ATVM & Infra Training

Day 4
LTI 23-09-2023
Introduction to Infrastructure Penetration Testing

Infrastructure penetration testing, often referred to as network penetration testing, is a crucial component of cybersecurity
that assesses the security of an organization's IT infrastructure. This process involves simulating cyberattacks to identify
vulnerabilities, weaknesses, and potential entry points within a network or system. The primary goal is to help organizations
strengthen their security measures by addressing these vulnerabilities before malicious actors can exploit them.

Penetration testers, also known as ethical hackers or white-hat hackers, use a combination of tools and manual techniques
to evaluate the security posture of an organization's infrastructure. Below, we'll provide an overview of some common tools
and manual techniques used in infrastructure penetration testing, along with examples, case studies, and studies to illustrate
their applications:

2
Tools for Infrastructure Penetration Testing

Nmap:
Description: Network Mapper (Nmap) is a powerful open-source tool for network discovery and vulnerability scanning.
Example: A penetration tester can use Nmap to scan an organization's network to identify open ports, services running on
those ports, and potential vulnerabilities.

3
Metasploit

Description: Metasploit is a widely-used penetration testing framework that helps testers exploit vulnerabilities and perform
post-exploitation activities.
Example: A tester can leverage Metasploit to exploit a known vulnerability in a web server to gain unauthorized access and
demonstrate the potential risks.

4
Metasploit Overview
• Metasploit is an open-source penetration testing framework.
• It provides a wide range of tools for discovering, exploiting, and post-exploitation activities on vulnerabilities in systems.
• Metasploit simplifies penetration testing by offering a comprehensive set of modules and payloads.

5
Example: Exploiting a Known Vulnerability
with Metasploit
Scenario:
Imagine you are tasked with assessing the security of a web server and have identified a known vulnerability that you want
to exploit using Metasploit.
Step 1: Launch Metasploit Framework
• Open a terminal window.
• Start the Metasploit Framework by running:

Step 2: Search for the Vulnerability Module

• Once in the Metasploit console, you can search for
modules related to the vulnerability you're targeting.
For example, let's say you're looking for an Apache Struts vulnerability:
• Review the search results to identify the relevant module, typically marked with an "exploit" or "auxiliary" tag.

6
Example: Exploiting a Known Vulnerability
with Metasploit

Step 3: Set Module Options

• Use the use command to select the module you want to use. Replace <module_name> with the actual name of the module:

• Set the required options for the selected module. These options vary depending on the module and vulnerability. For
instance:

7
Example: Exploiting a Known Vulnerability
with Metasploit

Step 4: Exploit the Vulnerability

• Once you've set the necessary options, you can initiate the exploitation process:

• Metasploit will attempt to exploit the vulnerability on the target system using the provided options.
Step 5: Post-Exploitation
• If the exploit is successful, you'll gain access to the target system.
• You can perform various post-exploitation activities, such as:
▪ Gathering information about the system.
▪ Privilege escalation.
▪ Data exfiltration.
▪ Further exploration of the network.

8
Example: Exploiting a Known Vulnerability
with Metasploit

Step 6: Cleanup
After completing your assessment, it's crucial to maintain ethical conduct. Ensure that you have proper authorization for your
actions and clean up any traces of your presence on the target system.

Notes:
▪ Metasploit simplifies the exploitation process by providing pre-built modules, but ethical considerations and proper
authorization are paramount when using such tools.
▪ Always ensure you have permission to conduct penetration tests on a target system or network, as unauthorized access
can have legal consequences.

This example demonstrates the basic process of exploiting a known vulnerability using Metasploit. In real-world scenarios,
penetration testers and ethical hackers use Metasploit responsibly to identify and remediate vulnerabilities in a controlled
and authorized manner.

9
Wireshark

Description: Wireshark is a network protocol analyzer that allows testers to capture and analyze network traffic.
Example: During a penetration test, Wireshark can help identify suspicious or malicious network activities, such as
unauthorized data exfiltration.

