A foray into DevSecOps

September 2022


In September 2022, I decided to enroll in the Certified DevSecOps Professional course to learn a bit more about DevSecOps as well as gain real-world technical skills to incorporate security into a CI/CD pipeline. I supplemented this learning with tonnes of freely available internet resources and decided to document my learning to keep myself accountable.

devsecops terms

Before we jump in, here are a few terms that will constantly recur when learning about DevSecOps.

Term  Definition
SAST  Static Application Security Testing: a white-box method that analyses source code (or bytecode) without running the application, to find issues such as injection flaws and insecure API use. Examples of tools are Fortify, Veracode SAST and SonarQube.
SCA   Software Composition Analysis: inventories the open-source and third-party components (libraries and their transitive dependencies) a project pulls in, and matches them against databases of known vulnerabilities and licence restrictions. An example is Snyk.
DAST  Dynamic Application Security Testing: a black-box method that probes a running application through its exposed interface (HTTP requests, for a web application) with no access to the source code. Examples of tools are OWASP ZAP and Veracode DAST.
IAST  Interactive Application Security Testing: instruments the running application with an agent so that the code paths actually exercised during functional or DAST tests can be analysed with both runtime context and source-level detail; it sits between SAST and DAST. Examples of tools are Seeker IAST and Acunetix.
IAC   Infrastructure as Code: creating, configuring and destroying infrastructure from code definitions kept in version control, which also means the definitions can be security-scanned before anything is deployed. Examples of tools are AWS CloudFormation and Terraform (provisioning) and Ansible, Chef and Puppet (configuration management).

what is devsecops?

As defined by Gartner, DevSecOps is the integration of security into emerging agile IT and DevOps development as seamlessly and as transparently as possible. Ideally, this is done without reducing the agility or speed of developers or requiring them to leave their development toolchain environment.
This concept is sometimes referred to as shifting security left, which simply implies introducing security at the early stages of the SDLC i.e. during design and implementation phases.
A myriad of tools can be utilised within DevSecOps as seen below:

And hence, DevSecOps was born.
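The piece of glue that actually enforces "security in the pipeline without slowing developers down" is usually a small gate script: the scanner (SAST, SCA or DAST) writes a report, and the pipeline stage passes or fails based on a policy rather than on the raw finding count. The script below is an added example written for this post, not code from the course or from any of the tools named above. It parses a SARIF report (the JSON format most modern scanners can emit), fails only on findings at or above a severity threshold, and ignores findings whose fingerprint is recorded in a baseline so that existing debt does not block every merge. The sample report is constructed inline, and the `fingerprints.primary` key name is an assumption (real scanners choose their own fingerprint keys).

```python
"""Security quality gate for a CI/CD pipeline stage (added example).

Policy:
  - findings at or above the threshold level fail the build,
  - findings whose fingerprint appears in the baseline are suppressed,
  - everything else is reported but does not block.
"""
import json
import sys
from dataclasses import dataclass

# SARIF "level" values, ranked so a threshold can be compared numerically.
LEVEL_RANK = {"none": 0, "note": 1, "warning": 2, "error": 3}


@dataclass(frozen=True)
class Finding:
    rule_id: str
    level: str
    file: str
    line: int
    fingerprint: str


def parse_sarif(text: str) -> list[Finding]:
    """Flatten every result in every run of a SARIF document into Findings."""
    doc = json.loads(text)
    findings = []
    for run in doc.get("runs", []):
        for result in run.get("results", []):
            loc = result["locations"][0]["physicalLocation"]
            findings.append(Finding(
                rule_id=result["ruleId"],
                level=result.get("level", "warning"),
                file=loc["artifactLocation"]["uri"],
                line=loc["region"]["startLine"],
                # "primary" is an assumed fingerprint key; scanners pick their own.
                fingerprint=result.get("fingerprints", {}).get("primary", ""),
            ))
    return findings


def evaluate_gate(findings, threshold="error", baseline=frozenset()):
    """Return (passed, blocking_findings, suppressed_findings)."""
    min_rank = LEVEL_RANK[threshold]
    blocking, suppressed = [], []
    for f in findings:
        if f.fingerprint and f.fingerprint in baseline:
            suppressed.append(f)          # known, accepted debt
        elif LEVEL_RANK.get(f.level, 0) >= min_rank:
            blocking.append(f)            # new, at or above threshold
    return (not blocking), blocking, suppressed


# Constructed sample report: one new error, one baselined error, one warning.
SAMPLE_REPORT = {
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "example-sast"}},
        "results": [
            {"ruleId": "py/sql-injection", "level": "error",
             "fingerprints": {"primary": "sha256:new-1"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "app/db.py"},
                 "region": {"startLine": 42}}}]},
            {"ruleId": "py/weak-hash", "level": "error",
             "fingerprints": {"primary": "sha256:old-1"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "app/legacy.py"},
                 "region": {"startLine": 7}}}]},
            {"ruleId": "py/missing-timeout", "level": "warning",
             "fingerprints": {"primary": "sha256:new-2"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "app/http.py"},
                 "region": {"startLine": 15}}}]},
        ],
    }],
}
SAMPLE_SARIF = json.dumps(SAMPLE_REPORT)
SAMPLE_BASELINE = frozenset({"sha256:old-1"})


def main(argv):
    """Usage: gate.py [report.sarif [baseline.txt [threshold]]]; exit 1 on fail."""
    report = open(argv[1]).read() if len(argv) > 1 else SAMPLE_SARIF
    baseline = (frozenset(l.strip() for l in open(argv[2]) if l.strip())
                if len(argv) > 2 else SAMPLE_BASELINE)
    threshold = argv[3] if len(argv) > 3 else "error"
    passed, blocking, suppressed = evaluate_gate(parse_sarif(report), threshold, baseline)
    for f in blocking:
        print(f"BLOCK  {f.level:<8}{f.rule_id}  {f.file}:{f.line}")
    print(f"{len(blocking)} blocking, {len(suppressed)} suppressed (baseline)")
    return 0 if passed else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run with no arguments to see the gate fail on the constructed report; in a real pipeline the stage would run the scanner first, then call this script with the report path and the baseline file committed to the repository, and the threshold is what keeps the gate from becoming noise that developers learn to bypass.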