DevSecOps Overview
Key Principles of DevSecOps
DevSecOps is built on three core principles: collaboration, automation, and security. Collaboration involves breaking down silos between teams to encourage communication and cooperation throughout the software development lifecycle. Automation involves using tools and processes to reduce manual labor and increase efficiency. Security involves integrating security into every stage of the software development lifecycle, from design to deployment.
Security best practices
- Run containers as a non-root user
- Start containers in read-only mode
- Disable the setuid and setgid permissions
- Verify images with Docker Content Trust
- Limit the resources a container can use
- Disable the ping command in a container
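As an added example (not code from the page or from the books it references), the following Python audit reads `docker inspect` output and reports which of the practices above a running container misses. It assumes ping is disabled by dropping the NET_RAW capability and that setuid/setgid abuse is blocked at runtime with the `no-new-privileges` option; Docker Content Trust is a pull-time client setting that does not appear in `docker inspect`, so it is not checked, and both inspect records are constructed.

```python
"""Audit `docker inspect` output against the container hardening checklist.
Added example, not code from the page or its referenced books; the
`docker inspect` key names are real Docker fields, the records are constructed."""
import json

# Constructed: what `docker inspect` reports for a container started with
# plain `docker run -d nginx` (all defaults, nothing hardened).
DEFAULT_INSPECT = json.dumps([{
    "Config": {"User": ""},
    "HostConfig": {"ReadonlyRootfs": False, "CapDrop": [], "SecurityOpt": None,
                   "Memory": 0, "PidsLimit": None},
}])

# Constructed: the same container started with --user 1000:1000 --read-only
# --cap-drop NET_RAW --security-opt no-new-privileges -m 256m --pids-limit 100
HARDENED_INSPECT = json.dumps([{
    "Config": {"User": "1000:1000"},
    "HostConfig": {"ReadonlyRootfs": True, "CapDrop": ["NET_RAW"],
                   "SecurityOpt": ["no-new-privileges"],
                   "Memory": 268435456, "PidsLimit": 100},
}])


def _cap_name(raw: str) -> str:
    """Normalise 'cap_net_raw' / 'NET_RAW' to 'NET_RAW'."""
    name = raw.upper()
    return name[4:] if name.startswith("CAP_") else name


def audit(inspect_json: str) -> dict:
    """Return {check: passed} for the first container in the inspect output."""
    c = json.loads(inspect_json)[0]
    host = c["HostConfig"]
    uid = (c["Config"].get("User") or "").split(":")[0]   # "" or "0" -> root
    caps = {_cap_name(x) for x in host.get("CapDrop") or []}
    sec = {s.split(":")[0] for s in host.get("SecurityOpt") or []}
    return {
        "non_root_user": uid not in ("", "0", "root"),
        "read_only_rootfs": bool(host.get("ReadonlyRootfs")),
        # runtime complement to stripping setuid/setgid bits: exec() may not
        # grant new privileges even if a setuid binary is still in the image
        "no_new_privileges": "no-new-privileges" in sec,
        # assumption: ping is disabled by dropping CAP_NET_RAW (or ALL)
        "ping_disabled": bool(caps & {"NET_RAW", "ALL"}),
        "memory_limited": (host.get("Memory") or 0) > 0,
        "pids_limited": (host.get("PidsLimit") or 0) > 0,
    }


def failed_checks(inspect_json: str) -> list:
    """Names of the checks the container fails, sorted for stable reporting."""
    return sorted(k for k, ok in audit(inspect_json).items() if not ok)


if __name__ == "__main__":
    print("default :", failed_checks(DEFAULT_INSPECT))
    print("hardened:", failed_checks(HARDENED_INSPECT))
```

Pipe real output in with `docker inspect <container>` and feed the JSON string to `failed_checks` to use it as a CI gate.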
Security related modules
- AppArmor: regulates the permissions and filesystem access of containers
- SELinux: provides a system of rules for implementing access controls on kernel resources
- Secure Computing Mode (Seccomp): monitors and filters the kernel system calls a container may make
DevSecOps is a software development practice that aims to integrate security into the software development process. It is a combination of the principles of DevOps, which emphasizes collaboration and automation, and the principles of security, which emphasizes protecting systems and data from threats.
The goal of DevSecOps is to build security into the software development process from the start, rather than trying to add it on later. This can be achieved by incorporating security practices and tools into the continuous integration and continuous deployment (CI/CD) pipeline.
One of the key elements of DevSecOps is to shift security left, which means to integrate security testing and analysis as early as possible in the development process. This can include things like static code analysis, security testing, and vulnerability scanning. By identifying and addressing security issues early on, teams can reduce the risk of vulnerabilities being introduced into the codebase.
Reference
- Implementing DevSecOps with Docker and Kubernetes. An Experiential Guide to Operate in the DevOps Environment for Securing and Monitoring Container Applications, J. Candel
- https://github.com/DropsOfZut/awesome-security-weixin-official-accounts
- Learning DevSecOps: Integrating Continuous Security Across Your Organization, Michelle Ribeiro
- Learning DevSecOps: A Practical Guide to Processes and Tools, Steve Suehring
- Security as Code: DevSecOps Patterns with AWS, BK Sarthak Das, Virginia Chu
- Multi-Cloud Strategy for Cloud Architects: Learn how to adopt and manage public clouds by leveraging BaseOps, FinOps, and DevSecOps
- The DevSecOps Playbook: Deliver Continuous Security at Speed, Sean D. Mack
- Implementing DevSecOps Practices: Supercharge your software security with DevSecOps excellence, Vandana Verma Sehgal
- Enterprise DevOps for Architects: Leverage AIOps and DevSecOps for secure digital transformation, Jeroen Mulder
- DevSecOps: A leader's guide to producing secure software without compromising flow, feedback and continuous improvement, Glenn Wilson
- Practical Security Automation and Testing: Tools and techniques for automated security scanning and testing in DevSecOps, Tony Hsiang-Chih Hsu
- Hands-On Security in DevOps: Ensure continuous security, deployment, and delivery with DevSecOps, Tony Hsu
- Modern Enterprise Architecture: Using DevSecOps and Cloud-Native in Large Enterprises, Jeroen Mulder
- DevSecOps敏捷安全, 子芽
- DevSecOps实战, 周纪海, 周一帆, 马松 et al.
- DevSecOps原理、核心技术与实战, 钱君生 章亮
- DevSecOps企业级实践:理念、技术与案例, 陈能技
- https://securitycipher.com/security-tools/
- https://www.qovery.com/blog/6-best-practices-for-implementing-devsecops/