DevSecOps Fundamentals
Author: Damien Burks
OKAY! You've reach my favorite section of the blueprint - What is DevSecOps?
At this point, you should have a fundamental understanding all the concept I've listed below:
- DevOps
- Version Control System(s)
- Programming
- Linux/Bash Scripting
- CI/CD
- Application Security
- the Secure Software Development Life Cycle (SSDLC)... and the Software Development Life Cycle (SDLC)
If you do, then you're free to move forward. If you haven't, then I HIGHLY suggest you go back, read, experiment, and try to play around with the projects and tools.
Overview
According to RedHat, DevSecOps stands for development, security, and operations. It's an approach to culture, automation, and platform design that integrates security as a shared responsibility throughout the entire IT lifecycle.
The beautiful thing about this is that it extends the principles of DevOps (collaboration, automation, and continuous delivery) by embedding security into every phase of the software development lifecycle (SDLC), which will be covered later.
Ultimately, the goal is to shift security "left," or earlier, in the SDLC, ensuring that vulnerabilities are identified and mitigated before they can become critical issues.
Image Source: Atlassian | DevSecOps Tools
Over time, DevSecOps has evolved as a response to the limitations of DevOps, where security was often an afterthought. It emerged from the need to include security in the agile and continuous delivery practices of DevOps, which allows organizations to reduce the risk of security vulnerabilities and ensure compliance with industry regulations.
Why is it important?
Well, traditional security practices often creßate bottlenecks in the fast-paced world of DevOps, as they typically occur at the end of the development cycle. DevSecOps addresses this by incorporating security measures from the start, enabling faster and more secure software releases.
Core Principles of DevSecOps
To get a better understanding of DevSecOps as a whole, you need to understand the core principles of DevSecOps. I've listed the four key principals that you need to understand below:
-
Integration of Security
Security is integrated into every phase and sub-phase of the SDLC. In reality, the SSDLC is a precursor of DevSecOps. This holistic approach ensures that security is NOT an afterthought but a fundamental aspect of the development process.
-
Automation
Automation is crucial in DevSecOps to ensure that security checks are consistently applied without severly impacting the developer experience. Extra emphasis on minimizing the impact on the developer experience. In addition, automated security tests, such as static code analysis and vulnerability scans, can and should be integrated into CI/CD pipelines to catch issues early in the development lifecycle.
-
Collaboration
DevSecOps fosters a culture of collaboration among development, security, and operations teams. This cultural movement breaks down silos and encourages a shared responsibility between the developers, operations, and security team, leading to creation of a very cohesive and effective strategy for secure software development and deployment.
-
Continuous Feedback & Monitoring
Continuous feedback loops and monitoring allows for real-time insights into the security posture of the application and infrastructure. This enables teams to quickly identify and remediate security issues as they arise.
Additional Resources
Before you move onto the next section, here are some of the various resources that I recommend you look into, such as certifications, books to read, and YouTube videos, etc:
Books
| Book Name | Author | Link |
|---|---|---|
| The Phoenix Project | Gene Kim, Kevin Behr, and George Spafford | Amazon |
| Continuous Delivery | Jez Humble and David Farley | Amazon |
| The DevOps Handbook | Gene Kim, Patrick Debois, John Willis, and Jez Humble | Amazon |
| Securing DevOps | Julien Vehent | Amazon |
| DevSecOps: A leader’s guide to producing secure software without compromising flow, feedback and continuous improvement | Glenn Wilson | Amazon |
| Cloud Native DevOps with Kubernetes | John Arundel and Justin Domingus | Amazon |
| Infrastructure as Code | Kief Morris | Amazon |
| Kubernetes Security | Liz Rice | Amazon |
| Securing DevOps | Julien Vehent | Amazon |
Articles
- https://developer.ibm.com/articles/devsecops-what-and-why/
- https://www.microsoft.com/en-us/security/business/security-101/what-is-devsecops
- https://www.redhat.com/en/topics/devops/what-is-devsecops
- https://aws.amazon.com/compliance/shared-responsibility-model/
Certifications
So if I had to recommend certifications that you should get in order to transition into DevSecOps, here are the list of things that I would recommend (not in a specific order):
| Name | Level |
|---|---|
| CompTIA Security+ | Beginner |
| CompTIA Linux+ | Beginner |
| Certified Kubernetes Administrator (CKA) | Intermediate |
| Certified Kubernetes Application Developer (CKAD) | Intermediate |
| Certified DevSecOps Professional (CDP) | Intermediate |
| Certified DevSecOps Expert (CDE) | Expert |
| ISC^2 CSSLP | Expert |
If you're looking to specialize in Cloud, then you'll want to look at these:
| Name | Level |
|---|---|
| AWS Certified Security – Specialty | Intermediate |
| Microsoft Certified: Azure Security Engineer Associate | Intermediate |
| Google Professional Cloud Security Engineer | Intermediate |