
DevSecOps

This chapter briefly describes the individual building blocks of the DevSecOps principle, each with a few examples of tools, standards, methods, and so on.

Food for thought

Today, we live our lives online. The internet has no geography. It has no borders. By creating the internet, mankind opened up a Pandora’s Box where tangible borders and recognizable enemies ceased to exist.

Mikko Hypponen, Chief Research Officer, F-Secure

Shift left

What does shift left mean?

Security practices and testing are performed earlier in the development lifecycle, i.e. moved to the left in a timeline of that lifecycle, hence the term shift left.

With the shift left approach, the development cycle is improved:

  • Better test coverage
  • Costs will drop
  • Time savings are possible
  • Bugs are removed early in the process
  • Teams must work closely together

Find your vulnerabilities as soon as possible!

The earlier vulnerabilities are found, the easier and less costly they are to remedy. The difference in cost between early and late detection can reach a factor of up to 100x. See the following graph (IBM):

DevSecOps building blocks

The different stages of the traditional SDLC must be extended with the security building blocks that are described in the following subchapters: