# DevSecOps

DevSecOps extends [[DevOps]] by integrating security practices throughout the entire software development lifecycle, rather than treating security as an afterthought. The philosophy is "security as code": automated, continuous, and embedded in every stage. Also known as "shift-left security," DevSecOps moves security considerations earlier in the development process, making vulnerabilities cheaper and easier to fix.

## Core Principles

- **Shift left**: Address security early in development
- **Automate security**: Integrate security checks into CI/CD
- **Shared responsibility**: Everyone owns security, not just the security team
- **Continuous monitoring**: Real-time threat detection and response
- **Compliance as code**: Automate regulatory compliance checks

## Security Integration Points

```
┌────────────────────────────────────────────────────────────┐
│                     DevSecOps Pipeline                     │
│                                                            │
│ Code  →  SAST  →  Build  →  DAST  →  Deploy  →  Monitor    │
│  ↓        ↓         ↓        ↓         ↓           ↓       │
│ Lint   Secrets     SCA    Pentest    Config     Runtime    │
│Check     Scan     Check              Audit    Protection   │
│                                                            │
└────────────────────────────────────────────────────────────┘
```

## Security Testing Types

| Type | Description | When |
|------|-------------|------|
| **SAST** | Static Application Security Testing | During coding |
| **DAST** | Dynamic Application Security Testing | Running application |
| **SCA** | Software Composition Analysis | Dependencies |
| **IAST** | Interactive Application Security Testing | Runtime |
| **Container scanning** | Image vulnerability detection | Build/deploy |
| **Secret scanning** | Detect exposed credentials | Commit time |

## Common Tools

- **SAST**: SonarQube, Semgrep, CodeQL
- **DAST**: OWASP ZAP, Burp Suite
- **SCA**: Snyk, Dependabot, OWASP Dependency-Check
- **Secrets**: GitLeaks, TruffleHog
- **Container**: Trivy, Clair, Anchore
- **Platform**: [[GitLab]] Ultimate, [[GitHub]] Advanced Security

## DevSecOps vs DevOps

| Aspect | DevOps | DevSecOps |
|--------|--------|-----------|
| Focus | Speed + reliability | Speed + reliability + security |
| Security | End-stage gate | Continuous throughout |
| Responsibility | Ops + Dev | Ops + Dev + Sec |
| Testing | Functional | Functional + security |

## References

- https://www.redhat.com/en/topics/devops/what-is-devsecops
- https://en.wikipedia.org/wiki/DevOps#DevSecOps

## Related

- [[DevOps]]
- [[Static Application Security Testing (SAST)]]
- [[Software Composition Analysis (SCA)]]
- [[CI CD pipelines]]
- [[Vercel DeepSec]]
- [[Warden]]
- [[GitHub]]
- [[GitLab]]
- [[Git]]
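The pipeline above places a secrets scan at commit time and a configuration audit before deploy. The following added example (not from this page, and not the code of GitLeaks, TruffleHog or any other tool listed under Common Tools) sketches both as one shift-left gate that a pre-commit hook or CI job could run: it scans only the added lines of a unified diff for credential patterns, applies a small compliance-as-code policy to a Dockerfile, and blocks on findings from the checks marked as blocking. Everything specific in it is an assumption: the token shapes, the three Dockerfile policies, the 3.0-bit entropy threshold, and the sample diff and Dockerfiles are constructed for illustration.

```python
"""Shift-left security gate: secret scanning over a diff plus a compliance-as-code
policy for Dockerfiles. Added example for this page, not GitLeaks, TruffleHog or
any tool named above; policy names, threshold and sample inputs are constructed."""
import math
import re
from dataclasses import dataclass
from typing import Iterable, List

@dataclass(frozen=True)
class Finding:
    check: str      # control that fired
    location: str   # file:line
    detail: str     # redacted evidence, safe to print in CI logs

# AKIA is the public AWS access-key-id prefix; the second pattern catches
# hard-coded assignments to credential-like names.
SECRET_PATTERNS = {
    "aws-access-key-id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "credential-assignment": re.compile(
        r"(?i)(?:password|passwd|secret|api[_-]?key|token)\b\s*[:=]\s*['\"]([^'\"]{8,})['\"]"),
}
# Findings from these checks fail the gate; everything else is report-only.
BLOCKING_CHECKS = {"aws-access-key-id", "credential-assignment", "unpinned-base-image", "runs-as-root"}

def shannon_entropy(value: str) -> float:
    """Bits per character: random tokens score high, words like 'changeme' low."""
    n = len(value)
    return -sum(k / n * math.log2(k / n) for k in map(value.count, set(value))) if n else 0.0

def scan_diff(path: str, diff_lines: Iterable[str]) -> List[Finding]:
    """Scan only the added ('+') lines of a unified diff, as a pre-commit hook would.
    Line numbers refer to the new file and are tracked from the '@@' hunk headers."""
    findings: List[Finding] = []
    lineno = 0
    for raw in diff_lines:
        if raw.startswith(("+++ ", "--- ")):
            continue                                  # file headers
        if hunk := re.match(r"@@ -\d+(?:,\d+)? \+(\d+)", raw):
            lineno = int(hunk.group(1)) - 1
            continue
        if raw.startswith("-"):
            continue                                  # not present in the new file
        lineno += 1                                   # context and added lines both count
        if not raw.startswith("+"):
            continue
        for name, pattern in SECRET_PATTERNS.items():
            if match := pattern.search(raw[1:]):
                secret = match.group(1) if match.groups() else match.group(0)
                # Templated values and low-entropy placeholders are noise, not leaks.
                if name == "credential-assignment" and (
                        secret.startswith("${") or shannon_entropy(secret) < 3.0):
                    continue
                findings.append(Finding(name, f"{path}:{lineno}", secret[:4] + "*" * (len(secret) - 4)))
    return findings

def check_dockerfile(path: str, text: str) -> List[Finding]:
    """Compliance as code: pinned base image, no ADD from URLs, non-root USER."""
    findings: List[Finding] = []
    last_user = None
    for lineno, line in enumerate(text.splitlines(), start=1):
        parts = line.strip().split(None, 1)
        if not parts or parts[0].startswith("#"):
            continue
        instr, args = parts[0].upper(), (parts[1] if len(parts) > 1 else "")
        if instr == "FROM":
            image = args.split()[0]                   # drop any "AS stage" alias
            name = image.rsplit("/", 1)[-1]           # ignore registry host:port
            if image != "scratch" and "@sha256:" not in image and (
                    ":" not in name or name.endswith(":latest")):
                findings.append(Finding("unpinned-base-image", f"{path}:{lineno}", image))
        elif instr == "ADD" and re.match(r"https?://", args):
            findings.append(Finding("remote-add", f"{path}:{lineno}",
                                    "fetch with RUN and verify a checksum instead"))
        elif instr == "USER":
            last_user = args.split()[0]
    if last_user is None or last_user.split(":")[0] in ("root", "0"):
        findings.append(Finding("runs-as-root", f"{path}:USER", last_user or "no USER instruction"))
    return findings

def security_gate(findings: List[Finding]) -> bool:
    """True when the change may proceed: no finding came from a blocking check."""
    return not any(f.check in BLOCKING_CHECKS for f in findings)

# Constructed samples: the token is made up, the key id is AWS's documentation
# placeholder, and the all-zero digest does not name a real image.
SAMPLE_DIFF = """--- a/app/config.py
+++ b/app/config.py
@@ -1,3 +1,5 @@
 import os
-API_KEY = os.environ["API_KEY"]
+API_KEY = "q7Zk2vP9xLm4Rt8wYb3nHc6Jd1Fg5Sa0"
+DB_PASSWORD = "changeme"
+AWS_KEY = "AKIAIOSFODNN7EXAMPLE"
 DEBUG = False""".splitlines()
SAMPLE_DOCKERFILE = "FROM python:latest\nADD https://example.invalid/tool.tgz /opt/\nCOPY . /app\n"
HARDENED_DOCKERFILE = f"FROM python:3.12-slim@sha256:{'0' * 64}\nCOPY . /app\nUSER 10001:10001\n"

if __name__ == "__main__":
    results = scan_diff("app/config.py", SAMPLE_DIFF) + check_dockerfile("Dockerfile", SAMPLE_DOCKERFILE)
    for f in results:
        print(f"{f.check:22} {f.location:18} {f.detail}")
    print("gate:", "pass" if security_gate(results) else "BLOCK")
```

Run as a script it lists two secret findings (the high-entropy API key and the AKIA key id, both redacted so the log itself does not leak them), three Dockerfile findings, and a `BLOCK` decision; the hardened Dockerfile passes cleanly. The `changeme` placeholder is deliberately skipped by the entropy threshold, which is the same noise-versus-misses trade-off the secret-scanning tools listed above make tunable. Treating `remote-add` as report-only while the other checks block shows how a team can introduce a new control as a warning before promoting it to a gate.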