
Intro to DevSecOps

DevSecOps stands for Development, Security, Operations, and the goal of this development approach is to integrate security into every stage of the software development and operations lifecycle, rather than consigning it to the Testing phase of the SDLC.

DevSecOps improves the lead time and frequency of delivery outcomes through enhanced engineering practices, promoting more cohesive collaboration between Development, Security, and Operations teams as they work towards continuous integration and delivery.


Advantages:

  • Teams catch security vulnerabilities during development, instead of having the problems manifest after app release, where the public is affected and the company’s reputation takes a hit
  • A better return on investment (ROI) in the organization’s existing security infrastructure
  • The process is automated, which means fewer mistakes or administration failure incidents, two things that could otherwise contribute to cyber-attacks and downtime
  • Automation means that cybersecurity architects aren’t needed to configure security consoles, freeing up the security teams to handle other pressing issues, boosting their agility and speed
  • Better communication and collaboration between teams
  • Greater flexibility in managing sudden changes during the development lifecycle
  • More significant opportunities for quality assurance testing and automated builds

Tools cover a range of security tasks:

  • Clair: Scans for vulnerabilities in Docker containers
  • HackerOne: Lets you effectively and efficiently triage and respond to vulnerability reports
  • Rapid7 Nexpose: Scans systems for vulnerabilities and manages the entire lifecycle of vulnerability detection
  • Snyk: Checks open-source code libraries for any known issues
  • Stethoscope: Helps you manage user-focused security; open-source
  • Suricata: Detects threats against networks; open-source
  • Fortify
  • SonarQube
  • OWASP Tools

DevOps vs DevSecOps:


DevOps focuses on technologies and techniques that can help developers and operations teams work together to achieve common goals, while DevSecOps is focused on practices that can add security considerations to an existing DevOps pipeline.

Published by vasu34k
