What is DevSecOps?
DevSecOps is a portmanteau of development, security, and operations. Like DevOps, DevSecOps refers to a combination of culture, process, and technology. But whereas DevOps focuses on optimizing and streamlining the software development lifecycle, DevSecOps seeks to improve security throughout an organization’s product delivery pipeline. Additionally, DevSecOps directly addresses potential security weaknesses introduced by the DevOps model.
DevSecOps terms you need to know
Attack Surface
An organization’s attack surface is the set of points through which an attacker could enter a system or extract data: exposed network services and APIs, user interfaces, credentials, and the people and processes that hold them. Internet of Things (IoT) devices, mobile devices, cloud computing, and remote working have all expanded the average organization’s attack surface, and an attack surface has to be enumerated before it can be reduced.
Automation
In general, automation means using technology to perform a task that would otherwise be done by a person. In DevSecOps it means running security tasks (dependency and secret scanning, static and dynamic testing, policy checks, patching) as scripted steps in the pipeline rather than as manual reviews, so that every change is checked the same way and a failed check blocks the change before it reaches production.
Chain of Custody
Chain of custody is the record of who had possession of a piece of evidence, and when, from collection onward. For digital evidence, maintaining the chain of custody means fingerprinting the evidence (typically with a cryptographic hash) at acquisition and logging every handoff, so that later tampering can be detected and the evidence’s authenticity can be demonstrated. Modern document management systems, for example, keep extensive audit logs for this purpose.
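The following is an added example, not code from the article: a minimal hash-chained custody log for a piece of digital evidence. Each record stores the evidence’s SHA-256 and the hash of the previous record, so editing or removing an entry, or altering the evidence itself, shows up on verification. The evidence bytes and the custodian names are constructed for illustration.

```python
import hashlib
import json

# Constructed sample evidence; in practice this would be a disk image or a log archive.
EVIDENCE = b"2024-01-01T00:00:00Z auth.log: Failed password for root from 203.0.113.5\n"


def fingerprint(data: bytes) -> str:
    """SHA-256 of the evidence, recorded at acquisition and re-checked at every handoff."""
    return hashlib.sha256(data).hexdigest()


def add_custody_event(log: list, custodian: str, action: str, evidence: bytes, when: str) -> dict:
    """Append a custody record whose hash covers the evidence fingerprint and the
    previous record, so altering or dropping any entry breaks the chain."""
    prev_hash = log[-1]["record_hash"] if log else "0" * 64
    record = {
        "seq": len(log),
        "time": when,
        "custodian": custodian,
        "action": action,
        "evidence_sha256": fingerprint(evidence),
        "prev_hash": prev_hash,
    }
    payload = json.dumps(record, sort_keys=True).encode()
    record["record_hash"] = hashlib.sha256(payload).hexdigest()
    log.append(record)
    return record


def verify_chain(log: list, evidence: bytes) -> list:
    """Return a list of problems; an empty list means log and evidence are intact."""
    problems = []
    prev_hash = "0" * 64
    current = fingerprint(evidence)
    for i, rec in enumerate(log):
        body = {k: v for k, v in rec.items() if k != "record_hash"}
        expected = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
        if rec["record_hash"] != expected:
            problems.append(f"record {i}: hash mismatch (entry altered)")
        if rec["prev_hash"] != prev_hash:
            problems.append(f"record {i}: broken link to previous record")
        if rec["evidence_sha256"] != current:
            problems.append(f"record {i}: evidence fingerprint differs from current file")
        prev_hash = rec["record_hash"]
    return problems


def run_demo():
    """Build a two-handoff chain, then check it against intact and tampered evidence."""
    log = []
    add_custody_event(log, "analyst-a", "acquired", EVIDENCE, "2024-01-02T09:00:00Z")
    add_custody_event(log, "analyst-b", "received for analysis", EVIDENCE, "2024-01-02T10:30:00Z")
    intact = verify_chain(log, EVIDENCE)
    # Simulate someone editing the evidence after the handoff.
    tampered = verify_chain(log, EVIDENCE.replace(b"root", b"guest"))
    return intact, tampered


if __name__ == "__main__":
    ok, bad = run_demo()
    print("intact:", ok or "no problems")
    print("tampered:", bad)
```

A real system would sign each record (or anchor the chain in an append-only store) so that a custodian with write access to the log cannot simply rebuild it; the hash chain alone only proves that the log and evidence are consistent with each other.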
CI/CD
CI/CD, or Continuous Integration and Continuous Delivery, is a software development practice in which developers frequently merge code changes into a shared repository, and each change is automatically built, tested, and deployed. These fast iterations deliver value to the organization sooner, but they also mean a vulnerable or malicious change can reach production within minutes, so the pipeline itself needs security controls (automated tests and scans, protected branches, signed artifacts, tightly scoped deployment credentials) to reduce the risk of disruption.
Code Dependencies
Code dependencies are the external libraries, frameworks, and modules your code needs to build and run, together with their own (transitive) dependencies. They can introduce vulnerabilities into your code base if not properly managed: a known flaw in a library is as exploitable as one in your own code, and a compromised package can run arbitrary code at build time. A large share of the vulnerabilities found in applications come from third-party code, which is why dependencies should be inventoried, pinned to known versions, and checked against vulnerability advisories on every build.
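As an added example (not the article’s code), here is the core of a dependency audit: parse a pinned requirements file, flag anything that is not pinned to an exact version, and compare each pin against an advisory list. The requirements file, the advisory entries and their EXAMPLE-* identifiers are all constructed for illustration; a real tool would pull advisories from a vulnerability database and use a full PEP 440 version parser.

```python
import re

# Constructed pip-style requirements file.
REQUIREMENTS = """\
requests==2.19.0
pyyaml==5.3
cryptography==41.0.7
# a comment line
flask>=2.0
"""

# Constructed advisory data: package -> [(last affected version, first fixed version, id)].
# The identifiers are placeholders, not real advisories.
ADVISORIES = {
    "requests": [("2.19.1", "2.20.0", "EXAMPLE-0001")],
    "pyyaml": [("5.3.1", "5.4", "EXAMPLE-0002")],
}

SPEC_RE = re.compile(r"^([A-Za-z0-9_.\-]+)\s*(==|>=|<=|~=|>|<)\s*([0-9][0-9A-Za-z.\-]*)$")


def parse_version(v: str) -> tuple:
    """Numeric components only, good enough for the simple pins used here."""
    return tuple(int(p) for p in re.findall(r"\d+", v))


def parse_requirements(text: str) -> dict:
    """Map package name -> (operator, version), or None if the line is unparsable."""
    pins = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = SPEC_RE.match(line)
        if not m:
            pins[line] = None
            continue
        name, op, ver = m.groups()
        pins[name.lower()] = (op, ver)
    return pins


def audit(pins: dict, advisories: dict) -> list:
    """Return findings as (package, kind, detail) tuples."""
    findings = []
    for name, spec in pins.items():
        if spec is None:
            findings.append((name, "unparsable", "cannot evaluate this requirement"))
            continue
        op, ver = spec
        if op != "==":
            # A range lets a future (possibly compromised) release in unreviewed.
            findings.append((name, "unpinned", f"'{op}{ver}' is a range; pin exactly and verify hashes"))
            continue
        for affected_max, fixed, adv_id in advisories.get(name, []):
            if parse_version(ver) <= parse_version(affected_max):
                findings.append((name, adv_id, f"{ver} is affected; upgrade to >= {fixed}"))
    return findings


if __name__ == "__main__":
    for finding in audit(parse_requirements(REQUIREMENTS), ADVISORIES):
        print(*finding, sep=" | ")
```

Run as a pipeline step, a non-empty findings list should fail the build; the "unpinned" finding matters as much as the advisory matches, because an open range lets the next upstream release into production without review.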
Compliance
Compliance refers to an organization’s adherence to external regulations, standards or best practices. In the context of DevOps and security, compliance can refer to everything from adhering to industry-specific regulations, such as the CMMC for Department of Defense contractors, to internal company policies.
Configuration Drift
Configuration drift occurs when a system’s actual configuration diverges from its declared or approved configuration, usually through untracked manual changes. Drift accumulates over time and across a growing fleet of systems, and the unapproved changes (a debugging port left open, a hardening setting relaxed to fix an outage) are exactly the ones nobody reviewed for security impact.
Containerization
Containerization is a method of packaging software so it can run in isolated environments. Containers are self-contained and include all the dependencies needed to run the software, making them portable and easy to deploy. Containers isolate processes from one another (through kernel namespaces and cgroups on Linux), which limits what a compromised container can reach, but they share the host kernel rather than running on separate virtual hardware. A kernel vulnerability or an over-privileged container (running as root, with extra capabilities or host directories mounted) can undo that isolation, so containers are only more secure than the alternative when images are kept patched and runtime privileges are kept minimal.
Data Breach
A data breach is any unauthorized access to or disclosure of sensitive information. Data breaches can occur when a malicious attacker gains access to a system, but they can also occur when an authorized user mishandles data, such as sending it to the wrong person or posting it online. Most businesses will experience a data breach at some point; DevSecOps practices reduce the likelihood and limit the damage, for example by restricting what a single compromised credential or service can reach.
Data Loss Prevention
Data loss prevention refers to the practice of preventing the unauthorized disclosure of sensitive information, through automated tools, access restrictions, or both. DLP tools classify data (by pattern matching, fingerprinting, or labels), monitor where it moves (email, web uploads, storage, endpoints), and block or alert on transfers that violate policy. Encryption of data in transit and at rest is a complementary control that limits what an attacker can read if data does leak.
Endpoint Security
Endpoint security is about securing devices that connect to a network. Endpoints include laptops, smartphones, tablets, servers, and IoT devices. Endpoint security solutions typically include antivirus or endpoint detection and response (EDR) software, host firewalls, and intrusion detection and prevention systems.
Identity and Access Management (IAM)
IAM is the practice of managing identities, both digital (users, service accounts, workloads) and physical, and the access they have to sensitive information and systems. IAM includes provisioning and deprovisioning accounts, authenticating them (increasingly with multi-factor or passwordless methods), and managing what each identity is authorized to do through roles and policies. To be truly effective, IAM tooling must be paired with the appropriate processes: joiner/mover/leaver workflows, least-privilege role design, and periodic access reviews, since a forgotten but still-active account is a common entry point.
Maturity Model
A maturity model is a framework that can be used to assess an organization’s progress in adopting a particular practice or capability. In the context of DevSecOps, a maturity model can be used to assess an organization’s progress in adopting DevSecOps practices and achieving DevSecOps goals.
Passwordless Authentication
Passwordless authentication is a method of authenticating users without passwords, using instead biometrics, hardware tokens, or one-time passcodes (OTPs). It is generally considered more secure than traditional passwords because it does not depend on users choosing, remembering and protecting strong secrets, and there is no password database for an attacker to steal and crack. The methods are not equivalent, however: an OTP can still be phished or relayed in real time, whereas FIDO2/WebAuthn hardware tokens bind the credential to the site’s origin and are phishing-resistant.
Penetration Testing
Penetration testing, also known as pen testing, consists of simulating an attack on a system in order to identify exploitable vulnerabilities. It can be done manually or with automated tools, and it can be targeted at individual systems or the entire network. In a DevSecOps pipeline, automated dynamic testing runs on every release, while manual penetration tests are scheduled periodically or before major changes.
Perimeter Security
Perimeter security is the practice of protecting the boundaries of a network. Perimeter security solutions typically include firewalls and intrusion detection and prevention systems. Today, enterprises are moving away from relying on the perimeter alone towards identity- and access-based controls (see Zero trust below), because cloud services, remote workers, and mobile devices put much of the organization’s activity outside any single network boundary.
Risk Management
Risk management is the process of identifying, assessing and mitigating risks. In a security context it covers identifying threats and vulnerabilities, estimating the likelihood and impact of each on the organization, and deciding whether to mitigate, transfer, avoid or accept each risk.
Security Information and Event Management (SIEM)
SIEM is a security management approach that combines the functions of security information management (SIM) and security event management (SEM). A SIEM collects logs and events from across the environment, normalizes them, and applies correlation rules, giving organizations a real-time view of their security posture as well as the ability to detect, investigate, and respond to security incidents.
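A correlation rule of the kind a SIEM runs, as an added example that is not from the article: parse SSH authentication events and alert when one source address accumulates five or more failures within five minutes and then succeeds, which is the signature of a brute-force attempt that worked. The log lines are constructed (RFC 5737 documentation addresses), and the syslog-like format is an assumption of the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events; the line format is assumed for this example.
LOG_LINES = """\
2024-03-01T10:00:01Z sshd[101]: Failed password for alice from 203.0.113.7
2024-03-01T10:00:03Z sshd[101]: Failed password for alice from 203.0.113.7
2024-03-01T10:00:05Z sshd[101]: Failed password for alice from 203.0.113.7
2024-03-01T10:00:06Z sshd[101]: Failed password for bob from 198.51.100.9
2024-03-01T10:00:08Z sshd[101]: Failed password for alice from 203.0.113.7
2024-03-01T10:00:09Z sshd[101]: Failed password for alice from 203.0.113.7
2024-03-01T10:00:10Z sshd[101]: Connection closed by 203.0.113.7
2024-03-01T10:00:12Z sshd[101]: Accepted password for alice from 203.0.113.7
2024-03-01T10:30:00Z sshd[102]: Accepted password for bob from 198.51.100.9
""".splitlines()

LINE_RE = re.compile(r"^(\S+) sshd\[\d+\]: (Failed|Accepted) password for (\S+) from (\S+)$")


def parse(line: str):
    """Normalize one line to (timestamp, outcome, user, source) or None if irrelevant."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, outcome, user, src = m.groups()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), outcome, user, src


def correlate(lines, threshold: int = 5, window: timedelta = timedelta(minutes=5)) -> list:
    """Alert when a source has >= threshold failures inside `window` and then a success."""
    failures = defaultdict(deque)  # source -> timestamps of failures still inside the window
    alerts = []
    for line in lines:
        parsed = parse(line)
        if parsed is None:
            continue
        ts, outcome, user, src = parsed
        recent = failures[src]
        while recent and ts - recent[0] > window:
            recent.popleft()  # expire failures older than the window
        if outcome == "Failed":
            recent.append(ts)
        elif len(recent) >= threshold:
            alerts.append({"src": src, "user": user, "failures": len(recent), "at": ts.isoformat()})
            recent.clear()  # one alert per burst
    return alerts


if __name__ == "__main__":
    for alert in correlate(LOG_LINES):
        print("ALERT brute-force success:", alert)
```

Bob’s single failure followed by a success half an hour later produces nothing, which is the point of the sliding window: the rule keys on the pattern, not on any one event.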
Security as Code
Security as code treats security configurations, policies and checks as code: versioned in a repository, reviewed through the same pull-request process as application code, tested, and applied automatically. This keeps security configurations consistent across environments, makes every change attributable and reversible, and lets the pipeline reject changes that violate policy before they are deployed.
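One added example (not the article’s code) serves both this entry and the configuration drift entry above: a declared baseline and a set of policy rules live in the repository as data, the same rules are evaluated against the declared and the observed configuration, and a flattened diff reports where the running system has drifted. The baseline, the observed state and the setting names are constructed for a hypothetical web tier; the rules are illustrative, not a complete hardening standard.

```python
# Constructed desired state for a hypothetical web server tier.
BASELINE = {
    "ssh": {"PermitRootLogin": "no", "PasswordAuthentication": "no", "Port": 22},
    "tls": {"min_version": "1.2", "hsts": True},
    "storage": {"public_read": False, "encryption": "aes256"},
}

# Constructed observed state: someone re-enabled password auth, opened the bucket,
# and added an unreviewed banner setting.
OBSERVED = {
    "ssh": {"PermitRootLogin": "no", "PasswordAuthentication": "yes", "Port": 22,
            "Banner": "/etc/issue"},
    "tls": {"min_version": "1.2", "hsts": True},
    "storage": {"public_read": True, "encryption": "aes256"},
}

# Policy as code: (path, predicate, message). Versioned and reviewed like any other code.
POLICY = [
    (("ssh", "PermitRootLogin"), lambda v: v == "no", "root SSH login must be disabled"),
    (("ssh", "PasswordAuthentication"), lambda v: v == "no", "SSH must use key-based auth"),
    (("tls", "min_version"), lambda v: v in ("1.2", "1.3"), "TLS below 1.2 is not allowed"),
    (("storage", "public_read"), lambda v: v is False, "storage must not be publicly readable"),
    (("storage", "encryption"), lambda v: v is not None, "storage must be encrypted at rest"),
]


def get_path(cfg: dict, path: tuple):
    """Walk nested dicts; a missing key yields None so the policy treats it as a failure."""
    for key in path:
        if not isinstance(cfg, dict) or key not in cfg:
            return None
        cfg = cfg[key]
    return cfg


def evaluate_policy(cfg: dict, policy=POLICY) -> list:
    """Return violations as (dotted path, actual value, message)."""
    violations = []
    for path, check, msg in policy:
        actual = get_path(cfg, path)
        if not check(actual):
            violations.append((".".join(path), actual, msg))
    return violations


def flatten(cfg: dict, prefix: tuple = ()) -> dict:
    """Nested dict -> {(path, tuple): leaf value} so two configs can be diffed key by key."""
    out = {}
    for k, v in cfg.items():
        if isinstance(v, dict):
            out.update(flatten(v, prefix + (k,)))
        else:
            out[prefix + (k,)] = v
    return out


def detect_drift(baseline: dict, observed: dict) -> list:
    """Each drift entry is (dotted path, expected, actual); added keys show expected=None."""
    b, o = flatten(baseline), flatten(observed)
    return [
        (".".join(path), b.get(path), o.get(path))
        for path in sorted(set(b) | set(o))
        if b.get(path) != o.get(path)
    ]


if __name__ == "__main__":
    print("baseline violations:", evaluate_policy(BASELINE))
    print("observed violations:", evaluate_policy(OBSERVED))
    print("drift:", detect_drift(BASELINE, OBSERVED))
```

Running evaluate_policy on the baseline in CI blocks a bad change from being merged; running it, together with detect_drift, against state collected from live systems catches the changes that bypassed the pipeline.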
Security Posture
An organization’s security posture refers to the overall state of its security, including the effectiveness of its controls and the adequacy of its policies and procedures. Security posture can be measured using security assessments and audits.
Shift Left
Shift left is a DevOps principle that advocates bringing security into the software development process as early as possible, i.e. to the left on a timeline that runs from design through coding, testing, and release. By shifting left, companies find and fix security vulnerabilities earlier in the development cycle (in threat modeling, code review, or a pre-commit check rather than in production), which saves time and money.
Siloed Security
Siloed security involves isolating the security function from the rest of the organization, with security reviews happening late and separately from development and operations. Siloed security leads to inefficiencies and blind spots, as well as an increased risk of security incidents, because the people who make changes and the people who assess them never share context.
Threat Modeling
Threat modeling is the structured practice of identifying, assessing and mitigating threats to a specific system, ideally while it is being designed. It typically involves diagramming the system and its data flows, identifying trust boundaries and entry points, enumerating what could go wrong at each (frameworks such as STRIDE help here), ranking the threats by likelihood and impact, and deciding on mitigations. It helps organizations understand their attack surface and focus on the most likely and impactful threats rather than on whatever a scanner happens to report.
Zero Trust
Zero trust is a security model that grants no implicit trust to any user, device, or network location: being inside the corporate network is not treated as proof of legitimacy. In a zero-trust environment every request is authenticated, authorized against policy and, where possible, checked for device health, and all assets are protected as if they were exposed to a hostile network. Zero trust is often used in conjunction with micro-segmentation to further isolate systems and data, so that a compromised component cannot reach the others.