DevOps vs DevSecOps

Trying to explain about what differences we can see in DevOps and DevSecOps

DevOps → Combination of Software Development (Dev) and Operations (Ops).

DevSecOps → Combination of Development (Dev), Security (Sec), and Operations (Ops).

In a typical DevOps environment, developers only turn to the security of the application in the last stages of development. This can lead to problems such as finding a critical bug in the build and having to remediate it when the application is already live. It increases the risk of an attacker exploiting the vulnerable application, and at the same time it increases the cost of deploying the application.

So, if testing the security of the application moves to an early stage, this problem is solved. Here comes DevSecOps!

In DevSecOps, each step of the SDLC includes a step that tests the application for bugs, typos, standards violations and vulnerabilities. With this approach, developers can build fast without worrying that they will have to correct bugs at the end of the lifecycle, because the bugs are found and fixed in the exact part of the lifecycle where they are introduced. Risk obviously decreases drastically as a result.


Security Aspects DevSecOps Cares About

  • Secure Configuration — Prevent exposing sensitive data to external systems
  • Secure Code — Perform code analysis
  • Secure Dependencies — Carry out dependency scans
  • Secure Interfaces — Perform scans that verify the security of the externally exposed parts of the application
  • Secure Artifacts — Scan containers and Docker images
  • Monitor and Prevent — Check runtime security and remediate any issue that arises

Adding Security to Each Step of the DevOps Pipeline

  • Develop

Pre-Commit Hooks — Check the code before commit | Pre-Publish Hooks | IDE Plugins

  • Git

Code scans | Secret Vault

  • Test

Unit Test | Mutation Test | Static Code Analysis

  • Build

Dependency Scan | Container Image Scan

  • Deploy — Stage

Validate Image Signature | Integration Testing

  • Deploy — Prod

Validate Runtime Configs | DAST Pen Test | Infrastructure Compliance Checks | Performance Test

  • Monitor

Log aggregation | Security Logs | Resource Utilization

  • Security

SSL/TLS | Network Policies | Auditing
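As an added example (not from the original post or from any of the tools named here), a minimal pre-commit hook of the kind Talisman provides for the Develop and Git stages above: it scans the files staged for commit for credential-like strings and blocks the commit if any are found. The regex rules, the entropy cut-off and the sample values in the comments are assumptions for illustration.

```python
import math
import re
import subprocess
import sys
# Talisman-style rules. The AWS access-key-id shape and the PEM header are public
# formats; the assignment rule and the entropy cut-off are assumed heuristics.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "hardcoded_credential": re.compile(
        r"(?i)(password|passwd|secret|api[_-]?key|token)\w*\s*[:=]\s*['\"]([^'\"\s]{8,})['\"]"
    ),
}
ENTROPY_THRESHOLD = 3.5  # bits per character; tune per repository

def shannon_entropy(s: str) -> float:
    """Bits of entropy per character: random keys score high, placeholders low."""
    if not s:
        return 0.0
    probs = [s.count(c) / len(s) for c in set(s)]
    return -sum(p * math.log2(p) for p in probs)

def scan_lines(path, lines):
    """Return (path, line_no, rule) for every suspicious line in one file."""
    findings = []
    for no, line in enumerate(lines, 1):
        for rule, pattern in SECRET_PATTERNS.items():
            match = pattern.search(line)
            # A low-entropy value such as "changeme" is a placeholder, not a secret.
            if match and not (rule == "hardcoded_credential"
                              and shannon_entropy(match.group(2)) < ENTROPY_THRESHOLD):
                findings.append((path, no, rule))
    return findings

def main():
    # Files added, copied or modified in the index, i.e. what this commit would contain.
    out = subprocess.run(["git", "diff", "--cached", "--name-only", "--diff-filter=ACM"],
                         check=True, capture_output=True, text=True).stdout
    findings = []
    for path in out.splitlines():
        with open(path, encoding="utf-8", errors="ignore") as fh:
            findings.extend(scan_lines(path, fh))
    for path, no, rule in findings:
        print(f"{path}:{no}: possible secret ({rule}); commit blocked", file=sys.stderr)
    return 1 if findings else 0  # non-zero exit makes git abort the commit

if __name__ == "__main__":
    sys.exit(main())
```

Saved as `.git/hooks/pre-commit` and made executable, git runs it before every commit, and a non-zero exit aborts the commit.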


Common Tools for DevSecOps

  • Version Control & Pre-Commit: Talisman, GitHub
  • CI/CD Pipelines: Maven, Jenkins
  • Testing: PIT Test (Mutation Testing), JMeter (Performance)
  • Code Analysis: SonarQube (SAST)
  • Container Security: Trivy (Container Scanning), KubeSec
  • Policy Enforcement & Auditing: OPA, Kube-bench
  • Pen Testing & DAST: OWASP ZAP
  • Monitoring & Alerts: Falco, Grafana
  • Networking & Traffic Monitoring: Istio, Kiali
  • Collaboration & Alerts: Slack