Table of Contents
DevSecOps
“DevOps is the union of people, process, and products to enable continuous delivery of value to our end users.” – Donovan Brown of Microsoft
The Cloud Monk, Losang Jinpa, is now focused writing until end of December 2025 on his polyglot programmer compendium - concordance books Cloud Monk's Package Manager Book and DevOps for 20 Languages by Cloud Monk (with a particular focus on Cloud Native DevSecOps and Web API Security) to be published on GitHub and this Wiki. (navbar_devops_book - navbar_devops_focus
Return to Cloud Native DevSecOps, DevOps, GitOps Security, Awesome DevSecOps
See Cloud Monk's other Wiki: https://AzureDevSecOps.com
Return to Security automation, Security topics, Extremely Careful about Security, AzureDevSecOps.com, Cybersecurity automation, Cybersecurity, Security topics, DevOps topics, DevSecOps topics, Networking topics, Internet topics, Major programming topics, Programming topics, Programming languages, Software engineering topics, Software architecture, Software architecture topics, Awesome lists
What is DevSecOps?
DevOps isn’t just about development and operations teams. If you want to take full advantage of the agility and responsiveness of a DevOps approach, IT security must also play an integrated role in the full life cycle of your apps.
Why? In the past, the role of security was isolated to a specific team in the final stage of development. That wasn’t as problematic when development cycles lasted months or even years, but those days are over. Effective DevOps ensures rapid and frequent development cycles (sometimes weeks or days), but outdated security practices can undo even the most efficient DevOps initiatives.
Now, in the collaborative framework of DevOps, security is a shared responsibility integrated from end to end. It’s a mindset that is so important, it led some to coin the term “DevSecOps” to emphasize the need to build a security foundation into DevOps initiatives.
DevSecOps means thinking about application and infrastructure security from the start. It also means automating some security gates to keep the DevOps workflow from slowing down. Selecting the right tools to continuously integrate security can help meet your security goals, but effective DevOps security requires more than new tools—it builds on the cultural changes of DevOps to integrate the work of security teams sooner rather than later.
DevOps security is built-in
Whether you call it “DevOps” or “DevSecOps,” it has always been ideal to include security as an integral part of the entire app life cycle. DevSecOps is about built-in security, not security that functions as a perimeter around apps and data. If security remains at the end of the development pipeline, organizations adopting DevOps can find themselves back to the long development cycles they were trying to avoid in the first place.
In part, DevSecOps highlights the need to invite security teams at the outset of DevOps initiatives to build in information security and set a plan for security automation. It also underscores the need to help developers code with security in mind, a process that involves security teams sharing visibility, feedback, and insights on known threats. It’s possible this can include new security training for developers too, since it hasn’t always been a focus in more traditional application development.
What does built-in security really look like? For starters, a good DevSecOps strategy is to determine risk tolerance and conduct a risk/benefit analysis. What amount of security controls are necessary within a given app? How important is speed to market for different apps? Automating repeated tasks is key to DevSecOps, since running manual security checks in the pipeline can be time intensive.
DevOps security is automated To do: Maintain short and frequent development cycles, integrate security measures with minimal disruption to operations, keep up with innovative technologies like containers and microservices, and all the while foster closer collaboration between commonly isolated teams—this is a tall order for any organization. All of these initiatives begin at the human level—with the ins and outs of collaboration at your organization—but the facilitator of those human changes in a DevSecOps framework is automation.
But what to automate, and how? There is written guidance to help answer this question. Organizations should step back and consider the entire development and operations environment. This includes source control repositories, container registries, the continuous integration and continuous deployment (CI/CD) pipeline, application programming interface (API) management, orchestration and release automation, and operational management and monitoring.
New automation technologies have helped organizations adopt more agile development practices, and they have also played a part in advancing new security measures. But automation isn’t the only thing about the IT landscape that has changed in recent years—cloud-native technologies like containers and microservices are now a major part of most DevOps initiatives, and DevOps security must adapt to to meet them.
DevOps security is built for containers and microservices The greater scale and more dynamic infrastructure enabled by containers have changed the way many organizations do business. Because of this, DevOps security practices must adapt to the new landscape and align with container-specific security guidelines. Cloud-native technologies don’t lend themselves to static security policies and checklists. Rather, security must be continuous and integrated at every stage of the app and infrastructure life cycle.
