The concept of DevSecOps¶
DevSecOps or DevOps security is about introducing security earlier in the life cycle of application development (a.k.a shift-left), thus minimizing the impact of vulnerabilities and bringing security closer to development team.
By embracing shift-left mentality, DevSecOps encourages organizations to bridge the gap that often exists between development and security teams to the point where many of the security processes are automated and are effectively handled by the development team.
This section covers different tools, frameworks and resources allowing introduction of DevSecOps best practices to your project at early stages of development. Topics covered:
- Credential Scanning - automatically inspecting a project to ensure that no secrets are included in the project's source code.
- Secrets Rotation - automated process by which the secret, used by the application, is refreshed and replaced by a new secret.
- Static Code Analysis - analyze source code or compiled versions of code to help find security flaws.
- Penetration Testing - a simulated attack against your application to check for exploitable vulnerabilities.
- Container Dependencies Scanning - search for vulnerabilities in container operating systems, language packages and application dependencies.