What is DevSecOps?
DevSecOps is a portmanteau of development, security and operations. Like DevOps, DevSecOps refers to a combination of culture, processes and technologies. But while DevOps focuses on optimizing and streamlining the software development lifecycle, DevSecOps seeks to improve security throughout an organization’s product delivery pipeline, making security a shared responsibility of developers, operations staff and security teams rather than a gate at the end. Further, DevSecOps directly addresses security weaknesses the DevOps model can introduce, such as changes reaching production faster than they can be reviewed, and pipelines and deployment credentials that become high-value targets in their own right.
DevSecOps terms you need to know
Attack surface
An organization’s attack surface is the set of points at which an attacker could attempt to enter a system or extract data from it: exposed network services, APIs, user accounts, third-party integrations, build pipelines and so on. The larger the attack surface, the more there is to defend and monitor. Internet of Things (IoT) devices, mobile devices, cloud computing and remote work have all expanded the average organization’s attack surface.
Automation
In general, automation refers to the use of technology to complete a task that would otherwise be completed by a human. In the context of DevSecOps, automation refers to the use of scripts, bots and pipeline tooling to perform security tasks throughout the software development life cycle, such as scanning dependencies, checking configurations against policy and enforcing gates before deployment, so that security checks run on every change rather than only when someone remembers to run them.
Chain of custody
The chain of custody is the record of who had possession of evidence at a given time and what was done with it. In the context of digital evidence, the chain of custody must be maintained, typically with cryptographic hashes of the evidence and tamper-evident audit logs, so that it can be shown the evidence has not been altered and its authenticity can be verified. Modern document management systems, for example, contain thorough audit logs; in a DevSecOps pipeline the equivalent is a signed, logged record of which commit was built, by what, and what was deployed.
CI/CD
CI/CD stands for continuous integration and continuous delivery (or continuous deployment). Continuous integration is the practice of developers integrating code changes into a shared repository frequently, with each change automatically built and tested. Continuous delivery keeps every tested change in a deployable state; continuous deployment goes further and releases each change to production automatically. These exceptionally fast iterations produce value for the organization faster, but they also demand that security checks be automated in the pipeline, because there is no longer a manual release step at which a review could happen.
Code dependencies
Code dependencies are the external libraries, frameworks and modules your code requires in order to run. These dependencies can introduce vulnerabilities into your codebase if they are not properly managed: a large share of the vulnerabilities in a typical application live in third-party code rather than in code the organization wrote itself. Pinning dependency versions, tracking them in a software bill of materials (SBOM) and scanning them against vulnerability advisories on every build are the standard controls.
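As an added illustration (not from the original article), the following script shows the core of a dependency audit as it would run in a CI job: it parses a requirements.txt-style list, refuses to vouch for anything that is not pinned to an exact version, and compares pinned versions against an advisory feed. The package names, advisory IDs and version ranges are all constructed for the example and do not describe real software or real CVEs.

```python
"""Minimal dependency audit: pinned requirements vs. a constructed advisory feed."""
import re

# Constructed advisory feed for fictional packages (these are NOT real CVEs).
# Each entry covers the version range [introduced, fixed).
ADVISORIES = [
    {"package": "examplelib", "id": "ADV-0001", "introduced": "1.0.0", "fixed": "1.4.2"},
    {"package": "fictionalhttp", "id": "ADV-0002", "introduced": "0.0.0", "fixed": "3.1.0"},
]

# name, optional operator, optional version (a subset of requirement syntax)
REQ_LINE = re.compile(r"^\s*([A-Za-z0-9_.\-]+)\s*(==|>=|<=|~=|>|<)?\s*([0-9][0-9A-Za-z.\-]*)?\s*$")


def parse_version(v):
    """Compare on the numeric dotted components only; pre-release suffixes are ignored."""
    return tuple(int(p) for p in re.findall(r"\d+", v))


def parse_requirements(text):
    """Return a list of (name, operator, version) from a requirements.txt-style string."""
    deps = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        m = REQ_LINE.match(line)
        if not m:
            raise ValueError(f"unrecognised requirement line: {raw!r}")
        name, op, ver = m.groups()
        deps.append((name.lower(), op, ver))
    return deps


def audit(text, advisories=ADVISORIES):
    """Return findings as (name, status, advisory_id).

    UNPINNED: the build is not reproducible, so the installed version cannot be audited.
    VULNERABLE: the pinned version falls inside an advisory's affected range.
    """
    findings = []
    for name, op, ver in parse_requirements(text):
        if op != "==" or ver is None:
            findings.append((name, "UNPINNED", None))
            continue
        v = parse_version(ver)
        for adv in advisories:
            if adv["package"] != name:
                continue
            if parse_version(adv["introduced"]) <= v < parse_version(adv["fixed"]):
                findings.append((name, "VULNERABLE", adv["id"]))
    return findings


# Constructed sample input, as a CI job would read it from the repository.
SAMPLE_REQUIREMENTS = """
examplelib==1.3.0        # inside the ADV-0001 range
fictionalhttp==3.1.0     # exactly the fixed version: clean
safepkg==2.0.1           # no advisory
loosedep>=1.0            # not pinned: cannot be audited
"""

if __name__ == "__main__":
    findings = audit(SAMPLE_REQUIREMENTS)
    for f in findings:
        print(f)
    raise SystemExit(1 if findings else 0)  # fail the pipeline step on any finding
```

The point of treating an unpinned dependency as a finding rather than skipping it is that the version installed at build time is unknown, so a clean scan would be meaningless; a real pipeline would read a lockfile with hashes rather than a loose requirements list.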
Compliance
Compliance refers to an organization’s adherence to external regulations, standards or best practices. In the context of DevOps and security, compliance can refer to everything from adherence to industry-specific regulations, such as the Cybersecurity Maturity Model Certification (CMMC) for Department of Defense contractors, to internal company policies. Because the pipeline already records every change, DevSecOps teams often generate compliance evidence automatically from build, test and deployment logs.
Configuration drift
Configuration drift occurs when the configuration of a running system diverges from its declared, approved state without the change being tracked or reviewed, for example through a manual hotfix on a server or a setting changed directly in a cloud console. Drift accumulates over time and undermines security because controls that were verified at deployment may no longer be in place and nobody knows it; detecting it requires regularly comparing the live state against the source of truth.
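To make drift detection concrete, here is an added example (not from the article) that compares a declared baseline configuration against the state a collector has observed on a host and reports what was added, removed or changed, rating changes under the SSH and firewall keys as high severity. Both the baseline and the observed state are constructed for the example; the key names imitate common settings but are not tied to any specific tool.

```python
"""Configuration drift check: declared baseline vs. observed state (constructed example)."""
import hashlib
import json

# Constructed baseline: the approved configuration as stored in version control.
BASELINE = {
    "ssh": {"PermitRootLogin": "no", "PasswordAuthentication": "no", "Port": 22},
    "firewall": {"default_incoming": "deny", "allow": [22, 443]},
    "packages": {"openssl": "3.0.13", "nginx": "1.24.0"},
}

# Constructed observed state, as a collector would report it from the live host.
OBSERVED = {
    "ssh": {"PermitRootLogin": "yes", "PasswordAuthentication": "no", "Port": 22},
    "firewall": {"default_incoming": "deny", "allow": [22, 443, 8080]},
    "packages": {"openssl": "3.0.13", "nginx": "1.24.0", "netcat": "1.219"},
}

# Key prefixes whose drift is a security finding rather than housekeeping.
SENSITIVE_PREFIXES = ("ssh.", "firewall.")


def flatten(d, prefix=""):
    """Flatten nested dicts into dotted keys; lists are compared as whole values."""
    out = {}
    for k, v in d.items():
        key = f"{prefix}{k}"
        if isinstance(v, dict):
            out.update(flatten(v, key + "."))
        else:
            out[key] = v
    return out


def fingerprint(config):
    """Stable hash of a configuration: a cheap 'has anything changed at all' signal."""
    canonical = json.dumps(config, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()


def detect_drift(baseline, observed):
    """Return a list of (key, kind, expected, actual, severity) tuples, sorted by key."""
    base, obs = flatten(baseline), flatten(observed)
    drift = []
    for key in sorted(set(base) | set(obs)):
        if key not in obs:
            kind, expected, actual = "removed", base[key], None
        elif key not in base:
            kind, expected, actual = "added", None, obs[key]
        elif base[key] != obs[key]:
            kind, expected, actual = "changed", base[key], obs[key]
        else:
            continue
        severity = "high" if key.startswith(SENSITIVE_PREFIXES) else "low"
        drift.append((key, kind, expected, actual, severity))
    return drift


if __name__ == "__main__":
    # Cheap check first; only compute the full diff when the fingerprints differ.
    if fingerprint(BASELINE) != fingerprint(OBSERVED):
        for row in detect_drift(BASELINE, OBSERVED):
            print(row)
```

The fingerprint lets a fleet-wide job skip hosts that match the baseline exactly, while the flattened diff gives an operator a precise list of what to reconcile, with the root-login and firewall changes surfaced first.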
Containerization
Containerization is a method of packaging software so it can be run in isolated environments. Containers are self-contained and include all the dependencies necessary to run the software, making them portable and easy to deploy. Containers on the same host are isolated from one another by the operating system, which limits the blast radius of a compromised application, but they share the host kernel, so their isolation is weaker than that of virtual machines; a privileged container or a kernel vulnerability can still reach the host. Container images also carry their own dependencies, which need the same scanning as application code.
Data breach
A data breach is any unauthorized access to or disclosure of sensitive information. Data breaches can occur when a malicious attacker gains access to a system, but they can also occur when an authorized user mishandles data, for example by sending it to the wrong person or posting it online. Most companies will experience a data breach at some point, but the right DevSecOps practices will limit the harm by reducing what a single compromise can reach.
Data loss prevention
Data loss prevention refers to the practice of preventing the unauthorized disclosure of sensitive information, whether through automated tools or restricted access. DLP tools classify data, monitor where it moves (email, file shares, cloud storage, source repositories) and block or alert on transfers that violate policy; they are usually deployed alongside, rather than instead of, encryption of data in transit and at rest and access controls on the data itself. In a DevSecOps context, secret-scanning of commits to catch credentials before they reach a repository is a form of DLP.
Endpoint security
Endpoint security is the practice of securing the devices that connect to a network. Endpoints can include laptops, smartphones, tablets, servers and IoT devices. Endpoint security solutions typically include antivirus software, host firewalls, intrusion detection and prevention systems and, increasingly, endpoint detection and response (EDR) tools that record process activity for investigation. Developer workstations and build agents are endpoints too, and are attractive targets because they hold source code and signing or deployment credentials.
Identity and access management (IAM)
IAM is the practice of managing identities and the access they have to sensitive information and systems. Identities include people, but also services, workloads and devices, which in a DevSecOps environment often outnumber human users. IAM includes the provisioning and de-provisioning of accounts, the management of access controls and the principle of least privilege: each identity gets only the permissions its job requires. To be truly effective, IAM suites must be paired with the appropriate security processes, such as periodic access reviews and the prompt removal of access when roles change.
Maturity model
A maturity model is a framework that can be used to assess an organization’s progress in adopting a particular practice or capability. In the context of DevSecOps, a maturity model can be used to assess how far an organization has come in adopting DevSecOps practices and achieving DevSecOps objectives, and to prioritize what to improve next.
Passwordless authentication
Passwordless authentication is a method of authenticating users without the use of passwords. Instead, it can be accomplished with biometrics, hardware tokens or one-time passcodes (OTPs). Many security analysts consider this type of authentication more secure than traditional passwords because it removes the shared secret that users reuse, write down and hand over to phishing sites. The different methods are not equal, however: OTPs sent by SMS or email can still be phished or relayed in real time, whereas public-key methods such as FIDO2 security keys and passkeys bind the credential to the site and resist phishing.
Penetration testing
Penetration testing, also known as pen testing, is the practice of simulating an attack on a system in order to identify vulnerabilities. Pen tests can be conducted manually or with automated tools, and they can be targeted at individual systems or the entire network. In a DevSecOps pipeline, automated dynamic testing can run against every deployment to a staging environment, with manual pen tests reserved for deeper, periodic assessments.
Perimeter security
Perimeter security is the practice of protecting the boundaries of a network. Perimeter security solutions typically include firewalls and intrusion detection and prevention systems. Today, organizations are drifting away from perimeter-based security, which trusts whatever is inside the network, toward identity-based controls in which every request is authenticated and authorized regardless of where it originates.
Risk management
Risk management is the process of identifying, assessing and mitigating risks. In the context of security, risk management is an essential component that includes the identification of threats and vulnerabilities as well as the assessment of their likelihood and impact on the organization, so that limited security effort is spent where it reduces risk the most.
Security information and event management (SIEM)
SIEM is a security management approach that combines the functions of security information management (SIM) and security event management (SEM). SIEM provides organizations with a real-time view of their security posture as well as the ability to detect, investigate and respond to security incidents.
Security as code
Security as code is the practice of treating security configurations and policies as code, stored in version control, reviewed, tested and deployed like any other software asset. Security as code helps to ensure security configurations are consistent across environments and that changes can be tracked over time. A typical instance is a policy check that runs in the pipeline and fails the build when a deployment manifest violates a rule, so the policy is enforced automatically rather than by a checklist.
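As an added example (not the article's own material), the following shows security policy expressed as code: a handful of rules written as Python functions, evaluated against a deployment manifest in a CI step that returns a non-zero exit status on any violation. The manifest is constructed for the example and only loosely imitates the shape of a Kubernetes Deployment; the rules, field names and registry hostname are assumptions for illustration, not a complete or authoritative policy.

```python
"""Security-as-code: policy rules as Python, evaluated against a deployment manifest."""
import re

# Constructed manifest, as a CI job would load it from YAML or JSON.
MANIFEST = {
    "kind": "Deployment",
    "metadata": {"name": "payments-api"},
    "spec": {"containers": [
        {"name": "api",
         "image": "registry.example/payments-api:latest",
         "securityContext": {"privileged": True},
         "env": [{"name": "DB_PASSWORD", "value": "hunter2"}]},
        {"name": "sidecar",
         "image": "registry.example/log-shipper:2.3.1",
         "securityContext": {"runAsNonRoot": True, "privileged": False},
         "env": [{"name": "DB_PASSWORD",
                  "valueFrom": {"secretKeyRef": {"name": "db", "key": "password"}}}]},
    ]},
}

# Environment variable names that look like they carry a secret.
SECRET_NAME = re.compile(r"(PASS|SECRET|TOKEN|KEY)", re.IGNORECASE)


# Each rule takes one container spec and returns a message on violation, else None.
def rule_no_privileged(c):
    if c.get("securityContext", {}).get("privileged"):
        return "privileged container"


def rule_non_root(c):
    if not c.get("securityContext", {}).get("runAsNonRoot"):
        return "runAsNonRoot not set"


def rule_pinned_image(c):
    """Require a digest or an explicit non-'latest' tag so deployments are reproducible."""
    image = c.get("image", "")
    if "@sha256:" in image:
        return None
    last = image.rsplit("/", 1)[-1]          # strip the registry/path, which may contain a port
    tag = last.rsplit(":", 1)[1] if ":" in last else None
    if tag is None or tag == "latest":
        return "image not pinned to a tag or digest"


def rule_no_literal_secrets(c):
    for env in c.get("env", []):
        if SECRET_NAME.search(env.get("name", "")) and "value" in env:
            return f"secret-like env var {env['name']} has a literal value"


RULES = [rule_no_privileged, rule_non_root, rule_pinned_image, rule_no_literal_secrets]


def evaluate(manifest, rules=RULES):
    """Return (container_name, rule_name, message) for every violated rule."""
    violations = []
    for c in manifest["spec"]["containers"]:
        for rule in rules:
            msg = rule(c)
            if msg:
                violations.append((c["name"], rule.__name__, msg))
    return violations


def ci_gate(manifest):
    """Exit status for a pipeline step: 0 when compliant, 1 when any rule is violated."""
    return 0 if not evaluate(manifest) else 1


if __name__ == "__main__":
    for v in evaluate(MANIFEST):
        print(*v)
    raise SystemExit(ci_gate(MANIFEST))
```

Because the rules live in the repository, a change to policy goes through the same review and history as a change to application code, which is the property the term is about; the sidecar container passes every rule and shows what a compliant spec looks like, while the api container fails all four.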
Security posture
An organization’s security posture refers to the overall state of its security, including the effectiveness of its controls and the adequacy of its policies and procedures. Security posture can be measured through security assessments, audits and continuous monitoring of the controls a pipeline enforces.
Shift left
Shift left is a DevOps principle that advocates for the earlier inclusion of security in the software development process, toward the left of a timeline that runs from design to production. In practice this means threat modeling at design time and running static analysis, dependency and secret scanning on every commit rather than at release. By shifting left, organizations find and fix security vulnerabilities earlier in the development cycle, when they are cheaper to fix, which saves time and money.
Siloed security
Siloed security is the practice of isolating security functions from other parts of the organization, so that security teams review work after it is done rather than participating in it. Siloed security can lead to inefficiencies and blind spots as well as an increased risk of security incidents; DevSecOps exists largely to break down this silo.
Threat modeling
Threat modeling is the practice of systematically identifying, assessing and mitigating threats to a system, ideally while it is being designed. It helps organizations understand their attack surface and identify the most likely and impactful threats by mapping how the system works (its components, data flows and trust boundaries), asking what could go wrong at each point and deciding what to do about it.
Zero trust
Zero trust is a security model that grants no implicit trust to a user, device or connection based on its location on the network. Instead, every request is authenticated, authorized and, where possible, encrypted, regardless of whether it comes from inside or outside the traditional perimeter. Zero trust is often used in conjunction with micro-segmentation to further isolate systems and data, so that a compromised workload cannot freely reach its neighbors.