DevSecOps: From Theory to Practice

DevSecOps

DevSecOps has become one of the hottest buzzwords in the DevOps ecosystem over the past couple of years. In the abstract, it’s easy to understand what DevSecOps means and why people care about it: It’s a strategy that extends DevOps efficiencies to software security.

But when you sit down and actually start implementing DevSecOps, things can get trickier. There is no switch that you can flip to achieve DevSecOps. Nor is there a specific tool you can acquire, or even a particular process to follow.

Instead, implementing DevSecOps requires you to perform a broad evaluation of your existing IT resources and DevOps processes, then build a holistic strategy that integrates stronger security into all of them.

Let’s take a look at how to do that by walking through the main considerations that the typical organization must address in order to achieve DevSecOps.

What is DevSecOps?

First, let’s briefly define DevSecOps.

Basically, DevSecOps is DevOps with security built-in, right from the start. It means building security into requirements, into design, into code, and into deployment, logging, and monitoring — in short, into your entire DevOps supply chain.

How do you translate those goals into practice? Which specific security processes can you automate and integrate into the rest of your CI/CD pipeline, and how can you do it?

Let’s explore those questions and look for some answers, based on the current state of DevSecOps tools and practices.

Step #1: Vulnerability Scanning

Scanning your code for vulnerabilities is a basic first step for securing your products. And integrating vulnerability scanning into your CI/CD process is an obvious place to start for implementing DevSecOps.

What this means is ensuring that code is checked for vulnerabilities at every major stage of the delivery pipeline – from (Read more...)

*** This is a Security Bloggers Network syndicated blog from Blog – WhiteSource authored by Gabriel Avner. Read the original post at: https://resources.whitesourcesoftware.com/blog-whitesource/devsecops

Gabriel Avner

Gabriel Avner

Gabriel is a former journalist who loves learning and writing about the cat and mouse game of security. These days he writes for WhiteSource about the issues impacting open source security and license management and training Brazilian Jiu-Jitsu.

gabriel-avner has 18 posts and counting.See all posts by gabriel-avner