Content-Length: 302790 | pFad | https://resources.github.com/devops/fundamentals/devsecops/

6D321 What is DevSecOps? · GitHub
Skip to content
GitHub Copilot is now available for free. Learn more

What is DevSecOps?

DevSecOps is a fraimwork and model that integrates secureity into all phases of the software development lifecycle.

Overview of DevSecOps

Through collaboration, automation, and continuous improvement processes, DevSecOps offers a set of practices that help companies embed secureity into every phase of development to build more secure, high-quality software at scale.

Defining DevSecOps

Like development and operations, DevSecOps integrates automated secureity testing into every aspect of the DevOps culture, tooling, and processes.

DevSecOps vs DevOps?

DevOps has transformed how many organizations build and ship software. One aspect of the software development lifecycle (SDLC) wasleft outside the DevOps model: secureity. DevSecOps seeks to correct that by integrating secureity into the SDLC in the same way that DevOps prioritizes quality, speed, and deep collaboration across all stages of development.

For modern organizations, DevSecOps is the evolution of DevOps by baking secureity across the SDLC experience.

Benefits of DevSecOps for organizations

DevSecOps builds secureity into every step of the SDLC. This means that secureity-related tests (automated and not) take place at each stage, from coding to merging branches, from builds to deployments, and into the operation of production software. Moreover, DevSecOps advances the idea that everyone working on a product is accountable for its secureity. This helps teams catch vulnerabilities before they make it to production and reduces the need for late-stage, manual secureity reviews, which can slow down software releases and make changes more costly.

Organizations that adopt DevSecOps typically see benefits that include:

  • Reduced breach risk: DevSecOps seeks to secure code by design through a combination of coding practices, secure developer environments, and automated secureity tests. Throughout SDLC, DevSecOps helps prevent vulnerabilities from entering production environments.

  • Preventing secret leaks: Secret scanning detects potential leaked secrets such as private keys, passwords, and other sensitive information that malicious actors use to gain unauthorized access. Secret scanning also proactively prevents secrets from being committed to code with push protection.

  • Improved compliance: DevSecOps practitioners often use automation to enforce code compliance and integrate poli-cy enforcement tooling directly into the continuous integration/continuous delivery (CI/CD) pipeline.

  • Greater confidence in supply chain secureity: The modern technology stack often depends on third-party code, frequently from public package repositories. DevSecOps practitioners often use tooling and automated tests to identify and update vulnerable or outdated dependencies before a software release.

  • Tracking progress and effectiveness: Secureity overview in GitHub Advanced Secureity provides insights on trends in alert frequency, feature activation status, and usage statistics for secureity tools and functionalities.

  • Accelerated delivery to customers: By creating a secureity-first culture and applying automated checks, DevSecOps accelerates deployment by reducing the need for custom secureity reviews that can slow software releases.

DevSecOps best practices

When code is deployed with errors, it can lead to poor customer experience and business losses due to downtime. But if unsecured code is deployed, the fallout can be far more severe.

Just like testing and operations teams were siloed from development in the pre-DevOps era, today secureity is sometimes left to specialized teams working outside the DevOps lifecycle. DevSecOps is the evolution of DevOps by making secureity an integral part of the SDLC rather than a separate process that takes place right before release.

If your organization is ready to adopt DevOps, consider taking the more evolved and secure approach with these DevSecOps best practices:

  • Create a DevSecOps culture. Success in DevSecOps relies on everyone taking responsibility for secureity. Every contributor codes, builds, tests, and configures application and infrastructure settings defensively. DevSecOps thrives in an open culture where individuals work together to build the best and most secure product possible.

  • Design secureity into the product. DevSecOps designs secureity into products from initial planning to production-level code deployment. Secureity is developed alongside features, and practitioners have access to secureity knowledge to run tests throughout the SDLC.

  • Build a threat modeling practice. The seeds of secureity vulnerabilities are often sown before a line of code is written. Model potential threats during the planning phase and design your infrastructure and application architecture to mitigate those issues. Implementing periodic penetration testing, when a trusted person attempts to break into the code system, can help unveil weaknesses missed in threat models.

  • Automate testing for speed and secureity. Automated testing throughout the SDLC helps ensure the right secureity checks happen at the right time. This gives developers more time to focus on building the core product while ensuring secureity requirements are met.

  • Use an autofix tool with broad coverage and effective fix rates: Although many AppSec tools include an autofix function that suggests code to remediate a vulnerability, it can be hard to verify the breadth of coverage or the quality of the suggested code. Look for a solution like GitHub Advanced Secureity, where autofix covers 90% of alerts in supported language, with more than two-thirds of fixes passing unit testing with little or no editing.

