メインコンテンツまでスキップ

DevSecOps Fundamentals

Author: Damien Burks

OKAY! You've reach my favorite section of the blueprint - What is DevSecOps?

At this point, you should have a fundamental understanding all the concept I've listed below:

  1. DevOps
  2. Version Control System(s)
  3. Programming
  4. Linux/Bash Scripting
  5. CI/CD
  6. Application Security
  7. the Secure Software Development Life Cycle (SSDLC)... and the Software Development Life Cycle (SDLC)

If you do, then you're free to move forward. If you haven't, then I HIGHLY suggest you go back, read, experiment, and try to play around with the projects and tools.

Overview

According to RedHat, DevSecOps stands for development, security, and operations. It's an approach to culture, automation, and platform design that integrates security as a shared responsibility throughout the entire IT lifecycle.

The beautiful thing about this is that it extends the principles of DevOps (collaboration, automation, and continuous delivery) by embedding security into every phase of the software development lifecycle (SDLC), which will be covered later.

Ultimately, the goal is to shift security "left," or earlier, in the SDLC, ensuring that vulnerabilities are identified and mitigated before they can become critical issues.

DevSecOps Model

Image Source: Atlassian | DevSecOps Tools

Over time, DevSecOps has evolved as a response to the limitations of DevOps, where security was often an afterthought. It emerged from the need to include security in the agile and continuous delivery practices of DevOps, which allows organizations to reduce the risk of security vulnerabilities and ensure compliance with industry regulations.

Why is it important?

Well, traditional security practices often creßate bottlenecks in the fast-paced world of DevOps, as they typically occur at the end of the development cycle. DevSecOps addresses this by incorporating security measures from the start, enabling faster and more secure software releases.

Core Principles of DevSecOps

To get a better understanding of DevSecOps as a whole, you need to understand the core principles of DevSecOps. I've listed the four key principals that you need to understand below:

  1. Integration of Security

    Security is integrated into every phase and sub-phase of the SDLC. In reality, the SSDLC is a precursor of DevSecOps. This holistic approach ensures that security is NOT an afterthought but a fundamental aspect of the development process.

  2. Automation

    Automation is crucial in DevSecOps to ensure that security checks are consistently applied without severly impacting the developer experience. Extra emphasis on minimizing the impact on the developer experience. In addition, automated security tests, such as static code analysis and vulnerability scans, can and should be integrated into CI/CD pipelines to catch issues early in the development lifecycle.

  3. Collaboration

    DevSecOps fosters a culture of collaboration among development, security, and operations teams. This cultural movement breaks down silos and encourages a shared responsibility between the developers, operations, and security team, leading to creation of a very cohesive and effective strategy for secure software development and deployment.

  4. Continuous Feedback & Monitoring

    Continuous feedback loops and monitoring allows for real-time insights into the security posture of the application and infrastructure. This enables teams to quickly identify and remediate security issues as they arise.

Additional Resources

Before you move onto the next section, here are some of the various resources that I recommend you look into, such as certifications, books to read, and YouTube videos, etc:

Books

Book NameAuthorLink
The Phoenix ProjectGene Kim, Kevin Behr, and George SpaffordAmazon
Continuous DeliveryJez Humble and David FarleyAmazon
The DevOps HandbookGene Kim, Patrick Debois, John Willis, and Jez HumbleAmazon
Securing DevOpsJulien VehentAmazon
DevSecOps: A leader’s guide to producing secure software without compromising flow, feedback and continuous improvementGlenn WilsonAmazon
Cloud Native DevOps with KubernetesJohn Arundel and Justin DomingusAmazon
Infrastructure as CodeKief MorrisAmazon
Kubernetes SecurityLiz RiceAmazon
Securing DevOpsJulien VehentAmazon

Articles

Certifications

So if I had to recommend certifications that you should get in order to transition into DevSecOps, here are the list of things that I would recommend (not in a specific order):

NameLevel
CompTIA Security+Beginner
CompTIA Linux+Beginner
Certified Kubernetes Administrator (CKA)Intermediate
Certified Kubernetes Application Developer (CKAD)Intermediate
Certified DevSecOps Professional (CDP)Intermediate
Certified DevSecOps Expert (CDE)Expert
ISC^2 CSSLPExpert

If you're looking to specialize in Cloud, then you'll want to look at these:

NameLevel
AWS Certified Security – SpecialtyIntermediate
Microsoft Certified: Azure Security Engineer AssociateIntermediate
Google Professional Cloud Security EngineerIntermediate

YouTube Videos

What is DevSecOps? DevSecOps explained in 8 Mins

What is DevSecOps? DevSecOps explained in 7 Mins

Accelerate Your DevSecOps Journey: 5 Key Skills in 5 Minutes