Wireshark Overview:
▪ Wireshark is a popular open-source network protocol analyzer.
▪ It allows users to capture and analyze network traffic in real-time or from saved capture files.
▪ Wireshark is valuable for network troubleshooting, security analysis, and understanding network behavior.

10
Example: Analyzing Network
Traffic with Wireshark

Scenario:

You want to troubleshoot network connectivity issues on a computer by capturing and analyzing network traffic using
Wireshark.

Step 1: Install Wireshark

• Download and install Wireshark from the official website for your operating system.

11
Example: Analyzing Network
Traffic with Wireshark

Step 2: Launch Wireshark

• Open Wireshark from your applications
or Start menu

12
Example: Analyzing Network
Traffic with Wireshark

Step 3: Choose a Network Interface

• In the main Wireshark window, select the
network interface that you want to capture
traffic from. It could be a wired or wireless
network adapter

13
Example: Analyzing Network
Traffic with Wireshark
Step 4: Start Capturing Traffic
• Click the "Start" button in Wireshark to begin
capturing network traffic

14
Example: Analyzing Network
Traffic with Wireshark

Step 5: Observe Network Traffic

• Wireshark will start capturing packets as they pass through the selected network interface.

• You will see a list of captured packets in the main Wireshark window. Each line represents a network packet.

15
Example: Analyzing Network
Traffic with Wireshark
Step 6: Analyze Packets
• To analyze a specific packet, select it from the list. Wireshark provides detailed information about the packet in the bottom
panel.

• You can view packet details,

including source and destination
IP addresses, port numbers,
protocols, and the content of the
packet.

16
Example: Analyzing Network
Traffic with Wireshark

Step 7: Apply Filters

• Wireshark allows you to apply filters to narrow down the captured packets. For example, you can filter packets by IP
address, port, or protocol.
• To apply a filter, enter the filter criteria in the "Display Filter" field at the top of the Wireshark window.

17
Example: Analyzing Network
Traffic with Wireshark

Step 8: Stop Capturing Traffic

• When you've captured enough data or want to stop monitoring, click the "Stop" button in Wireshark.

18
Example: Analyzing Network
Traffic with Wireshark

Step 9: Save and Analyze Captured Data

• You can save the captured data as a capture file for further analysis or sharing with others.
• To analyze the captured data later, you can open the capture
file in Wireshark.

19
Example: Analyzing Network
Traffic with Wireshark

Notes:

1. Wireshark is a powerful tool for network analysis and troubleshooting, but it should be used responsibly and with proper
authorization.
2. Ensure that you are capturing traffic on a network you have permission to monitor.
3. This example demonstrates the basic process of capturing and analyzing network traffic using Wireshark for
troubleshooting purposes. Wireshark's capabilities extend to more advanced use cases, including network security analysis,
performance optimization, and protocol debugging.

20
Example: Analyzing Network
Traffic with Wireshark
4. Burp Suite:
Description: Burp Suite is a web application security testing tool that helps identify and mitigate web vulnerabilities.
Example: A penetration tester can use Burp Suite to perform a thorough assessment of a web application, finding issues like
SQL injection or cross-site scripting (XSS).

21
Manual Techniques for Infrastructure Penetration Testing

Password Cracking:

Description: Testers use various techniques like brute force attacks and dictionary attacks to crack passwords and gain
unauthorized access.
Example: Trying common passwords and using password lists to crack weak user credentials.

22
Tools for Password Cracking

1. John the Ripper:

• One of the most well-known and versatile password cracking tools.
• Supports various password hash algorithms and encryption methods.
• Can perform dictionary attacks, brute force attacks, and more

23
Tools for Password Cracking

2. Hashcat:
• A powerful open-source password cracking tool.
• Supports a wide range of hashing algorithms and attack modes.
• Known for its speed and efficiency in cracking passwords.

