Building a Secure and Agile Government Platform with DevSecOps

Business Problem:

A government digital services platform relied on manual security testing. The release cycle was 3 months, and 6 critical vulnerabilities were found post-release in the previous year.

Solution:

Implemented DevSecOps pipeline with SAST/DAST integration (SonarQube, OWASP ZAP), container security scanning (Trivy), secrets management (IBM Vault), and compliance-as-code.

Measurable Outcome:

  • Release cycle reduced to 3 weeks.
  • Zero critical vulnerabilities in production for 12 months.
  • CERT-In compliance automated.

Overview

A digital service provider for the government faced problems because its applications were tested manually. Since the process took several months to complete and critical issues kept surfacing after deployment, an automated approach that was also secure and compliant was needed.

Approach

To overcome these difficulties, we adopted a fully fledged DevSecOps approach. Security measures were embedded throughout the whole software development cycle rather than being treated as a distinct step, so they were built in, automated, and applied in every phase of development.

Implementation of this model began with SonarQube for automated static code analysis (SAST), spotting vulnerabilities during the coding phase. OWASP ZAP was then used for dynamic application security testing (DAST) against the running application.

Container images were scanned with Trivy for known vulnerabilities before deployment. To protect credentials from leaks, secrets management was handled by IBM Vault.

One of the most important achievements of this transformation was compliance as code, which ensures that every deployment is checked against government cybersecurity requirements with no manual audit required. This was important for alignment with India’s cybersecurity framework, particularly CERT-In requirements.
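As an added example (not code from the original case study or from Star Systems), the following Python gate shows the compliance-as-code idea in practice: it reads a Trivy JSON report (Trivy's real `Results`/`Vulnerabilities` layout), counts findings per severity, and fails the pipeline stage when a policy such as "zero CRITICAL findings" is violated. The image name, CVE identifiers and thresholds are constructed placeholders.

```python
import json
from collections import Counter

# Constructed sample in the shape of Trivy's JSON report (`trivy image --format json`).
# The CVE identifiers and image name are placeholders, not real findings.
SAMPLE_TRIVY_REPORT = json.dumps({
    "Results": [
        {
            "Target": "registry.example/gov-portal:1.4.2 (debian 12)",
            "Vulnerabilities": [
                {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libexample",
                 "InstalledVersion": "1.0", "FixedVersion": "1.1", "Severity": "CRITICAL"},
                {"VulnerabilityID": "CVE-0000-0002", "PkgName": "libother",
                 "InstalledVersion": "2.3", "FixedVersion": "", "Severity": "HIGH"},
                {"VulnerabilityID": "CVE-0000-0003", "PkgName": "tool",
                 "InstalledVersion": "0.9", "FixedVersion": "1.0", "Severity": "MEDIUM"},
            ],
        }
    ]
})

# Policy expressed as data (the "compliance as code" idea): the gate fails when any
# severity exceeds its allowed count. Zero CRITICAL matches the outcome described above.
DEFAULT_POLICY = {"CRITICAL": 0, "HIGH": 5}


def evaluate_report(report_json: str, policy=DEFAULT_POLICY):
    """Count findings per severity and list the policy violations.

    Returns (passed, counts, violations); violations are log-ready strings.
    """
    report = json.loads(report_json)
    counts = Counter()
    for result in report.get("Results", []):
        # Trivy omits or nulls "Vulnerabilities" when a target has no findings.
        for vuln in result.get("Vulnerabilities") or []:
            counts[vuln.get("Severity", "UNKNOWN")] += 1
    violations = []
    for severity, allowed in policy.items():
        found = counts.get(severity, 0)
        if found > allowed:
            violations.append(f"{severity}: {found} found, at most {allowed} allowed")
    return (not violations, dict(counts), violations)


if __name__ == "__main__":
    passed, counts, violations = evaluate_report(SAMPLE_TRIVY_REPORT)
    print("counts:", counts)
    for v in violations:
        print("VIOLATION", v)
    raise SystemExit(0 if passed else 1)  # non-zero exit blocks the deployment stage
```

In a pipeline the script would read the report file Trivy wrote instead of the embedded sample, and the exit code is what stops the deploy job.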

The overall pipeline is scalable, repeatable and automated, allowing development and security teams to collaborate without compromising delivery time.

Impact on Business

The effect of the DevSecOps process was felt immediately, and the results were quantifiable. The release cycle was shortened from 3 months to 3 weeks, which also removed the release-cycle bottleneck.

Equally important, not a single critical vulnerability emerged on the production platform for a whole year, an improvement over the preceding years. Continuous monitoring became seamless, and developers no longer had to pause their work to check security matters.

Furthermore, compliance with CERT-In requirements was completely automated, saving cost and effort. Developers also received instant feedback, helping them fix flaws in the software early.

Start your transformation journey today

Partner with Star Systems to drive business outcomes through scalable, future-ready digital solutions.
