DevSecOps: Integrating Security Into DevOps
Implementing DevOps is known for:
● Boosting efficiency
● Cutting costs
● Helping businesses flourish better
Security has not been the easiest thing to set up around a DevOps implementation. Security professionals need a crystal clear understanding of how their practices can be applied in the development and production stages. They need time.
The ever-increasing demand for lightning-pace delivery of software using DevOps and agile strategies, with technologies like containers and public cloud, has caused a rift between the software production teams and the security teams who, instead, need time.
Putting security at the end often fails, because many issues could be resolved at an early stage if security experts were involved right from the design phase. So the perfect solution is to have security practices integrated throughout the entire software delivery cycle.
Why DevSecOps?
The key benefit of DevOps is speed and continuous delivery. But with secure DevOps, teams often suffer from the notion that there is a tradeoff between security and speed. That is not always the case.
Prudent use of security automation allows teams to maintain both security and speed. Automated security testing makes security consistent and less vulnerable to human error.
Shifting security practices left, towards the design phase, is a major advantage. It is a big achievement to catch a security loophole at the design or development phase of a new feature.
This is what DevSecOps tooling strategies aim at.
How To Approach?
People often avoid documentation, and it is entirely possible to change the security skeleton of a DevOps team without writing a single line of documentation. Though it is hard to imagine, it is possible by instilling security behaviors.
The 3 security behaviors to focus on:
● Threat modeling
● Code review
● Red teaming
Threat Modeling
Threat modeling involves considering the security impact of every design decision. You need to start thinking like an attacker, hacker or infiltrator of your own system to search for the loopholes.
You need to verify and select the design that will protect the integrity of the customer data. In the majority of cases, DevOps teams view the design from an agile perspective, leaving security concerns behind. Threat modeling, however, embeds security directly into the practices and design decisions.
Code Review
The code review security behavior revolves around finding security concerns and flaws in the code. It catches errors in the code that may prove fatal if they reach production. DevOps teams use stringent infrastructure and make sure that code review is mandatory with each check-in to the main line.
Red Teaming
The last security behavior, red teaming, involves attacking your code with the same level of ferocity as potential attackers would when it reaches production. This helps reveal flaws through rigorous testing, so that they can be fixed and the code pushed to production quickly.
Principles to follow
Establishing secure DevOps rests on two major principles:
● Security as code
● Infrastructure as code
Security as code involves building security into the existing tools in the DevOps pipeline. It includes using static analysis tools to validate the portions of code that have been modified rather than scanning the entire codebase.
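
An added example (not from the original slides) of the "validate only what was modified" idea: a pipeline step that parses a unified diff and applies checks only to the lines the change adds. The three rules and the sample diff are constructed for illustration; a real pipeline would hand the changed lines to a full static analyzer.

```python
import re

# Hypothetical rule set for this example only.
RULES = {
    "hardcoded-secret": re.compile(r"(?i)(password|secret|api_key)\s*=\s*['\"][^'\"]+['\"]"),
    "tls-verify-disabled": re.compile(r"verify\s*=\s*False"),
    "dynamic-eval": re.compile(r"\beval\s*\("),
}
HUNK = re.compile(r"^@@ -\d+(?:,(\d+))? \+(\d+)(?:,(\d+))? @@")

def added_lines(diff_text):
    """Yield (path, new_line_number, text) for each line a unified diff adds."""
    path, new_no, old_left, new_left = None, 0, 0, 0
    for raw in diff_text.splitlines():
        if old_left > 0 or new_left > 0:        # inside a hunk body
            if raw.startswith("+"):
                yield path, new_no, raw[1:]
                new_no += 1
                new_left -= 1
            elif raw.startswith("-"):           # removed: old file only
                old_left -= 1
            elif not raw.startswith("\\"):      # context line (skip "\ No newline")
                new_no += 1
                old_left -= 1
                new_left -= 1
        elif raw.startswith("+++ "):
            path = raw[4:].removeprefix("b/")
        elif (m := HUNK.match(raw)):
            old_left = int(m.group(1) or 1)     # an omitted count means 1
            new_no = int(m.group(2))
            new_left = int(m.group(3) or 1)

def scan_diff(diff_text):
    """Return (path, line, rule) for every rule hit on an added line."""
    return [(path, no, rule)
            for path, no, text in added_lines(diff_text)
            for rule, pattern in RULES.items() if pattern.search(text)]

# Constructed sample: the eval() call is unchanged context, so it is not reported.
SAMPLE_DIFF = """\
diff --git a/app/client.py b/app/client.py
--- a/app/client.py
+++ b/app/client.py
@@ -10,5 +10,6 @@ def fetch(url):
     session = requests.Session()
-    return session.get(url, timeout=5)
+    api_key = "constructed-example-value"
+    return session.get(url, timeout=5, verify=False)

 def legacy(expr):
     return eval(expr)
"""
```

Scanning only added lines keeps the check fast enough to run on every check-in, but it reports nothing about existing code such as the `eval` call above, so a periodic full scan is still needed.
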
Infrastructure as code (IaC), on the other hand, uses DevOps tools to set up and update the infrastructure components. A few examples include Ansible, Puppet, etc. System administrators no longer fix issues on a system. With IaC, if a system lacks something or faces an issue, it is torn down completely and a new one is generated to fill the gap.
Official Blog Link - http://www.algoworks.com/blog/devsecops-integrating-security-into-devops/