24
Tools for Password Cracking

3. Cain and Abel:

• A Windows-based password recovery tool.
• Supports dictionary attacks, brute force
attacks, and cryptanalysis attacks.
• Also has additional network and system
hacking capabilities

25
Tools for Password Cracking

4. Hydra:
• A fast and flexible network login cracker.
• Supports various protocols like SSH, HTTP, FTP, RDP, and more.
• Can perform dictionary attacks, brute force attacks, and incremental attacks.

26
Social Engineering

Description: Social engineering involves manipulating individuals to reveal sensitive information or grant unauthorized
access.
Example: Phishing attacks, where testers send deceptive emails to employees to trick them into clicking on malicious links
or providing login credentials.

27
Case Study

28
Let's consider a hypothetical case study

Scenario: An e-commerce company wants to assess the security of its online shopping platform. They hire a penetration
testing team to identify vulnerabilities.

Process:
• The team uses Nmap to scan the company's web servers, identifying open ports and services.
• Burp Suite is employed to thoroughly analyze the web application for common vulnerabilities like SQL injection.
• A penetration tester conducts a social engineering test by sending phishing emails to employees to assess their
susceptibility.
• Weak passwords are identified and cracked using password cracking tools.
• Metasploit is used to exploit a discovered vulnerability in the web application and demonstrate the impact of a potential
attack.

29
Studies and Resources

To further explore infrastructure penetration testing, consider these resources and studies:

1. OWASP Top Ten Project: This project by the Open Web Application Security Project (OWASP) provides detailed information
on the top web application security risks, making it an essential resource for web application penetration testing.

2. Penetration Testing Execution Standard (PTES): PTES is a comprehensive framework for conducting penetration tests,
covering various aspects of network and system security testing.

3. Certifications: Consider pursuing certifications like Certified Information Systems Security Professional (CISSP), Certified
Ethical Hacker (CEH), or Offensive Security Certified Professional (OSCP) to gain expertise in penetration testing.

4. Case Studies and Reports: Look for case studies and reports from reputable security firms and organizations to learn
about real-world penetration testing engagements and their outcomes.

30
Introduction to Red Team Approach & Operations

The Red Team approach is a cybersecurity strategy that involves simulating cyberattacks to evaluate an organization's
security posture. This approach helps identify vulnerabilities, weaknesses, and potential entry points in a proactive and
controlled manner. Red Team operations are designed to mimic the tactics, techniques, and procedures (TTPs) of real-world
adversaries, allowing organizations to strengthen their defenses.

31
Key Components of Red Team Approach

1. Objective-Oriented: Red Teams work with specific objectives in mind, such as breaching a network, compromising sensitive
data, or disrupting operations.

2. Realistic Scenarios: Red Team operations replicate actual threats, using the same tools and tactics employed by cyber
adversaries.

3. Assessment and Evaluation: The primary goal is to assess an organization's security controls and responses, identifying
areas for improvement.

4. Reporting and Recommendations: Red Teams provide detailed reports with findings and recommendations to enhance
security measures.

5. Collaboration: Red Team operations often involve collaboration with the organization's Blue Team (defenders) to improve
detection and response capabilities.

32
Example of Red Team Operations

Scenario: A financial institution wants to test its security measures against a sophisticated cyberattack.
Operations:

1. Objective Definition: The Red Team defines clear objectives, such as gaining access to sensitive financial data or disrupting
critical services.
2. Reconnaissance: The team gathers information about the target organization, including its infrastructure, employees, and
potential vulnerabilities.
3. Attack Simulation: Red Team members employ a variety of tactics, such as spear-phishing, social engineering, and
network penetration, to simulate a cyberattack.
4. Evasion Techniques: They use evasion techniques to avoid detection by security systems and continue their operations
undetected.
5. Exfiltration: If successful, the Red Team exfiltrates data or achieves its defined objectives, demonstrating the potential
impact of a real attack.
6. Reporting: A comprehensive report is created, detailing the methods used, vulnerabilities discovered, and
recommendations for improvement.

33
Case Study: Target Data Breach (2013)

• In one of the most infamous data breaches, the retail giant Target fell victim to a cyberattack. Hackers gained access
through a third-party HVAC contractor and exploited vulnerabilities in the network.
• The breach exposed credit card information and personal data of approximately 40 million customers.
• A Red Team-style analysis of this incident might have identified the contractor's weak security practices and helped Target
improve its vendor risk management.

