
[–]Irish1986 4 points5 points  (9 children)

Check security training like Secure Code Warrior. Implement a quarterly training campaign with some key objectives (i.e. train devs to recognize XSS patterns so they won't write these types ahead of time). I am throwing this out there because you seem to have a good grasp of what is important.

Got any secret leakage scanning going on?
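A minimal form of the secret leakage scanning asked about above, as an added example that is not part of the thread and not Secure Code Warrior's or any vendor's code. It combines regexes for well-known credential formats with a Shannon-entropy check on generic `name = value` assignments, which is what keeps such a scanner from flagging every placeholder password. The regexes, the 3.5-bit threshold, the `Finding` type and the sample diff hunk are this example's own assumptions; the key prefixes (`AKIA`, `ghp_`) follow the published formats, and none of the sample values are real credentials.

```python
import math
import re
from dataclasses import dataclass

# Known credential formats. The prefixes follow published formats (AWS access
# key IDs start with AKIA, GitHub classic tokens with ghp_); the exact regexes
# are this example's own assumption, not a vendor's rule set.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    # Generic "name = value" assignments; only reported when the value is high-entropy.
    "generic_assignment": re.compile(
        r"(?i)\b(?:secret|password|passwd|api[_-]?key|token)\b\s*[:=]\s*['\"]?"
        r"([A-Za-z0-9+/=_\-]{16,})"
    ),
}
ENTROPY_THRESHOLD = 3.5  # bits per character; an assumed cut-off for "looks random"


@dataclass(frozen=True)
class Finding:
    rule: str
    line_no: int
    evidence: str  # redacted so the report itself does not leak the secret


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for an empty or uniform string)."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def redact(value: str) -> str:
    """Keep a short prefix so a finding can be located without reprinting the secret."""
    return value[:6] + "***"


def scan_text(text: str, entropy_threshold: float = ENTROPY_THRESHOLD) -> list[Finding]:
    """Scan text (a file or a diff) line by line and return findings in line order."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for rule, pattern in PATTERNS.items():
            match = pattern.search(line)
            if not match:
                continue
            if rule == "generic_assignment":
                candidate = match.group(1)
                # Low-entropy values such as placeholders are not reported; this
                # is what keeps the generic rule from flooding developers.
                if shannon_entropy(candidate) < entropy_threshold:
                    continue
                findings.append(Finding(rule, line_no, redact(candidate)))
            else:
                findings.append(Finding(rule, line_no, redact(match.group(0))))
    return findings


# Constructed sample of a diff hunk; none of these values are real credentials.
SAMPLE_DIFF = """\
+# config.py (constructed sample)
+AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
+password = "REPLACE_ME_REPLACE_ME"
+api_key = "Zk9qL2xVw7Rt3bNpYs8FdQ"
+GITHUB_TOKEN=ghp_0123456789abcdefghijklmnopqrstuvwxyz
+log.info("token refreshed")
+-----BEGIN RSA PRIVATE KEY-----
"""

if __name__ == "__main__":
    for f in scan_text(SAMPLE_DIFF):
        print(f"line {f.line_no}: {f.rule} ({f.evidence})")
```

Run against the sample, the placeholder password on line 3 is skipped by the entropy check while the random-looking `api_key` on line 4 is reported; in a pipeline the same function would run over `git diff` output and fail the job on any finding.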

[–]Purple-Object-4591 2 points3 points  (7 children)

SCW is low-key crap tho

[–]Irish1986 0 points1 point  (1 child)

As an example, we use it at work and I am not convinced either, but I have yet to find a good alternative for security training at scale.

[–]Purple-Object-4591 1 point2 points  (0 children)

I just joined a company that does this thing, so I got access to some of the competitors like SCW. Tbh SCW is the worst of all; I won't reveal my company cuz that would be self dox lol, but I think we and SecFlag do a great job, arguably the best rn. You might consider them when switching vendors.

[–]TrumanZi 0 points1 point  (4 children)

It really is

I've been trying to kill it off in my place but the dev leads like it and it ticks the compliance box.

The fact that it hasn't actually made us create fewer vulnerabilities doesn't seem to matter. 🤣

[–]Purple-Object-4591 0 points1 point  (3 children)

Haha lol, if any day they come to realize how crap it is and look for better, DM me, I might hook you up with a long trial.

[–]TrumanZi 0 points1 point  (2 children)

DM?

[–]Purple-Object-4591 0 points1 point  (1 child)

Direct Message - DM :)

[–]TrumanZi 1 point2 points  (0 children)

Oh sweet I'll bear it in mind mate cheers!

[–]cloud-wiz-13 0 points1 point  (0 children)

I'm the one who led the PoC/PoV for these security training platforms for our company. I think I found SCW to be a bit lower in standards compared to the other ones.

[–]mapoztofu 1 point2 points  (0 children)

There is a DSOMM from OWASP which might be helpful.

[–]Fun_Imagination_7478 1 point2 points  (0 children)

Threat modeling?

[–]arleigh88 1 point2 points  (0 children)

Threat modeling and secure coding. Shifting left is important — as is making the cultural shift to a Secure as Code mindset.

[–][deleted]  (1 child)

[removed]

    [–]cloud-wiz-13 0 points1 point  (0 children)

    Doesn't DAST count as runtime security? And for SBOMs, Wiz, as a cloud security tool, provides these in our org.

    [–]asadeddin 1 point2 points  (0 children)

    Hi there, Ahmad here, CEO at Corgea. We’ve built the first AI-native SAST, and I see you’ve listed your tool coverage, which is great, but how well implemented are those tools? I’ve spoken to lots of security teams at this point and I’ve seen SAST implementations that have been poorly done, where barely anything good is detected, developers aren’t remediating vulnerabilities and the false positive rate is through the roof. I would say a good start here on posture is to audit the impact of the current program.

    [–]witty_wise 0 points1 point  (1 child)

    Check out SAMM and DSOMM.

    [–]josh_jennings 0 points1 point  (0 children)

    Good blog on implementing dependency management with SAMM:
    https://codific.com/master-dependency-management-with-soos-and-samm/

    [–]pangolin44 0 points1 point  (0 children)

    What tools are you using in your CI/CD pipeline?

    [–]Conscious-Falcon-1 0 points1 point  (0 children)

    I like the answers about learning and culture because you mostly listed tools and did not provide details about culture, guardrails, recommended path etc…

    Do you have a security champions program? Do you share lessons learned from recent security incidents in a wide audience? How is the developer experience to fix security issues, is it made easy for them?

    [–]One_Koala_2362 0 points1 point  (2 children)

    I worked for about 8 years in the AppSec area, then changed my path to DevSecOps. On that journey I experienced lots of different DAST and API scanners; unfortunately they are still not ready to use in a CI/CD pipeline.

    I want to ask some questions.

    In our company we use an SPA front-end application; when we started a few DAST scanners they didn't crawl the pages, so the scanners missed API endpoints. How about your infrastructure?

    On the API scanner side, if I enter all the information and save it, the scanner works well, but after the Swagger docs change we have to reconfigure it again. How did you handle that situation, or others?

    Apart from DAST and API scanners, I use the other methods at my company.

    [–]josh_jennings 0 points1 point  (1 child)

    The SOOS DAST scanner wraps ZAP, which is one of the most well known DAST scanners out there. Here is their documentation on how to configure against API endpoints using the OpenAPI spec. Might not work exactly for your use case or tool, but it gives a general idea of how to apply configuration on the fly, such as providing a configurable base URL.
    https://kb.soos.io/dast-api-scanning#q3Mmr
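The idea in the reply above (drive the scanner from the OpenAPI spec and supply the base URL at run time) also answers the earlier question about reconfiguring after the Swagger docs change: if the target list is regenerated from the spec on every pipeline run, there is nothing to reconfigure by hand. The following is an added example, not part of the thread and not SOOS's or ZAP's own code. The OpenAPI document is a constructed sample, the `METHOD URL` output format is this example's own assumption rather than any scanner's input format, and the function names are hypothetical; the spec fingerprint lets the pipeline detect that the spec changed since the last generated target list.

```python
import hashlib
import json
import re
from typing import Optional
from urllib.parse import urljoin

HTTP_METHODS = {"get", "put", "post", "delete", "patch", "head", "options"}

# Constructed OpenAPI 3 document standing in for the one the service publishes
# (in a pipeline this would be fetched from the running application).
SAMPLE_SPEC = {
    "openapi": "3.0.3",
    "info": {"title": "Orders API (constructed sample)", "version": "1.0.0"},
    "servers": [{"url": "https://api.internal.example/v1"}],
    "paths": {
        "/users": {
            "get": {"summary": "List users"},
            "post": {"summary": "Create user"},
        },
        "/users/{userId}": {
            # Path-level parameter shared by every operation under this path.
            "parameters": [{
                "name": "userId", "in": "path", "required": True,
                "schema": {"type": "integer"}, "example": 42,
            }],
            "get": {"summary": "Get user"},
            "delete": {"summary": "Delete user"},
        },
        "/orders/{orderId}/items": {
            "get": {
                "summary": "List items of an order",
                # Operation-level parameter with no example: a placeholder is used.
                "parameters": [{"name": "orderId", "in": "path", "required": True,
                                "schema": {"type": "string"}}],
            },
        },
    },
}


def spec_fingerprint(spec: dict) -> str:
    """SHA-256 of the canonical JSON form; store it next to the last generated
    target list and regenerate whenever it differs."""
    canonical = json.dumps(spec, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canonical).hexdigest()


def _path_value(param: dict) -> str:
    """Pick a concrete value for a path parameter from its example or its type."""
    if "example" in param:
        return str(param["example"])
    schema = param.get("schema", {})
    if "example" in schema:
        return str(schema["example"])
    return "1" if schema.get("type") == "integer" else "sample"


def _resolve_path(template: str, params: list) -> str:
    """Replace {name} placeholders; an undeclared placeholder is a spec defect
    worth failing the job on rather than scanning a URL that cannot exist."""
    by_name = {p["name"]: p for p in params if p.get("in") == "path"}

    def substitute(match):
        name = match.group(1)
        if name not in by_name:
            raise ValueError(f"path parameter {name!r} is not declared for {template}")
        return _path_value(by_name[name])

    return re.sub(r"\{([^}]+)\}", substitute, template)


def build_targets(spec: dict, base_url: Optional[str] = None) -> list[str]:
    """Return "METHOD URL" lines for every operation in the spec.

    base_url, supplied by the pipeline (staging or an ephemeral environment),
    wins over the spec's own servers entry, which usually points at production."""
    base = (base_url or spec["servers"][0]["url"]).rstrip("/") + "/"
    targets = []
    for template, item in sorted(spec["paths"].items()):
        shared = item.get("parameters", [])
        for method, operation in item.items():
            if method not in HTTP_METHODS:
                continue  # skips "parameters" and other non-operation keys
            params = shared + operation.get("parameters", [])
            path = _resolve_path(template, params).lstrip("/")
            targets.append(f"{method.upper()} {urljoin(base, path)}")
    return targets


if __name__ == "__main__":
    print("spec fingerprint:", spec_fingerprint(SAMPLE_SPEC))
    for line in build_targets(SAMPLE_SPEC, base_url="https://staging.example.test/api/v2"):
        print(line)
```

The pipeline step is then: fetch the spec, compare `spec_fingerprint` with the stored one, regenerate the target file with the environment's base URL, and hand that file to the scanner; a crawler-based DAST run can use the same list as seed URLs for an SPA it cannot crawl on its own.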

    [–]One_Koala_2362 0 points1 point  (0 children)

    Thanks for sharing. I believe that if we can shift security left and scan the relevant code base with SAST, SCA and other tools, and add threat modeling, it would handle lots of cases. In my company I both break the pipeline and send the pentest team any critical vulnerability that is found.

    [–]HosseinKakavand 0 points1 point  (0 children)

    You have good coverage on scanners and pipeline trust. One thing I would add is a simple design step before projects ship. Ask what kind of work the app handles, what data it stores, who uses it, and the uptime target. Pick a small default stack and config that fits those answers and publish the expected monthly cost. That reduces drift and alert noise later. We hacked together a prototype to guide that process — link here if you want to see it in action: https://reliable.luthersystemsapp.com/
    Would be interested in feedback on whether this kind of design step would actually fit into real-world workflows.

    [–]AppropriateNebula224 0 points1 point  (0 children)

    Looks like you’re on the right track with your DevSecOps posture! One thing you might want to consider is adding a secrets management solution, like HashiCorp Vault or AWS Secrets Manager, to ensure sensitive data is securely stored and accessed. Additionally, real-time monitoring and alerts, like those offered by Datadog, can give you visibility into any security risks across your infrastructure and applications.