What is DevSecOps?
DevSecOps is a portmanteau of development, security and operations. Like DevOps, DevSecOps refers to a combination of culture, process and technology. But while DevOps focuses on optimizing and streamlining the software development lifecycle, DevSecOps seeks to improve security across an organization’s product delivery pipeline. Furthermore, DevSecOps directly addresses potential security vulnerabilities introduced by the DevOps model.
DevSecOps terms you need to know
An organization’s attack surface refers to the potential vulnerabilities within a system that could be exploited by an attacker, that is, the network's exposure to potential threats. Internet of Things (IoT) devices, mobile devices, cloud computing, and remote work have all expanded the attack surface of the average organization.
In general, automation refers to the use of technology to accomplish a task that would otherwise be accomplished by a human being. In the DevSecOps context, automation refers to the use of automated technologies (scripts, bots, and algorithms) to perform security tasks throughout the software development life cycle.
The chain of custody is the record of who has had possession of evidence at any given time. For digital evidence, the chain of custody must be maintained so that the evidence is not altered and its authenticity can be verified. Modern document management systems, for example, contain thorough audit logs.
CI/CD
CI/CD, or Continuous Integration and Continuous Delivery, is a software development practice in which developers frequently integrate code changes into a shared repository, and software changes are automatically built, tested, and delivered to production. These rapid iterations create value for the company quickly, but they also require a high level of security to reduce the likelihood of disruption.
Code dependencies are the external libraries, frameworks and modules that your code needs in order to run. These dependencies can introduce weaknesses into your codebase if they are not handled properly. Third-party vulnerabilities are the most common vulnerabilities in a system.
Compliance refers to an organization’s adherence to external rules, standards, or best practices. In terms of DevOps and security, compliance can refer to everything from adherence to industry-specific regulations, such as CMMC for Department of Defense contractors, to internal company policies.
Configuration drift occurs when a system’s configuration changes without being tracked or approved. Configuration drift can lead to security vulnerabilities over time as the company expands its scope.
Containerization is a method of packaging software, so it can be run in isolated environments. Containers are self-contained and include all the dependencies needed to run the software, making them portable and easy to install. Importantly, containerized instances have a limited effect on each other, making them more secure.
A data breach is unauthorized access to or disclosure of sensitive information. Data breaches can occur when a malicious attacker gains access to a system, but they can also happen when an authorized user mishandles data, for example, by sending it to the wrong person or posting it online. Most companies will encounter a data breach at some point, but proper DevSecOps practice will reduce the damage.
Data loss prevention is the practice of preventing unauthorized disclosure of sensitive information, whether by using automated tools or by restricting access. Data loss prevention tools can be used to encrypt data in transit and at rest as well as to monitor and control data access.
Endpoint security
Endpoint security is the practice of securing devices connected to the network. Endpoints can include laptops, smartphones, tablets and IoT devices. Endpoint security solutions typically include antivirus software, firewalls, and intrusion detection and prevention.
Identity and Access Management (IAM)
IAM is the practice of managing identities, both digital and physical, and their access to sensitive information and systems. IAM includes the provisioning and de-provisioning of user accounts as well as the management of access control. In order to be truly effective, IAM suites must be paired with appropriate security procedures.
A maturity model is a framework that can be used to evaluate the progress of an organization in adopting a particular practice or ability. In the context of DevSecOps, a maturity model can be used to evaluate an organization’s progress in adopting DevSecOps practices and achieving DevSecOps objectives.
Passwordless authentication is a method of authenticating users without using a password. Instead, authentication can be done using biometrics, hardware tokens, or one-time passcodes (OTPs). Many security analysts believe that this type of authentication is more secure than traditional passwords, because passwordless authentication does not rely on users maintaining security standards.
Penetration testing, also known as pen testing, is the practice of simulating an attack on a system to identify vulnerabilities. Pen tests can be conducted manually or with automated tools and can be aimed at individual systems or the entire network.
Perimeter security is the practice of protecting the boundaries of a network. Perimeter security solutions typically include firewalls and intrusion detection and prevention. Today, companies are moving away from perimeter-based security and toward access-based security.
Risk management is the process of identifying, evaluating and mitigating risk. In terms of security, risk management is an essential component which includes identifying threats and vulnerabilities as well as assessing their impact on the organization.
Security Information and Event Management (SIEM)
SIEM is a security management approach that combines the functions of Security Information Management (SIM) and Security Event Management (SEM). SIEM provides organizations with a real-time perspective on their security practices, as well as the ability to identify, investigate and respond to security incidents.
Security as code
Security as code is the practice of treating security configurations and policies as code, which can then be managed like any other software resource. Treating security configurations as code helps ensure that the environment is consistent and that changes can be tracked over time.
The security posture of an organization refers to the overall state of its security, including the effectiveness of its controls and the adequacy of its policies and procedures. Security posture can be measured through the use of security assessments and audits.
Shift left
Shift left is a DevOps policy that supports including security earlier in the software development process. By shifting left, companies can find and fix security vulnerabilities earlier in the development cycle, which can save time and money.
Siloed security is the practice of separating security functions from other parts of the organization. Siloed security can increase the risk of inefficiency and blind spots as well as security-related incidents.
Threat modeling is the practice of identifying, assessing and mitigating threats. It helps organizations understand their attack surface, audit existing systems for potential gaps, and identify the most likely and most impactful threats.
Zero trust is a security model that assumes that all users and devices are untrustworthy. In a zero-trust environment, all traffic is considered untrusted and all resources are protected accordingly. Zero trust is often combined with micro-segmentation to further isolate systems and data.