DevSecOps — What’s it all about? Part 1

Definition

There are various definitions available for DevSecOps, but the one which I like the most is —

The Problem

Earlier, security came into the picture at a considerably late stage of the DevOps lifecycle. Because of this, fixing security-related bugs and issues took considerable time. For example, if the static code analysis stage in your pipeline reports a security issue, the developer has to fix it and then go through all the steps again: pushing the code to your SCM and building it. Also, various security operations like VAPT, threat detection and prevention, SIEM, etc. were secluded from the DevOps lifecycle. This greatly decreased agility when it came to security operations and also made managing them cumbersome.

DevSecOps to the rescue!

In DevSecOps, the idea is to bring the security controls as near to the beginning of the lifecycle as possible. It also aims at incorporating into the automated lifecycle more of the security operations that were previously separate processes. This helps in early detection and early resolution, enabling agility in security operations too.

  1. Security at Developer’s workstation
  2. Secrets Management
  3. Source Control Security
  4. SAST & DAST
  5. Infrastructure Vulnerability Scanning
  6. Compliance-as-code
  7. Observability

Enough talk, let’s get right to it!

I will be working on a MEAN stack app which you can find on my GitHub here. For this application I have created a simple Jenkins pipeline with no security measures implemented. There are also some common security flaws in the app which we will try to tackle using our DevSecOps implementation. As I wanted to focus more on integrating security, I haven’t implemented different stages like dev, test, prod, etc.

Pools-App Jenkins Pipeline
Pools-App architecture
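To make the shift-left idea concrete, here is an added example of a declarative Jenkinsfile for a Node/MEAN app (this is not the pipeline from the author’s GitHub repo): secret scanning, SAST and a dependency audit run before the build, so a finding fails the run before any artefact is produced. The tool commands (git-secrets, semgrep, npm audit, trivy) assume those tools are installed on the agent, and the pools-app image name is a placeholder.

```groovy
// Added example: a declarative Jenkinsfile that runs security checks before
// the build, so the developer learns about a problem early instead of after
// the push -> build -> deploy round trip described above.
// Assumptions: git-secrets, semgrep, npm and trivy are installed on the agent;
// "pools-app" is a placeholder image name, not the author's repository.
pipeline {
    agent any
    options { timestamps() }
    stages {
        stage('Checkout') {
            steps { checkout scm }
        }
        // Shift-left: these gates work on the checked-out source only,
        // so a failure here costs seconds, not a full build cycle.
        stage('Secrets scan') {
            steps { sh 'git secrets --scan -r .' }   // fails on hardcoded credentials
        }
        stage('SAST') {
            steps { sh 'semgrep --config p/nodejs --error .' }   // --error: exit 1 on findings
        }
        stage('Dependency audit') {
            steps {
                sh 'npm ci'
                sh 'npm audit --audit-level=high'   // fails on high/critical advisories
            }
        }
        stage('Unit tests') {
            steps { sh 'npm test' }
        }
        // Only after the source-level gates pass do we spend time on a build.
        stage('Build image') {
            steps { sh 'docker build -t pools-app:${BUILD_NUMBER} .' }
        }
        stage('Image scan') {
            steps { sh 'trivy image --exit-code 1 --severity HIGH,CRITICAL pools-app:${BUILD_NUMBER}' }
        }
    }
    post {
        failure { echo 'Security gate failed: fix the finding and push again.' }
    }
}
```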
