I heard this term first in the book "the DevOps handbook", but it was only this week that I heard the term used by a customer.
I’ve not been that long into the whole DevOps world (I was involved in intial training back in 2015) and so this new word sort of made my teeth grind a little. After rereading the DevOps handbook and after a short amount of research this is my current understanding of what is meant by DevSecOps. Corrections welcome in the comments by the way if you feel I have misunderstood the concept.
I short, you take a DevOps workflow and then you join that up with the Security team and integrate and automate the tools they use into your build, test and deploy system. Building Security telemetry and Automation into the DevOps Workflow.
In places I have read about with this sort of approach you see things like:
- Static and Dynamic code analysis in Source Code
- Information Serurity and Development teams working together on feature development
- Security issues tracked alongside Code issues not just in a GRC system (Governance, Risk (or Risk Management), and Compliance system).
- Automate Information Security tests that run alongside unit test to run against every commit into source control. E.g. http://gauntlt.org/
- Protect the deployment Pipeline and alert when changes are made.
- Information Serurity placing best practice information, samples, trusted libraries, guidance added to Source control, so it’s visible for everyone to learn.
- Security best practices embedded in the Infrastructure as Code.
- Production systems monitoring to ensure it’s in a good known state and that configs has not been changed.
- Everyone in the Value stream gets fast feedback around security issues their code has introduced.
- Security telemetry creating alerting that bubbles up to developers to detect issues in production
- OS Changes
- Security Group Changes
- Security configurations
- Cloud Infrastructure Changes
- XSS attempts
- SQL Injection Attack (monitoring for Union All attempts)
- 4xxx and 5xxx errors.
If you are someone that is currently practising DevSecOps, or part of it , I would love to chat to you about how you go about it and the advantages and disadvantages.
Let me know if I can buy you a coffee some time.