Minimum Viable Security

The minimum recommended security to include in your DevSecOps pipelines, as presented by Dr David Melamed, CTO of JIT.io.

David suggests that shift-left for security can burden developers with a responsibility they may not be equipped to handle. Starting with the minimum amount of security, and relying on open-source tools and automation, makes the shift more actionable.

He suggests the following as an example in Python:

  • Static Vulnerability Scanning (SAST)
  • Secret Leak Scanning
  • API Vulnerability Scanning
  • OWASP Zed Application Proxy (ZAP) Scan
  • OS Configuration Scan
  • Dependency Check
  • Container Scanning
  • Multi-Factor Authentication (MFA) Scan
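The following is an added illustration of how those controls can be wired into a single fail-closed gate for a Python project; it is not code from David's talk or his repository. It assumes the scanners it calls (bandit, gitleaks, pip-audit, trivy and zap-baseline.py) are installed in the CI image, and the image name and target URL passed to `pipeline()` are placeholders. The built-in secret scan is a small constructed rule set that runs without any external tool, so the gate logic can be exercised locally.

```python
"""Minimum viable security gate for a Python project (added example).

Each check maps to one of the controls listed above. External scanners are
assumed to be installed; a missing scanner is reported as a HIGH finding so
that the gate fails closed rather than silently skipping a control.
"""
import re
import shutil
import subprocess
import sys
from dataclasses import dataclass
from pathlib import Path

# Constructed credential shapes for the built-in secret scan. A real pipeline
# would rely on gitleaks' rule set; these three are enough to show the idea.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "generic_api_token": re.compile(
        r"(?i)(api[_-]?key|secret|token)\s*[:=]\s*['\"][A-Za-z0-9_\-]{20,}['\"]"),
}

SEVERITY_RANK = {"LOW": 0, "MEDIUM": 1, "HIGH": 2, "CRITICAL": 3}


@dataclass
class Finding:
    check: str      # which control produced it, e.g. "sast", "secret-leak"
    severity: str   # one of SEVERITY_RANK's keys
    detail: str     # human-readable location or scanner output


def scan_for_secrets(lines, source="<input>"):
    """Secret Leak Scanning: flag any line matching a known credential shape."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        for name, pattern in SECRET_PATTERNS.items():
            if pattern.search(line):
                findings.append(Finding("secret-leak", "HIGH", f"{source}:{lineno} {name}"))
    return findings


def run_tool(name, args, check):
    """Run an external scanner; a non-zero exit or a missing binary is a HIGH finding."""
    if shutil.which(name) is None:
        return [Finding(check, "HIGH", f"{name} not installed; control not enforced")]
    proc = subprocess.run([name, *args], capture_output=True, text=True)
    if proc.returncode != 0:
        tail = (proc.stdout or proc.stderr)[-300:]
        return [Finding(check, "HIGH", f"{name} exited {proc.returncode}: {tail}")]
    return []


def gate(findings, fail_on="HIGH"):
    """True if the build may proceed: no finding at or above the fail_on severity."""
    threshold = SEVERITY_RANK[fail_on]
    return all(SEVERITY_RANK[f.severity] < threshold for f in findings)


def pipeline(root=".", image="registry.example/app:latest", target="http://localhost:8080"):
    """Run every control once and collect findings. image/target are placeholders."""
    findings = []
    for path in Path(root).rglob("*.py"):  # built-in secret scan over source files
        findings += scan_for_secrets(path.read_text(errors="replace").splitlines(), str(path))
    # SAST: bandit, reporting medium severity and above
    findings += run_tool("bandit", ["-q", "-r", root, "-ll"], "sast")
    # Secret Leak Scanning with the full gitleaks rule set
    findings += run_tool("gitleaks", ["detect", "--source", root, "--no-banner"], "secret-leak")
    # Dependency Check against the project's pinned requirements
    findings += run_tool("pip-audit", ["-r", str(Path(root) / "requirements.txt")], "dependency-check")
    # Container Scanning of the built image
    findings += run_tool("trivy", ["image", "--exit-code", "1", "--severity", "HIGH,CRITICAL", image],
                         "container-scan")
    # OWASP ZAP baseline (passive) scan of a running instance
    findings += run_tool("zap-baseline.py", ["-t", target], "zap-baseline")
    return findings


if __name__ == "__main__":
    results = pipeline(sys.argv[1] if len(sys.argv) > 1 else ".")
    for f in results:
        print(f"[{f.severity}] {f.check}: {f.detail}")
    sys.exit(0 if gate(results) else 1)
```

The design choice worth noting is `run_tool`'s handling of an absent scanner: treating "tool not found" as a HIGH finding keeps the pipeline honest, because a control that quietly does not run looks identical to a clean result otherwise. Running `python mvs_gate.py path/to/project` exits non-zero whenever any control produces a HIGH or CRITICAL finding.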

I asked about the application of these tools to mobile development and it was admitted the static analysis tools are language dependent, and so require a tool for that specific language. OWASP maintains a list of tools here.

You can find the content of the presentation at David’s GitHub here.