34
Studies and Resources

1. MITRE ATT&CK Framework: The MITRE ATT&CK framework provides a comprehensive resource for understanding adversary
TTPs and enhancing detection and response strategies.

2. Cybersecurity Certification: Pursue certifications like Certified Information Systems Security Professional (CISSP) and
Certified Ethical Hacker (CEH) to gain expertise in Red Team operations.

3. Red Team Assessment Guidelines: Review guidelines and best practices for conducting Red Team assessments, such as
those published by NIST or OWASP.

Red Team operations are an essential part of proactive cybersecurity, helping organizations identify vulnerabilities and
improve their security posture. When executed effectively, they provide valuable insights into an organization's strengths and
weaknesses, allowing for continuous improvement in cyber defense strategies.

35
Introduction to DevSecOps – Tools, Techniques

What Is DevSecOps (DevOps Security)?

DevSecOps is the convergence of development, security, and operations. It is an organizational pattern that aims to adopt
security from the beginning of the software development life cycle (SDLC) through to the end.

Previously, security was added to applications later in the life cycle, after development was complete. Agile development
practices and advances in cloud platforms, microservices, and containers, make this impractical, because security cannot
keep up with rapid releases.

DevSecOps solves this problem by integrating security with DevOps. Security becomes an integral, automated part of
continuous integration (CI) and continuous delivery (CD) pipelines, and a responsibility shared by all teams. Developers
become aware of security practices and implement them from the onset of a development project.

36
DevSecOps Benefits and Challenges
DevSecOps provides the following benefits:
Fast, cost-effective delivery: traditional software development methods often result in huge bottlenecks and delays due to security
issues. Addressing security flaws and fixing code is often time-consuming and costly. DevSecOps enables faster, secure software
delivery to save time and reduce technical debt, thus lowering costs by reducing the need for repeated processes at the end of the
delivery cycle.
A proactive approach to security: DevSecOps introduces security processes at the beginning of the software development cycle and
ensures the code passes continued reviews, audits, tests, and scans throughout the development pipeline. Development teams can
address security issues immediately when discovered, remediating problems before they introduce more dependencies. This
approach makes security more effective and less expensive.
Fast vulnerability remediation: DevSecOps helps teams identify security vulnerabilities quickly and apply patches early. It integrates
vulnerability detection and patching into the development cycle to prevent the release of the vulnerable software. Early patching
also reduces the opportunity for threat actors to exploit vulnerabilities, especially for publicly exposed common vulnerabilities and
exposures (CVEs).
Automation-driven development: DevSecOps teams can integrate security testing into automated test suites, enabling streamlined
operations. Organizations can leverage continuous integration/continuous delivery (C/CI) pipelines to automate development and
security processes.
The main objective of DevSecOps is to introduce security processes early in the development lifecycle, helping reduce vulnerabilities
and aligning IT and business objectives with security requirements.
However, organizations may also face obstacles when adopting DevSecOps, especially if they lack the proper governance strategies,
technologies, and expertise. Usually, hiring or retraining staff is necessary to provide security skills and adjust the development
team’s responsibilities. There is a shortage of security professionals with DevSecOps experience, and developers often struggle to
embrace a security-driven culture.
Each organization has unique challenges and must determine the best DevSecOps strategy for its existing infrastructure, policies,
and business needs. Businesses can overcome these challenges, especially once management, development, IT, and security teams
realize the benefits of implementing DevSecOps.
37
What Is a DevSecOps Pipeline?
Here are the main stages of a DevSecOps pipeline. These are the security-oriented stages that occur alongside traditional DevOps
pipeline stages—such as planning, development, testing, and deployment.
1. Threat Modeling
Threat modeling outlines possible attack scenarios, describes sensitive data flows, vulnerabilities, and potential mitigation options.
This step helps close the security gap and improve security knowledge for everyone on the team.
2. Security Testing
Scanning is the process of analyzing code, artifacts, and running software to identify security weaknesses. This includes manual and
automated code reviews, application security tools such as static/dynamic application security testing (SAST/DAST), vulnerability
assessment, and penetration testing. This step allows developers to address security vulnerabilities and bugs early in the software
development lifecycle.
3. Analysis and Prioritization
The analysis phase identifies security risks by reviewing all data and metrics collected during security testing. These risks are then
aggregated into a list and prioritized by their potential business impact and likelihood of exploitation.
4. Remediation
After identifying and security vulnerabilities in the previous steps, teams take steps to remediate those vulnerabilities. Continuous
testing tools, and processes like penetration testing, provide actionable guidance on how to address security weaknesses. Teams
can then address vulnerabilities in order of priority.
5. Monitoring
Monitoring involves tracking the overall security posture of an application, to identify new vulnerabilities or misconfigurations that
can occur while it is running in production. In addition, monitoring is critical for discovering threats and security breaches. When a
threat is discovered or a breach occurs, lessons should be learned to improve the DevSecOps process and prevent similar incidents
in the future.

