Enhancing Security Posture: Stabilizing Environments and Automating for Continuous Improvement
Nov 23, 2023
About the Client
Customer is a faith-based, nonprofit health system that cares for more patients in North Texas than any other provider. We serve North Texas through the Texas Health Physicians Group, hospitals, outpatient facilities, Neighborhood Care & Wellness Centers, home health, and preventive and fitness services.
Executive Summary
The customer wanted to transition from a previous vendor offering services in the DevSecOps space. At the same time, there were requirements to bring in new processes and tools, automate some of the existing processes, fill gaps in bespoke automation tools, improve overall cloud security posture, assess cloud deployments from a security standpoint, etc
We started with a security assessment of Azure cloud deployments, auditing against the Defense-in-depth framework, which resulted in a very high level of CSAT. This led to an increased headcount and initiation of transition from the previous vendor. We embarked on an aggressive transition schedule, at the same time, stabilizing an unstable environment, filling gaps in existing automation tools, connecting the dots, creating dashboards in ADO, etc
Once the environment became stable and we were able to successfully achieve initial targets, again with high customer satisfaction, we switched gears to address new automation use cases like creating security gates in ADO pipelines, fixing the Power BI reporting environment, Defender for DevOps preview feature in Microsoft Defender for Cloud, bringing in more enterprise applications (like Salesforce and ML) under DevSecOps umbrella, etc.
The future direction is to continue fortifying customer's cloud deployments, making those Zero Trust, continuously improving processes and Shift Left, expanding the horizon of DevSecOps coverage, automating repetitive tasks, etc
Goals
- Cloud security assessments: The customer wanted to audit cloud deployments from a security standpoint based on Defense-in-depth methodology, identify potential vulnerabilities, and prioritize and address those vulnerabilities. Recur these audits periodically, once in a quarter.
- Stabilize the environment and fix issues related to DevSecOps tool deployments: The customer wanted to bring stability to an unstable environment comprising tool deployments related to SAST, DAST, SBOM, SCA, etc. Make the environment more predictable, review bespoke tools, and identify and address gaps.
- Continuous automation and continuous improvement: Review existing automation tools, identify and work on improvements, also make automation a continuous process by proactively figuring out new areas of automation, assessing feasibility, and implementing.
- User-friendly reporting: There are stakeholders in various groups who consume the outcome of static and dynamic scans, from Developers to C-Suite. Address those reporting requirements using ADO dashboards, PowerBI reports, email communication, etc
- Process improvements and documentation: Review and document existing processes, identify improvement opportunities, and address those. Induct new processes for the betterment of overall security posture
- Security operations: Continuously monitor applications and cloud deployments for vulnerabilities using tools like Microsoft Defender for Cloud, Checkmarx, Burp Suite, and Dependency Track. Configure email alerts.
Solutions and Outcomes
There were various parallel initiatives to address the above Goals. To begin with, once the first security audit was completed, we aggressively stabilized the environment, deploying the hosting platform for tools, and installing and configuring the tools.
We also proactively identified and successfully configured Azure Preview features such as Defender for DevOps security, which can directly scan Azure DevOps repositories and report vulnerabilities. This is a significant achievement towards shifting left.
Azure DevOps CI/CD pipelines were re-engineered to have security gates, which will avoid manual dependencies and any gaps arising due to miscommunication.
While the above are only highlights, there are several other solutions completed and being worked upon towards achieving customer goals.
The solution has been defined through the completion of the following activities.
- Quarterly security assessments
- Stabilize the environment and fix issues related to hosting platform and tool deployments
- Generate user-friendly reports using ADO dashboards, Power BI, email alerts, and other tools
- Pro-actively identify improvement opportunities and new feature releases in DevSecOps space and deploy
- Re-engineer ADO pipelines to configure security gates and other checkpoints
- Continuously automate by reviewing processes and customizing bespoke tools to improve those processes
- Document existing and new processes
- Continuous security operations
Process Improvements
Below is a sample of the process improvements done. This is related to the scanning of code repositories process.
- Created automated security gates to have checkpoints for scans in CI/CD pipelines
- SAST automation changes to push scan results from tools like PMD Scanner to ADO
- Processing of System or Platform vulnerabilities through High-Risk Vulnerability process
- More clarity was added to the escalation process and matrix, going up to the CISO level for production sign-offs
- Iterative scanning of repositories to re-scan after fixing vulnerabilities and loop through