CI/CD Pipelines and Automation

Modern web applications are built using continuous integration and continuous deployment (CI/CD) processes.

This means that you run tests specific to whatever environment you are pushing to, whether that is DEV, STAGING or PROD.



Control   Name                                           Priority
3.1       CI/CD Pipeline                                 1

Description: Implement a CI/CD pipeline

Difficulty: Medium

Control   Name                                           Priority
3.2       Application Environments                       2

Description: Create separate environments for dev, staging and prod, and treat each as independent with its own data, testing and requirements

Difficulty: Medium

Control   Name                                           Priority
3.3       Application Data Separation                    3

Description: Make sure that dev and test environments are not using the same data as production. If the use of live data is required, then make sure that data is anonymized.

Difficulty: Difficult

Control   Name                                           Priority
3.4       CI/CD Administration                           3

Description: Create and enforce user or team roles so that only the appropriate people can change or disable tests and deployment requirements

Difficulty: Medium

Control   Name                                           Priority
3.5       Credential Store                               1

Description: Create a secure, encrypted place to store sensitive credentials like passwords, API keys, etc.

Difficulty: Medium

Control   Name                                           Priority
3.6       Centralized Software Composition Analysis      1

Description: Scan source code for vulnerable libraries and open source software from within a CD stage

Difficulty: Easy

Control   Name                                           Priority
3.7       Centralized Static Code Analysis               2

Description: Scan source code for vulnerabilities in the source code itself from within a CD stage

Difficulty: Easy

Control   Name                                           Priority
3.8       Centralized Sensitive Data Analysis            2

Description: Scan source code for secrets, credentials, API keys and similar from within a CD stage

Difficulty: Easy
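As an added illustration of control 3.8 (not part of this checklist or any project's code), the following Python gate scans a source tree for credential material and fails the CD stage with a non-zero exit when anything is found. The patterns, the skip list and the sample file content are constructed for this example; a production pipeline would normally run a dedicated secret scanner with a larger rule set.

```python
import re
import sys
from pathlib import Path
# Credential patterns that must never reach a repository (AWS key-ID prefix and PEM header are public formats; the last rule is a heuristic).
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "hardcoded_assignment": re.compile(
        r"(?i)\b(?:password|passwd|secret|api[_-]?key|token)\b\s*[:=]\s*['\"][^'\"]{8,}['\"]"
    ),
}
SKIP_DIRS = {".git", "node_modules", "dist", "build"}  # build output is noise
# Constructed sample file content; every value is a placeholder, not a real credential.
SAMPLE = """\
db_host = "db.internal.example"
aws_access_key_id = AKIAEXAMPLEEXAMPLE12
API_KEY = "sk_live_constructed_example_123"
-----BEGIN RSA PRIVATE KEY-----
"""
def scan_text(text, source="<memory>"):
    """Return (source, line_no, rule) for each line matching a secret pattern."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for rule, pattern in SECRET_PATTERNS.items():
            if pattern.search(line):
                findings.append((source, line_no, rule))
    return findings

def scan_tree(root):
    """Walk a source tree and collect findings from every readable text file."""
    findings = []
    for path in Path(root).rglob("*"):
        if not path.is_file() or SKIP_DIRS.intersection(path.parts):
            continue
        try:
            text = path.read_text(encoding="utf-8")
        except (UnicodeDecodeError, OSError):
            continue  # binary or unreadable: not source we can scan
        findings.extend(scan_text(text, str(path)))
    return findings

def main(argv):
    # Report locations only, never the matched value, so CI logs do not leak it.
    findings = scan_tree(argv[1]) if len(argv) > 1 else scan_text(SAMPLE, "sample")
    for source, line_no, rule in findings:
        print(f"{source}:{line_no}: {rule}")
    return 1 if findings else 0  # non-zero exit fails the CD stage
if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python scan_secrets.py <repo-root>` in the stage that precedes deployment; without an argument it scans the embedded sample and exits 1.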

Control   Name                                           Priority
3.9       Dynamic Application Security Testing (DAST)    3

Description: Scan the running application for vulnerabilities