38
What Are DevSecOps Tools?
Tools are an integral part of DevSecOps. This is because in a fast-changing DevOps environment, security must be automated
and tightly integrated with the CI/CD pipeline.

DevSecOps tools have three main goals:

Continuous security testing: detects security vulnerabilities as soon as they occur, minimizing risk and allowing rapid
remediation without slowing down the development pipeline.
Support security teams: enabling easy monitoring and control over development projects without having to manually review
and approve each release.
Support development teams: assisting developers in applying secure coding practices. Automated tools can notify developers
about security issues during all stages of development, to enable quick fixes and promote developer security education.
Tools:
1. Gitlab
2. Docker
3. Veracode

39
DevSecOps Best Practices
DevSecOps is the seamless integration of security processes and controls into the development and delivery pipeline. Here
are some best practices to help ensure effective DevSecOps implementation.

40
Shifting Security Left

Shifting left is the core principle of DevOps and, by extension, DevSecOps. It involves moving processes—in this case,
security: from the end of the delivery process to the beginning, known as the “left” of the pipeline. DevSecOps environments
place security at the start of the development lifecycle, requiring software and security engineers to collaborate with the
development team.
The DevSecOps team is collectively responsible for ensuring each component and configuration is secure. Every team
member must implement security patches and document their processes. Shifting security left allows the team to discover
security risks early, enabling the immediate remediation of security threats and facilitating rapid, smooth delivery cycles. The
developers consider security in addition to their traditional build processes.

41
Security Training

Security requires a combination of compliance and software engineering processes. Developers, software engineers, and
security specialists should work closely with the compliance department to keep everyone up-to-date with the organization’s
security policies. All employees should undergo periodic training to ensure they understand their responsibilities.
All individuals involved in the software delivery process must be familiar with basic application security principles, including
awareness of the Open Web Application Security Project (OWASP), security testing processes, and software engineering best
practices. Developers must understand threat models and compliance assessments. They should know how to identify and
measure security risks and exposures and apply security controls.

42
Workplace Culture

Successful DevSecOps require a workplace culture that embraces change and takes security seriously. An organization’s
leadership should encourage collaborative attitudes and promote communication to enable a unified security effort.
Developers and software engineers must take ownership of the security processes incorporated into the delivery cycle.

The DevSecOps team should establish a system that incorporates appropriate practices and technologies. The team should be
free to create a workflow environment that suits its needs, allowing each team member to become invested in the project’s
success.

43
Observability and Monitoring

Maintaining security requires continuous monitoring and observability solutions to provide security insights and help keep
track of the development environment’s risks. An effective observability strategy should incorporate the following elements:

Visibility: the ability to view the development and security processes is essential for maintaining DevSecOps environments.
Organizations must use monitoring systems to measure operations, generate alerts, and provide awareness of threats and
attacks. Visibility is important for ensuring accountability throughout the project’s lifecycle.

