DevSecOps
Obsidian’s DevSecOps approach encompasses the entire Software Development Lifecycle (SDLC) and include agile development, continuous integration, continuous testing, and continuous delivery while providing continuous security testing throughout every phase of the lifecycle.
The key steps for automation that enable our DevSecOps include:
-
Daily Code Commit: Our Developers check-in code on a daily basis into a central source code repository. SAST tools are run every time code is committed and attempt to highlight vulnerabilities within static source code using techniques such as Taint Analysis and Data Flow Analysis.
-
Automated Builds: A Continuous Integration (CI) server is continually polling the source repository for changes; when a change occurs, the code is checked out of the repository and built. The built software is stored in a repository manager by the CI server.
-
Automated Testing: The code is automatically unit tested; code quality tested; code static, dynamic, and interactively security tested; smoke and UI tested; and performance tested. DAST tools are run on operating code to detect issues with interfaces, requests, responses, scripting (i.e. JavaScript), data injection, sessions, authentication, and more. IAST tools are run using knowledge of application and data flow to create advanced attack scenarios.
-
Automated Delivery: The built version is deployed using provisioning tools that treat infrastructure as code and is integrated into the CDM testing tools, monitoring tools, and processes that may include Splunk, Nessus, McAfee ePO, New Relic, etc.
Continuous Integration (CI) and Continuous Delivery (CD) are designed to create an automation environment for the entire end-to-end release process so that every change to the application results in a releasable, security-validated version that is built automatically.
