2023/11/27 16:06:39

DevSecOps

The term DevSecOps refers to a software development cycle that focuses on security.


DevSecOps builds on the practices and recommendations of the overall DevOps approach. Applying DevOps values to software security means that security verification becomes an active, integral part of the development process.[1]

DevSecOps provides for active security audits and penetration testing during agile development. According to the DevSecOps concept, security should be built into the product while it is being developed, not bolted on once the product is finished. The principles of DevSecOps encourage collaboration and require that security professionals be brought into the work as early as possible.

Figure: DevOps vs DevSecOps

History

2023

The Ministry of Digital Development replicates DevSecOps secure development technologies on key state IT systems

As of the end of November 2023, DevSecOps technology had been introduced for critical state systems: the Public Services portal, the Unified Identification and Authentication System (ESIA) and the Interdepartmental Electronic Interaction System (SMEV); over time it will be extended to other e-government infrastructure systems. This was reported to TAdviser by the Ministry of Digital Development and Communications of the Russian Federation.

DevSecOps technology adds code security verification mechanisms to the web development CI/CD pipeline (continuous integration of new components and their smooth deployment): static (SAST) and dynamic (DAST) vulnerability scanners, control of component dependencies and of secrets embedded in the code, load testing and fuzzing. These mechanisms detect errors in a web application before it is published, so that only web components that have already passed an initial security check are released for mass use.
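One way to enforce the "only components that passed the security check get published" rule described above is a release gate that aggregates the results of the SAST, DAST, dependency-control and secret-detection stages against a per-stage policy. The example below is added here and is not code from TAdviser, the Ministry of Digital Development or any of the tools named on the page; the policy thresholds, stage names and scanner findings are constructed assumptions, and a real pipeline would map each tool's report onto the same (stage, severity, rule) records.

```python
"""Release gate for a DevSecOps CI/CD pipeline (added example, constructed data).
Aggregates findings from the security stages and decides whether a component
may be published. Secrets in code are never tolerated; other stages have limits."""
from collections import Counter

# Hypothetical policy: maximum number of findings per severity a stage may carry.
# A severity absent from a stage's limits is not gated for that stage.
POLICY = {
    "sast":    {"critical": 0, "high": 0, "medium": 5},
    "dast":    {"critical": 0, "high": 0, "medium": 3},
    "sca":     {"critical": 0, "high": 2, "medium": 10},          # dependency control
    "secrets": {"critical": 0, "high": 0, "medium": 0, "low": 0},  # embedded secrets
}
SEVERITIES = ("critical", "high", "medium", "low")

def evaluate(findings, policy=POLICY):
    """Return (passed, reasons). findings: iterable of dicts with keys
    stage, severity, rule. A finding from a stage the policy does not know
    is treated as a pipeline misconfiguration and blocks the release
    instead of silently passing."""
    counts = Counter()
    reasons = []
    for f in findings:
        stage, sev = f["stage"], f["severity"].lower()
        if stage not in policy:
            reasons.append(f"unknown stage '{stage}' (rule {f.get('rule')})")
            continue
        counts[(stage, sev)] += 1
    for stage, limits in policy.items():
        for sev in SEVERITIES:
            n = counts[(stage, sev)]
            limit = limits.get(sev)
            if limit is not None and n > limit:
                reasons.append(f"{stage}: {n} {sev} finding(s), limit {limit}")
    return (not reasons, reasons)

# Constructed sample results for two components from the same pipeline run.
COMPONENT_A = [
    {"stage": "sast", "severity": "medium", "rule": "sql-string-concat"},
    {"stage": "sca", "severity": "high", "rule": "vulnerable-dependency"},
]
COMPONENT_B = COMPONENT_A + [
    {"stage": "secrets", "severity": "low", "rule": "generic-api-key"},
]

if __name__ == "__main__":
    for name, results in (("A", COMPONENT_A), ("B", COMPONENT_B)):
        ok, why = evaluate(results)
        print(name, "PUBLISH" if ok else "BLOCKED", why)
```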

Figure: DevSecOps is often represented as an infinity symbol divided into the corresponding stages

"For departmental systems, a similar methodology is offered by the State Center for Security Analysis of Mobile and Web Applications of State Information Systems," the press service of the Ministry of Digital Development explained to TAdviser. "In the Center, analysis is carried out both with domestic source code verification tools ("SAST appScreener," "Svace," "DAST appScreener," "Crusher") and manually, with the involvement of information security experts. Since December 2022, more than 200 mobile and web applications of state information systems have been analyzed."

The State Center for Security Analysis of Mobile and Web Applications of State Information Systems[2] (GCA) was created in 2022 on the basis of the Research Institute "VOSKHOD". Its purpose is to raise the security level of information systems, including state information systems, by providing services that identify software vulnerabilities in mobile and web applications. The Center's functions include not only searching for vulnerabilities in the mobile and web applications of state information systems, but also working with their operators and customers to improve the security of those systems.

"In addition, work is underway to create a secure development pipeline on the GosTech platform," the press service of the Ministry of Digital Development said. "The pipeline will raise the security level of the platform and of the government information systems operating on it by identifying and eliminating software flaws and vulnerabilities at all stages of the software lifecycle."

And since, in accordance with Decree of the President of the Russian Federation No. 231[3], "GosTech" will become the basis for both federal and regional government systems, introducing DevSecOps on this platform will bring the technology to all the most significant state information systems and thereby improve the security of the web resources of the Russian Federation as a whole.

Moscow region introduces progressive information security practices: DevSecOps, cyber training and bug bounty

In mid-November, the Information Security Center of the Moscow Region announced a tender for the introduction of DevSecOps secure development technology for its state information system "Portal of State and Municipal Services (Functions) of the Moscow Region." The project also covers services for organizing cyber training and for running a vulnerability search (bug bounty) program to assess the security level of the information resources of the Moscow region.
