DevSecOps: Automating security in the development lifecycle

Learn how security teams are using DevOps principles and CI/CD pipelines to automate application security.

Automate application security with OpenShift Pipelines

In this self-paced tutorial, learn how to use OpenShift Pipelines to automate the deployment of your applications.

OpenShift Pipelines is a cloud-native, continuous integration and delivery (CI/CD) solution for building pipelines using Tekton. Tekton is a flexible, Kubernetes-native, open-source CI/CD framework that enables automating deployments across multiple platforms (such as Kubernetes, serverless, and VMs) by abstracting away the underlying details.

What is DevSecOps?

DevSecOps automates and modernizes application security using familiar DevOps principles:

  • Traceable, transparent specifications
  • Version control for document management
  • Automated tools and testing through CI/CD pipelines

In traditional security, developers run tests for code security, while operators ensure that firewalls and other protections work in the production environment. Access control and other tasks are handled by security experts and managers. DevSecOps uses version control and CI/CD pipelines to configure and manage security tasks automatically, across all teams, before deployment.

Who should learn DevSecOps?

DevSecOps brings together developers, systems architects, operators, security experts, and managers. Anyone with a role in security can define specifications and review system behavior:

  • For developers, DevSecOps is a way to scan their code at every check-in for coding flaws and vulnerabilities in package dependencies.
  • For system architects and operators, DevSecOps ensures that the intrusion detectors, firewall rules, and access control lists they've prepared are consistently applied.
  • For security experts and managers, DevSecOps allows formal requirements and reviews of their implementation.

Why is DevSecOps important?

The cyber landscape offers attackers many opportunities for targeting your organization, so security must be a top priority. DevSecOps automates security best practices across all of your applications and networks.

DevSecOps spans the application lifecycle

You can integrate virtually any security tool you use in production (such as intrusion detection, monitoring, and access control) with version control and CI/CD to create a comprehensive DevSecOps pipeline.

Automated processes are more secure

DevSecOps removes the overhead of remembering to run your security tools and processes. You can set up tests and scans to run at check-ins or other key points during deployment, eliminating the risk of skipping a step.

Transparent implementation reviews

DevSecOps removes the gap between security policies and how they’re implemented. Organizations can use DevSecOps to specify security goals (such as how often to run a scanner) and verify they've been implemented.

DevSecOps fosters a security mindset

At a technical level, DevSecOps is just DevOps with an added security layer. But done right, it can transform how your team thinks about security. Adopting DevSecOps requires conversations that improve how teams understand security. For developers, DevSecOps is a natural pathway to a security mindset.

Learn DevSecOps

Article
Dec 01, 2021

How DevSecOps brings security into the development process

Andy Oram

Extend common DevOps tools and processes with DevSecOps to improve app...

Article
Sep 27, 2021

Four reasons developers should use Ansible

Don Schenck

Why should developers learn Ansible? Find out how this simple yet powerful...

Article
Sep 17, 2021

Kubernetes admission control with validating webhooks

Ricardo Lourenço

Learn to write, configure, and install a webhook that intercepts and...

DevSecOps is the way | Red Hat Livestreaming

In this monthly livestream series, learn how Red Hat weaves together DevOps and security automation to master DevSecOps. This show introduces you to Red Hat products used for DevSecOps and our security ecosystem partners to aid in your journey.

What developers need to know about security compliance

A developer's guide to security standards. Sharpen your understanding of key security standards and how they work together, then get tips for establishing responsibility for different aspects of your security infrastructure and incorporating security into your daily workflow—even when the requirements change from project to project.

Popular DevSecOps resources

Kubernetes configuration and security policies with KubeLinter | DevNation Tech Talk

Security and authentication strategies for apps on Kubernetes | DevNation Tech Talk

Article
Jun 29, 2021

How to apply machine learning to GitOps

Ip Sam +1

Improve deployment processes and outcomes by applying machine learning in...

Article
Jan 13, 2021

Getting started with Tekton and Pipelines

Cedric Clyburn

Learn how to create a Kubernetes-native CI/CD pipeline by installing Tekton,...

Article
Oct 21, 2019

3 steps toward improving container security

David Strom

The basic steps of container security involve securing the build environment,...

Article
Aug 03, 2021

Managing GitOps control planes for secure GitOps practices

Shoubhik Bose +2

Learn about the tools Red Hat has available to implement GitOps workflows....