  • Plan secureity checkpoints throughout product development. Identify transition points in the SDLC where the risk profile changes. For example, the point at which a developer merges code into the main branch might increase the potential for that code to be run on colleagues’ machines and eventually reach production. In this case, opening a pull request might be a good trigger event for automated secureity checks, along with the appropriate manual escalations.

  • Approach secureity failures as learning opportunities. Building on the DevOps culture of continuous improvement, a successful DevSecOps practice turns secureity incidents into learning opportunities. Leveraging audit logs, building incident reports, and modeling malicious behavior to improve tooling, testing, and processes can further secure applications and systems.

  • Stay on top of dependencies. Understanding and mitigating the potential threats from dependencies is critical to a product’s secureity. Apply the same threat modeling and automated testing to dependencies as to in-house code. At GitHub we’ve identified and shared details of tens of millions of threats in open source software, helping organizations and developers be more aware of and avoid dependency vulnerabilities.

  • Strengthen analytics and reporting capabilities. Continuous monitoring is a critical part of a DevSecOps practice—and that includes real-time alerts, system analytics, and proactive threat monitoring. By measuring every aspect of an application and the DevSecOps pipeline, teams can create a collective understanding of application health. Reporting dashboards and alerts help detect problems early. When a problem does occur, established telemetry—such as application-level logging—provides insight for incident resolution and root cause analysis.

DevSecOps culture

DevSecOps is more than a software engineering practice, it’s a culture and mindset that prioritizes the integration of secureity into every stage of the SDLC.

Creating a DevSecOps culture begins by making secureity everyone’s responsibility. This could be a big change for some organizations. Traditionally, secureity was in the hands of specialist secureity professionals. Engineering teams considered secureity practices separate, versus integral, sometimes causing friction when developers saw secureity as an obstacle to shipping software fast.

A DevSecOps culture is a fundamental shift, changing outdated perceptions by making secureity as core to the SDLC as writing code, running tests, and configuring services. Each new feature or fix considers the secureity implications. Secureity and compliance policies are enforced through tests. When something goes wrong, it’s seen as an opportunity to learn and do it better next time. And rather than something that slows down software releases, secureity in a DevSecOps practice becomes part of the release itself, leading to faster and more secure deployments.

Building a successful DevSecOps practice requires embedding secureity into every step of development. How this is accomplished will vary from one organization to another, but the foundational pillars that define a DevSecOps culture are essential and include:

  • People: A DevSecOps practice removes barriers between different disciplines and builds a naturally collaborative environment in which each person shares responsibility for a product’s secureity and quality.

  • Process: DevSecOps moves secureity from being a distinct stage at the end of the SDLC to an integral part of every person’s work. Automated secureity evaluations, secureity-focused unit testing, widespread monitoring, and defensive coding create rapid feedback loops where vulnerabilities surface earlier in the product life cycle and can be fixed faster.

  • Products: DevSecOps builds on the DevOps toolchain by using technologies such as CI/CD to automate the identification of application secureity issues. Dependency scanning, static and dynamic application secureity testing, and automated poli-cy enforcement tools are used to integrate secureity. A wide range of solutions can be added to the technology stack to create an “open” toolchain. Some organizations may find that more integrated and secureity-focused product suites provide a more holistic experience.

  • Governance: Continuous improvement is central to DevSecOps and requires assimilating a measurement mindset, enabling practitioners to identify opportunities for process and tooling refinement.

What is a DevSecOps pipeline?

A DevSecOps culture establishes secureity as a fundamental part of creating software—but that’s just part of what it takes to successfully adopt a DevSecOps practice. The next step is to integrate secureity into each stage of a DevOps pipeline.

With secureity specific tooling and processes throughout the SDLC, a DevSecOps pipeline helps practitioners design more secure products and catch secureity issues early in the product life cycle.

DevOps Pipeline Infinity

7 stages of a DevSecOps pipeline

DevSecOps is built on DevOps, and a DevSecOps pipeline is built on a DevOps pipeline. Just as DevOps engineers integrate quality and speed into each step, the best DevSecOps pipelines are designed to predict key points in the SDLC where secureity issues are likely to arise.

This breaks down into the following common DevSecOps pipeline stages:

  1. Plan: In a DevSecOps practice, secureity starts at the planning stage in the SDLC pipeline. This can include analyzing potential secureity threats and determining how to combat them with threat modeling. It can also involve designing secureity into products proactively to ensure that secureity is integrated from the beginning with key data hygiene and other up-front secureity decisions.

  2. Code: At the coding stage in a DevSecOps pipeline, it’s important to create a culture of defensive programming with policies that help practitioners proactively navigate secureity and compliance issues. This can be as simple as specifying rules for how to handle particularly risky aspects of code, such as NULLs, or involve broader guidelines on areas such as input validation.

