Types of security work during application/API development
• Business Security – Authentication, Authorization, fraud prevention, encryption, etc.,
• Operational Security – Applying patches, software upgrades, vulnerability remediation, generating
analytics, monitoring alerts etc.
• Internal Security – Threat modelling risk management, asset inventory, security architecture,
vulnerability assessment, security monitoring
• Unplanned Security – Security firefighting, responding to new vulnerabilities and attacks,
recovering from compromised accounts and breaches etc
Getting started with DEVSECOPS
Traditionally, security has been performed as a series of massive tasks spanning all risks. For example, write comprehensive security
requirements, design a comprehensive security architecture, do a comprehensive security test, etc. But agility requires a risk-based
approach. To accomplish security work in a DevOps organization, we can prioritize our security tasks and break them into small pieces
In this diagram, we show how security fits into the normal DevOps cycle at a very high level. Notice that these security augmentations
are designed to fit naturally into the process. No extra steps, no gates, no delays. Instead, we will cycle quickly on small security tasks that
are structured to be delivered by the development and operations teams using the tools they already use.