DevSecOps Class Notes

DevSecOps integrates security practices into the DevOps process, aiming to shift security left in the software development lifecycle. Key principles include Security as Code, continuous monitoring, and collaboration among teams, while tools and practices such as SAST, DAST, and container scanning are essential for implementation. Benefits include reduced vulnerabilities and faster secure delivery, though challenges like tool integration and false positives exist.
1. What is DevSecOps?

- DevSecOps stands for Development, Security, and Operations.

- It integrates security practices within the DevOps process.

- Goal: Shift security left, i.e. bring security into the SDLC as early as possible rather than as a final check.

2. Key Principles of DevSecOps

- Security as Code

- Continuous Monitoring & Feedback

- Automation of Security Checks

- Collaboration across Dev, Sec, Ops teams

- Compliance as Code

3. DevSecOps vs DevOps

- DevOps focuses on speed, automation, and CI/CD.

- DevSecOps adds integrated security checks at every phase.

4. DevSecOps Practices

- Threat Modeling

- Static Application Security Testing (SAST)

- Dynamic Application Security Testing (DAST)

- Software Composition Analysis (SCA)

- Secrets Management (e.g., HashiCorp Vault)

- Container Scanning (e.g., Trivy, Clair)

- Infrastructure as Code (IaC) scanning (e.g., Checkov, tfsec)

- CI/CD Pipeline Security
5. DevSecOps Tools

- SAST: SonarQube, Checkmarx

- DAST: OWASP ZAP, Burp Suite

- SCA: Snyk, WhiteSource

- Container Security: Aqua, Prisma, Trivy

- IaC Scanning: tfsec, Checkov

- Secrets Detection: GitLeaks, TruffleHog

6. DevSecOps Workflow

- Code - Build - Test - Release - Deploy - Monitor

- At each stage, embed security gates (checks that fail the pipeline on findings) and the scanning tools from section 4.
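As an added example (not part of the class notes), here is one GitLab CI pipeline that puts a failing security gate at each stage of that workflow using tools named in these notes; the image tags, the `infra/` directory and the `$STAGING_URL` variable are assumptions.

```yaml
# Added example: security gates per workflow stage in GitLab CI.
# Assumptions: Terraform lives under infra/, $STAGING_URL points at an
# already-deployed staging environment, and image tags are illustrative.
stages: [build, test, release, deploy]

variables:
  IMAGE: "$CI_REGISTRY_IMAGE:$CI_COMMIT_SHORT_SHA"
  GIT_DEPTH: 0                       # full history so secrets scans see old commits

build:                               # Build: produce the artifact under test
  stage: build
  image: docker:24
  services: [docker:24-dind]
  script:
    - docker login -u "$CI_REGISTRY_USER" -p "$CI_REGISTRY_PASSWORD" "$CI_REGISTRY"
    - docker build -t "$IMAGE" .
    - docker push "$IMAGE"

secrets-detection:                   # Code/Test: committed credentials (GitLeaks)
  stage: test
  image: { name: zricethezav/gitleaks:latest, entrypoint: [""] }
  script:
    - gitleaks detect --source . --redact --exit-code 1   # non-zero = gate closed

iac-scan:                            # Test: misconfigured infrastructure (Checkov)
  stage: test
  image: { name: bridgecrew/checkov:latest, entrypoint: [""] }
  script:
    - checkov -d infra/ --framework terraform --quiet      # prints only failed checks

container-scan:                      # Release: known CVEs in the image (Trivy)
  stage: release
  image: { name: aquasec/trivy:latest, entrypoint: [""] }
  variables:
    TRIVY_USERNAME: "$CI_REGISTRY_USER"
    TRIVY_PASSWORD: "$CI_REGISTRY_PASSWORD"
  script:
    - trivy image --exit-code 1 --severity HIGH,CRITICAL --ignore-unfixed "$IMAGE"

dast-baseline:                       # Deploy: passive scan of staging (OWASP ZAP)
  stage: deploy
  image: { name: ghcr.io/zaproxy/zaproxy:stable, entrypoint: [""] }
  script:
    - zap-baseline.py -t "$STAGING_URL" -I   # -I: warnings reported, only FAILs block
```

Each job returns a non-zero exit code on findings, so the pipeline stops before the next stage; the severity thresholds are where a team tunes the false-positive trade-off mentioned in section 8.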

7. Benefits of DevSecOps

- Reduces vulnerabilities early

- Speeds up secure delivery

- Promotes collaboration

- Supports compliance (e.g., ISO, SOC2)

8. Challenges

- Tool integration complexity

- Developer awareness/training

- False positives in scanning tools

9. Best Practices

- Automate security in CI/CD

- Regular security training for devs
- Use versioned, trusted base images

- Monitor and log security events

10. Real-World Use Cases

- Financial Institutions: Secure pipelines for banking apps

- Healthcare: HIPAA-compliant CI/CD pipelines

- Government: Secure software supply chains