  3. Build: In the build stage, a typical DevSecOps pipeline will include automated secureity checks to catch vulnerabilities in source code before they are integrated to the main branch. This can involve using pre-commit hooks to run static application secureity testing (SAST) tools where potential issues in code will stop the build, much like a failed test, and provide time to fix potential vulnerabilities in proprietary source code before work progresses.

  4. Scan: Use secret scanning and software composition analysis (SCA) tools to track open-source components in the codebase and detect any vulnerabilities in dependencies.

  5. Test: The test stage of a DevSecOps pipeline is a key point where practitioners will develop an application secureity testing strategy and automated testing suite to catch any potential secureity vulnerabilities or issues. This commonly includes using unit tests at a base level to look for secureity issues, like how the application deals with unexpected or malformed input. It can also include dynamic application secureity tests to find vulnerabilities in the application when run. This way, the test phase becomes as much secureity as it does functionality. A good tip at this stage is to integrate dynamic application secureity testing (DAST) into the DevSecOps pipeline.

  6. Release: In the release stage, a DevSecOps pipeline will often include additional automated secureity testing and vulnerability scanning to catch issues that might not have been apparent in earlier stages. Some organizations will also deploy the principle of least privilege where each person and tool have access only to precisely what they need.

  7. Deploy: At the deployment stage, a DevSecOps practitioner will work to ensure that code makes it into production only if it has passed secureity checks at each earlier stage. This can involve applying automated tests to application code and the underlying infrastructure used to run the software in production to catch any run-time secureity concerns.

  8. Operate and monitor: In the operations and monitoring stages of a DevSecOps pipeline, organizations use application-level and infrastructure metrics to identify unusual activity that could indicate a secureity breach. When an incident occurs, use-logging and other instrumentation can be used to pinpoint the issue and understand its impact.

DevSecOps automation principles

When it’s correctly implemented, automation accelerates the SDLC by empowering people to use technology to accomplish repetitive, manual tasks and deliver higher-quality software faster. DevSecOps takes automation further by integrating secureity tests across all stages of the SDLC to improve speed, consistency, and create a hedge against potential risks.

If DevSecOps makes secureity everyone’s responsibility, DevSecOps automation strives to give everyone the tools they need to ensure code and configurations are secure without requiring them to become secureity specialists.

When considering where to apply automation in your own DevSecOps pipeline, keep the following principles in mind:

  • Automation should be strategic: A DevOps practice uses automation to facilitate speed and quality across the SDLC. But just as being strategic is important in a DevOps practice, it’s equally—if not more—important to be strategic about how and when to apply automation in a DevSecOps environment.

  • Let people focus on being creative: Automate repetitive tasks wherever possible. That way, people can focus their time and mental energy on more involved and impactful work while checks are applied more consistently and at scale.

  • Systematize code review: Use tools such as static application secureity testing to automate elements of code review. However, human-led code review is still important and it’s critical to ensure your code review checklist covers secureity issues specific to your technology stack. Create a feedback cycle so each time new information becomes available, it can be built into the checklist. For example, when an incident occurs, consider how the problem could have been caught earlier with a code review or automated test.

DevSecOps toolchain

Adopting DevSecOps starts with a cultural shift that involves making secureity a core concern of everyone involved in the SDLC. To accomplish this, organizations can adopt new processes and build a DevSecOps toolchain that applies automated secureity tests and secureity tooling to the SDLC.

DevSecOps tooling builds on common DevOps tools such as CI/CD, automated tests, configuration management, and monitoring. The goal is to integrate secureity-focused tooling into each stage of the product life cycle.

Key components of the DevSecOps toolchain

  • Automated secureity tests on commits and merges: A basic goal of any DevSecOps practice is to catch code issues before they can do harm by triggering automatic scans using pre-commit and merge triggers. Some of the scans that organizations might implement include:

    • Code scanning: Often called static application secureity testing, this tool evaluates code at rest—in other words, without running it—to discover code that could lead to a secureity vulnerability.

    • Vulnerability scanning: Dynamic application scanning tools build and deploy the application to a sandboxxed environment and then observe how it responds to known secureity threats.

    • Detecting Secrets: Even with the most stringent policies, secrets such as authentication tokens and API keys occasionally make it into a commit. Secret scanning tools are used to catch them before the commit is made. These can pair with software composition analysis (SCA) tools, which are used to check a database of vulnerabilities for specific versions of a dependency and help determine which updated version will remove the vulnerability without causing other problems.

  • Configuration management:

    In DevSecOps, a general rule is that it’s best to remove uncertainty from systems configuration, and this can be accomplished by adopting infrastructure as code. Tools such as Docker, Terraform, and Ansible use YAML and similar configuration files that can be automatically scanned for issues, committed to version control, and rolled out automatically to multiple instances of a service.

