DevSecOps Auditing
back to our services...
How do you know if you're doing "DevSecOps" well? By aligning development, security and operations teams we can ensure security defects are fixed at the earliest, and cheapest, opportunity.
A DevSecOps audit provides a full review of the DevSecOps maturity of a business. It’s more than just a review of the tooling or processes
How should DevSecOps be implemented?
DevSecOps requires a holistic approach, where various tools and processes come together to automatically detect security defects during development and ensure they are fixed at the earliest opportunity. This is typically referred to as “shifting left” but a lot of the ideal is lost in the messaging.
DevSecOps cannot simply be the introduction of one or more tools, as they will simply be ignored and serve only to provide vanity metrics and frustrate development teams. Instead, these tools need to be introduced into the software development process in a controlled and sensible manner whilst we also work to promote and monitor engagement.
Training is another key cornerstone of DevSecOps. Technical security findings can be difficult to understand and triage, preventing development teams from reacting appropriately. Instead, security awareness and engagement should be fostered to ensure development team buy-in.
What is a DevSecOps audit?
A DevSecOps audit provides a full review of the DevSecOps maturity of a business. It’s more than just a review of the tooling or processes.
We leverage the OWASP SAMM and DSOMM research to provide a thorough, broad review of the businesses DevSecOps implementation and assess its maturity. The resulting report highlights quick-win optimisations, and areas of significant risk, without the useless vanity metrics.
How do we audit DevSecOps?
Our engineers and consultants review the entire DevSecOps function with a sampled assessment across multiple development teams, ensuring an accurate representation. It is typical to find that some parts of an organisation are performing weaker than others, but this is often lost during internal appraisals. By accumulating and reporting on successes, the business gets a distorted view of its maturity.
Our consultants are able to gain a comprehensive understanding of the current situation by interviewing key stakeholders throughout the SDLC, and analysing the logs and artifacts generated during development. This balanced approach reduces the impact to development teams, whilst ensuring stakeholder engagement and allowing for an evidence-based assessment.
Want to learn more?
WHAT OUR CLIENTS SAY
Our internal IT team were in need of expert consultancy to help us strengthen our cybersecurity measures and protect our sensitive data.
We engaged the services of Punk Security and were thoroughly impressed with the level of professionalism and knowledge they brought to the table.
The team was able to provide valuable insights and recommendations, and their guidance helped us implement effective security protocols that have greatly enhanced our overall security posture.
We originally sought Punk’s services to support us with a potential cyber-attack. The team responded immediately, out of hours, and calmly and professionally walked us through the necessary steps to determine that our environment hadn’t been compromised.
Since then, we have engaged Punk to carry out a third party audit of our cloud environment and a gap analysis against the Cyber Essentials and ISO270001 criteria. The team provided a thorough report with recommendations and are now working with us to improve our processes and systems.
I feel assured that we are walking towards best practice security operations.
Having attended a live hack demo held at C4DI we approached Punk Security to help sure-up our cyber security and DevOps processes. Punk not only completed this audit but passed on valuable gained knowledge to our team to broaden their skills and insight in this area.
We have since continued to work in partnership with Punk to implement a WAF and frequently consult their expertise in DevOps in relation to our application so we can all learn and grow in a collaborative way.
Punk are approachable, knowledgeable and also adept at explaining in layman’s terms for the less technical! We look forward to continuing our fruitful working relationship.
Our team at Illumio recently participated in a custom CTF event hosted by Punk Security, and it was a great experience! The CTF was not only challenging but also immensely educational, especially in the realm of cloud security principles.
The challenges presented during the CTF were designed to cover a broad spectrum of cloud security topics. This approach allowed our team to dive deep into practical scenarios that tested our skills and pushed us to explore new strategies and technologies. The balance between difficulty and learning outcomes was perfectly struck, ensuring that each team member, regardless of their prior level of expertise, found the event to be rewarding.
Punk Security were happy to perform external scans pro bono due to our status as an NGO.
The team also spent meeting time on two separate occasions to discuss our requirements and provide advice without any commitment or expectation. I’ll certainly be coming to Punk Security again in future should we need further security services
Punk Security provided exceptional DevSecOps training for our engineers here at Sage and delivered an outstanding talk at our Securing Sage Summit.
Their expertise and knowledge were evident throughout the sessions.
Not only were they efficient and great to work with, but their presentation was also the highest rated session of the entire event. We highly recommend Punk Security for any security-related needs.
We initially reached out to Punk Security to help us out with our hosting architecture and were impressed with their breadth of knowledge.
With their expertise we were able to implement additional controls into AWS and successfully scale our systems. When we needed to gain more performance insights, their engineers configured our datadog platform end to end.
We’ve found that they really take the time to understand our problem and then put forward a great solution.