DevSecOps aims to deliver better-quality software by incorporating security principles into the development process from the very beginning of the software development lifecycle. But how do you stay Agile while doing it?

Continuous Integration

The purpose of continuous integration (CI) is for developers to check in small, iterative code changes regularly. For most teams this means many updates a day to a shared source code repository, and one or more builds a day. The key is smaller, simpler changes, in which code defects are easier and quicker to find. These are fundamentally Agile concepts, implemented in processes that drive code rather than in methods that drive people (such as scrums and sprints).

Continuous Deployment

Continuous deployment (CD) looks very similar to CI but focuses on releasing software to end users rather than building it. It involves the same packaging, testing, and monitoring tasks, with some additional wrinkles. CD takes a further large step towards automation and flexibility: release management, deployment, and the final configuration of the application bundle are automated, and only then is the new application code launched.

DevSecOps: how to be Agile
App-Ray combines state-of-the-art static and dynamic analysis techniques developed in Fraunhofer AISEC research. It operates on Android bytecode and does not require the source code of the application. Users can choose whether to interact with the application manually in the test environment or to let the analysis run fully automatically and unassisted.

Where to Test

Meta Data Analysis

In a first preparatory step, an app’s metadata is assessed, revealing information about the application’s permissions, components, and structure. Information gathered in this step sets the scope for the following static analysis.
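The metadata step above is easiest to picture with a concrete manifest. The following is an added example, not App-Ray's own code or any real app's manifest: it parses a constructed AndroidManifest.xml, lists the requested permissions, and flags components that are effectively exported (explicitly, or implicitly through an intent-filter) yet carry no android:permission guard. The manifest text, package and component names are all assumptions made for the example.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed sample manifest for illustration; it is not taken from any real app.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.demo">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <application android:label="Demo">
    <activity android:name=".MainActivity" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity android:name=".DeepLinkActivity">
      <intent-filter>
        <action android:name="android.intent.action.VIEW"/>
        <category android:name="android.intent.category.DEFAULT"/>
        <category android:name="android.intent.category.BROWSABLE"/>
        <data android:scheme="demo" android:host="open"/>
      </intent-filter>
    </activity>
    <receiver android:name=".SyncReceiver" android:exported="true"
              android:permission="com.example.demo.permission.SYNC"/>
    <service android:name=".UploadService" android:exported="false"/>
    <provider android:name=".DataProvider"
              android:authorities="com.example.demo.data"
              android:exported="true"/>
  </application>
</manifest>
"""

COMPONENT_TAGS = ("activity", "service", "receiver", "provider")


def attr(elem, name):
    """Read an attribute from the android: namespace."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def is_launcher(component):
    """True for the app's main launcher activity, which has to be exported."""
    for flt in component.findall("intent-filter"):
        actions = {attr(a, "name") for a in flt.findall("action")}
        cats = {attr(c, "name") for c in flt.findall("category")}
        if "android.intent.action.MAIN" in actions and "android.intent.category.LAUNCHER" in cats:
            return True
    return False


def is_exported(component):
    """Effective exported state: an explicit android:exported wins; otherwise a
    component with an intent-filter is implicitly exported (the pre-API-31
    default, before the attribute became mandatory for filtered components)."""
    explicit = attr(component, "exported")
    if explicit is not None:
        return explicit.lower() == "true"
    return component.find("intent-filter") is not None


def analyze_manifest(xml_text):
    """Return (requested permissions, exported components with no guarding permission)."""
    root = ET.fromstring(xml_text)
    permissions = [attr(p, "name") for p in root.findall("uses-permission")]
    findings = []
    application = root.find("application")
    for comp in application:
        if comp.tag not in COMPONENT_TAGS or is_launcher(comp):
            continue
        if is_exported(comp) and attr(comp, "permission") is None:
            findings.append((comp.tag, attr(comp, "name")))
    return permissions, findings


if __name__ == "__main__":
    perms, exposed = analyze_manifest(SAMPLE_MANIFEST)
    print("permissions:", perms)
    for tag, name in exposed:
        print("exported without permission:", tag, name)
```

The two hits this produces, the deep-link activity (implicitly exported by its intent-filter) and the content provider (explicitly exported, no permission), are exactly the components that the later static and dynamic steps would target first.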

Desktop Security Tests

Most developers today work in Integrated Development Environments (IDEs). These include Visual Studio, Eclipse, IntelliJ, and so on, depending on the developer’s environment or programming language.

Code Repository Scanning

Source code management systems, configuration management databases, artifact and repository registries, and similar systems store code and support administrative tasks such as versioning, access control (IAM), and approval workflows.

Static Analysis

Static Application Security Testing (SAST) scans source code or compiled binaries. Its job is to find common vulnerability classes, even in code that has already been reviewed by hand. Static analysis investigates the bytecode and structure of an application without executing it. App-Ray features highly efficient bidirectional data-flow tracing, revealing unwanted data flows that can violate security and privacy requirements. Threats to data integrity and confidentiality, such as SQL injection or unprotected intents, are identified in this step.
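To make the data-flow idea concrete, here is an added example (not App-Ray's engine, whose internals the page does not describe) of the two directions such tracing combines: a forward pass that propagates source labels through registers and reports sinks that receive tainted data, and a backward def-use slice that explains each finding. It runs over a constructed, branch-free toy IR standing in for decompiled Dalvik bytecode; the instruction format, the source/sink/sanitizer lists and the sample program are all assumptions made for the example.

```python
# Constructed toy three-address IR standing in for decompiled Dalvik bytecode.
# It has no branches, so one forward pass suffices; a real analysis works on a
# control-flow graph and iterates to a fixpoint.
# Instruction shapes:
#   ("const",  dest, literal, [])
#   ("move",   dest, src_reg, [])
#   ("invoke", dest_or_None, callee, [arg registers])
SOURCES = {"TelephonyManager.getDeviceId"}
# Treating an escaper as a sanitizer is a policy choice for the example;
# parameterized queries are the better fix for SQL injection.
SANITIZERS = {"DatabaseUtils.sqlEscapeString"}
SINKS = {
    "SQLiteDatabase.execSQL": "sql-injection",
    "Context.sendBroadcast": "unprotected-intent",
    "Log.d": "identifier-leak",
}

PROGRAM = [
    ("invoke", "v0", "TelephonyManager.getDeviceId", []),        # 0: source
    ("const", "v1", "SELECT * FROM t WHERE id='", []),            # 1
    ("invoke", "v2", "StringBuilder.append", ["v1", "v0"]),       # 2: tainted concat
    ("invoke", "v3", "DatabaseUtils.sqlEscapeString", ["v0"]),    # 3: sanitized copy
    ("invoke", "v4", "StringBuilder.append", ["v1", "v3"]),       # 4: clean concat
    ("invoke", None, "SQLiteDatabase.execSQL", ["v2"]),           # 5: sink, tainted
    ("invoke", None, "SQLiteDatabase.execSQL", ["v4"]),           # 6: sink, clean
    ("move", "v5", "v0", []),                                     # 7
    ("invoke", None, "Log.d", ["v5"]),                            # 8: sink, tainted
]


def forward_taint(program):
    """Propagate source labels through registers and report every sink call that
    receives a tainted argument as (index, callee, category, sources)."""
    taint = {}  # register -> set of source names
    findings = []
    for idx, (op, dest, target, args) in enumerate(program):
        if op == "const":
            taint[dest] = set()
        elif op == "move":
            taint[dest] = set(taint.get(target, set()))
        elif op == "invoke":
            incoming = set().union(*(taint.get(a, set()) for a in args))
            if target in SINKS and incoming:
                findings.append((idx, target, SINKS[target], sorted(incoming)))
            if target in SOURCES:
                result = {target}
            elif target in SANITIZERS:
                result = set()
            else:
                result = incoming  # default: the callee's result derives from its inputs
            if dest is not None:
                taint[dest] = result
    return findings


def backward_slice(program, sink_idx):
    """Walk def-use chains backwards from a sink and return the indices of the
    instructions that produced its arguments: the 'why' behind a finding."""
    wanted = set(program[sink_idx][3])
    slice_idx = [sink_idx]
    for idx in range(sink_idx - 1, -1, -1):
        op, dest, target, args = program[idx]
        if dest in wanted:
            slice_idx.append(idx)
            wanted.discard(dest)
            if op == "move":
                wanted.add(target)
            elif op == "invoke":
                wanted.update(args)
    return sorted(slice_idx)


if __name__ == "__main__":
    for idx, callee, category, sources in forward_taint(PROGRAM):
        print(f"[{category}] {callee} at #{idx} receives data from {sources}; "
              f"slice: {backward_slice(PROGRAM, idx)}")
```

The second execSQL call is not reported because the only tainted input reaching it went through the sanitizer; the Log.d call is reported because a plain register move preserves the label.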

Dynamic Analysis

Dynamic Application Security Testing (DAST) crawls an application's interface at runtime and examines how it responds to various inputs. During plain dynamic analysis, the original app is executed in a test environment and its behavior is analyzed: screenshots are taken, network traffic is recorded, and a full trace of syscalls and accessed files is created. Private information sent out to advertisement and user-profiling platforms is identified. Users can choose whether to interact with the app themselves or to let the analysis run entirely automatically.
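The "private information sent to advertisement platforms" check comes down to matching seeded identifiers against recorded traffic. The following added example (not App-Ray's implementation) does that over a constructed capture of outbound requests: it looks for each identifier both in plain form and as the MD5/SHA-1/SHA-256 digests trackers commonly use to "anonymize" it, decodes percent-encoding first, and marks destinations outside the app's own hosts. The device profile values, hostnames and request bodies are all constructed for the example.

```python
import hashlib
from urllib.parse import unquote_plus, urlsplit

# Constructed device profile: identifiers seeded into the test device so that
# any appearance of them in outbound traffic is attributable. Not real values.
DEVICE_PROFILE = {
    "imei": "356938035643809",
    "android_id": "9774d56d682e549c",
    "email": "alice@example.com",
}
FIRST_PARTY_HOSTS = {"api.example.com", "cdn.example.com"}


def identifier_forms(value):
    """Plain value plus the hash digests trackers commonly send instead of it."""
    forms = {"plain": value}
    for algo in ("md5", "sha1", "sha256"):
        forms[algo] = hashlib.new(algo, value.encode()).hexdigest()
    return forms


# Constructed capture of outbound requests as (method, url, body). The last
# request carries a SHA-256 of the IMEI, computed here to keep the sample consistent.
CAPTURE = [
    ("POST", "https://api.example.com/v1/login", "user=alice%40example.com&pw=secret"),
    ("GET", "https://ads.tracker.test/collect?aid=9774d56d682e549c&app=demo", ""),
    ("POST", "https://metrics.analytics.test/event", '{"imei":"356938035643809","ev":"open"}'),
    ("GET", "https://cdn.example.com/img/logo.png", ""),
    ("POST", "https://profile.partner.test/sync",
     "h=" + hashlib.sha256(DEVICE_PROFILE["imei"].encode()).hexdigest()),
]


def find_pii_egress(capture, profile, first_party):
    """Report each request that carries a known identifier, in any form, and
    whether the destination lies outside the app's own infrastructure."""
    forms = {name: identifier_forms(value) for name, value in profile.items()}
    findings = []
    for method, url, body in capture:
        host = urlsplit(url).hostname
        # Decode percent-encoding so alice%40example.com matches alice@example.com.
        haystack = (unquote_plus(url) + "\n" + unquote_plus(body)).lower()
        for name, variants in forms.items():
            for form, token in variants.items():
                if token.lower() in haystack:
                    findings.append({
                        "method": method,
                        "host": host,
                        "identifier": name,
                        "form": form,
                        "third_party": host not in first_party,
                    })
    return findings


if __name__ == "__main__":
    for f in find_pii_egress(CAPTURE, DEVICE_PROFILE, FIRST_PARTY_HOSTS):
        flag = "THIRD PARTY" if f["third_party"] else "first party"
        print(f'{flag}: {f["identifier"]} ({f["form"]}) -> {f["host"]}')
```

Hashed identifiers are worth the extra lookups: a SHA-256 of a stable hardware ID is still a stable cross-app tracking key, so the partner sync request above is a finding even though the raw IMEI never appears in it.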

Hybrid Analysis

Guided by knowledge gained from static analysis and by modifications injected through instrumentation, App-Ray's hybrid analysis engine investigates the app's runtime behavior under specific security-relevant conditions and ensures that critical parts of the app are actually executed and observed. Tracing individual function calls and register values allows deep insight into the application's behavior. The hybrid engine attempts to provoke the execution of vulnerable code fragments and records otherwise encrypted traffic in plaintext, allowing it to be inspected for private information.

Composition and Vulnerability Analysis

Software composition analysis (SCA) tools check the versions of the open-source components an application depends on and assess the resulting risk, both from known vulnerabilities and from potential licensing issues.
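The two checks described above, vulnerable version ranges and license policy, reduce to a version comparison and a lookup. The following added example (not any particular SCA product's code) parses a constructed excerpt in the shape of Gradle's dependency-tree output, uses the resolved version rather than the declared one, and audits each dependency against a constructed advisory table with placeholder identifiers (not real CVEs) and a constructed license allow-list. All package names, advisory IDs and version ranges are assumptions made for the example.

```python
import re

# Constructed excerpt in the shape of `gradle dependencies` output. The `->`
# marks a version Gradle resolved differently from the one declared; the
# resolved version is the one that ships, so it is the one to check.
DEPENDENCY_TREE = """
+--- org.example:json-parser:2.3.1
|    \\--- org.example:net-client:1.4.0 -> 1.5.2
\\--- org.example:crypto-utils:0.9.0
"""

# Constructed advisory table with placeholder identifiers (not real CVEs).
# Ranges are half-open [introduced, fixed), as in OSV-style advisories;
# fixed=None means no fixed release exists yet.
ADVISORIES = [
    {"id": "ADV-0001", "package": "org.example:json-parser", "introduced": "2.0.0", "fixed": "2.3.2"},
    {"id": "ADV-0002", "package": "org.example:net-client", "introduced": "1.0.0", "fixed": "1.5.0"},
    {"id": "ADV-0003", "package": "org.example:crypto-utils", "introduced": "0.1.0", "fixed": None},
]

# Constructed license metadata and the licenses this (hypothetical) project allows.
LICENSES = {
    "org.example:json-parser": "Apache-2.0",
    "org.example:net-client": "MIT",
    "org.example:crypto-utils": "GPL-3.0-only",
}
ALLOWED_LICENSES = {"Apache-2.0", "MIT", "BSD-3-Clause"}

DEP_RE = re.compile(r"(?P<group>[\w.\-]+):(?P<name>[\w.\-]+):(?P<declared>[\w.\-]+)"
                    r"(?:\s+->\s+(?P<resolved>[\w.\-]+))?")


def version_key(version):
    """Numeric components only; '1.5' and '1.5.0' compare equal after padding."""
    return tuple(int(p) for p in re.findall(r"\d+", version))


def compare_versions(a, b):
    """-1, 0 or 1 like a classic comparator."""
    ka, kb = version_key(a), version_key(b)
    width = max(len(ka), len(kb))
    ka += (0,) * (width - len(ka))
    kb += (0,) * (width - len(kb))
    return (ka > kb) - (ka < kb)


def is_affected(version, introduced, fixed):
    if compare_versions(version, introduced) < 0:
        return False
    return fixed is None or compare_versions(version, fixed) < 0


def parse_tree(text):
    """Map 'group:name' -> resolved version, de-duplicating repeated nodes."""
    resolved = {}
    for line in text.splitlines():
        m = DEP_RE.search(line)
        if m:
            coord = f"{m['group']}:{m['name']}"
            resolved[coord] = m["resolved"] or m["declared"]
    return resolved


def audit(tree_text, advisories, licenses, allowed):
    """Return (vulnerability hits, license policy violations)."""
    deps = parse_tree(tree_text)
    vulns = [(adv["id"], pkg, ver)
             for pkg, ver in deps.items()
             for adv in advisories
             if adv["package"] == pkg and is_affected(ver, adv["introduced"], adv["fixed"])]
    license_issues = [(pkg, licenses.get(pkg, "UNKNOWN"))
                      for pkg in deps
                      if licenses.get(pkg) not in allowed]
    return vulns, license_issues


if __name__ == "__main__":
    vulns, license_issues = audit(DEPENDENCY_TREE, ADVISORIES, LICENSES, ALLOWED_LICENSES)
    for adv_id, pkg, ver in vulns:
        print(f"{adv_id}: {pkg} {ver} is in the affected range")
    for pkg, lic in license_issues:
        print(f"license policy: {pkg} is {lic}")
```

Note that net-client is not reported: the declared 1.4.0 sits inside ADV-0002's range, but the build actually resolves 1.5.2. Scanning the lock file or resolved tree, rather than the build script, is what makes the result match what ships.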

Instrumentations

Instrumentation makes slight modifications to the app in order to extract specific information from it during hybrid static/dynamic analysis. Guided by findings from the static analysis step, specially prepared versions of the app are crafted that automatically jump to the relevant parts and report meaningful information when executed.

Manual Code Review

Some companies insist that code changes are reviewed by humans, even if that review does not always happen before the code is published. Such a review often surfaces obvious errors that the testing tools missed. Any defect class it reveals should then be fed back into the next version of the tests and tool rules, so that it is caught automatically in future.

Security Unit Tests

Unit tests check small sub-components or fragments ("units") of an application. Security unit tests are intended to be long-lived: they are checked into the source repository alongside the code they cover and are run by every developer who subsequently contributes to that module.
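A security unit test differs from an ordinary one in that each case pins a specific bypass technique, so that a later refactor cannot quietly reopen it. As an added example (not code from the page or any project it mentions), here is a hypothetical redirect/deep-link host validator together with the tests a reviewer would expect to see checked in beside it; the trusted host list and the validator itself are assumptions made for the example.

```python
import unittest
from urllib.parse import urlsplit

# Hosts this (hypothetical) app is allowed to redirect or deep-link to.
TRUSTED_HOSTS = {"example.com", "www.example.com"}


def is_trusted_redirect(url):
    """Accept only https URLs whose host is exactly one of TRUSTED_HOSTS."""
    # Browsers and WebView treat '\' like '/', Python's parser does not;
    # reject it outright rather than let the two disagree about the host.
    if "\\" in url:
        return False
    try:
        parts = urlsplit(url)
    except ValueError:
        return False
    if parts.scheme.lower() != "https":
        return False
    host = parts.hostname  # lowercased, with userinfo and port stripped
    return host is not None and host in TRUSTED_HOSTS


class RedirectValidatorTests(unittest.TestCase):
    """Each test pins one bypass technique by name."""

    def test_accepts_trusted_hosts(self):
        self.assertTrue(is_trusted_redirect("https://example.com/account"))
        self.assertTrue(is_trusted_redirect("https://WWW.Example.com:443/x"))

    def test_rejects_plain_http(self):
        self.assertFalse(is_trusted_redirect("http://example.com/"))

    def test_rejects_suffix_and_prefix_lookalikes(self):
        self.assertFalse(is_trusted_redirect("https://example.com.evil.test/"))
        self.assertFalse(is_trusted_redirect("https://evilexample.com/"))

    def test_rejects_userinfo_trick(self):
        # The real host here is evil.test; example.com is only the username.
        self.assertFalse(is_trusted_redirect("https://example.com@evil.test/"))

    def test_rejects_backslash_confusion(self):
        self.assertFalse(is_trusted_redirect("https://evil.test\\@example.com/"))

    def test_rejects_non_http_schemes_and_scheme_relative(self):
        self.assertFalse(is_trusted_redirect("javascript:alert(1)"))
        self.assertFalse(is_trusted_redirect("//example.com/"))

    def test_rejects_encoded_dot(self):
        self.assertFalse(is_trusted_redirect("https://example.com%2eevil.test/"))


if __name__ == "__main__":
    unittest.main()
```

The backslash case is the one most often missing: without the explicit check, Python's urlsplit reports example.com as the host of https://evil.test\@example.com/ while a browser or WebView would navigate to evil.test, and the validator would pass a URL the user agent interprets differently.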

Risk and Exposure Analysis

With DevOps you need to close the loop on issues found in infrastructure and security testing as well as in code. Patching, code changes, blocking, and functional whitelisting (allow-listing) are all options for closing security gaps.

Security’s Role in DevOps

The Security Pro’s Responsibilities

Learn the DevOps model

You need to understand the cultural and philosophical changes as well as how they affect process, tooling, and priorities. You also need to understand how your organization can best integrate security tooling and metrics into that model.

Learn how to be agile

We hope this DevSecOps and Agile overview brings the topic closer to you. DevSecOps is all about people, process, and technology, applying lean principles and automation to drive better collaboration between application delivery and IT operations teams. It extends the Agile mindset by bringing operations and security into the process.

As a versatile analysis tool, App-Ray can be a good fit for DevSecOps organizations that develop mobile applications.