How DevSecOps brings security into the development process

December 1, 2021
Andy Oram
Related topics: CI/CD, DevOps, DevSecOps, Kubernetes, Security
Related products: Red Hat OpenShift

    DevSecOps is an extension of DevOps that emphasizes security automation and cooperation across the organization. More than just hype, DevSecOps is a crucial addition to your organization's development and deployment processes, especially given the range of ransomware groups, industrial spies, identity thieves, and other attackers plaguing today's cyberworld. In this article, you will learn how DevSecOps extends familiar DevOps tools and processes to help cross-functional teams work together on the design and implementation of security policies and procedures.

    What is DevSecOps?

    Essentially, DevSecOps is a way to ensure that security policies set by your organization—such as static analysis, vulnerability scanning, and access controls—are applied consistently in production, even if you are launching hundreds of virtual machines or containers every hour. With DevSecOps, the tools that carry out security policies are baked into the build process, through well-known DevOps techniques such as continuous integration and continuous deployment (CI/CD). The development team can assure managers and administrators that their security policies are being enforced without depending on individual developers to manually run the tools.

    DevSecOps tools and processes

    Developers and teams familiar with DevOps tools and processes can adopt them for DevSecOps. The basic elements of DevSecOps are:

    • Tools: DevSecOps adds vulnerability scanners, penetration testing, firewall rules, intrusion detection systems, and other common security features to the version control and CI/CD processes used for DevOps.
    • Processes: DevSecOps automates security practices in order to apply them consistently and verifiably across all the containers and services created by the development team.
    • Transparency and review: All decisions made by the development team are open to discussion among managers and security experts. Test and production systems can log their activities, and these logs can be checked to ensure that the development team has implemented the decisions of the larger organization.

    Let's look at a few hypothetical examples of DevSecOps in action to show how it brings organizational priorities into production.

    Vulnerability scanning in the DevSecOps pipeline

    Vulnerabilities exist at many levels. You may have coding errors such as buffer overflows and incorrect type conversions, poorly secured user interfaces that allow SQL injection, or dependencies on third-party libraries that contain security flaws. A range of automatic vulnerability checkers now exists for all these problems, suited to various application types and sizes. Many of these tools can be added to a build process with just a few clicks in popular developer platforms; see, for example, DevSecOps in GitHub and DevSecOps with GitLab.

    But a developer can't check everything all the time. The team must decide at what point to run checks, how much time they want to add to the build process, and where the most urgent priorities lie. A DevSecOps pipeline documents these decisions and ensures they are carried out.

    For instance, where should you incorporate a tool such as Red Hat's Project Thoth, which checks common security databases and reveals flaws in your third-party libraries? If you discover a problem in a function call buried deep within your application, you had better determine right away whether your application is at risk, and if so how to fix the problem. Should you upgrade, back off to an old version of the library, or replace the library altogether? You'll want to learn about the flaw as early in the development cycle as you can, so you might take the time to run the tool upon every check-in to version control.

    On the other hand, when it comes to running a common code scanner for, say, bugs in memory management code, you might choose to wait until you are ready to build a full version of the app for testing. Memory management flaws might be critical, but they are usually quick to fix.

    The key to DevSecOps is that a team and its security advisors can discuss the tools and trade-offs available for each code base and then bake their decisions into builds.
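As an added example (not code from the article or any Red Hat project), here is one way to bake the decisions just described into a build: a small policy gate that runs the dependency check on every check-in, holds the memory-safety scanner back to full test builds, and blocks on an agreed severity threshold per tool. The tool names, stage names and the scanner report format are assumptions.

```python
"""Pipeline policy gate: an added example, not code from the article.

Encodes the trade-offs the text describes: a dependency-vulnerability check
runs on every check-in, a memory-safety scanner only on full test builds,
and findings are judged against a severity threshold the team agreed on.
Tool names, stage names and the report format are assumptions.
"""
import json

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# Hypothetical team policy: which tools run at which stage, and the lowest
# severity that blocks the build for that tool at that stage.
POLICY = {
    "checkin": {"dependency-check": "high"},
    "full-build": {"dependency-check": "high", "memory-scan": "medium"},
}

# Constructed sample report, shaped like a generic scanner JSON export.
SAMPLE_REPORT = json.loads("""[
  {"tool": "dependency-check", "id": "ADV-EXAMPLE-1", "severity": "critical"},
  {"tool": "dependency-check", "id": "ADV-EXAMPLE-2", "severity": "low"},
  {"tool": "memory-scan", "id": "MEM-EXAMPLE-7", "severity": "medium"}
]""")


def evaluate(report, stage, policy=POLICY):
    """Return (passed, blocking_ids) for one pipeline stage.

    Findings from tools not scheduled at this stage are ignored, so a
    memory-scan hit never blocks a quick check-in build; a finding blocks
    when its severity meets or exceeds the agreed threshold for its tool.
    """
    if stage not in policy:
        raise ValueError(f"no policy defined for stage {stage!r}")
    blocking = []
    for finding in report:
        threshold = policy[stage].get(finding["tool"])
        if threshold is None:
            continue  # tool does not run at this stage
        rank = SEVERITY_RANK.get(finding.get("severity", "low").lower(), 0)
        if rank >= SEVERITY_RANK[threshold]:
            blocking.append(finding["id"])
    return (not blocking, blocking)


if __name__ == "__main__":
    for stage in POLICY:
        ok, hits = evaluate(SAMPLE_REPORT, stage)
        print(f"{stage}: {'PASS' if ok else 'FAIL'} {hits}")
```

Because the policy lives in the repository next to the code, the choice of which scanner runs when is reviewable by the security advisors rather than left to each developer's habit.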

    Dynamic scanning and penetration testing

    Security experts know that they can't rely on applications to be safe in a production environment, even if the developers have run a battery of static tests. DevSecOps lets developers ensure that every container they launch is checked regularly at runtime by a penetration tester, intrusion detection system, and other such tools.

    An automated approach to securing devices

    Many organizations are losing control over their endpoints. During the COVID-19 shutdowns, workers obtained access to critical systems and assets from their homes and even their local cafes. Within the workplace, "bring your own device" (BYOD) became popular well before that.

    The standard security practice in this situation is to scan networks for all devices that connect. A database of approved devices helps restrict access to authorized devices. Such access can also be restricted to particular locations and times of the week. Penetration tests and other tools can even check whether the device has a password and up-to-date software.

    To institute such protections, the IT team has to consult with managers of all departments. The organization needs processes for registering devices along with their owners, and for scanning networks regularly. Some of these processes can be incorporated into the development process through DevSecOps. For instance, your configurations can ensure that a scanner is running, as well as a process that monitors logs and alerts.

    Similar processes can formalize other organizational protections, such as firewall rules and access control lists.
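As an added example (not code from the article), the following script shows the log-monitoring side of the device controls described above: it replays connection-log lines against a registry of approved devices, each restricted to given source networks, weekdays and hours, and returns the alerts a monitor would raise. The log format, registry fields and device identifiers are assumptions, and all sample data is constructed.

```python
"""Approved-device access check: an added example, not code from the article.

Replays constructed connection-log lines against a registry of approved
devices (allowed source networks, weekdays and hours) and returns the alerts
a log monitor would raise. Log format, fields and identifiers are assumptions.
"""
from datetime import datetime

# Constructed registry: source-network prefixes, weekdays (0=Mon), [start, end) hours.
APPROVED = {
    "aa:bb:cc:00:00:01": {"owner": "alice", "nets": ("10.0.0.",),
                          "days": {0, 1, 2, 3, 4}, "hours": (8, 18)},
    "aa:bb:cc:00:00:02": {"owner": "bob", "nets": ("10.0.0.", "10.0.1."),
                          "days": set(range(7)), "hours": (0, 24)},
}

# Constructed log lines: "<ISO timestamp> CONNECT device=<id> src=<ip>".
SAMPLE_LOG = """\
2021-12-01T09:15:00 CONNECT device=aa:bb:cc:00:00:01 src=10.0.0.5
2021-12-01T22:40:00 CONNECT device=aa:bb:cc:00:00:01 src=10.0.0.5
2021-12-04T03:00:00 CONNECT device=aa:bb:cc:00:00:02 src=10.0.1.9
2021-12-01T11:00:00 CONNECT device=aa:bb:cc:00:00:99 src=10.0.0.7
2021-12-01T10:00:00 CONNECT device=aa:bb:cc:00:00:01 src=192.168.1.20
"""

def parse_line(line):
    """Split one CONNECT log line into (timestamp, device id, source ip)."""
    ts, event, dev, src = line.split()
    if event != "CONNECT":
        raise ValueError(f"unexpected event {event!r}")
    return datetime.fromisoformat(ts), dev.split("=", 1)[1], src.split("=", 1)[1]

def check_access(log_text, registry=APPROVED):
    """Return (timestamp, device, reason) for every line that violates policy."""
    alerts = []
    for line in filter(None, log_text.splitlines()):
        ts, dev, src = parse_line(line)
        entry = registry.get(dev)
        if entry is None:
            reason = "unregistered device"
        elif not src.startswith(entry["nets"]):
            reason = "source outside approved networks"
        elif ts.weekday() not in entry["days"]:
            reason = "outside allowed weekday"
        elif not entry["hours"][0] <= ts.hour < entry["hours"][1]:
            reason = "outside allowed hours"
        else:
            continue  # registered device, approved network, inside its window
        alerts.append((ts.isoformat(), dev, reason))
    return alerts
```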

    Conclusion

    DevSecOps is about more than tools and processes. It brings transparency and validation to the crucial area of cybersecurity. All relevant stakeholders can weigh in on security decisions and be sure that the developers incorporate their concerns into development and build processes. Security on a 24/7 basis no longer depends on the day-to-day vigilance of developers or operators; instead, it is enforced by a system where cross-functional teams are working in alignment.

    In organizations with constant innovation and heavy dependence on network applications interacting with people around the world, DevSecOps gives developers, operators, and managers more peace of mind.

    Last updated: September 20, 2023
