DevSecOps

What is DevSecOps?

The DevOps model isn’t just for development and operations teams. If you want to take full advantage of the agility and responsiveness of a DevOps approach, you must also integrate IT security into the entire lifecycle of your applications.

Why? In the past, security-related processes were isolated and assigned to a specific team at the final stage of development. This was acceptable when development cycles lasted for months, if not years. But those days are over. While an effective DevOps approach ensures fast and frequent development cycles (sometimes weeks or days), outdated security practices can negate the benefits of even the most effective DevOps projects.

Now, within the collaborative framework of the DevOps model, security is a shared, integrated responsibility from beginning to end. This notion is so important that it gave birth to the term “DevSecOps” to emphasize the need to integrate security into DevOps projects.

The DevSecOps approach involves thinking about application and infrastructure security from the start. It is also necessary to automate certain security gates so that they do not slow down DevOps workflows. To achieve these objectives, start by selecting tools capable of ensuring the continuous integration of security, for example a shared integrated development environment that provides security functions. However, for DevOps security to be effective, it takes more than new tools: the DevOps cultural shift must reach security teams early as well.

Whether the approach is called “DevOps” or “DevSecOps”, it has always been best to make security an integral part of the application lifecycle. The DevSecOps approach is based on built-in security, not on a security perimeter that protects applications and data from the outside. When security is relegated to the end of the development process, companies that embrace DevOps can find themselves facing the long development cycles they were trying to avoid.

In particular, DevSecOps highlights the need to involve security teams from the start of DevOps projects, with a view to integrating information security functions and planning their automation. This approach also emphasizes the need to help developers code with security in mind. To do this, security teams must share the visibility they enjoy, as well as their feedback and information on identified threats. As security has not always been seen as a priority in traditional application development, it may be useful to provide security training for developers.

What is integrated security, really? To begin with, a good DevSecOps strategy involves determining risk tolerance and performing a risk/benefit analysis. How many security checks does a given application require? How important is speed to market for different applications? Since performing manual security checks can be time-consuming, automating repeated tasks is a key part of the DevSecOps approach.
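As an added illustration of the two points above (a per-application risk tolerance, and an automated check replacing a manual one), the script below encodes a release gate that evaluates scanner findings against a policy chosen for each application. It is not from the original text or from Red Hat; the finding format, policy fields and sample values are assumptions constructed for the example.

```python
from dataclasses import dataclass, field
from collections import Counter

# Ordering used to compare severities (assumed scale, not a standard).
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

@dataclass
class RiskTolerance:
    """Per-application policy: how much risk the owner accepts before release."""
    app: str
    block_at: str                                        # this severity or higher blocks
    max_per_severity: dict = field(default_factory=dict)  # limits for lower severities
    accepted: set = field(default_factory=set)           # finding ids reviewed and accepted

@dataclass
class GateResult:
    passed: bool
    reasons: list

def evaluate_gate(policy: RiskTolerance, findings: list) -> GateResult:
    """Apply the policy to scanner output; only unaccepted findings affect the verdict."""
    reasons = []
    live = [f for f in findings if f["id"] not in policy.accepted]
    blocking = [f for f in live
                if SEVERITY_RANK[f["severity"]] >= SEVERITY_RANK[policy.block_at]]
    for f in blocking:
        reasons.append(f"{f['id']}: {f['severity']} is at or above block_at={policy.block_at}")
    counts = Counter(f["severity"] for f in live if f not in blocking)
    for sev, limit in policy.max_per_severity.items():
        if counts[sev] > limit:
            reasons.append(f"{counts[sev]} {sev} findings exceed the limit of {limit}")
    return GateResult(passed=not reasons, reasons=reasons)

# Constructed sample findings, shaped like a dependency or SAST scanner report (hypothetical ids).
SAMPLE_FINDINGS = [
    {"id": "F-1", "severity": "critical", "component": "libexample"},
    {"id": "F-2", "severity": "medium", "component": "app/util.py"},
    {"id": "F-3", "severity": "medium", "component": "app/api.py"},
    {"id": "F-4", "severity": "low", "component": "app/cli.py"},
]

# Two applications with different speed-to-market needs get different tolerances.
PAYMENTS = RiskTolerance("payments", block_at="high", max_per_severity={"medium": 0})
INTERNAL_TOOL = RiskTolerance("internal-tool", block_at="critical",
                              max_per_severity={"medium": 5}, accepted={"F-1"})

if __name__ == "__main__":
    for policy in (PAYMENTS, INTERNAL_TOOL):
        result = evaluate_gate(policy, SAMPLE_FINDINGS)
        print(policy.app, "PASS" if result.passed else "FAIL", result.reasons)
```

Run in a pipeline step, a non-empty `reasons` list is what the job prints before failing, which gives developers the feedback the text asks security teams to share.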


Source: Red Hat