
Phase 3: Post Deploy

Security Compliance for Post Deployment

Introduction

The post-deploy stage of your software delivery pipeline is where your application is live and actively serving users. While much of the focus in DevSecOps is on securing code, builds, and deployments, ensuring robust security doesn’t end there. The post-deploy phase is critical for monitoring, maintaining, and adapting to new threats in real time.

This phase includes tools and practices for continuous monitoring, vulnerability patch management, and incident response. From runtime application self-protection (RASP) to real-time threat detection and log analysis, post-deploy security ensures your application remains secure, compliant, and reliable in production.

The following sections map guidelines from industry frameworks to suggested open-source tooling for achieving the compliance goals.

1 - Secure Software Development Framework

Secure Software Development Framework Post Build CI/CD Steps

Achieving Post Deploy Tasks of the Secure Software Development Framework

The Secure Software Development Framework, developed by the National Institute of Standards and Technology (NIST), provides a comprehensive approach to ensuring security across the software development process, from initial design through deployment and maintenance. The framework outlines key practices and guidelines that organizations can implement to secure their software development lifecycle (SDLC), with a particular emphasis on integrating security into automated processes. This chapter focuses specifically on DevSecOps tooling and practices related to Post Deploy actions of the CI/CD pipeline to achieve:

Prepare the Organization (PO): Organizations should ensure that their people, processes, and technology are prepared to perform secure software development at the organization level. Many organizations will find some PO practices to also be applicable to subsets of their software development, like individual development groups or projects.
Protect the Software (PS): Organizations should protect all components of their software from tampering and unauthorized access.
Produce Well-Secured Software (PW): Organizations should produce well-secured software with minimal security vulnerabilities in its releases.
Respond to Vulnerabilities (RV): Organizations should identify residual vulnerabilities in their software releases and respond appropriately to address those vulnerabilities and prevent similar ones from occurring in the future.

1.1 - Prepare the Organization (PO)

Prepare the Organization (PO) CI/CD Steps

Prepare the Organization (PO)

PO.3 Implement Supporting Toolchains

Use automation to reduce human effort and improve the accuracy, reproducibility, usability, and comprehensiveness of security practices throughout the SDLC, as well as provide a way to document and demonstrate the use of these practices. Toolchains and tools may be used at different levels of the organization, such as organization-wide or project-specific, and may address a particular part of the SDLC, like a build pipeline.

Open-Source Tools to Achieve:

1.2 - Protect the Software (PS)

Protect the Software (PS) CI/CD Steps

Protect the Software (PS)

Post Build Software Bill of Material Tools

DAST

Vulnerability Databases

Continuous Vulnerability Patch Management

Application Security Compliance Reporting

1.3 - Produce Well-Secured Software (PW)

Produce Well-Secured Software (PW) CI/CD Steps

Produce Well-Secured Software (PW)

1.4 - Respond to Vulnerabilities (RV)

Respond to Vulnerabilities (RV) CI/CD Steps

Respond to Vulnerabilities (RV)

Task: Identify and Respond to Vulnerabilities

How to Achieve: Organizations should identify residual vulnerabilities in their software releases and respond appropriately to address those vulnerabilities and prevent similar ones from occurring in the future.
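As an added example of the identification step above (and of the SBOM, vulnerability database and continuous patch management tooling named under Protect the Software), the script below joins a deployed release's SBOM component list against a vulnerability feed and reports each residual finding with the upgrade that clears it. This is illustrative code written for this page, not code from the page's tool list or from NIST: the CycloneDX-style SBOM fragment, the package names, the version ranges and the EXAMPLE-VULN-* identifiers are all constructed placeholders, not real packages or advisories.

```python
"""Identify residual vulnerabilities in a deployed release by joining its
SBOM component list against a vulnerability feed, and flag the patch that
clears each finding.

Added example; not code from the page or from NIST. The SBOM and the
vulnerability records below are constructed for illustration: package names,
versions and advisory identifiers are placeholders, not real advisories.
"""
import json
import re
from typing import Dict, List, Optional, Tuple

# Constructed CycloneDX-style SBOM fragment for the release under review.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "components": [
    {"type": "library", "name": "example-http", "version": "2.4.1", "purl": "pkg:pypi/example-http@2.4.1"},
    {"type": "library", "name": "example-yaml", "version": "5.3.0", "purl": "pkg:pypi/example-yaml@5.3.0"},
    {"type": "library", "name": "example-auth", "version": "1.9.2", "purl": "pkg:pypi/example-auth@1.9.2"}
  ]
}
"""

# Constructed vulnerability feed. "id" values are placeholders (not CVEs).
# "introduced"/"fixed" bound the affected range: introduced <= version < fixed.
# A "fixed" of None means no patched release exists yet.
VULN_FEED: List[Dict] = [
    {"id": "EXAMPLE-VULN-0001", "package": "example-http", "introduced": "2.0.0", "fixed": "2.4.3", "severity": "HIGH"},
    {"id": "EXAMPLE-VULN-0002", "package": "example-yaml", "introduced": "5.0.0", "fixed": "5.3.0", "severity": "CRITICAL"},
    {"id": "EXAMPLE-VULN-0003", "package": "example-auth", "introduced": "1.0.0", "fixed": None, "severity": "MEDIUM"},
]


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn a dotted version into a comparable tuple of integers.
    Only the leading digits of each segment count, so '1.2.3rc1' -> (1, 2, 3);
    short versions are padded so '2.4' compares equal to '2.4.0'."""
    parts = []
    for segment in version.split("."):
        match = re.match(r"\d+", segment)
        if not match:
            break
        parts.append(int(match.group()))
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def is_affected(version: str, introduced: str, fixed: Optional[str]) -> bool:
    """True when version lies in [introduced, fixed). The fixed release itself
    is clean, which is the edge case an off-by-one comparison gets wrong."""
    v = parse_version(version)
    if v < parse_version(introduced):
        return False
    if fixed is None:
        return True  # unpatched: every release from 'introduced' on is affected
    return v < parse_version(fixed)


def load_components(sbom_json: str) -> List[Tuple[str, str]]:
    """Extract (name, version) pairs from a CycloneDX-style SBOM document."""
    bom = json.loads(sbom_json)
    return [(c["name"], c["version"]) for c in bom.get("components", []) if "version" in c]


def find_residual_vulnerabilities(sbom_json: str, feed: List[Dict]) -> List[Dict]:
    """Join SBOM components against the feed and return one finding per
    (component, advisory) match, with the remediation action to take."""
    findings = []
    for name, version in load_components(sbom_json):
        for vuln in feed:
            if vuln["package"] != name:
                continue
            if is_affected(version, vuln["introduced"], vuln["fixed"]):
                action = (f"upgrade to {vuln['fixed']}" if vuln["fixed"]
                          else "no fix available; apply mitigation and track")
                findings.append({"id": vuln["id"], "package": name, "installed": version,
                                 "severity": vuln["severity"], "action": action})
    return findings


def summarize(findings: List[Dict]) -> Dict[str, int]:
    """Count findings per severity for a compliance report line."""
    counts: Dict[str, int] = {}
    for finding in findings:
        counts[finding["severity"]] = counts.get(finding["severity"], 0) + 1
    return counts


if __name__ == "__main__":
    results = find_residual_vulnerabilities(SBOM_JSON, VULN_FEED)
    for f in results:
        print(f"{f['severity']:8} {f['id']} {f['package']}=={f['installed']}: {f['action']}")
    print("summary:", summarize(results))
```

Run against the constructed input, the script reports the HIGH finding on example-http with an upgrade target and the MEDIUM finding on example-auth with no patch available, while example-yaml 5.3.0 is correctly excluded because it is the fixed release. In a real pipeline the SBOM would come from the post-build SBOM tool and the feed from the vulnerability database, and the summary would be exported for the compliance report.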

Open-Source Tools to Achieve: