🥶 DevSecOps and CI/CD certification according to GOST 56939
Hello,
I haven't been around here for a while, but I'll be back soon with a high-quality update for the channel; it'll be a blast.
For now, I would like to share one of the pain points discussed in the findevsecops.ru community (@fintechassociation), namely certification.
Why does business need it?
- Saving resources: fixing vulnerabilities at an early stage is cheaper and easier
- Reduces the risk of incidents and the direct and indirect damage they cause in the form of financial losses, which in turn increases market confidence in the company
- Protects software from vulnerabilities and cyber threats, i.e. defines how and at which stages information security is taken into account
- Develops employees and improves the quality and stability of development, which increases competitiveness
- Important when working with the public sector and large customers who require it, if the company develops or modifies information protection systems, or works with critical information infrastructure (CII) objects, state information systems (GIS) and/or personal data information systems (ISPDn)
- The standard helps to pass checks by customers and/or independent auditors quickly and confidently
- Confirms that the processes meet the requirements for secure development (if we follow the 2024 edition and don't just cover ourselves with paperwork; for the most part ISP RAS asks for specifics, but we all know how certification really goes)
Key points of Order 240
- Certification body: ISP RAS. The timelines are set out in the order; most of the time is spent on the certification work itself
- An application containing basic information, together with the secure development guidance document, submitted to FSTEC of Russia
- Certification is carried out on the manufacturer's premises with verification of compliance, including assessment of documentation and equipment
- Conclusion on the compliance of the processes (the application is considered within 15 working days):
-- If nonconformities are found, the manufacturer corrects them and notifies the body for re-certification.
-- If compliance is confirmed, a draft certificate is prepared and reviewed by FSTEC of Russia.
Key markers of GOST 56939-2024
- The GOST 56939 and GOST 15408 standards are the basis for confirming the security of the development process
- The certificate is issued to the company, not just for a specific application
- Certification is valid for up to 5 years and can cover not one but several products: all components, dependencies, libraries and tools involved in development
- Certification bodies can verify any application from the pipeline, or a finished product, at any time. This rules out "preparing only one project for the report."
- The focus is not only on the code but on the process itself: build, testing, version control, deployment. The review can cover several CI/CD pipelines used in the organization at once.
- Formal documents (procedures, policies, regulations) must match how the development process actually works.
- All software components and artifacts (sources, libraries, builds) must be stored in a verified and controlled repository to ensure reproducibility and security.
- Certification begins with a specific product and only then proceeds to assessing the development process itself. Exceptions are possible, but extremely rare.
- Products and processes must be tied to specific technical requirements and threats. This is recorded in the design documentation and checked for compliance.
- For certification, you will need to gather more than 100 requirements and confirm their implementation with ~120 artifacts: technical documents, tests, reports, descriptions of processes and systems.
Bottom line: with GOST 56939-2024 it becomes clearer every day what is required of people and how this affects business, since the level of information security activity, and the consequences of its absence, affect not just how the organization operates but specifically the possibility of monetization and the unit economics of the products themselves. So after looking at this we can roughly understand the value, but in fact we haven't seen any explicit requirements, only recommendations from the regulator in most cases (or I'm just blind)
#devsecops #pmi #specialty #gost #compliance
