The DevSecOps topic is broad, it consists of the development, security and operations team working together in continuous deployment cycles, where functions that each of these teams need are automated, such as compilation/build, provisioning and infrastructure configuration , quality tests, security tests, monitoring, etc.
The particular recommendation related to this point is that your organization adopt this operation model as way of working with processes (pipelines) of continuous deployment, implementing microservices with low cohesion, and ensuring that as part of this deployment, security is taken into account from the very beginning of a software release, as is shown in the following topics:
If you deploy code on instances, take the following precautions:
They can perform security tests on the Code (Static Application Security Testing), with tools such as Veracode or Fortify and dynamic analysis (DAST) with tools such as Aqua or Acunetix , The key point of these revisions is that it be carried out as part of the application deployment process, and that when any high or critical vulnerability is found, the transition to production is interrupted.
The sooner the vulnerabilities are found, the more convenient it will be for the remediation in the effort, economically, and in time.
It also adds value that the tools verify the open source libraries used and report their vulnerabilities.
AWS has a service called AWS CodePipeline
which enables the orchestration of these continuous deployment processes automatically. Example:
If you know of a vulnerability in an application to be deployed that cannot be fixed yet (for example, when there is a dependency on a third party), you can deploy some custom WAF rules as part of the pipeline to protect the application at that point until the error occurs. of code is remedied.
As an example of the protection infrastructure deployment as part of the continuous deployment (CI/CD) process, it is recommended to review the following blog that shows how to deploy Web ACLs: How to use CI/CD to deploy and configure AWS security services with Terraform