DevSecOps means building security into app development from end to end. This integration into the pipeline requires a new organizational mindset as much as it does new tools. With that in mind, DevOps teams should automate security to protect the overall environment and data, as well as the continuous integration/continuous delivery process—a goal that will likely include the security of microservices in containers.
Environment and data security: Standardize and automate the environment. Each service should have the least privilege possible to minimize unauthorized connections and access.
Centralize user identity and access control capabilities. Tight access control and centralized authentication mechanisms are essential for securing microservices, since authentication is initiated at multiple points.
Isolate containers running microservices from each other and the network. This includes both in transit and at rest data, since both can represent high-value targets for attackers.
Encrypt data between apps and services. A container orchestration platform with integrated security features helps minimize the chance of unauthorized access.
Introduce secure API gateways. Secure APIs increase authorization and routing visibility. By reducing exposed APIs, organizations can reduce surfaces of attacks.
CI/CD process security: Integrate security scanners for containers. This should be part of the process for adding containers to the registry.
Automate security testing in the CI process. This includes running security static analysis tools as part of builds, as well as scanning any pre-built container images for known security vulnerabilities as they are pulled into the build pipeline.
Add automated tests for security capabilities into the acceptance test process. Automate input validation tests, as well as verification authentication and authorization features.
Automate security updates, such as patches for known vulnerabilities. Do this via the DevOps pipeline. It should eliminate the need for admins to log into production systems, while creating a documented and traceable change log.
Automate system and service configuration management capabilities. This allows for compliance with security policies and the elimination of manual errors. Audit and remediation should be automated as well.
Fair USe Source: https://www.redhat.com/en/topics/devops/what-is-devsecops
- Snippet from Wikipedia: DevOps
DevOps is a methodology in the software development and IT industry. Used as a set of practices and tools, DevOps integrates and automates the work of software development (Dev) and IT operations (Ops) as a means for improving and shortening the systems development life cycle. DevOps is complementary to agile software development; several DevOps aspects came from the agile way of working.
External Sites
Cybersecurity: DevSecOps - Security Automation, Cloud Security - Cloud Native Security (AWS Security - Azure Security - GCP Security - IBM Cloud Security - Oracle Cloud Security, Container Security, Docker Security, Podman Security, Kubernetes Security, Google Anthos Security, Red Hat OpenShift Security); Identity and Access Management (IAM), OS Security, Java Security, Security, (Mobile Security: Android Security - Kotlin Security - Java Security, iOS Security - Swift Security; Windows Security - Windows Server Security, Linux Security (Ubuntu Security, Debian Security, RHEL Security, Fedora Security), UNIX Security (FreeBSD Security), IBM z Mainframe Security, Passwords, Linux Passwords, Windows Passwords), Passkeys, Hacking (Ethical Hacking, White Hat, Black Hat, Grey Hat), Pentesting (Red Team - Blue Team - Purple Team), Cybersecurity Certifications (CEH, GIAC, CISM, CompTIA Security Plus, CISSP), Mitre Framework, Common Vulnerabilities and Exposures (CVE), Cybersecurity Bibliography, Cybersecurity Courses, Firewalls, Cybersecurity CI/CD, Functional Programming and Cybersecurity, Cybersecurity and Concurrency, Cybersecurity and Data Science - Cybersecurity and Databases, Cybersecurity and Machine Learning, Cybersecurity Glossary (RFC 4949 Internet Security Glossary), Awesome Cybersecurity, Cybersecurity GitHub, Cybersecurity Topics (navbar_security - see also navbar_aws_security, navbar_azure_security, navbar_gcp_security, navbar_k8s_security, navbar_docker_security, navbar_podman_security, navbar_mainframe_security, navbar_ibm_cloud_security, navbar_oracle_cloud_security, navbar_database_security, navbar_firewalls, navbar_encryption, navbar_passwords, navbar_iam, navbar_pentesting, navbar_privacy)
Cloud Monk is Retired (for now). Buddha with you. © 2005 - 2024 Losang Jinpa or Fair Use. Disclaimers
SYI LU SENG E MU CHYWE YE. NAN. WEI LA YE. WEI LA YE. SA WA HE.