DevSecOps: Automating security in the development lifecycle

Learn how security teams are using DevOps principles and CI/CD pipelines to automate application security.

Deployment feature image

Automate application security with OpenShift Pipelines

In this self-paced tutorial, learn how to use OpenShift Pipelines to automate the deployment of your applications.

OpenShift Pipelines is a cloud-native, continuous integration and delivery (CI/CD) solution for building pipelines using Tekton. Tekton is a flexible, Kubernetes-native, open-source CI/CD framework that enables automating deployments across multiple platforms (e.g. Kubernetes, serverless, VMs, and so forth) by abstracting away the underlying details.

Automate deployment

What is DevSecOps?

DevSecOps automates and modernizes application security using familiar DevOps principles:

  • Traceable, transparent specifications
  • Version control for document management
  • Automated tools and testing through CI/CD pipelines

In traditional security, developers run tests for code security, while operators ensure that firewalls and other protections work in the production environment. Access control and other tasks are handled by security experts and managers. DevSecOps uses version control and CI/CD pipelines to configure and manage security tasks automatically, across all teams, before deployment.

Who should learn DevSecOps?

DevSecOps brings together developers, systems architects, operators, security experts, and managers. Anyone with a role in security can define specifications and review system behavior:

  • For developers, DevSecOps is a way to scan their code at every check-in for coding flaws and vulnerabilities in package dependencies.
  • For system architects and operators, DevSecOps ensures that the intrusion detectors, firewall rules, and access control lists they've prepared are consistently applied.
  • For security experts and managers, DevSecOps allows formal requirements and reviews of their implementation.

Why is DevSecOps important?

The cyber landscape offers attackers many opportunities for targeting your organization, so security must be a top priority. DevSecOps automates security best practices across all of your applications and networks.

 

Community icon

DevSecOps spans the application lifecycle

You can integrate virtually any security tool you use in production–such as intrusion detection, monitoring, and access control–with version control and CI/CD to create a comprehensive DevSecOps pipeline.

Code icon

Automated processes are more secure

DevSecOps removes the overhead of remembering to run your security tools and processes. You can set up tests and scans to run at check-ins or other key points during deployment, eliminating the risk of skipping a step.

Virtual environments icon

Transparent implementation reviews

DevSecOps removes the gap between security policies and how they’re implemented. Organizations can use DevSecOps to specify security goals–such as how often to run a scanner–and verify they've been implemented.

Object oriented icon

DevSecOps fosters a security mindset

At a technical level, DevSecOps is just DevOps with an added security layer. But done right, it can transform how your team thinks about security. Adopting DevSecOps requires conversations that improve how teams understand security. For developers, DevSecOps is a natural pathway to a security mindset.

Learn DevSecOps

odo/kubernetes release feature image

How DevSecOps brings security into the development process

Ansible feature image

Four reasons developers should use Ansible

kubernetes feature image

Kubernetes admission control with validating webhooks

More DevSecOps resources

DevSecOps is the way | Red Hat Livestreaming

In this monthly livestream series, learn how Red Hat weaves together DevOps and security automation to master DevSecOps. This show introduces you to Red Hat products used for DevSecOps and our security ecosystem partners to aid in your journey.

computer security

What developers need to know about security compliance

A developer's guide to security standards. Sharpen your understanding of key security standards and how they work together, then get tips for establishing responsibility for different aspects of your security infrastructure and incorporating security into your daily workflow—even when the requirements change from project to project.

Read more

Popular DevSecOps resources

DevNation Tech Talks image

DevNation Tech Talk: Kubernetes configuration and security policies with KubeLinter

Learn more
devnation

DevNation Tech Talk: Security and authentication strategies for apps on Kubernetes

Learn more
How to apply machine learning to GitOps

How to apply machine learning to GitOps

Learn more
Get started with Tekton and Pipelines

Get started with Tekton and Pipelines

Learn more
3 steps toward improving container security

3 steps toward improving container security

Learn more
2020_GitOps_Kubernetes_Featured_ArticleA_0

Managing GitOps control planes for secure GitOps practices

Learn more

Achieving DevOps with Containers: 3 things people miss by Scott McCarty

Learn more
devops

DesOps is "DevOps 2.0"

Learn more