2. CONTENTS
• INTRODUCTION
• WHY WE NEED DEVSECOPS
• HOW DOES IT WORK
• IMPORTANCE OF DEVSECOPS
• DEVSECOPS PRACTICES
• PROS OF DEVSECOPS
• CONS OF DEVSECOPS
• LIMITATIONS OF DEVSECOPS
3. INTRODUCTION
• DevSecOps stands for development, security, and operations. It is about
implementing security right from the initial stage of application
development until the final product is delivered.
• Its purpose is to ensure that every security breach is addressed and that
vulnerabilities are reduced. During the process, everybody is accountable
for security and their actions, from the developer to the operations
department, whereas in traditional practice security was the least
concern of each department.
4. • Every organization that has DevOps should shift gears towards
DevSecOps to reach a higher level of proficiency and a more secure
application development experience. Instead of rushing at the last moment
in a hazardous situation, DevSecOps ensures security at each level of
development.
6. WHY DO WE NEED DEVSECOPS?
• Every day we come across news of data breaches and hacking. Is there
any loophole in application development? Don't we have any established
laws against these breachers? The answer to these questions is a big yes.
• A security breach can result in the loss of billions, even trillions, of personal
records and confidential information, with an overall effect on the business. The
traditional methodology for development is outdated in this tech-savvy world.
• Today, where countless applications are created and uploaded to web stores,
a security breach is a prime concern for businesses and application developers.
To cope with this critical security crisis, DevSecOps is the savior.
7. EXAMPLE OF A DATA BREACH
AADHAAR DATA BREACH:
• Date: March 2018
• Impact: 1.1 billion people
• In March 2018, it became public that the personal information of more than a
billion Indian citizens stored in the world's largest biometric database could be
bought online.
• This massive data breach was the result of a data leak on a system run by a
state-owned utility company. The breach allowed access to the private information
of Aadhaar holders, exposing their names, their unique 12-digit identity
numbers, and their bank details.
• The type of information exposed included the photographs, thumbprints, retina
scans and other identifying details of nearly every Indian citizen.
9. HOW DOES IT WORK?
• In the first step, code is created in the version control
management system by a developer.
• All changes are viewed and made in the same system.
• After that, another developer takes the code from the same
system, analyzes it, and identifies bugs or security flaws in the
code.
• Once the developer rectifies the errors, the environment is created
using infrastructure-as-code tooling.
10. • The next step is the deployment of the application; here test
automation is carried out, including security, UI, integration and
API tests.
• Once the application clears these tests, it is suitable for the
production step.
• Even in the production environment, continuous monitoring
is done to identify and rectify security threats.
12. IMPORTANCE OF DEVSECOPS
• The last decade was very crucial and progressive for the IT
industry, as it witnessed substantial growth in terms of
cloud computing, storage, and new applications. However, with
the entry of DevOps, speed and functionality took the industry
to the next level of success.
• But the one concern about DevOps was its security inefficiency. For
this reason, DevSecOps has been welcomed warmly. It caters to the
need for speed, functionality, security, and scale under a single
umbrella.
13. SOME DEVSECOPS PRACTICES
With the implementation of DevSecOps, resources are utilized in a better
and more efficient way. Here are some practices that help in operating things
smoothly:
14. 1. SAFE AND SECURE CODING:
• It is very important and necessary to practice safe and secure
software development to cut down the high risk of vulnerabilities.
Insecure coding is a threat that can lead to breaches of confidential
information. Hire the services of highly experienced and skilled
developers to avoid high risk.
2. IMPLEMENT AUTOMATION:
• Automation is the key factor for the secure and safe development
of an application. Embed automation in the continuous
integration and deployment environment so that the speed of
your security checks matches the speed of the process. It becomes necessary
for larger organizations, where varied versions of code are pushed to the
production environment multiple times.
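As an added example (not part of the original presentation), the security-test gate in the deployment step described under "How does it work?" and the automation practice above can be implemented as a small policy check over the output of the automated security tests: the build is promoted to production only when no blocking finding remains unwaived. The report format, rule ids, file paths and waiver dates below are constructed for illustration and do not come from any real scanner.

```python
"""Security gate for the deployment step: decide from automated security
test findings whether a build may proceed to production.
Added example; the report format is a constructed, simplified
SARIF-like JSON, not any real tool's output."""
import json
from datetime import date

# Policy: severities that block promotion, plus risk-accepted waivers that
# expire on a given date (constructed values for illustration).
BLOCKING_SEVERITIES = {"critical", "high"}
WAIVERS = {
    "CWE-79:src/legacy/report.py": "2030-01-01",  # reviewed, accepted risk
    "CWE-89:src/db/query.py": "2020-01-01",       # waiver already expired
}

# Constructed scanner report standing in for SAST / dependency-scan output.
SAMPLE_REPORT = json.dumps({"findings": [
    {"rule": "CWE-79", "file": "src/legacy/report.py", "severity": "high"},
    {"rule": "CWE-89", "file": "src/db/query.py", "severity": "critical"},
    {"rule": "CWE-798", "file": "src/config.py", "severity": "medium"},
]})


def evaluate_gate(report_json, today=None, waivers=WAIVERS):
    """Return (allowed, blocking). A finding blocks the build when its
    severity is in BLOCKING_SEVERITIES and it has no unexpired waiver.
    `today` is an ISO date string; defaults to the current date."""
    today = date.fromisoformat(today) if today else date.today()
    blocking = []
    for f in json.loads(report_json)["findings"]:
        if f["severity"].lower() not in BLOCKING_SEVERITIES:
            continue  # lower severities are reported but do not block
        key = f"{f['rule']}:{f['file']}"
        expiry = waivers.get(key)
        if expiry is not None and date.fromisoformat(expiry) >= today:
            continue  # risk accepted and the waiver is still valid
        blocking.append(key)
    return (not blocking, blocking)


if __name__ == "__main__":
    allowed, blocking = evaluate_gate(SAMPLE_REPORT, today="2024-06-01")
    print("promote to production" if allowed else f"blocked: {blocking}")
```

In a CI job the script's exit status would be tied to `allowed`, so an expired waiver fails the pipeline instead of silently letting the finding through.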
15. 3. IMPLEMENTATION FROM THE BEGINNING:
• Implement security from the first stage of application development. By
now, we have understood why it is necessary to implement security
checks from the beginning. This practice may take time, but in the long
run it is the handiest and safest way to achieve risk-free application development.
4. PEOPLE + TECHNOLOGY + PROCESS = RISK FREE
• The major role in the success of DevSecOps is played by the perfect
trio of people, technology, and process. Convincing people about the
shift from traditional methods to DevSecOps may need a lot of effort, but
the result will be worth the effort you put in. Once people are
convinced, frame a common process to strengthen the security
aim. After the merger of people and process, next comes technology.
With practices like automated compliance scanning, configuration
management, host hardening, and other DevSecOps practices, the aim of a
secure and safe application is not far.
17. PROS OF DEVSECOPS
• While there's no full guarantee that a software product will be free from all possible
malicious attacks, DevSecOps can ensure that an application is fairly stable and less
vulnerable upon release or off the shelf. This new approach to software creation is
beneficial for the following reasons:
1. ENHANCES COLLABORATION AND COMMUNICATION BETWEEN ALL TEAMS
• The DevSecOps method encourages IT professionals with different skills to
collaborate and work together to achieve one goal. Team integration is one of the
main objectives of DevSecOps.
2. INCREASES THE SPEED AND AGILITY OF DEVELOPMENT TEAMS
• The nature of this approach pushes DevSecOps team members to react fast, as well
as to review and correct vulnerabilities and other software problems while the
development process is ongoing.
3. PROMOTES BETTER QUALITY CONTROL AND THREAT DETECTION
• While the DevOps team may consider the security team a cause of delay, this
should not be the case. Problems are identified and corrected immediately before
18. CONS OF DEVSECOPS
1. WON'T WORK WITHOUT OPEN COMMUNICATION
• For DevSecOps to work properly, communication and collaboration between the key teams
from the security, software development, and IT departments must be established. If
any of these teams keeps important information from the others, it may not work as
intended.
2. SHOULD BE ACCEPTED BY EVERYONE
• Not all employees are keen on accepting non-traditional working arrangements.
Some live by the mantra "if it ain't broke, don't fix it." It can be difficult to ditch the
old ways of doing things and choose new working methods. Employees with this
mindset may be hard to convince about the importance of DevSecOps. Additionally,
they need time and a few success stories to accept the new workflow.
3. MAY NOT BE THE MANAGEMENT'S MAIN PRIORITY
• Not all executives in a software development agency view security as a priority. As
such, a company executive may not accept the proposed changes drafted
by a DevSecOps consultant or manager. As such, the company may revert to putting
19. LIMITATIONS OF DEVSECOPS
• As DevSecOps is a new approach, its applications are quite limited
at this stage. For instance, it can't be applied to the following:
• DevSecOps doesn't work with web application firewalls (WAFs), because WAFs
function by monitoring real user requests. The latter is only applicable in
production environments and can't resolve issues.
• DevSecOps is fully reliant on automation. This renders manual penetration
testing tools useless, as they can't be used in DevSecOps.
• Simple web vulnerability scanners aren't meant to work with continuous
integration (CI) and continuous delivery (CD) tools. Thus, it follows that they can't
work with security vulnerability assessment under DevSecOps either.