DevSecOps

DevSecOps

Emerging practice for achieving security for building applications and APIs is DevSecOps. DevSecOps is based on the principles of DevOps and it allows to deliver applications faster and meet the development timelines by writing secure code first. DevSecOps spans the entire IT stack and includes network, host, container, server, cloud, mobile and application security. As each of these layers are turning into software, eventually the application security is becoming a critical focus of the DevSecOps.

Types of security work during application/API development

• Business Security – Authentication, Authorization, fraud prevention, encryption, etc.,
• Operational Security – Applying patches, software upgrades, vulnerability remediation, generating
analytics, monitoring alerts etc.
• Internal Security – Threat modelling risk management, asset inventory, security architecture,
vulnerability assessment, security monitoring
• Unplanned Security – Security firefighting, responding to new vulnerabilities and attacks,
recovering from compromised accounts and breaches etc

Getting started with DEVSECOPS

Traditionally, security has been performed as a series of massive tasks spanning all risks. For example, write comprehensive security
requirements, design a comprehensive security architecture, do a comprehensive security test, etc. But agility requires a risk-based
approach. To accomplish security work in a DevOps organization, we can prioritize our security tasks and break them into small pieces
for implementation.

In this diagram, we show how security fits into the normal DevOps cycle at a very high level. Notice that these security augmentations
are designed to fit naturally into the process. No extra steps, no gates, no delays. Instead, we will cycle quickly on small security tasks that
are structured to be delivered by the development and operations teams using the tools they already use.