What is DevSecOps?

In the DevOps stage we have automated our deploy stages with a CI/CD pipeline, as shown in the image below.


This makes the deployment process fast and automatic: once every stage of the pipeline succeeds, the application is deployed to the server. But what about the security of the application?

When your application handles users' confidential data, you need to verify that what goes to production has no security issues.

So before a new release goes out, the security team must test it for vulnerabilities and other security issues.

Vulnerabilities are introduced for one or more of the reasons below while developers build the solution:

  • using vulnerable or outdated third-party libraries
  • licensing issues in those dependencies
  • sensitive data leaks (e.g. passwords stored unprotected or unencrypted)
  • using vulnerable Docker base images
  • Kubernetes misconfigurations
To identify these issues the security team runs tests for hours, days, or even weeks.
After identifying them, the security team sends the issues back to the developers to fix in the next release cycle;
if the fixes are not what the security team wanted, a new version is released and the whole cycle repeats. This process is not optimized,
so DevSecOps comes into play.
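Two of the causes listed above, vulnerable Docker base images and Kubernetes misconfigurations, are exactly the kind of thing a script can catch before a manifest is ever applied. The following is an added example, not code from the original post or from the channel it credits: it walks an already parsed Deployment (a Python dict, so no YAML library is needed) and reports the unpinned image, the privileged container, the plaintext password in an env var and the hostNetwork setting. The manifest, the check names and the list of "secret-looking" env names are my own constructed choices.

```python
"""Added example (not from the original post): flag common image and
Kubernetes misconfigurations in a parsed manifest.
The sample Deployment below is constructed for illustration."""

# Constructed sample: one bad container ("api") and one well-configured one ("sidecar").
SAMPLE_DEPLOYMENT = {
    "apiVersion": "apps/v1",
    "kind": "Deployment",
    "metadata": {"name": "payments"},
    "spec": {
        "template": {
            "spec": {
                "hostNetwork": True,  # pod shares the node's network namespace
                "containers": [
                    {
                        "name": "api",
                        "image": "python:latest",  # floating tag, not pinned
                        "securityContext": {"privileged": True},
                        # password committed as a literal instead of a Secret reference
                        "env": [{"name": "DB_PASSWORD", "value": "hunter2"}],
                    },
                    {
                        "name": "sidecar",
                        "image": "registry.example.com/sidecar@sha256:" + "a" * 64,
                        "securityContext": {
                            "runAsNonRoot": True,
                            "allowPrivilegeEscalation": False,
                            "readOnlyRootFilesystem": True,
                        },
                        "env": [{"name": "DB_PASSWORD",
                                 "valueFrom": {"secretKeyRef": {"name": "db", "key": "password"}}}],
                    },
                ],
            }
        }
    },
}

# Env var names that should never carry a literal value (assumed list).
SECRET_HINTS = ("PASSWORD", "SECRET", "TOKEN", "API_KEY")


def pod_spec(manifest):
    """Return the PodSpec of a Pod or of a workload that embeds a pod template."""
    if manifest.get("kind") == "Pod":
        return manifest["spec"]
    return manifest["spec"]["template"]["spec"]


def check_image(container):
    """A digest-pinned image is fine; an untagged or 'latest' image is not."""
    image = container.get("image", "")
    if "@sha256:" in image:
        return []
    last = image.rsplit("/", 1)[-1]          # strip registry/path, keep name[:tag]
    tag = last.split(":", 1)[1] if ":" in last else None
    if tag is None or tag == "latest":
        return [(container["name"], "image uses a floating tag; pin a version or digest")]
    return []


def check_container(container):
    name = container["name"]
    findings = check_image(container)
    sc = container.get("securityContext", {})
    if sc.get("privileged"):
        findings.append((name, "container runs privileged"))
    if not sc.get("runAsNonRoot"):
        findings.append((name, "runAsNonRoot is not set; container may run as root"))
    if sc.get("allowPrivilegeEscalation", True):   # Kubernetes default is true
        findings.append((name, "allowPrivilegeEscalation is not disabled"))
    if not sc.get("readOnlyRootFilesystem"):
        findings.append((name, "root filesystem is writable"))
    for env in container.get("env", []):
        if "value" in env and any(h in env["name"].upper() for h in SECRET_HINTS):
            findings.append((name, f"env {env['name']} holds a literal secret; use secretKeyRef"))
    return findings


def check_manifest(manifest):
    """Return (target, message) pairs; an empty list means the manifest passes."""
    spec = pod_spec(manifest)
    findings = []
    if spec.get("hostNetwork"):
        findings.append(("pod", "hostNetwork shares the node's network namespace"))
    for container in spec.get("containers", []):
        findings.extend(check_container(container))
    return findings


if __name__ == "__main__":
    findings = check_manifest(SAMPLE_DEPLOYMENT)
    for target, message in findings:
        print(f"{target}: {message}")
    raise SystemExit(1 if findings else 0)
```

Run as a pipeline step it exits non-zero when anything is flagged, so the deployment stage never sees a manifest that failed the check; the "sidecar" container produces no findings and shows what the corrected settings look like.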

So why has securing applications become harder nowadays?
In the early days we had one monolithic application; now we have many microservices, so we need to test every microservice for issues, which takes more time and raises the issue count.
Each microservice is connected to other microservices, which increases the attack surface available to an attacker.

    


The security team has to update its knowledge to test for issues in these layered microservice systems,
and replace tools that predate these modern technologies with ones that understand them.



So security testing becomes the bottleneck of application deployment, because every other step of the deployment process is already automated.

The solution to the above issues is called DevSecOps: integrating security testing into DevOps.



Before DevSecOps



After DevSecOps is applied



How do we implement the DevSecOps solution above?
  • make developers also responsible for security
  • the security team becomes an advisor to the dev and ops teams
The security team creates the security policies.
Then it selects automation tools to detect security issues.
After that, the security team teaches the dev and ops teams how to use those tools.


Security Automation Tools

Pre-commit hooks: checks that run on the developer's machine before the change reaches the repository

Software Composition Analysis (SCA): tools such as OWASP Dependency-Check, requires.io, Retire.js

Static App Security Testing (SAST): tools such as Bandit, RIPS, SonarQube

Dynamic App Security Testing (DAST): tests the running application from the outside; the tools listed under SAST analyse source code and are not DAST tools (OWASP ZAP is a typical DAST scanner)

Security in Infrastructure as Code

Secret Management
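The pre-commit hook and secret management items above meet in one concrete control: refusing a commit that contains a credential, so the "sensitive data leak" cause never reaches the repository. The following is an added example, not code from the original post or from the credited channel. It scans the staged diff for a few well-known key formats and for long high-entropy strings; the patterns, the entropy threshold and the sample diff are my own constructed choices, and the hook only reads added lines because removed or context lines cannot introduce a new secret.

```python
#!/usr/bin/env python3
"""Added example (not from the original post): a pre-commit hook that blocks
commits whose staged diff looks like it contains a credential.
Install by copying to .git/hooks/pre-commit and making it executable."""
import math
import re
import subprocess
import sys
from collections import Counter

# Well-known credential shapes (assumed, illustrative set). Keys are finding labels.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "github_token": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    # no leading \b: names like DB_PASSWORD must still match
    "assigned_password": re.compile(r"(?i)(password|passwd|secret)\s*[:=]\s*['\"][^'\"]{6,}['\"]"),
}
# Anything long and random-looking is suspicious even if it matches no known format.
CANDIDATE = re.compile(r"[A-Za-z0-9+/=_\-]{20,}")
ENTROPY_THRESHOLD = 4.5   # bits per symbol; hex strings (max 4.0) never trigger

# Constructed sample diff used when the hook is run without git.
SAMPLE_DIFF = """\
diff --git a/settings.py b/settings.py
--- a/settings.py
+++ b/settings.py
@@ -1,3 +1,5 @@
 DEBUG = False
-AWS_KEY = os.environ["AWS_ACCESS_KEY_ID"]
+AWS_KEY = "AKIAIOSFODNN7EXAMPLE"
+DB_PASSWORD = "correct-horse-battery"
+SESSION_SALT = "Zx9qL2vB7nK4mP8sT1wY5hR3dF6gJ0aE"
+BUILD_ID = "build-2024-01-01"
"""


def shannon_entropy(s):
    """Bits per symbol of the string; random base64 of 30+ chars scores near 5."""
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def scan_diff(diff_text):
    """Return (diff_line_no, label, matched_text) for every suspicious added line."""
    findings = []
    for no, line in enumerate(diff_text.splitlines(), 1):
        if not line.startswith("+") or line.startswith("+++"):
            continue                      # only added lines can introduce a secret
        body = line[1:]
        hit = False
        for label, pattern in PATTERNS.items():
            match = pattern.search(body)
            if match:
                findings.append((no, label, match.group(0)))
                hit = True
        if not hit:                       # fall back to the entropy heuristic
            for token in CANDIDATE.findall(body):
                if shannon_entropy(token) >= ENTROPY_THRESHOLD:
                    findings.append((no, "high_entropy", token))
    return findings


def staged_diff():
    """Diff of what is about to be committed (needs git; not used by the sample run)."""
    return subprocess.run(["git", "diff", "--cached", "--unified=0"],
                          capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    if len(sys.argv) > 1 and sys.argv[1] == "--sample":
        diff = SAMPLE_DIFF
    else:
        diff = staged_diff()
    findings = scan_diff(diff)
    for no, label, text in findings:
        # print only a prefix so the hook itself does not echo the secret into logs
        print(f"diff line {no}: {label}: {text[:8]}...", file=sys.stderr)
    sys.exit(1 if findings else 0)
```

Run with `--sample` to see the three findings on the constructed diff; as an installed hook it exits 1 and git aborts the commit, which is the shortest feedback loop the post describes. A hook is only a first line of defence (developers can skip it with `--no-verify`), so the same scan belongs in the pipeline as well.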


Injecting security into a DevOps pipeline



After the DevSecOps pipeline above runs, the developer gets the list of issues found along with the related data for each issue.
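What turns a scanner's output into that feedback is a gate step: the pipeline runs the tool, then a small script applies the security team's policy to the report and fails the job when the policy is broken. The following is an added example, not code from the original post or from the credited channel. It reads the JSON report format that Bandit (the SAST tool named above) produces with `bandit -f json`; the report contents, the policy values and the accepted-risk rule list are constructed for illustration.

```python
"""Added example (not from the original post): a pipeline gate that applies a
policy, kept as data in the repo, to a Bandit JSON report.
The report and policy below are constructed for illustration."""
import json
import sys

# Policy owned by the security team ("security as code"); developers can read it
# and propose changes through a normal merge request.
POLICY = {
    "fail_on": {"HIGH": 0, "MEDIUM": 3},   # maximum findings allowed per severity
    "min_confidence": "MEDIUM",            # findings below this confidence are ignored
    "allow": {"B101"},                     # accepted-risk rule IDs (B101: assert used)
}
RANK = {"LOW": 0, "MEDIUM": 1, "HIGH": 2}

# Constructed report in the shape of `bandit -r . -f json`; severities are illustrative.
SAMPLE_REPORT = json.dumps({
    "errors": [],
    "results": [
        {"filename": "app/db.py", "line_number": 12, "test_id": "B608",
         "issue_severity": "MEDIUM", "issue_confidence": "MEDIUM",
         "issue_text": "Possible SQL injection vector through string-based query construction."},
        {"filename": "app/auth.py", "line_number": 40, "test_id": "B105",
         "issue_severity": "LOW", "issue_confidence": "MEDIUM",
         "issue_text": "Possible hardcoded password"},
        {"filename": "app/crypto.py", "line_number": 7, "test_id": "B303",
         "issue_severity": "MEDIUM", "issue_confidence": "HIGH",
         "issue_text": "Use of insecure MD2, MD4, MD5, or SHA1 hash function."},
        {"filename": "tests/test_x.py", "line_number": 3, "test_id": "B101",
         "issue_severity": "LOW", "issue_confidence": "HIGH",
         "issue_text": "Use of assert detected."},
        {"filename": "app/run.py", "line_number": 55, "test_id": "B602",
         "issue_severity": "HIGH", "issue_confidence": "HIGH",
         "issue_text": "subprocess call with shell=True identified"},
        {"filename": "app/tmp.py", "line_number": 9, "test_id": "B108",
         "issue_severity": "MEDIUM", "issue_confidence": "LOW",
         "issue_text": "Probable insecure usage of temp file/directory."},
    ],
})


def evaluate(report_json, policy=POLICY):
    """Return (passed, totals_by_severity, counted_findings, ignored_findings)."""
    report = json.loads(report_json)
    counted, ignored = [], []
    for result in report["results"]:
        allowed = result["test_id"] in policy["allow"]
        too_uncertain = RANK[result["issue_confidence"]] < RANK[policy["min_confidence"]]
        (ignored if allowed or too_uncertain else counted).append(result)
    totals = {severity: 0 for severity in RANK}
    for result in counted:
        totals[result["issue_severity"]] += 1
    passed = all(totals[sev] <= limit for sev, limit in policy["fail_on"].items())
    return passed, totals, counted, ignored


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_REPORT
    passed, totals, counted, ignored = evaluate(text)
    for r in counted:   # this is what the developer sees in the job log
        print(f"{r['issue_severity']:6} {r['filename']}:{r['line_number']} [{r['test_id']}] {r['issue_text']}")
    print(f"totals={totals} ignored={len(ignored)} -> {'PASS' if passed else 'FAIL'}")
    sys.exit(0 if passed else 1)
```

In a job this follows the scanner, for example `bandit -r . -f json -o bandit.json || true` and then `python gate.py bandit.json`, so that the tool's own exit status (non-zero whenever it finds anything) does not decide the build; the policy does. With the constructed report the gate fails because of the single HIGH finding, while the accepted B101 and the low-confidence B108 are listed as ignored rather than silently dropped.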

Benefits of DevSecOps Process

Integrate security via tools

Security as Code

Faster Release Cycle

Prevent security bugs in production

Shorter Feedback Cycle



All images and knowledge credit goes to https://www.youtube.com/channel/UCdngmbVKX1Tgre699-XLlUA.




















