ABSTRACT

Chapter 3 discusses the integration of information security controls into DevOps, a practice known as DevSecOps. DevSecOps is the practice of building information security controls into the continuous integration, continuous delivery and continuous deployment pipeline. By bringing DevOps elements into the secure software development lifecycle (SSDLC), the relevant information security controls become part of the development process itself rather than a separate step applied afterwards.

This chapter introduces a secure system development lifecycle (SDLC) in which security assurance activities, such as penetration testing, code review and architecture analysis, are an integral part of the risk management process. The activities in each phase help to mitigate vulnerabilities and manage risk. They support the risk mitigation strategy across the project lifecycle and the development phases of an organization's initiatives, so that the remaining risk is aligned with the organization's risk appetite before deployment to production.

This chapter integrates risk management practices into DevOps to support an iterative approach to managing risk. The risk management process shows how to evaluate risk starting from the absence of internal controls, known as inherent risk, and how that risk is reduced by proper code certification, which attests that the overall system works as intended and that its environment protects it from undue influence. The resulting secure capabilities allow stakeholders to act pro-actively, for example by quarantining sensitive or non-public information (moving or deleting it from their network) before its unauthorized exposure damages their capabilities and exposes the business to brand, reputational, financial, legal or cybersecurity risk.
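As an added illustration of the evaluation described above (this is not the chapter's own model or code), the following pipeline gate scores each finding's inherent risk with no controls applied, lets only certified controls reduce it to a residual risk, and compares that residual against the organization's risk appetite before the build may reach production. The ordinal likelihood/impact scale, the per-control effectiveness values, the `certified` flag standing in for code certification, and the sample findings and appetite values are all assumptions made for this example:

```python
"""Risk gate for a CI/CD pipeline.

Added illustration; not the chapter's own model or code. It assumes an
ordinal likelihood/impact scale, a fixed per-control effectiveness and a
'certified' flag standing in for code certification.
"""
from dataclasses import dataclass
from typing import Iterable

# Ordinal scale for likelihood and impact (assumed for illustration).
LEVEL = {"low": 1, "medium": 2, "high": 3}


@dataclass(frozen=True)
class Finding:
    ident: str             # scanner finding id (constructed sample data)
    likelihood: str        # "low" | "medium" | "high"
    impact: str            # "low" | "medium" | "high"
    weaknesses: frozenset  # weakness tags a control can match, e.g. {"sqli"}


@dataclass(frozen=True)
class Control:
    name: str
    mitigates: frozenset  # weakness tags this control addresses
    effectiveness: float  # fraction of matched risk removed, 0..1 (assumed)
    certified: bool       # verified to work as intended in the target environment


def inherent_risk(finding: Finding) -> int:
    """Risk with no internal controls applied: likelihood x impact."""
    return LEVEL[finding.likelihood] * LEVEL[finding.impact]


def residual_risk(finding: Finding, controls: Iterable[Control]) -> float:
    """Inherent risk reduced by every certified control that matches the finding.

    An uncertified control contributes nothing: until it is shown to work
    in its environment, the pipeline cannot rely on it to reduce risk.
    """
    risk = float(inherent_risk(finding))
    for control in controls:
        if control.certified and control.mitigates & finding.weaknesses:
            risk *= 1.0 - control.effectiveness
    return risk


def gate(findings, controls, appetite_per_finding: float, appetite_total: float) -> dict:
    """Decide whether the build may proceed to production.

    Deployment is allowed only when no single finding exceeds the per-finding
    appetite and the summed residual risk stays within the total appetite.
    """
    residuals = {f.ident: residual_risk(f, controls) for f in findings}
    blocking = sorted(i for i, r in residuals.items() if r > appetite_per_finding)
    total = sum(residuals.values())
    return {
        "residuals": residuals,
        "total": total,
        "blocking": blocking,
        "deploy": not blocking and total <= appetite_total,
    }


# Constructed sample findings, as a SAST/secret scanner might report them.
FINDINGS = [
    Finding("F1", "high", "high", frozenset({"sqli"})),
    Finding("F2", "medium", "high", frozenset({"hardcoded-secret"})),
    Finding("F3", "low", "low", frozenset({"verbose-errors"})),
]

# The same controls before and after the secret-handling control is certified.
CONTROLS_BEFORE = [
    Control("parameterized-queries", frozenset({"sqli"}), 0.9, certified=True),
    Control("secret-rotation", frozenset({"hardcoded-secret"}), 0.75, certified=False),
]
CONTROLS_AFTER = [
    Control("parameterized-queries", frozenset({"sqli"}), 0.9, certified=True),
    Control("secret-rotation", frozenset({"hardcoded-secret"}), 0.75, certified=True),
]

# Risk appetite (assumed values): at most 2 per finding, 4 in total.
APPETITE_PER_FINDING = 2.0
APPETITE_TOTAL = 4.0

if __name__ == "__main__":
    for label, controls in (("before", CONTROLS_BEFORE), ("after", CONTROLS_AFTER)):
        print(label, gate(FINDINGS, controls, APPETITE_PER_FINDING, APPETITE_TOTAL))
```

Run before certification, the gate blocks on F2: the secret-rotation control exists but has not been shown to work in the deployed environment, so the finding keeps its inherent risk of 6. Once that control is certified, F2 drops to 1.5, every finding sits within the per-finding appetite and the total stays within the overall appetite, so the same build is released. This is the practical effect of treating certification, not the mere presence of a control, as the point where inherent risk becomes mitigated risk.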