Following the principles of Secure by Design
In the previous sections we designed our CI/CD pipelines. But as we have concluded, security starts at the very beginning of DevOps and should be integrated throughout the entire process, from the moment code is pulled or new code is written up until deployment to production. We need to apply security by design. This is the second layer of DevSecOps and includes the following activities:
- Securing pipelines: best practice is to apply zero-trust principles to the pipeline. Pipelines should only be accessed through least-privilege policies. Also, continuous testing must be integrated into the pipeline. This includes Static Application Security Testing (SAST), but also penetration testing to find any backdoors in the pipelines or any other vulnerabilities.
- Clean code practice: this one is subject to multiple interpretations, but the key is the principle of KISS: keep it simple, stupid. Try to keep the code as simple and short as possible. Document...