Traceability: organizations must be able to track security configurations and code issues throughout the development
pipeline. It is essential for enforcing controls and helps organizations maintain compliance, minimize bugs, secure the code,
and facilitate code fixes.

Auditability: organizations must conduct audits to comply with internal security policies and government regulations. All
security controls must be auditable and well-documented.

44
Introduction to DevSecOps – Tools, Techniques

What Is DevSecOps (DevOps Security)?

DevSecOps is the convergence of development, security, and operations. It is an organizational pattern that aims to adopt
security from the beginning of the software development life cycle (SDLC) through to the end.
Previously, security was added to applications later in the life cycle, after development was complete. Agile development
practices and advances in cloud platforms, microservices, and containers, make this impractical, because security cannot
keep up with rapid releases.
DevSecOps solves this problem by integrating security with DevOps. Security becomes an integral, automated part of
continuous integration (CI) and continuous delivery (CD) pipelines, and a responsibility shared by all teams. Developers
become aware of security practices and implement them from the onset of a development project.

45
DevSecOps Benefits and Challenges

DevSecOps provides the following benefits:

Fast, cost-effective delivery—traditional software development methods often result in huge bottlenecks and delays due to
security issues. Addressing security flaws and fixing code is often time-consuming and costly. DevSecOps enables faster,
secure software delivery to save time and reduce technical debt, thus lowering costs by reducing the need for repeated
processes at the end of the delivery cycle.
A proactive approach to security—DevSecOps introduces security processes at the beginning of the software development
cycle and ensures the code passes continued reviews, audits, tests, and scans throughout the development pipeline.
Development teams can address security issues immediately when discovered, remediating problems before they introduce
more dependencies. This approach makes security more effective and less expensive.
Fast vulnerability remediation—DevSecOps helps teams identify security vulnerabilities quickly and apply patches early. It
integrates vulnerability detection and patching into the development cycle to prevent the release of the vulnerable software.
Early patching also reduces the opportunity for threat actors to exploit vulnerabilities, especially for publicly exposed
common vulnerabilities and exposures (CVEs).
Automation-driven development—DevSecOps teams can integrate security testing into automated test suites, enabling
streamlined operations. Organizations can leverage continuous integration/continuous delivery (C/CI) pipelines to automate
development and security processes.

46
DevSecOps Benefits and Challenges

The main objective of DevSecOps is to introduce security processes early in the development lifecycle, helping reduce
vulnerabilities and aligning IT and business objectives with security requirements.

However, organizations may also face obstacles when adopting DevSecOps, especially if they lack the proper governance
strategies, technologies, and expertise. Usually, hiring or retraining staff is necessary to provide security skills and adjust the
development team’s responsibilities. There is a shortage of security professionals with DevSecOps experience, and
developers often struggle to embrace a security-driven culture.

Each organization has unique challenges and must determine the best DevSecOps strategy for its existing infrastructure,
policies, and business needs. Businesses can overcome these challenges, especially once management, development, IT, and
security teams realize the benefits of implementing DevSecOps.

47
DevSecOps Benefits and Challenges

48
DevSecOps Benefits and Challenges

What Is a DevSecOps Pipeline?

Here are the main stages of a DevSecOps pipeline. These are the security-oriented stages that occur alongside traditional
DevOps pipeline stages—such as planning, development, testing, and deployment.

1. Threat Modeling
Threat modeling outlines possible attack scenarios, describes sensitive data flows, vulnerabilities, and potential mitigation
options. This step helps close the security gap and improve security knowledge for everyone on the team.

2. Security Testing
Scanning is the process of analyzing code, artifacts, and running software to identify security weaknesses. This includes
manual and automated code reviews, application security tools such as static/dynamic application security testing
(SAST/DAST), vulnerability assessment, and penetration testing. This step allows developers to address security
vulnerabilities and bugs early in the software development lifecycle.

49
DevSecOps Benefits and Challenges

3. Analysis and Prioritization

The analysis phase identifies security risks by reviewing all data and metrics collected during security testing. These risks
are then aggregated into a list and prioritized by their potential business impact and likelihood of exploitation.

