DevSecOps
Definition
DevSecOps integrates security practices into the DevOps process, embedding security throughout the entire software development lifecycle rather than treating it as a separate phase.
Key Principles
- Shift Left: Integrate security early in the development process
- Automation: Security checks automated in CI/CD pipelines
- Continuous Compliance: Ongoing security validation and compliance monitoring
- Proactive Vulnerability Management: Early detection and remediation of security issues
Core Practices
- Static Application Security Testing (SAST)
- Dynamic Application Security Testing (DAST)
- Software Composition Analysis (SCA)
- Container security scanning
- Infrastructure as Code security validation
- Secret management and rotation
Tools
- SAST: SonarQube, Checkmarx, Semgrep
- Container scanning: Trivy, Clair, Snyk
- Secret management: HashiCorp Vault, AWS Secrets Manager
Security Progression Across DevOps Maturity Levels
| Maturity | Security Integration Level |
|---|---|
| Phase 1 | Security involvement only weeks before release, minimal compliance scans |
| Phase 2 | Security operates separately from the rest of the team |
| Phase 3 | Security involved in design, architecture, and operations discussions; scans integrated throughout development |
| Phase 4 | Dependency vulnerability management; continuous security monitoring across the team |
| Phase 5 | Prevent insecure/non-compliant code from reaching production; high-level security integration |
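The Core Practices list and the Phase 5 row both come down to the same mechanism: an automated check that runs on every change and fails the pipeline when it finds a problem. The script below is an added example (not code from the cited sources or from any of the tools named on this page) of a minimal merge gate that combines two of those practices, secret scanning and software composition analysis. The advisory feed, package names, file contents and the `EXAMPLE-ADV-*` labels are all constructed for illustration; a real gate would take its advisories from an SCA tool or a vulnerability feed and run Semgrep or Trivy in addition to these regex checks.

```python
"""Minimal CI merge gate: secret scanning plus dependency (SCA) checks.

Added example, not from any source page or tool. ADVISORIES and the sample
change set are constructed; no real vulnerability data is embedded.
"""
import re
import sys
from dataclasses import dataclass

# Constructed advisory feed: package -> list of (highest vulnerable version, label).
# A real pipeline would pull this from an SCA tool or a vulnerability database.
ADVISORIES = {
    "examplelib": [((1, 4, 2), "EXAMPLE-ADV-1")],  # assumed fixed in 1.4.3
    "otherpkg": [((0, 9, 0), "EXAMPLE-ADV-2")],    # assumed fixed in 0.9.1
}

# Patterns for obvious committed credentials. The AWS one matches the documented
# key-id format; the generic one catches quoted assignments to secret-like names.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "secret_assignment": re.compile(
        r"(?i)(?:password|passwd|secret|api[_-]?key|token)\s*[:=]\s*['\"][^'\"]{8,}['\"]"
    ),
}


@dataclass
class Finding:
    check: str      # "secret" or "sca"
    location: str   # path:line or path:package==version
    detail: str     # pattern name, advisory label, or explanation


def parse_version(v: str) -> tuple:
    """'1.4.2' -> (1, 4, 2); missing components are padded with zeros."""
    parts = [int(p) for p in v.split(".") if p.isdigit()]
    return tuple((parts + [0, 0, 0])[:3])


def scan_secrets(path: str, text: str) -> list:
    """Flag every line matching a secret pattern, with its line number."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for name, pattern in SECRET_PATTERNS.items():
            if pattern.search(line):
                findings.append(Finding("secret", f"{path}:{lineno}", name))
    return findings


def parse_requirements(text: str):
    """Split a requirements file into exact pins and everything else.

    Only 'name==version' is accepted as a pin; a floating dependency cannot be
    checked against advisories, so it is reported separately.
    """
    pins, unpinned = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.fullmatch(r"([A-Za-z0-9_.\-]+)==([0-9][0-9.]*)", line)
        if m:
            pins[m.group(1).lower()] = m.group(2)
        else:
            unpinned.append(line)
    return pins, unpinned


def scan_dependencies(req_text: str) -> list:
    """Report unpinned dependencies and pins at or below a vulnerable version."""
    pins, unpinned = parse_requirements(req_text)
    findings = [Finding("sca", "requirements.txt", f"unpinned dependency: {u}") for u in unpinned]
    for name, ver in pins.items():
        for max_vulnerable, label in ADVISORIES.get(name, []):
            if parse_version(ver) <= max_vulnerable:
                findings.append(Finding("sca", f"requirements.txt:{name}=={ver}", label))
    return findings


def gate(files: dict) -> tuple:
    """Run all checks over {path: content}; return (passed, findings)."""
    findings = []
    for path, content in files.items():
        findings += scan_secrets(path, content)
        if path.endswith("requirements.txt"):
            findings += scan_dependencies(content)
    return (not findings), findings


# Constructed change set: two committed secrets, one vulnerable pin, one unpinned package.
SAMPLE_CHANGE = {
    "app/config.py": (
        'AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"\n'   # AWS documentation example key id
        'DB_PASSWORD = "hunter2-but-longer"\n'
        "DEBUG = False\n"
    ),
    "requirements.txt": "examplelib==1.4.2  # constructed, vulnerable\notherpkg==1.0.0\nrequests\n",
}

if __name__ == "__main__":
    passed, findings = gate(SAMPLE_CHANGE)
    for f in findings:
        print(f"[{f.check}] {f.location}: {f.detail}")
    print("GATE PASSED" if passed else "GATE FAILED")
    sys.exit(0 if passed else 1)
```

The gate's exit status is what the pipeline acts on: a non-zero exit blocks the merge, which is the Phase 5 behaviour of keeping insecure or non-compliant code out of production rather than reporting it after the fact. Treating an unpinned dependency as a failure rather than a warning is a deliberate choice: a version that floats cannot be matched against an advisory, so the SCA result for it would be meaningless.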
Sources
- sources/cloud-devop-maturity-guideline.md
- sources/what-is-devsecops-best-practices-benefits-and-tools.md
- sources/devops-maturity-model-from-traditional-it-to-advanced-devops.md
Related Concepts
- concepts/DevOps-Maturity
- concepts/CI-CD-Pipeline
- concepts/Infrastructure-as-Code
- concepts/DORA-Metrics
- concepts/Change-Failure-Rate
Ingested
- Date: 2026-04-21
- Date: 2026-04-24 (updated with maturity level progression)