What is DevSecOps?
Introduction
According to Red Hat, DevSecOps stands for development, security, and operations. It's an approach to culture, automation, and platform design that integrates security as a shared responsibility throughout the entire IT lifecycle.
The beautiful thing about this is that it extends the principles of DevOps (collaboration, automation, and continuous delivery) by embedding security into every phase of the software development lifecycle (SDLC), which will be covered later.
Ultimately, the goal is to shift security "left," or earlier, in the SDLC, ensuring that vulnerabilities are identified and mitigated before they can become critical issues.
Over time, DevSecOps has evolved as a response to the limitations of DevOps, where security was often an afterthought. It emerged from the need to include security in the agile and continuous delivery practices of DevOps, which allows organizations to reduce the risk of security vulnerabilities and ensure compliance with industry regulations.
Why is it important?
Well, traditional security practices often create bottlenecks in the fast-paced world of DevOps, as they typically occur at the end of the development cycle. DevSecOps addresses this by incorporating security measures from the start, enabling faster and more secure software releases.
Core Principles of DevSecOps
To get a better understanding of DevSecOps as a whole, you need to understand its core principles. There are four that you need to understand:
- Integration of Security: Security is integrated into every phase of the SDLC, from planning and design to development, testing, deployment, and monitoring. This holistic approach ensures that security is not an afterthought but a fundamental aspect of the development process.
- Automation: Automation is crucial in DevSecOps to ensure that security checks are consistently applied without slowing down the development process. Automated security tests, such as static code analysis and vulnerability scans, can be integrated into CI/CD pipelines to catch issues early.
- Collaboration: DevSecOps fosters collaboration among development, security, and operations teams. It breaks down silos and encourages a shared responsibility for security, leading to a more cohesive and effective approach to software development and deployment.
- Continuous Feedback: Continuous feedback loops allow for real-time insights into the security posture of the application and infrastructure. This enables teams to quickly identify and remediate security issues as they arise.
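To make the Automation and Continuous Feedback principles concrete, here is an added example (not from the original page) of a GitHub Actions workflow that runs a static-analysis scan and a dependency-vulnerability review on every pull request, so findings surface before the code is merged. It assumes a GitHub-hosted repository with the dependency graph enabled; the `languages` value is a placeholder for the project's actual language.

```yaml
# Added example, not code from the original page. Two automated security
# checks run on each pull request; either one failing blocks the merge.
name: security-checks

on:
  pull_request:
    branches: [main]

permissions:
  contents: read
  security-events: write   # CodeQL needs this to upload its results

jobs:
  sast:
    name: Static analysis (CodeQL)
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: github/codeql-action/init@v3
        with:
          languages: javascript   # placeholder: set to the project's language
      - uses: github/codeql-action/analyze@v3

  dependency-scan:
    name: Dependency vulnerability review
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/dependency-review-action@v4
        with:
          fail-on-severity: high   # fail the check on high or critical advisories
```

Results from both jobs appear on the pull request itself, which is the continuous feedback loop the principles describe: the developer sees and fixes the issue in the same change rather than after release.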
Recommended Resources
Before you move on to the next section, here are some resources I recommend looking into, including certifications to earn, books to read, and YouTube videos to watch, to deepen your understanding or add to your plan.
Certifications
These are the certifications I would recommend getting in order to transition into DevSecOps (not in any specific order):
- CompTIA Security+
- Certified Kubernetes Administrator (CKA)
- CompTIA Linux+
- Certified DevSecOps Professional (CDP)
- Certified DevSecOps Expert (CDE)
If you're also interested in the cloud, then you would want to check these certifications out:
- AWS Certified Security – Specialty
- AWS Certified Developer – Associate
YouTube Videos
Here are some videos that I would recommend you watch to understand more about DevSecOps.
What is DevSecOps? DevSecOps explained in 8 Mins
Accelerate Your DevSecOps Journey: 5 Key Skills in 5 Minutes
Books
For those of you who like to read, I'd encourage you to read these. They are going to really help prepare your mind for your DevSecOps career.
- The Phoenix Project
- Continuous Delivery
- The DevOps Handbook