Created as an extension of the DevOps methodology, DevSecOps adds security constraints to cloud-native application deployment and lifecycle maintenance. By fostering teamwork and automating checks, it speeds up delivery while keeping software safer, ensuring that security best practices are applied in each phase of software development.
Cloud-native applications are fundamentally a new approach to designing and building scalable software: microservices that run in dynamic environments such as public, private, and hybrid clouds. This approach raises a completely new set of security challenges, concerning not only the software itself but also its deployment and maintenance. Insecure cloud configuration, container orchestration mishaps, and insecure secrets storage are a few examples of the main security threats listed in the OWASP Cloud-Native Application Security Top 10 [1].
In the context of cloud-native application development, the candidate will be asked to explore the validation and verification of a set of security constraints across the container lifecycle, starting from container image creation and continuing through the entire execution phase. The goal is to identify vulnerabilities that could make the microservice, or the infrastructure it depends on, insecure, by deploying a validator that scans the microservice code and configuration and periodically searches for vulnerabilities and other potential security threats. For this, the candidate will explore several techniques, including Natural Language Processing (NLP) and other machine learning algorithms. The candidate will also consider the application's overall security by implementing a component, integrated into the CI/CD pipeline, that is able to fix the code, recreate the container image, or reconfigure it whenever a threat is identified.
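As an added illustration of the validator-plus-remediation idea described above (example code written for this page, not part of the proposal or of any existing tool), the block below checks a constructed Dockerfile and a constructed Kubernetes Pod manifest against a handful of container-lifecycle constraints and then shows the kind of mechanical reconfiguration a CI/CD component could apply. The rule identifiers, the sample artefacts and the choice of UID 65532 are assumptions made for the example.

```python
import copy
import re

# Constructed sample inputs, standing in for artefacts pulled from a repository.
DOCKERFILE = """FROM python:latest
COPY . /app
ENV DB_PASSWORD=hunter2
CMD ["python", "/app/main.py"]
"""
POD = {  # Kubernetes Pod manifest, already parsed from YAML into a dict
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "billing"},
    "spec": {"containers": [{"name": "billing", "image": "billing:1.4",
                             "securityContext": {"privileged": True}}]},
}

# Heuristic for credentials baked into the image as environment variables.
SECRET_ENV = re.compile(r"^ENV\s+\w*(PASSWORD|SECRET|TOKEN|KEY)\w*=", re.I)

def validate_dockerfile(text):
    """Return illustrative rule ids violated by a Dockerfile, in order found."""
    findings = []
    lines = [l.strip() for l in text.splitlines() if l.strip()]
    for line in lines:
        parts = line.split()
        if parts[0].upper() == "FROM" and len(parts) > 1:
            if ":" not in parts[1] or parts[1].endswith(":latest"):
                findings.append("unpinned-base-image")  # image is not pinned
        if SECRET_ENV.match(line):
            findings.append("secret-in-env")
    users = [l.split()[1] for l in lines if l.upper().startswith("USER ")]
    if not users or users[-1] in ("root", "0"):
        findings.append("runs-as-root")  # no USER, or final USER is root
    return findings

def validate_pod(pod):
    """Return rule ids violated by each container's securityContext."""
    findings = []
    for c in pod["spec"]["containers"]:
        sc = c.get("securityContext", {})
        if sc.get("privileged"):
            findings.append(f"{c['name']}:privileged-container")
        if not sc.get("runAsNonRoot"):
            findings.append(f"{c['name']}:missing-run-as-non-root")
    return findings

def remediate(dockerfile, pod):
    """Reconfigure what can be fixed mechanically; originals are left untouched.
    Pinning a digest and removing a secret need a human decision, so they stay."""
    fixed_df = dockerfile
    if "runs-as-root" in validate_dockerfile(dockerfile):
        fixed_df = dockerfile.rstrip("\n") + "\nUSER 65532:65532\n"  # assumed nonroot uid
    fixed_pod = copy.deepcopy(pod)
    for c in fixed_pod["spec"]["containers"]:
        c["securityContext"] = {**c.get("securityContext", {}),
                                "privileged": False, "runAsNonRoot": True}
    return fixed_df, fixed_pod
```

Running `validate_dockerfile(DOCKERFILE)` on the sample reports three findings, and after `remediate` only the two that need a human decision remain, while the Pod manifest passes cleanly.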
References
[1] https://owasp.org/www-project-cloud-native-application-security-top-10