DEVSECOPS - SHIFTING/PUSHING LEFT TO SECURE THE SDLC

Questions and Answers

What is the primary focus of DevSecOps?

Separating security from delivery in the cloud era

Neglecting security best practices in favor of compliance

Maximizing feature velocity at the cost of security

Prioritizing security in the development process (correct)

According to the IBM System Science Institute study, how much does the cost multiply by when security issues are discovered during the production maintenance window?

15

150

100 (correct)

6

What negative impact do security incidents have on an organization, as mentioned in the text?

Legal status only

Reputation, customer loyalty, and intellectual property (correct)

Reputation and customer loyalty only

Financial losses only

Why are vulnerabilities more likely to enter deployment in the cloud era?

Separation of security from delivery

What is the consequence of neglecting security best practices when feature velocity is prioritized?

A negative impact on an organization’s overall security posture

What does successful implementation of DevSecOps provide firms with, according to the text?

Greater competitiveness and decreased innovation risks

What is the fundamental purpose of a security culture?

To promote change and improve security

Why might a DevOps security culture be described as disruptive and deliberate?

To promote change and improve security

Why is it important for organizations to convey to end-users that they are an important aspect relied upon for a robust security posture?

To empower and engage end-users in security strategy

What is the significance of Bring Your Own Device (BYOD) in relation to the organization's security?

It increases the likelihood of successful attacks

Why does an organization need a well-planned security program for end-users?

To inform end-users of their critical responsibilities and empower them in security strategy

Why must the scope of cultural change not be underestimated or disregarded in DevSecOps implementation?

To ensure successful DevSecOps implementation

What is the primary objective of data loss prevention (DLP)?

Preventing data leakage and unauthorized access

What is the main purpose of multifactor authentication (MFA) in cybersecurity?

To authenticate users using a secondary method

What is the key role of backup and disaster recovery (BDR) in cybersecurity?

Ensuring immediate restoration of lost data

What is the primary purpose of network detection and response (NDR) in cybersecurity?

Identifying abnormalities in network traffic

What is the main concept behind the 'assume breach' approach in cybersecurity?

Operating with the assumption that a breach has already occurred

What is the purpose of monitoring tools in a cybersecurity technology security stack?

Enable complete network awareness and identify flaws

What is a derived requirement?

A requirement that arises from abuse cases and describes functional and non-functional requirements

Why must the designer of a requirement think like both an attacker and a user?

To identify potential vulnerabilities and abuse cases

What is one of the sources of software security requirements in the early design and requirement phases?

Industry best practices and abuse cases

What is a key consideration for having a secure application design?

Reviewing the security stack and considering industry best practices

What does perimeter defense refer to in the context of cybersecurity?

Defending against threats attempting to enter a network from an external public network

Why is endpoint protection considered vital in modern times?

Due to the significant rise in the number of devices, including IoT devices, that organizations must secure

What is the purpose of sign posting in the context of cybersecurity?

To place posters and materials with security information in strategic locations

What is the purpose of a company's Acceptable Use Policy (AUP) in cybersecurity?

To tell users what they can and can’t do when using a corporate network or other resources

What is the primary objective of delivering role-specific security training to all employees within an organization?

To increase the security awareness of users within the organization

What is the function of informal communications in the context of cybersecurity?

To communicate and reinforce the security principles of the organization in a relaxed manner

What is the purpose of adding hints about the culture of the organization and commitment to security within non-security-specific job descriptions?

To show applicants the organization’s appreciation for security and some awareness about principles of security

What is a key consideration when building good requirements for software, according to Devarasetty (2021)?

Testability and measurability

What does the 'assume breach' concept involve?

Detecting the attack, responding to the attack, recovering leaked data, and preventing future attacks

What is the strategic cybersecurity approach referred to as 'zero trust architecture' based on?

Implicit trust and continuous validation of users at all stages for their digital interaction

How is usability defined according to the International Organization for Standardization (ISO)?

The extent to which a specified user uses a product effectively, efficiently, and satisfactorily within an agreed context of use

What does 'usable security' encompass in organizations?

Design, development, configuration, and maintenance of business-critical tools and systems

What deliberate actions are involved in making security usable for organizations?

Aiming for secure by default, taking the strain, and making it practical

What does the 'never trust, always verify' approach aim to eliminate?

The traditional security model's implicit trust on everything within an organization’s network

What is the primary focus of 'zero trust architecture'?

Preventing lateral movement and simplifying least privilege policies

What is the main goal of the 'assume breach' concept?

Ensuring there is adequate verification that protection mechanisms are properly implemented

'Usable security' involves the reduction in the complexity of security and operational overhead through:

Shifting the burden of security and decision-making away from employees

What is a key principle underlying 'zero trust architecture'?

Continuous validation of users at all stages for their digital interaction.

What is the primary purpose of Static Application Security Testing (SAST)?

To scan source code, binary codes, and byte code for security lapses

What is the primary function of Dynamic Application Security Testing (DAST)?

To prioritize the remediation of vulnerabilities in applications

What does Software Composition Analysis (SCA) focus on?

Scanning libraries and dependencies to identify and fix vulnerabilities

What is the main goal of Code Linting?

To identify stylistic and programmatic errors in source code

What is the purpose of Policies, Guidelines, and Standards in managing a security program?

To ensure that procedures, standards, guidelines, and policies are proportionate and enforced

What is the significance of understanding where a procedure, standard, guideline, and policy is required?

It assists in clarifying the context of coding decisions.

What is the acronym STRIDE used for in the context of threat modeling?

A representation of six categories of threat

What does the DREAD framework help practitioners identify?

Potential threats based on five attributes

What is the main objective of the PASTA threat modeling framework?

Aligning technical security requirements with business objectives

What does the VAST threat modeling model provide for modelers?

An automated platform to integrate into workflows

In the context of secure coding, what does Java's type-safety contribute to?

Memory management and array bounds checking

According to a report by WhiteHat Security, what was predominant in sites built with ColdFusion?

SQL Injection

What is the primary purpose of the principle of least privilege in computer security?

To restrict users' access rights to only what is necessary for performing their duties

What is the main focus of integrating administrative systems or procedures in the context of security?

To enhance usability and security

What is the fundamental purpose of 'usable security' in organizations, as mentioned in the text?

To reduce the complexity of security and operational overhead for better protection

What does the 'assume breach' concept involve in cybersecurity?

Being prepared for potential security breaches

What is the main purpose of implementing the concept of 'zero trust architecture' in cybersecurity?

To verify and validate all network communication regardless of location or source

Why is usability considered essential in developing effective security measures?

To ensure that security measures work effectively in the real world

What is the primary purpose of a security unit test in software development?

To determine if the smallest piece of testable software has an effective security control

Why is writing clean code important in relation to security?

It reduces the risk of security vulnerabilities and makes it easier to locate and mitigate them

What is the purpose of third-party coding frameworks and libraries in relation to security?

To introduce potential security vulnerabilities and affect the entire system

What is the main goal of applying a combination of security testing at various stages of the continuous integration and continuous delivery/deployment (CI/CD) pipeline?

To improve the security posture of the organization

Why are peer reviews important in application security testing?

To catch edge cases and logic flaws that a single tester may miss

What is the main consideration for organizations regarding third-party code dependencies and their security impact?

The history of security vulnerability attributed to dependency

What is the primary focus of static application security testing (SAST)?

Examining source code for security flaws

What is the main advantage of dynamic application security testing (DAST) over static application security testing (SAST)?

Identification of runtime challenges and server problems

What technology can assist in the identification and management of security risks associated with vulnerabilities discovered in running web applications?

Interactive application security testing (IAST)

What is a key advantage of static analysis in the software development life cycle (SDLC)?

Finds vulnerabilities in the early stages of development

Which type of testing is sometimes referred to as a web application vulnerability scanner and checks for vulnerabilities from exposed interfaces?

Dynamic application security testing (DAST)

What does interactive application security testing (IAST) do to assist organizations in managing security risks?

Monitors applications by gathering information about how they perform

What is the primary benefit of using IAST in the SDLC?

Identifying vulnerabilities at an early stage of development

What does SCA assist in discovering within applications?

Third-party components and their versions

What is the main objective of risk intelligence in SCA?

Providing information for shipment decisions

What capability ensures security within the supply chain in SCA?

Risk intelligence

Why is it inefficient to use DAST to identify vulnerabilities during the QA/test phase of the SDLC?

It can lead to expensive identification of lines of codes with vulnerabilities

What is a significant advantage of IAST over DAST?

Early return of vulnerability information and remediation guidelines

What does IAST assist developers in locating when a vulnerability is discovered?

Source of the discovered vulnerability

Why do organizations require automated security testing tools that can scale to process hundreds and thousands of HTTP requests?

To keep up with the rapid development demand of web applications

What is a key capability provided by IAST that is not possible with DAST?

Integration into the CI/CD and DevOps workflow

What does stack trace information, application code, HTTP requests and replies, and dataflow analysis assist in locating using IAST?

The source of a discovered vulnerability

Study Notes

• DevOps teams prioritize quick construction over security, leading to neglected security best practices, anomalies, and compliance.
• Cost of repairing security issues increases dramatically as they move through the development lifecycle: sixfold at build time, 15 times during customer testing, and 100 times during the production maintenance window.
• Security incidents result in financial losses, negative reputation, customer loyalty, intellectual property theft, and legal issues.
• DevSecOps prioritizes security in the development process and enables enterprises to manage software exposure as fast as DevOps, cloud, IoT, AI, and mobile adoption.
• The greatest challenge for DevSecOps is cultural change, particularly in integrating development, security, and IT operations.
• A sustainable security culture requires investment and fourth determinant features: disruptive and deliberate, interesting and engaging, rewarding, and provides a return on investment.
• Challenges in developing a security culture include poorly drafted rules and policies, absence of a continuous improvement plan, and leaders not modeling good security behavior.
• Humans are the weakest link and need a framework to understand security; the best methods are divergent and empowering.
• With Bring Your Own Device (BYOD), users own their devices but the organization owns corporate data and resources, and they are the most exposed aspect of the intangible defense structure.
• Prevention is essential and comes before monitoring in preventing attacks.
• Security is everyone’s business and can be achieved using continuous education methods such as signing posters, creating a security portal, and implementing an Acceptable Use Policy (AUP).
• An Acceptable Use Policy (AUP) outlines rules for using corporate resources, and security training should be delivered role-specific and relevant.
• Recruitment can promote the organization's commitment to security by including hints in non-security-specific job descriptions.

Description

Test your knowledge about the importance of security in DevOps, the impact of neglected security best practices, the challenges of integrating security in the development process, and promoting a sustainable security culture. Explore topics such as cost implications of security issues, cultural challenges, BYOD, prevention methods, and continuous education for security.