# DevSecOps

## Definition

DevSecOps integrates security practices into the DevOps process, embedding security throughout the entire software development lifecycle rather than treating it as a separate phase or a final gate before release.

## Key Principles

- **Shift Left**: Integrate security early in the development process, where defects are cheapest to find and fix
- **Automation**: Security checks run automatically in CI/CD pipelines, so every change is tested the same way
- **Continuous Compliance**: Ongoing security validation and compliance monitoring rather than point-in-time audits
- **Proactive Vulnerability Management**: Early detection and remediation of security issues, including those introduced through dependencies

## Core Practices

- Static Application Security Testing (SAST): analysing source code for vulnerable patterns without executing it
- Dynamic Application Security Testing (DAST): probing the running application for exploitable behaviour
- Software Composition Analysis (SCA): identifying known vulnerabilities and licence issues in third-party dependencies
- Container security scanning: checking OS packages and application dependencies inside built images
- Infrastructure as Code security validation: policy checks on IaC definitions before they are applied
- Secret management and rotation: keeping credentials out of source code and pipelines, and limiting their lifetime

## Tools

- SAST: SonarQube, Checkmarx, Semgrep
- Container scanning: Trivy, Clair, Snyk
- Secret management: HashiCorp Vault, AWS Secrets Manager

## Security Progression Across DevOps Maturity Levels

| Maturity | Security Integration Level |
|----------|----------------------------|
| Phase 1 | Security involved only in the weeks before release; minimal compliance scans |
| Phase 2 | Security operates as a separate function from the rest of the team |
| Phase 3 | Security involved in design, architecture and operations discussions; scans integrated throughout development |
| Phase 4 | Dependency vulnerability management; continuous security monitoring across the team |
| Phase 5 | Insecure or non-compliant code is prevented from reaching production; security fully integrated into the delivery process |

## Sources

- [[sources/cloud-devop-maturity-guideline.md]]
- [[sources/what-is-devsecops-best-practices-benefits-and-tools.md]]
- [[sources/devops-maturity-model-from-traditional-it-to-advanced-devops.md]]

## Related Concepts

- [[concepts/DevOps-Maturity]]
- [[concepts/CI-CD-Pipeline]]
- [[concepts/Infrastructure-as-Code]]
- [[concepts/DORA-Metrics]]
- [[concepts/Change-Failure-Rate]]

## Ingested

- Date: 2026-04-21
- Date: 2026-04-24 (updated with maturity level progression)
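## Worked Example: Pipeline Security Gate

The Core Practices list and the Phase 5 row of the maturity table both come down to the same mechanism: a scan result is turned into a pass/fail decision before a build is promoted. The script below is an added example written for this page; it is not code from Trivy, Snyk or any other tool named above. It consumes a report in the public Trivy JSON layout (`Results` containing `Vulnerabilities` with `VulnerabilityID`, `PkgName`, `InstalledVersion`, `FixedVersion`, `Severity`), applies a severity threshold, and honours a time-boxed exception list so that accepted risks expire instead of becoming a permanent bypass. The sample report and the exception-file format are constructed assumptions for the example; the vulnerability IDs are placeholders, not real CVEs.

```python
"""Pipeline security gate: fail a CI job on unaccepted vulnerabilities.

Added example for this page, not code from any scanner. Input follows the
Trivy JSON layout; the sample report and the exception format are assumed.
"""
from __future__ import annotations

import json
import sys
from dataclasses import dataclass
from datetime import date

SEVERITY_RANK = {"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}


@dataclass(frozen=True)
class Finding:
    vuln_id: str
    package: str
    installed: str
    fixed: str | None      # None when the scanner knows of no fixed version
    severity: str
    target: str


def parse_report(report: dict) -> list[Finding]:
    """Flatten a Trivy-style JSON report into one Finding per vulnerability."""
    findings = []
    for result in report.get("Results", []):
        # Clean targets carry no "Vulnerabilities" key, or a null one.
        for v in result.get("Vulnerabilities") or []:
            findings.append(Finding(
                vuln_id=v["VulnerabilityID"],
                package=v["PkgName"],
                installed=v["InstalledVersion"],
                fixed=v.get("FixedVersion") or None,
                severity=str(v.get("Severity", "UNKNOWN")).upper(),
                target=result.get("Target", ""),
            ))
    return findings


def evaluate(findings, *, fail_on="HIGH", ignore_unfixed=False,
             exceptions=None, today=None):
    """Split findings into (blocking, accepted).

    A finding blocks when its severity is at or above `fail_on`, unless
    ignore_unfixed is set and no fix exists, or its ID has an exception
    whose "expires" date has not passed. Expired exceptions are ignored on
    purpose: an accepted risk needs a deadline.
    """
    if today is None:
        today = date.today()
    elif isinstance(today, str):
        today = date.fromisoformat(today)
    exceptions = exceptions or {}
    threshold = SEVERITY_RANK[fail_on.upper()]
    blocking, accepted = [], []
    for f in findings:
        if SEVERITY_RANK.get(f.severity, 0) < threshold:
            accepted.append(f)
        elif ignore_unfixed and f.fixed is None:
            accepted.append(f)
        elif f.vuln_id in exceptions and \
                date.fromisoformat(exceptions[f.vuln_id]["expires"]) >= today:
            accepted.append(f)
        else:
            blocking.append(f)
    return blocking, accepted


# Constructed sample report (not a real scan); IDs are placeholders.
SAMPLE_REPORT = {
    "ArtifactName": "registry.example/app:1.4.2",
    "Results": [
        {"Target": "registry.example/app:1.4.2 (debian 12.5)", "Class": "os-pkgs",
         "Vulnerabilities": [
             {"VulnerabilityID": "EXAMPLE-0001", "PkgName": "libexample",
              "InstalledVersion": "1.0.0-1", "FixedVersion": "1.0.0-2", "Severity": "CRITICAL"},
             {"VulnerabilityID": "EXAMPLE-0002", "PkgName": "libother",
              "InstalledVersion": "2.3.1", "Severity": "HIGH"},   # no fix yet
             {"VulnerabilityID": "EXAMPLE-0003", "PkgName": "libminor",
              "InstalledVersion": "0.9", "FixedVersion": "0.9.1", "Severity": "LOW"},
         ]},
        {"Target": "app/requirements.txt", "Class": "lang-pkgs", "Type": "pip",
         "Vulnerabilities": [
             {"VulnerabilityID": "EXAMPLE-0004", "PkgName": "httpclient",
              "InstalledVersion": "2.0.0", "FixedVersion": "2.0.1", "Severity": "HIGH"},
         ]},
    ],
}

# Constructed exception list; the {id: {"expires", "reason"}} format is assumed.
SAMPLE_EXCEPTIONS = {
    "EXAMPLE-0002": {"expires": "2026-05-31",
                     "reason": "no upstream fix; package not reachable from the network"},
}


def run_gate(report: dict, exceptions: dict, today=None) -> int:
    """Return the exit code for the CI step: 0 to promote the build, 1 to block."""
    blocking, accepted = evaluate(parse_report(report), fail_on="HIGH",
                                  exceptions=exceptions, today=today)
    for f in blocking:
        fix = f"upgrade to {f.fixed}" if f.fixed else "no fix available"
        print(f"BLOCK {f.severity:<8} {f.vuln_id} {f.package} {f.installed} "
              f"[{f.target}] {fix}")
    print(f"{len(blocking)} blocking, {len(accepted)} accepted")
    return 1 if blocking else 0


if __name__ == "__main__":
    report = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_REPORT
    sys.exit(run_gate(report, SAMPLE_EXCEPTIONS))
```

In a pipeline the report would come from the scanner itself (for Trivy, `trivy image --format json --output report.json <image>`), and the gate runs as the step after it. Trivy can already fail a job with `--exit-code 1 --severity HIGH,CRITICAL --ignore-unfixed`; what the script adds is the expiring exception list, which keeps "accepted risk" from silently becoming "ignored forever", and a single place to apply the same policy to image, dependency and IaC scan output.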