What is DevSecOps?
This is basically building security in the DevOps process. DevOps is the combination of a Development with Operations; these were once different disciplines which now have fused into one. Now we add security to that mixture, and we get DevSecOps. This brings concepts like SAST (Static Application Security Testing), DAST (Dynamic Application Security Testing), RASP (Runtime Application Self Protection), IAST (Interactive Application Security Testing).
So Why is This Important?
With today's abundance in web applications, organizations have now become mindful of protecting these applications. A lot of these organizations these days have had major data leaks. While the developer once only worried about business logic now there are other considerations taken into account such as putting boundary checks on for loops, sanitizing inputs, input validation and so forth.
What Tools Are Needed?
- Cloud (AWS, Azure, GCP)
- CI/CD (Jenkins, GitLab, Travis CI, Circle CI, GitHub Actions)
- Scripting (Bash, Python)
- Configuration Management (Ansible, Puppet, Chef, Packer)
- SAST Tools (SonarQube)
- DAST Tools (OWASP ZAP)
- Container Security Tools (Sysdig, Trivy)
What Are Some Books for Learning?
- Phoenix Project by Gene Kim
- Agile Application Security by Laura Bell, Michael Brunton-Spall, Rick Smith & Jim Bird
- DevOpsSec by Jim Bird
- Hands-On Security in DevOps by Tony Hsu
What Certifications to Go For?
- CompTIA Certification
- AWS/Azure/GCP Certification
- SANS Certification
- CISSP Certification
After all of this, it will not make you an expert but will give you the knowledge you need to get there. Security is a never-ending battle!
Top comments (0)