What is DevSecOps
DevSecOps stands for development, security, and operations. It’s an approach to culture, automation, and platform design that integrates security as a shared responsibility throughout the entire IT lifecycle.
Key Principles of DevSecOps
DevSecOps is built on three core principles: collaboration, automation, and security. Collaboration involves breaking down silos between teams to encourage communication and cooperation throughout the software development lifecycle. Automation involves using tools and processes to reduce manual labor and increase efficiency. Security involves integrating security into every stage of the software development lifecycle, from design to deployment.
Security best practices
- Execution with non-root user
- Start containers in read-only mode
- Disable the setuid and setgid permissions
- Verifying images with Docker Content Trust
- Resource limitation
- Disabling ping command in a container
Security related modules
AppArmorallows you to regulate permissions and access of the containers in the filesystemSELinuxprovides a system of rules that allows you to implement access controls to the kernel resourcesSecure Computing Mode(Seccomp) monitors kernel system calls
Reading List
- 10 Best Free SSL Checker Tools for Troubleshooting and Analysis
- Calculate last failed login user with source ip in Linux
- Check last successful/failed login user in Linux
- DevSecOps
- Firewall testing checklist and cyber security tools
- Identity and Access Management (IAM)
- Implementing DevSecOps
- Kick out inactive user in Linux
- Modern Cybersecurity Strategies for Enterprises
- Nessus: The Ultimate Vulnerability Scanner
- One-time password (OTP) implementation in Shell, Python and Go
- OpenSSL Cheatsheet
- Private Search Engines
- Privilege escalation misconfigurations check for Linux
- Security Risks for Apache Hadoop System
- Security Tips for Apache Kafka
- Security Tips for Apache RabbitMQ
- Security tips for developers
- Security tips when using VPN
- Sign and Verify file with SSH Keys
- Summary of implementation of TLS/SSL protocol
- Tips of signatures with GnuPG
- Types of VPN
- Using Google Authenticator for SSH
- Vulnerability and bug scan in Linux
- get ssh public key from private key
- nich - quickly analyze open ports vulnerabilities
- nmap usage examples - Network Mapper
- usage of tunnels and proxies in SSH
DevSecOps is a software development practice that aims to integrate security into the software development process. It is a combination of the principles of DevOps, which emphasizes collaboration and automation, and the principles of security, which emphasizes protecting systems and data from threats.
The goal of DevSecOps is to build security into the software development process from the start, rather than trying to add it on later. This can be achieved by incorporating security practices and tools into the continuous integration and continuous deployment (CI/CD) pipeline.
One of the key elements of DevSecOps is to shift security left, which means to integrate security testing and analysis as early as possible in the development process. This can include things like static code analysis, security testing, and vulnerability scanning. By identifying and addressing security issues early on, teams can reduce the risk of vulnerabilities being introduced into the codebase.
Another important aspect of DevSecOps is to automate security testing and analysis. This can include using tools like automated penetration testing, threat modeling, and security testing frameworks. Automation helps to ensure that security testing is performed consistently and at regular intervals, which can help to identify and address issues before they become major problems.
Another important element of DevSecOps is to foster a culture of collaboration and communication between development, security, and operations teams. This helps to ensure that everyone is aware of security risks and that any issues are addressed in a timely manner.
DevSecOps also includes the practice of monitoring and logging the software and infrastructure to detect and respond to any security incidents.
Overall, DevSecOps is a software development practice that aims to integrate security into the software development process. By shifting security left, automating security testing and analysis, fostering a culture of collaboration and communication, and monitoring and logging, teams can build security into their software development process, and deliver high-quality software that is secure.
Reference
- Implementing DevSecOps with Docker and Kubernetes
https://github.com/DropsOfZut/awesome-security-weixin-official-accounts