security protocols for compilers, interpreters, and build tools. These practices uphold the security and reliability of the DevOps toolchain.
Automating the build process ensures consistent and efficient execution of builds, reducing human error and improving productivity. This approach requires securing the build toolset and its interfaces to prevent tampering and unauthorized access. Proper management of credentials and secrets, such as repository keys and code signing certificates, is critical. Additionally, incorporating automated security checks like SAST tools enhances security by identifying vulnerabilities early in the development lifecycle. These measures ensure that the build process remains efficient, secure, and trustworthy.
ID | Operation | Description | Phase | Agent |
---|---|---|---|---|
SSS-02-02-07-01-01 | Automate the build execution process | Implement tools to automate the build process, ensuring it runs consistently without manual intervention. Configure the build system to execute reliably at any time, minimizing human error and ensuring reproducibility. | Development | DevOps Teams |
SSS-02-02-07-01-02 | Harden and secure build tooling | Apply security controls to build tools and their interfaces (e.g., web portals) to prevent tampering and unauthorized access. This includes network lockdowns and regular audits of exposed services to mitigate risks from potential malicious actors. | Deployment | Security Teams |
SSS-02-02-07-01-03 | Manage credentials and sign artifacts | Securely manage credentials and secrets needed for builds, such as code signing certificates and repository access tokens. Sign generated artifacts using organizational certificates to verify their origin and ensure integrity. | Deployment | DevOps Teams |
SSS-02-02-07-01-04 | Integrate automated security checks | Incorporate tools like Static Application Security Testing (SAST) into the automated build pipeline. Use these checks to identify and address vulnerabilities early in the development process, leveraging automation to enhance security benefits. | Post-deployment | Security Teams |
SSS-02-02-07-01-05 | Monitor and maintain build processes | Continuously monitor the build system for anomalies and regularly update the automation tools to address new threats. Periodically review and refine the process to ensure it remains secure and aligned with evolving best practices. | Post-deployment | DevOps Teams |
Industry framework | Academic work | Real-world case |
---|---|---|
Information Security Manual (ISM-1780); NIST Secure Software Development Framework (PO.3.2); OWASP SAMM: Software Assurance Maturity Model (I-SB-2-A) | | |
Automating the deployment process eliminates manual configuration steps, reducing the risk of human error and ensuring consistency across all stages. Security checks such as DAST and vulnerability scanning should be integrated into the deployment pipeline to identify and mitigate potential risks early. Deployment artifacts should be verified for integrity, and test results logged centrally to support monitoring and remediation. Critical issues should trigger automated deployment stops or initiate manual approval workflows with proper documentation. A comprehensive deployment tracking system should record every deployment's details, ensuring accountability and supporting audits.
ID | Operation | Description | Phase | Agent |
---|---|---|---|---|
SSS-02-02-07-02-01 | Automate deployment processes | Set up tools to fully automate the deployment process, ensuring no manual configuration steps are required. This ensures consistency across all stages and minimizes the risk of human error. | Development | DevOps Teams |
SSS-02-02-07-02-02 | Integrate automated security checks | Incorporate tools like DAST and vulnerability scanners into the deployment pipeline. Verify the integrity of deployed artifacts and log the results of security checks in a centralized system for monitoring and further action. | Deployment | Security Teams |
SSS-02-02-07-02-03 | Implement automated issue handling | Configure the system to automatically notify relevant personnel of detected issues. For critical defects, automate deployment stops or introduce a manual approval process to review and document exceptions. | Deployment | DevOps Teams |
SSS-02-02-07-02-04 | Track and audit deployments | Establish a tracking system to record all deployment details, including personnel involved, software versions, and deployment-specific variables. Use this information for accountability and audit purposes. | Post-deployment | Compliance Teams |
SSS-02-02-07-02-05 | Review and refine deployment practices | Regularly review deployment logs and security test results to identify areas for improvement. Refine automation and security practices based on evolving threats and organizational requirements. | Post-deployment | DevOps Teams |
Industry framework | Academic work | Real-world case |
---|---|---|
Information Security Manual (ISM-1780); NIST Secure Software Development Framework (PO.3.2); OWASP SAMM: Software Assurance Maturity Model (I-SD-2-A) | | |
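
The deployment controls above (SSS-02-02-07-02-02 to SSS-02-02-07-02-04) can be combined into one gate step. The following is an added example, not part of the original framework text: it verifies the artifact digest, stops on critical findings, requires a documented approval for high findings, and returns the audit record for the deployment. The severity policy, field names and sample values are assumptions.

```python
import hashlib
import json
from datetime import datetime, timezone

BLOCKING = {"critical"}        # assumed policy: stop the deployment
NEEDS_APPROVAL = {"high"}      # assumed policy: documented manual approval


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def gate_deployment(artifact, expected_sha256, findings, deployer, version,
                    variables, approval=None):
    """Return an audit record; 'decision' is deploy, stop or needs_approval."""
    actual = sha256_hex(artifact)
    severities = {f["severity"].lower() for f in findings}
    if actual != expected_sha256.lower():
        decision, reason = "stop", "artifact digest mismatch"
    elif severities & BLOCKING:
        decision, reason = "stop", "critical finding"
    elif severities & NEEDS_APPROVAL:
        # An exception counts only if it names an approver and a justification.
        if approval and approval.get("approver") and approval.get("justification"):
            decision, reason = "deploy", "exception approved and documented"
        else:
            decision, reason = "needs_approval", "high finding awaiting approval"
    else:
        decision, reason = "deploy", "integrity verified, no blocking findings"
    return {
        "timestamp": datetime.now(timezone.utc).isoformat(),
        "deployer": deployer,
        "version": version,
        "variables": variables,          # non-secret deployment variables only
        "artifact_sha256": actual,
        "findings": findings,
        "approval": approval,
        "decision": decision,
        "reason": reason,
    }


# Constructed sample input, not taken from any real pipeline.
ARTIFACT = b"constructed-sample-artifact-1.4.2"
FINDINGS = [{"tool": "dast", "id": "SAMPLE-1", "severity": "High"}]

if __name__ == "__main__":
    record = gate_deployment(ARTIFACT, sha256_hex(ARTIFACT), FINDINGS,
                             "alice", "1.4.2", {"REGION": "example-region"})
    print(json.dumps(record))  # one JSON line per deployment for the central log
```
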
Integrating security testing tools into the delivery pipeline ensures continuous and automated testing for vulnerabilities throughout the development lifecycle. This approach starts early in the requirements or design phases and continues through implementation, helping to identify and address security issues before release. Results from these tests should be centralized in dashboards, made visible to stakeholders, and used to guide defect management and decision-making. Developers should use security test cases as upfront goals, driving secure coding practices while improving organizational awareness and collaboration around security concerns.
ID | Operation | Description | Phase | Agent |
---|---|---|---|---|
SSS-02-02-07-03-01 | Automate security testing in CI/CD pipeline | Configure security testing tools to automatically run during the build and deployment processes. Use tools like SAST, DAST, and IAST to identify vulnerabilities early in the cycle and lower the risk of release delays due to unresolved security issues. | Development | DevOps Teams |
SSS-02-02-07-03-02 | Introduce test-driven security practices | Start security testing during the requirements or design phases. Create and run security test cases early, treating passing these tests as an essential milestone for implementation completion. This approach sets clear, upfront security goals for developers. | Development | Development Teams |
SSS-02-02-07-03-03 | Centralize and present test results | Use dashboards to make automated and manual security test results visible to stakeholders. Present findings to management and business stakeholders before each release, establishing timelines for addressing accepted risks and unresolved issues. | Deployment | Security Teams |
SSS-02-02-07-03-04 | Use security test correlation tools | Implement tools to match and merge results from various security scanners (e.g., static, dynamic, and interactive). Centralize the data in one dashboard to support defect management and streamline remediation efforts. | Deployment | Security Teams |
SSS-02-02-07-03-05 | Promote security awareness and collaboration | Share security test results and knowledge across development teams. Use findings to improve security awareness and encourage collaborative efforts to enhance the quality of security tests and practices within the organization. | Post-deployment | Development Teams |
Industry framework | Academic work | Real-world case |
---|---|---|
Information Security Manual (ISM-1780); NIST Secure Software Development Framework (PO.3.2); OWASP SAMM: Software Assurance Maturity Model (V-ST-3-A) | | |
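
The correlation step in SSS-02-02-07-03-04 matches and merges findings from static, dynamic and interactive scanners before they reach the dashboard. The following is an added example, not part of the original framework text, showing one way to do that merge. The finding fields, the route-to-file map and the sample findings are assumptions constructed for illustration.

```python
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# Hypothetical map from URL route to the source file that handles it, so a
# dynamic finding on a route lines up with static findings in that file.
ROUTE_TO_FILE = {"/login": "app/auth.py", "/search": "app/search.py"}


def correlation_key(finding):
    """Same weakness class (CWE) at the same location is treated as one defect."""
    route = finding.get("route")
    location = finding.get("file") or ROUTE_TO_FILE.get(route, route)
    return (finding["cwe"], location)


def correlate(findings):
    """Merge raw scanner findings into one defect list for the dashboard."""
    merged = {}
    for f in findings:
        key = correlation_key(f)
        entry = merged.setdefault(key, {"cwe": key[0], "location": key[1],
                                        "tools": set(), "severity": "low",
                                        "raw_count": 0})
        entry["tools"].add(f["tool"])
        entry["raw_count"] += 1
        # Keep the highest severity any scanner assigned.
        if SEVERITY_RANK[f["severity"]] > SEVERITY_RANK[entry["severity"]]:
            entry["severity"] = f["severity"]
    # Defects confirmed by several scanner types come first, then by severity.
    return sorted(merged.values(),
                  key=lambda e: (-len(e["tools"]), -SEVERITY_RANK[e["severity"]],
                                 e["cwe"], str(e["location"])))


# Constructed sample findings from three scanner types.
SAMPLE = [
    {"tool": "sast", "cwe": 89, "file": "app/search.py", "line": 42, "severity": "high"},
    {"tool": "dast", "cwe": 89, "route": "/search", "severity": "critical"},
    {"tool": "iast", "cwe": 89, "file": "app/search.py", "line": 42, "severity": "high"},
    {"tool": "sast", "cwe": 798, "file": "app/auth.py", "line": 7, "severity": "medium"},
    {"tool": "dast", "cwe": 79, "route": "/profile", "severity": "medium"},
]

if __name__ == "__main__":
    for defect in correlate(SAMPLE):
        print(defect["cwe"], defect["location"], sorted(defect["tools"]),
              defect["severity"], defect["raw_count"])
```
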
Establish and maintain a repository of preferred technologies, frameworks, and tools, focusing on those widely used across the organization’s software projects. Ensure this repository includes high-level technologies vetted for security, reliability, and compatibility with organizational goals. When curating this list, assess each tool's incident history, ability to respond to vulnerabilities, functionality relevance, ease of use, and internal familiarity. Engage senior developers, architects, managers, and security auditors to collaboratively identify and validate these recommendations. Share the list across development teams as a trusted source of default tools and perform periodic reviews to address emerging security and operational needs, ensuring continuous alignment with best practices.
ID | Operation | Description | Phase | Agent |
---|---|---|---|---|
SSS-02-02-07-04-01 | Identify commonly used tools and technologies | Compile a list of common tools like Spring Boot for backend development and React for frontend. | Preparation | Architects, Development leads, Security auditors |
SSS-02-02-07-04-02 | Evaluate tools against selection criteria | Evaluate Django for security patches and community support compared to similar frameworks. | Preparation | Senior developers, Architects, Security team |
SSS-02-02-07-04-03 | Create a recommended tools and technologies list | Publish a preferred list including tools like GitHub Actions for CI/CD and PostgreSQL for databases. | Development | Architects, Development managers, Security team |
Industry framework | Academic work | Real-world case |
---|---|---|
Information Security Manual (ISM-1780); NIST Secure Software Development Framework (PO.3.2); OWASP SAMM: Software Assurance Maturity Model (D-SA-3-B) | | |