One Article Review

Home - The article:
Source Veracode
Identifier 2665989
Publication date 2021-04-19 09:05:28 (viewed: 2021-04-19 14:05:33)
Title DevSecOps in Practice: How to Embed Security into the DevOps Lifecycle
Text You've heard of DevOps. And by now, you've probably also heard of DevSecOps, which extends DevOps principles into the realm of security. In DevSecOps, security breaks out of its "silo" and becomes a core part of the DevOps lifecycle. That, at least, is the theory behind DevSecOps. What's often more challenging for developers to figure out is how to apply DevSecOps in practice. Which tools and processes actually operationalize DevSecOps? Until you can answer that question, DevSecOps will be just another buzzword. To help bridge the gap between theory and practice, let's walk through what DevSecOps means from a practical perspective, and how to go about embedding it into your development workflows.

DevSecOps, defined

If you're familiar with DevOps (which encourages collaboration between developers and IT operations engineers in order to speed application delivery), then the meaning of DevSecOps is easy enough to understand. DevSecOps adds security operations teams into the equation so that they can collaborate seamlessly with developers and IT engineers. DevSecOps places a DevOps spin on basic security concepts. Just as DevOps encourages continuous delivery, DevSecOps is all about continuous security, meaning the constant and holistic management of security across the software development lifecycle. Similarly, DevSecOps encourages continuous improvement in the realm of security, meaning that no matter how secure you believe your environment is, you should always be looking for ways to improve your security posture even further.

DevSecOps in practice

These are all great ideas to talk about, and it's easy to see why they are valuable. Security postures are indeed stronger when developers, IT engineers, and security engineers work together, rather than working in isolation. It's much easier to optimize security when developers prioritize security with every line of code they write, and when IT engineers think about the security implications of every deployment they push out, rather than viewing security as something that someone else will handle down the line. The big question for teams that want to embrace DevSecOps, though, is how to go about putting these ideas into practice. That's where things can get tougher. There is no simple methodology that allows you to "do" DevSecOps. Nor is there a specific tool that you can deploy or a particular role that you can add to your team. Instead, operationalizing DevSecOps means building holistic combinations of processes and tools that make it possible to integrate security into DevOps workflows. While the best approach to this will vary from team to team, the following are some general best practices for implementing DevSecOps.

Scanning early and often

One basic step toward implementing DevSecOps is to ensure that you perform security tests and audits at the beginning of the software delivery pipeline. You don't want to wait until code is written and built to start testing it for flaws (and you certainly don't want to let it get into production before testing it). Instead, you should be scanning code as it is written, by integrating security tooling directly into your IDEs if possible. Importantly, security scanning should continue as code "flows" down the pipeline. You should scan your test builds and application release candidates before deployment. Security monitoring and auditing should also continue once code is in production.

Automation

Automation is a founding principle of DevOps, and it's just as important to DevSecOps. Automation not only makes processes faster and more efficient, but also helps reduce friction between the different stakeholders in DevSecOps
Sent Yes
Tags Tool
Stories Uber
Notes ★★★


The article does not appear to have been picked up after its publication.


The article does not appear to have been picked up from an earlier one.