Last modified: Apr 5, 2024

Secure DevOps

Security is an important concern in all phases of the DevOps cycle.

Having a Secure DevOps process requires that security is built into the applications, the process, the infrastructure, and the configuration.


Below you find the tools, patterns, and processes we follow to make sure application and infrastructure security is considered in every phase.

Planning phase

During the planning phase, the requirements for features are gathered. Already in this phase, we identify changes that need special security considerations. Typically this is done as part of grooming to reach Definition of Ready.

We mark our security-related features and bugs with the label kind/security.
If threat modeling is deemed necessary, the label tm/yes is used to indicate this.

Details of security-related issues and threat modeling are in many cases kept out of GitHub.

Code phase

During the development of a feature, we have several processes and tools that help us write secure code.

Development checklists

We have a development checklist that ensures that developers and reviewers consider the different security aspects.

See checklist.

IDE and tools

We use both Visual Studio and Visual Studio Code. Both provide built-in static code analysis that flags issues while the code is being written.

Unit and integration tests

As part of the coding process, unit and integration tests are created. Besides covering functionality, many of them cover security aspects such as authentication and authorization.

Build phase

Once a developer has finished coding a feature, they must create a pull request.

Peer Reviews

All pull requests require peer review from at least one other team member.

See active pull requests.

Run Unit and integration tests

As part of the build pipelines, all unit and integration tests are run. This makes sure that security functionality has not been broken.

CodeQL

CodeQL is a code analysis platform for identifying vulnerabilities and preventing them from reaching production.

This is run for every pull request.

Sonar Cloud

Every pull request is analyzed by Sonar Cloud.

Sonar Cloud analyzes the code against a defined rule set and checks it against the OWASP Top 10 and the SANS (CWE) Top 25.

We have defined quality gates that the code must pass before a pull request can be merged into master. Our current active issues are available here.

Secret scanning

Secret scanning in GitHub is used to prevent secrets from being committed to the source code accidentally.
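As an added example (not the project's own workflow), the following GitHub Actions workflow shows how the build-phase checks above can be wired together for every pull request: the unit and integration tests run, CodeQL scans the code, and the default token is restricted to the minimum permissions the jobs need. It assumes a .NET solution at the repository root (the page mentions Visual Studio) and a default branch named master; Sonar Cloud and secret scanning are configured on the repository side and are not part of this file.

```yaml
# Added example: .github/workflows/pull-request.yml
# Illustrative only; assumes a .NET solution in the repository root.
name: pull-request-checks

on:
  pull_request:
    branches: [master]

# Least privilege for the default GITHUB_TOKEN: read the code and write only
# the code-scanning results that CodeQL uploads. Nothing here can push code
# or touch secrets.
permissions:
  contents: read
  security-events: write

jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-dotnet@v4
        with:
          dotnet-version: '8.0.x'   # assumed target SDK
      # Unit and integration tests, including the authentication and
      # authorization tests, must pass before the pull request can merge.
      - run: dotnet test --configuration Release

  codeql:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: github/codeql-action/init@v3
        with:
          languages: csharp
          # security-extended adds lower-confidence security queries on top
          # of the default suite.
          queries: security-extended
      - uses: github/codeql-action/autobuild@v3
      - uses: github/codeql-action/analyze@v3
```

For the checks to actually block a merge, both jobs (test and codeql) have to be marked as required status checks in the branch protection rule for master; a workflow that merely runs is advisory. Pinning the third-party actions to a commit SHA instead of a moving tag such as @v4 is a further hardening step against a compromised action release.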

Test phase

Each feature added to our platform is tested.

  • Integration tested with positive and negative tests for access control where possible
  • Manual functional tests
  • Manual security testing for selected features

Dynamic code analysis

We use different tools to perform dynamic code analysis.

Some of the tools are:

We also regularly engage third-party security companies to review our code and perform penetration testing.

Release phase

Releases are created automatically using GitHub Actions, and the configuration for this is part of each product repository.

Release notes should also be generated automatically.

Deploy phase

Deployment of the code to test and production environments is done automatically using GitHub Actions, and the configuration for this is part of each product repository.

Applications and products are deployed as containers to either Azure Kubernetes Service or Azure Container Apps.
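As an added example (not the project's own configuration), the following workflow shows how the release and deploy phases can be combined: a pushed version tag builds the container image, pushes it to Azure Container Registry, creates the GitHub release with generated release notes, and deploys the image by digest to Azure Container Apps. It assumes a Dockerfile in the repository root, a registry and container app with the placeholder names below, and an Entra ID app registration federated with GitHub (OIDC), so no long-lived Azure credential has to be stored as a repository secret. For Azure Kubernetes Service the last step would be a kubectl or helm rollout instead.

```yaml
# Added example: .github/workflows/release-and-deploy.yml
# Illustrative only; registry, app and resource-group names are placeholders.
name: release-and-deploy

on:
  push:
    tags: ['v*']

permissions:
  contents: write   # needed to create the GitHub release
  id-token: write   # lets the job request an OIDC token to exchange for Azure access

env:
  ACR_NAME: myregistry                         # placeholder
  IMAGE: myregistry.azurecr.io/myapp           # placeholder

jobs:
  release:
    runs-on: ubuntu-latest
    # Environment protection rules (required reviewers, branch restrictions)
    # gate this job before it can touch production.
    environment: production
    steps:
      - uses: actions/checkout@v4

      # Federated login: GitHub's OIDC token is exchanged for a short-lived
      # Azure token. The three values are identifiers, not secrets.
      - uses: azure/login@v2
        with:
          client-id: ${{ secrets.AZURE_CLIENT_ID }}
          tenant-id: ${{ secrets.AZURE_TENANT_ID }}
          subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}

      - name: Build and push image
        id: build
        run: |
          az acr login --name "$ACR_NAME"
          docker build -t "$IMAGE:$GITHUB_REF_NAME" .
          docker push "$IMAGE:$GITHUB_REF_NAME"
          # Capture the immutable digest so the deployment pins exactly the
          # image that was built, not whatever the tag points to later.
          DIGEST=$(docker inspect --format='{{index .RepoDigests 0}}' "$IMAGE:$GITHUB_REF_NAME")
          echo "digest=$DIGEST" >> "$GITHUB_OUTPUT"

      - name: Create GitHub release with generated notes
        run: gh release create "$GITHUB_REF_NAME" --generate-notes
        env:
          GH_TOKEN: ${{ github.token }}

      - name: Deploy to Azure Container Apps
        run: |
          az containerapp update \
            --name myapp \
            --resource-group myapp-rg \
            --image "${{ steps.build.outputs.digest }}"
```

Deploying by digest rather than by tag is the security-relevant detail: a tag in the registry can be overwritten, a digest cannot, so what runs in production is provably the artifact the pipeline built from the tagged commit.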

Operate phase

When the different applications are in production, the DevOps team makes sure that everything works as expected.

Monitor phase

During the monitor phase, the team follows up on how the different solutions are working and identifies improvements and changes.

We use different tools to identify security threats for our running applications.

Dependency updates

We use Renovate and Dependabot to monitor updates for dependencies.

These tools automatically create pull requests with the updates in each repository, and each team reviews and merges them.
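As an added example (not the project's own configuration), a Dependabot configuration that covers the three kinds of dependencies a containerised .NET product typically has: NuGet packages, the GitHub Actions used by the workflows, and the base image in the Dockerfile. It assumes a .NET solution and a Dockerfile in the repository root; the weekly schedule and the grouping of minor and patch updates into one pull request are choices, not requirements.

```yaml
# Added example: .github/dependabot.yml
# Illustrative only; assumes a .NET solution and Dockerfile in the repo root.
version: 2
updates:
  - package-ecosystem: "nuget"
    directory: "/"
    schedule:
      interval: "weekly"
    groups:
      # One pull request for all minor and patch bumps keeps review load down;
      # major updates still arrive as separate pull requests.
      minor-and-patch:
        update-types: ["minor", "patch"]

  # The workflow files are a dependency too: an outdated action can carry
  # a known vulnerability or stop receiving fixes.
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"

  # Base image updates in the Dockerfile pick up OS-level security patches.
  - package-ecosystem: "docker"
    directory: "/"
    schedule:
      interval: "weekly"
```

Because the resulting pull requests go through the same build-phase checks as any other change (tests, CodeQL, quality gates), an update that breaks security functionality is caught before it is merged rather than after it is deployed.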