You're reading from Enterprise DevOps for Architects

Product type: Book
Published in: Nov 2021
Reading level: Beginner
Publisher: Packt
ISBN-13: 9781801812153
Edition: 1st Edition
Author: Jeroen Mulder

Jeroen Mulder is a certified enterprise and security architect, and he works with Fujitsu (Netherlands) as a Principal Business Consultant. Earlier, he was a Sr. Lead Architect, focusing on cloud and cloud native technology, at Fujitsu, and was later promoted to become the Head of Applications and Multi-Cloud Services. Jeroen is interested in cloud technology, architecture for cloud infrastructure, serverless and container technology, application development, and digital transformation using various DevOps methodologies and tools. He has previously authored “Multi-Cloud Architecture and Governance”, “Enterprise DevOps for Architects”, and “Transforming Healthcare with DevOps4Care”.

Chapter 13: Working with DevSecOps Using Industry Security Frameworks

An important artifact in security – and DevSecOps – is security frameworks. There are generic frameworks, such as those published by the Center for Internet Security (CIS), but typically, industries must comply with, and report on their compliance with, specific industry security standards. These have an impact on the way security is handled within enterprises and therefore on the implementation of DevSecOps.

This chapter will explain the functionality and impact of frameworks and how to incorporate them into DevSecOps. It includes a separate section on the use and value of the MITRE ATT&CK framework, since it is becoming better known and more widely accepted as a base framework.

After completing this chapter, you will have a good understanding of the most used security frameworks and how the controls of these frameworks can be applied to DevOps.

In this chapter, we're going to cover...

Understanding industry security frameworks

IT has become more complex over the years, and the same applies to IT security; the two are correlated. Enterprise IT environments are no longer monolithic systems that sit in the basement of a company building that functions as the enterprise's data center. Today, IT environments share components and are connected to the outside world through the internet. As a result, systems are, by default, reachable from the internet, yet only authorized users should be able to access them. Hence, we need strong defenses to protect systems from security breaches.

The level of required security will differ per industry. First of all, financial institutions will want to make sure that bank accounts can't be compromised and that money is not being illegally transferred. Healthcare institutions need to protect their patients' personal and health data. Manufacturers want to protect...

Working with the MITRE ATT&CK framework

Maybe it's not a completely fair statement, but we will post it here regardless: MITRE ATT&CK lets you think from the attacker's perspective when it comes to security. The strength of this framework is that anyone can contribute to it. It doesn't describe the actual vulnerabilities in systems so much as the techniques attackers could use to exploit those vulnerabilities. MITRE ATT&CK uses a matrix with 14 attack tactics. It then divides these tactics across major platforms and technologies, including cloud and containers. For the cloud, there's a subdivision for Azure, AWS, and GCP.

Tip

The full MITRE ATT&CK framework can be found at https://attack.mitre.org/. However, it is recommended to follow MITRE on Twitter as well at @MITREattack. The matrix is open source, so a lively community is contributing to the tactics and techniques that are collected in the framework. MITRE invites people to join...

Applying frameworks to DevSecOps

In this section, we will learn how to include the controls of frameworks in DevOps and embed them as DevSecOps. Good news: it's not as hard as it may sound. The following diagram shows this process:

Figure 13.3 – Process of applying controls from security frameworks to DevOps

In general, we start by assessing the framework that the enterprise needs to apply to its IT environments. From that assessment, the individual controls are derived and mapped onto the development and deployment cycles of applications and infrastructure. As soon as code is pulled from the repositories, scanning against these controls starts.

We are using the CIS benchmark as an example here since CIS is the most used framework for setting security controls. Applying controls starts with the realization that in DevOps, the IT environments are highly dynamic by default. Everything, including the infrastructure, is turned into code, so applications...
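The scanning step described above, as an added example that is not code from the book or from CIS: a small pipeline-stage scanner that checks a Dockerfile (infrastructure as code) against a handful of container hardening controls of the kind found in the CIS Docker Benchmark and emits findings a CI job can fail on. The control identifiers (`CTRL-IMG-PIN`, `CTRL-USER`, `CTRL-ADD`, `CTRL-APT-UPDATE`), the sample Dockerfiles, and the `scan_dockerfile`/`run_gate` functions are all constructed for this illustration and are not the benchmark's own numbering or wording.

```python
"""Pipeline-stage control scanner for Dockerfiles (added example).

Derives a few container hardening controls (CIS-style, with constructed IDs)
and checks them against a Dockerfile as soon as code is pulled in CI.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Iterator


@dataclass(frozen=True)
class Finding:
    control: str   # constructed control ID (not CIS benchmark numbering)
    line: int      # 1-based Dockerfile line; 0 means "file-level"
    message: str


def _instructions(dockerfile: str) -> Iterator[tuple[int, str, str]]:
    """Yield (line, INSTRUCTION, args), joining backslash continuations."""
    buf, start = "", 0
    for lineno, raw in enumerate(dockerfile.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                      # comments/blank lines carry no instruction
        if not buf:
            start = lineno                # remember where a multi-line instruction began
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        buf += line
        parts = buf.split(None, 1)
        yield start, parts[0].upper(), (parts[1] if len(parts) > 1 else "")
        buf = ""


def scan_dockerfile(dockerfile: str) -> list[Finding]:
    """Return all control violations found in the Dockerfile text."""
    findings: list[Finding] = []
    last_user: str | None = None
    for lineno, instr, args in _instructions(dockerfile):
        if instr == "FROM":
            tokens = [t for t in args.split() if not t.startswith("--")]  # drop --platform
            image = tokens[0] if tokens else ""
            if image.lower() == "scratch":
                continue
            ref = image.rsplit("/", 1)[-1]  # strip registry/namespace before tag check
            if "@sha256:" not in image and (":" not in ref or ref.endswith(":latest")):
                findings.append(Finding("CTRL-IMG-PIN", lineno,
                                        f"base image '{image}' is not pinned to a version tag or digest"))
        elif instr == "USER":
            last_user = args.strip()      # the last USER wins at runtime
        elif instr == "ADD":
            findings.append(Finding("CTRL-ADD", lineno,
                                    "ADD can fetch URLs and auto-extract archives; use COPY"))
        elif instr == "RUN":
            if re.search(r"apt-get\s+update", args) and not re.search(
                    r"apt-get\s+(?:-\S+\s+)*install", args):
                findings.append(Finding("CTRL-APT-UPDATE", lineno,
                                        "apt-get update without install in the same layer (stale cache)"))
    if last_user is None or last_user in ("root", "0"):
        findings.append(Finding("CTRL-USER", 0, "no non-root USER set; container runs as root"))
    return findings


def run_gate(dockerfile: str) -> int:
    """Print findings and return a CI exit code (0 = pass, 1 = fail)."""
    findings = scan_dockerfile(dockerfile)
    for f in findings:
        print(f"{f.control} line {f.line}: {f.message}")
    return 1 if findings else 0


# Constructed sample inputs: a weak Dockerfile and its hardened counterpart.
WEAK_DOCKERFILE = "\n".join([
    "FROM python:latest",
    "RUN apt-get update",
    "ADD https://example.invalid/app.tar.gz /app/",
    "COPY . /app",
    'CMD ["python", "/app/main.py"]',
])

HARDENED_DOCKERFILE = "\n".join([
    "FROM python:3.11-slim",
    "RUN apt-get update && apt-get install -y --no-install-recommends curl \\",
    "    && rm -rf /var/lib/apt/lists/*",
    "COPY . /app",
    "USER 10001",
    'CMD ["python", "/app/main.py"]',
])

if __name__ == "__main__":
    raise SystemExit(run_gate(WEAK_DOCKERFILE))
```

In a pipeline, `run_gate` would read the Dockerfile from the checked-out repository and the job would fail on a non-zero exit, which is the point where the derived control becomes enforceable rather than documented.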

Creating compliance reports and guiding audits

DevOps is taking off rapidly in enterprises, and embedding security in DevOps is the logical next step. But how can enterprises be sure that their DevOps and DevSecOps practices are compliant with the frameworks that we've discussed throughout this chapter? The answer to that question is: by audit. IT systems are regularly audited, and so should DevOps practices be. Having said that, auditing DevOps is still uncharted territory, although major accounting firms such as KPMG and Deloitte have issued white papers on the subject.

DevOps audits should include at least the following topics:

  • Evaluating the DevSecOps strategy: Is the strategy clear? How is governance arranged? A DevOps strategy can be set per business unit or enterprise-wide. Both are fine, so long as the strategy is followed through consistently. The goals should be clear and adopted by every team. The same applies to the way of working across all disciplines in the team. Processes...

Summary

In this chapter, we discussed various security frameworks. These frameworks are guidelines for setting security controls for the IT environments of the enterprise. These controls apply to systems and applications, and also to the DevOps practice. From the moment developers pull code from a repository and start the build, up until deployment and production, IT environments, including CI/CD pipelines, need to adhere to security controls. There are a lot of different frameworks. Some of them are generic and broadly accepted by enterprises, such as NIST, CIS, and COBIT.

We also discussed the MITRE ATT&CK framework, which takes a different angle compared to other security control frameworks. MITRE ATT&CK lists tactics and techniques that attackers may use or have used to exploit vulnerabilities. Just like CIS, MITRE ATT&CK lists specifics for various platforms and technologies, including the containers that are commonly used in CI/CD.

In the last section...

Questions

  1. What ISO standard is specifically for the cloud?
  2. What two techniques does MITRE ATT&CK mention for containers under the execution tactic?
  3. True or false: CIS doesn't mention the versioning of Docker as a control.