4. Remediation
After identifying and security vulnerabilities in the previous steps, teams take steps to remediate those vulnerabilities.
Continuous testing tools, and processes like penetration testing, provide actionable guidance on how to address security
weaknesses. Teams can then address vulnerabilities in order of priority.

5. Monitoring
Monitoring involves tracking the overall security posture of an application, to identify new vulnerabilities or
misconfigurations that can occur while it is running in production. In addition, monitoring is critical for discovering threats
and security breaches. When a threat is discovered or a breach occurs, lessons should be learned to improve the DevSecOps
process and prevent similar incidents in the future.

50
DevSecOps Benefits and Challenges

What Are DevSecOps Tools?

Tools are an integral part of DevSecOps. This is because in a fast-changing DevOps environment, security must be automated
and tightly integrated with the CI/CD pipeline.

DevSecOps tools have three main goals:

Continuous security testing—detects security vulnerabilities as soon as they occur, minimizing risk and allowing rapid
remediation without slowing down the development pipeline.

Support security teams—enabling easy monitoring and control over development projects without having to manually review
and approve each release.

Support development teams—assisting developers in applying secure coding practices. Automated tools can notify
developers about security issues during all stages of development, to enable quick fixes and promote developer security
education.

51
DevSecOps Benefits and Challenges

DevSecOps Best Practices

DevSecOps is the seamless integration of security processes and controls into the development and delivery pipeline. Here
are some best practices to help ensure effective DevSecOps implementation.

Shifting Security Left

Shifting left is the core principle of DevOps and, by extension, DevSecOps. It involves moving processes—in this case,
security—from the end of the delivery process to the beginning, known as the “left” of the pipeline. DevSecOps environments
place security at the start of the development lifecycle, requiring software and security engineers to collaborate with the
development team.

The DevSecOps team is collectively responsible for ensuring each component and configuration is secure. Every team
member must implement security patches and document their processes. Shifting security left allows the team to discover
security risks early, enabling the immediate remediation of security threats and facilitating rapid, smooth delivery cycles. The
developers consider security in addition to their traditional build processes.

52
DevSecOps Benefits and Challenges

Security Training
Security requires a combination of compliance and software engineering processes. Developers, software engineers, and
security specialists should work closely with the compliance department to keep everyone up-to-date with the organization’s
security policies. All employees should undergo periodic training to ensure they understand their responsibilities.
All individuals involved in the software delivery process must be familiar with basic application security principles, including
awareness of the Open Web Application Security Project (OWASP), security testing processes, and software engineering best
practices. Developers must understand threat models and compliance assessments. They should know how to identify and
measure security risks and exposures and apply security controls.

Workplace Culture
Successful DevSecOps require a workplace culture that embraces change and takes security seriously. An organization’s
leadership should encourage collaborative attitudes and promote communication to enable a unified security effort.
Developers and software engineers must take ownership of the security processes incorporated into the delivery cycle.
The DevSecOps team should establish a system that incorporates appropriate practices and technologies. The team should be
free to create a workflow environment that suits its needs, allowing each team member to become invested in the project’s
success.

53
DevSecOps Benefits and Challenges

Observability and Monitoring

Maintaining security requires continuous monitoring and observability solutions to provide security insights and help keep
track of the development environment’s risks. An effective observability strategy should incorporate the following elements:

Visibility—the ability to view the development and security processes is essential for maintaining DevSecOps environments.
Organizations must use monitoring systems to measure operations, generate alerts, and provide awareness of threats and
attacks. Visibility is important for ensuring accountability throughout the project’s lifecycle.

Traceability—organizations must be able to track security configurations and code issues throughout the development
pipeline. It is essential for enforcing controls and helps organizations maintain compliance, minimize bugs, secure the code,
and facilitate code fixes.

Auditability—organizations must conduct audits to comply with internal security policies and government regulations. All
security controls must be auditable and well-documented.

54
Thank You

55