What is DevSecOps?

Summary

DevSecOps is the addition of security to DevOps. It is an overall process to ensure that security is “baked in” to the entire software development cycle.


What is DevSecOps?

DevSecOps is the addition of security to DevOps. It is an overall process to ensure that security is “baked in” to the entire software development cycle. 

DevSecOps is a logical extension of DevOps:

  • DevOps integrates operations into the develop/release cycle. DevSecOps integrates security into the develop/release cycle.
  • DevOps increases the speed at which software is developed and delivered. DevSecOps increases the security with which software is developed and delivered.
  • DevOps automates much of the software lifecycle. DevSecOps requires merging and automating many of the traditional practices of security engineers, operations teams, and development teams.

DevSecOps hardens the processes within, and the products of, the development cycle. Here are some examples.

Infrastructure hardening 

Infrastructure as Code (IaC) is the management of infrastructure components (subnets, networks, servers, databases, services, etc.) through code. This has many advantages, including the ability to harden the infrastructure automatically and repeatably. Usually, an organization which uses IaC will also use immutable infrastructure, so that changes are made by redeploying from code rather than by editing running systems.

Server settings, the closing of unused ports and protocols, NACLs, security group rules, and other configurations can all be defined and enforced in code. This not only increases security, it is also required for some forms of compliance. As a result, a wide variety of tools have become available for various types of IaC hardening.

Pipeline hardening 

DevSecOps mandates the automation of security throughout the development and delivery cycle. A variety of tools have become available to harden the CI/CD pipeline.

For example, if the pipeline builds containers, then the containers can be hardened immediately afterwards. After applications are built, they can be run through vulnerability scans. APIs can be tested to ensure that they trigger alerts and throw exceptions when out-of-bounds inputs are received. Software that passes should be delivered only into environments that have themselves been hardened and verified, for example with host-based firewalls and data loss prevention agents.
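The infrastructure and pipeline hardening described above can be combined into a single policy gate that runs on every commit. The following is an added example, not code from the original page or from any vendor: it checks a constructed security-group and TLS-listener definition (the resource layout is assumed for the example, not a real provider's schema) and returns findings so the pipeline can fail the build before anything is deployed.

```python
# Added example (not the page's own code): a minimal IaC policy gate for a
# CI/CD pipeline. It flags security-group ingress rules that expose non-HTTPS
# ports to the whole internet and TLS listeners below a minimum version. The
# resource layout and sample definitions are constructed, not a provider schema.
import ipaddress

ALLOWED_PUBLIC_PORTS = {443}  # only HTTPS may be reachable from 0.0.0.0/0
MIN_TLS = "TLSv1.2"
TLS_ORDER = ["TLSv1.0", "TLSv1.1", "TLSv1.2", "TLSv1.3"]

def is_world_open(cidr: str) -> bool:
    """True if the CIDR admits every source address (0.0.0.0/0 or ::/0)."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0

def check_security_group(name: str, rules: list) -> list:
    """Flag ingress rules that open non-allowlisted ports to the internet."""
    findings = []
    for r in rules:
        if r["direction"] != "ingress" or not is_world_open(r["cidr"]):
            continue
        ports = range(r["from_port"], r["to_port"] + 1)
        exposed = [p for p in ports if p not in ALLOWED_PUBLIC_PORTS]
        if exposed:
            findings.append(f"{name}: ports {exposed[:5]} open to {r['cidr']}")
    return findings

def check_tls_policy(name: str, min_version: str) -> list:
    """Flag listeners whose minimum TLS version is below MIN_TLS."""
    if TLS_ORDER.index(min_version) < TLS_ORDER.index(MIN_TLS):
        return [f"{name}: minimum TLS {min_version} is below {MIN_TLS}"]
    return []

def evaluate(resources: dict) -> list:
    """Run every check; an empty list means the definition passes the gate."""
    findings = []
    for name, sg in resources.get("security_groups", {}).items():
        findings += check_security_group(name, sg["rules"])
    for name, lsn in resources.get("listeners", {}).items():
        findings += check_tls_policy(name, lsn["min_tls"])
    return findings

# Constructed sample: SSH open to the world on TLS 1.0 (weak) vs. the fix.
def sample(ssh_cidr: str, min_tls: str) -> dict:
    return {"security_groups": {"web": {"rules": [
                {"direction": "ingress", "cidr": ssh_cidr, "from_port": 22, "to_port": 22},
                {"direction": "ingress", "cidr": "0.0.0.0/0", "from_port": 443, "to_port": 443}]}},
            "listeners": {"web-lb": {"min_tls": min_tls}}}

WEAK = sample("0.0.0.0/0", "TLSv1.0")
HARDENED = sample("10.0.0.0/8", "TLSv1.2")  # admin access from the VPC only
```

In a real pipeline, `evaluate()` would be run against the parsed IaC template and a non-empty result would exit non-zero, blocking the deploy stage.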

Application hardening

DevSecOps can prevent some common security pitfalls from occurring. Defining application hardening in code lets the same security practices be applied automatically in each environment of the operational stack.

For example, many of the OWASP Top 10 Vulnerabilities can be remediated through automation:

  • Code that installs applications automatically and requests and applies trusted certificates for web endpoints, app-to-app communication, and app-to-database communication.
  • Code that installs framework updates (for example Java and Node.js) as part of agent-based desired-state configuration management.
  • Code that raises auditable exceptions in applications when they detect signs of a security attack, and alerts when those exceptions are raised.
  • Code that ensures only strong cipher suites, protocols, and hashes are used in the application stack, and that all insecure methods are disabled at the OS level whenever possible.

Traditionally, security is one of the last things considered during the development cycle. Engineers tend to create apps first, and then test them for vulnerabilities as an afterthought. DevSecOps mandates that good security practices be enforced throughout development, and not only in production.