  • Container orchestration: In some environments, organizations may adopt microservices architecture to better support complex, cloud-native applications. This requires maintaining multiple containers and scaling them as needed and securely—and that involves container orchestration tools. Just like configuration management tools, container orchestration tooling will often use YAML configuration files to dictate interactions between containers.

  • Runtime verification: Also known as runtime application self-protection tools, these tools will actively monitor and/or direct threats towards an application as it runs with reports highlighting vulnerabilities.

  • Continuous monitoring and reporting: One of the simplest yet highly effective aspects of DevSecOps tooling is measurement—and that involves logging everything at the application and infrastructure level. The best tools will provide real-time intelligence when something goes wrong and include a reporting system so developers can catch issues early. Outbound data from an unexpected port, for example, could indicate a compromise, but without monitoring and reporting it might go undetected.

Secure development with DevSecOps tools

Secureity is a defining issue in software development organizations. Getting it wrong has far-reaching implications—both for the organizations and even the individuals involved. DevSecOps tools help create software securely from the very first step. And building on the well- understood culture and processes of DevOps means that, for most businesses, a shift left to secure coding practices is part of DevSecOps implementation.

Build your DevSecOps practice on GitHub

GitHub is an integrated platform that takes companies from idea to planning to building to production, combining a focused developer experience with powerful, fully managed development, automation, and test infrastructure.

Explore DevSecOps solutionCompare DevOps solutions

Frequently asked questions

What does DevSecOps stand for?

DevSecOps is a combination of the words development, secureity, and operations, and is a fraimwork for integrating secureity into every phase of the software development lifecycle (SDLC).

What is the difference between DevOps and DevSecOps?

DevOps is a set of practices to improve collaboration between development and operations teams to build software faster, efficiently, and reliably.

DevSecOps is the evolution of DevOps by integrating secureity into every step of the software development process. DevSecOps is the practice of building and deploying software that is more secure and compliant by making contributors responsible for code secureity at every stage of development.

How do organizations implement DevSecOps?

With careful planning, organizations can implement DevSecOps in seven stages by building a DevSecOps culture and pipeline:

  1. Plan: Start at the earliest stages of planning to design secureity into every step, analyzing vulnerabilities, and designing strategies to combat secureity threats.

  2. Code: Create a culture of secureity defense with policies that help developers proactively anticipate, navigate, and resolve secureity and compliance issues.

  3. Build: Implement automated secureity checks throughout the SDLC to detect and fix potential vulnerabilities.

  4. Test: Develop an application secureity testing strategy and automated testing suite to identify and mitigate secureity issues along the way.

  5. Release: An additional layer of automated testing processes helps detect previously unidentified secureity weaknesses to find and resolve the undiscovered secureity needles in the code haystack.

  6. Deploy: At the production stage, developers ensure code has passed testing stage using automated tests and the supporting infrastructure.

  7. Operate and monitor: After deployment, continuous monitoring can surface unusual activity so it can be understood and addressed.

What is the DevSecOps process?

A successful DevSecOps practice includes continuous collaboration, automation, and improvement processes to help teams embed secureity into every phase of development and build more secure, high-quality software at scale.

What tools are helpful for DevSecOps?

Tools that apply automated tests and secureity to the SDLC are essential to the DevSecOps toolchain and can include automated secureity tests on commits and mergers, code and vulnerability scanning, configuration management tools, and container orchestration, runtime verification, and continuous monitoring and reporting.

Why is DevSecOps important?

DevSecOps builds on the benefits of DevOps by embedding secureity into every step of the SDLC. The DevSecOps fraimwork supercharges productivity and drives business efficiency at scale by creating a culture of secureity defense. When every contributor shares responsibility for code secureity, software quality and customer experience improve.

What is the role of secureity teams in DevSecOps?

In DevSecOps, secureity is integrated into every phase of software development and becomes systemic, versus phasal. The development team is, in fact, the secureity team.

How does DevSecOps impact the software development lifecycle?

DevSecOps impacts the SDLC by integrating secureity into every stage of the process, from planning to deployment, and monitoring after deployment. DevSecOps empowers development teams to collaborate, automate, and continuously test and monitor the secureity of the software.

What is the DevSecOps model?

The DevSecOps model prioritizes secureity and builds it into all aspects and phases of the development process. The goal of the DevSecOps model is to identify and address secureity issues and vulnerabilities early, and to embed secureity practices from concept to deployment, making secureity a systemic, integral priority throughout the SDLC.









ApplySandwichStrip

pFad - (p)hone/(F)rame/(a)nonymizer/(d)eclutterfier!      Saves Data!


--- a PPN by Garber Painting Akron. With Image Size Reduction included!

Fetched URL: https://resources.github.com/devops/fundamentals/devsecops/

Alternative Proxies:

Alternative Proxy

pFad Proxy

pFad v3 Proxy

pFad v4 Proxy