Tuesday, July 5, 2022

DevSecOps

What is DevSecOps?

DevOps isn’t just about development and operations teams. If you want to take full advantage of the agility and responsiveness of a DevOps approach, IT security must also play an integrated role in the full life cycle of your apps. DevSecOps stands for development, security, and operations. It's an approach to culture, automation, and platform design that integrates security as a shared responsibility throughout the entire IT lifecycle.



Implementing DevSecOps

DevSecOps integrates application and infrastructure security seamlessly into Agile and DevOps processes and tools. It addresses security issues as they emerge, when they are easier, faster, and less expensive to fix (and before they reach production). Additionally, DevSecOps makes application and infrastructure security a shared responsibility of development, security, and IT operations teams, rather than the sole responsibility of a security silo. It enables "software, safer, sooner" (the DevSecOps motto) by automating the delivery of secure software without slowing the software development cycle.

The diagram below shows the security controls that should be incorporated at each stage of a continuous integration and continuous delivery (CI/CD) DevOps process.

[Diagram: security controls at each CI/CD stage (image not included in this copy)]

Benefits of DevSecOps

1. Rapid, cost-effective software delivery

The rapid, secure delivery of DevSecOps saves time and reduces costs by minimizing the need to repeat a process to address security issues after the fact.

2. Improved, proactive security

DevSecOps introduces cybersecurity processes from the beginning of the development cycle. Throughout the development cycle, the code is reviewed, audited, scanned, and tested for security issues.

3. Accelerated security vulnerability patching

A key benefit of DevSecOps is how quickly it handles newly identified security vulnerabilities, by integrating vulnerability scanning and patching into the release cycle.

DevSecOps Tools

The growth of DevSecOps tools is an encouraging sign that software and application service providers are increasingly integrating security into the software development lifecycle (SDLC). The top DevSecOps vendors offer a comprehensive suite of application security testing tools, including static application security testing (SAST), dynamic and interactive application security testing (DAST and IAST), and software composition analysis (SCA).

Here are some open source or free DevSecOps tools:

  1. Alerta
  2. Grafana
  3. Kibana
  4. OWASP ZAP
  5. OWASP Threat Dragon

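As an added example (not code from the original post or from the OWASP ZAP project), here is a small CI/CD security gate of the kind the "Implementing DevSecOps" section describes: it reads a ZAP-style JSON scan report and blocks the build when High-risk findings are present, unless a finding's plugin id has an accepted, tracked exception. The report embedded below is a constructed sample that follows the layout of ZAP's JSON report (`site[].alerts[].riskcode`); the file name `zap_gate.py` and the allowlist mechanism are assumptions of this example.

```python
import json
import sys

# Constructed sample in the layout of an OWASP ZAP JSON report (abridged);
# the alert values are illustrative, not from a real scan.
SAMPLE_REPORT = {
    "@version": "2.12.0",
    "site": [{
        "@name": "http://app.internal.example",
        "alerts": [
            {"pluginid": "10038", "alert": "Content Security Policy (CSP) Header Not Set",
             "riskcode": "2", "confidence": "3", "count": "4"},
            {"pluginid": "40012", "alert": "Cross Site Scripting (Reflected)",
             "riskcode": "3", "confidence": "2", "count": "1"},
            {"pluginid": "10021", "alert": "X-Content-Type-Options Header Missing",
             "riskcode": "1", "confidence": "2", "count": "7"},
        ],
    }],
}

# ZAP risk codes: 0 informational, 1 low, 2 medium, 3 high
RISK_NAMES = {0: "Informational", 1: "Low", 2: "Medium", 3: "High"}


def findings_at_or_above(report, min_risk):
    """Return (pluginid, alert name, risk) for every alert with risk >= min_risk."""
    hits = []
    for site in report.get("site", []):
        for alert in site.get("alerts", []):
            risk = int(alert.get("riskcode", 0))
            if risk >= min_risk:
                hits.append((alert["pluginid"], alert["alert"], risk))
    return hits


def gate(report, min_risk=3, allowlist=()):
    """Return 0 if the build may proceed, 1 if it must be blocked.

    allowlist holds plugin ids that have an accepted, tracked risk exception
    (an assumed mechanism for this example, not a ZAP feature).
    """
    blocking = [h for h in findings_at_or_above(report, min_risk)
                if h[0] not in allowlist]
    for pluginid, name, risk in blocking:
        print(f"BLOCK {RISK_NAMES[risk]:>6} plugin={pluginid} {name}")
    return 1 if blocking else 0


if __name__ == "__main__":
    # In a pipeline: python zap_gate.py report.json ; a non-zero exit fails the stage.
    report = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_REPORT
    sys.exit(gate(report))
```

Lowering `min_risk` to 2 turns Medium findings into blockers as well, which is the usual way to tighten the gate gradually without stalling the delivery cycle.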

Happy Hacking... Enjoy...

For educational purposes only... Do not misuse it...