STARTING WITH DEVSECOPS

Starting with DevSecOps

TABLE OF CONTENTS

Preface 1
Introduction 1
Understanding DevSecOps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1 

Essential Themes in DevSecOps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1  

Unveiling the "Phoenix" Initiative. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3  

Advantages and Disadvantages of DevSecOps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3  

DevSecOps Journey: A Beginner’s Guide 5

DevSecOps Pipeline: Building the Bridge. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5  

Security Tools and Technologies: Making Informed Choices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6  

Core Practices in DevSecOps 8

DevSecOps with Additional Practices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10  

Different DevSecOps Tools 11

Configuration Management Tools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11  

Continuous Integration and Delivery Tools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12  

Containerization and Orchestration Tools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13  

Security Information and Event Management (SEM) Tools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14  

Open-Source Tools and Projects 15

Resources for learning DevSecOps 16

JAVACODEGEEKS.COM | © EXELIXIS MEDIA P.C. VISIT JAVACODEGEEKS.COM FOR MORE!

 1 STARTING WITH DEVSECOPS

PREFACE
PREFACE more secure and reliable software products.
Moreover, by integrating security into the
Welcome to the world of DevSecOps! As technology development process, organizations can achieve
continues to advance at an unprecedented pace, better alignment between security and business
organizations are constantly seeking ways to objectives, leading to enhanced customer trust and
deliver software faster while maintaining the competitive advantage.
highest level of security. In this rapidly evolving
landscape, DevSecOps has emerged as a crucial UNDERSTANDING DEVSECOPS
approach to bridge the gap between development,
security, and operations teams. DevSecOps is an approach to software development
that combines development (Dev), security (Sec),
This cheatsheet serves as a handy reference guide and operations (Ops) practices into a unified and
to help you navigate the key principles, practices,
collaborative process. It aims to integrate security
and tools of DevSecOps. Whether you’re a software measures and considerations into every stage of the
developer, security professional, operations software development lifecycle, from design and
engineer, or anyone involved in the software coding to testing, deployment, and operations.
development lifecycle, this cheatsheet aims to equip Traditionally, software development processes have
you with the essential knowledge and best practices often treated security as a separate and isolated
required to integrate security seamlessly into your concern, addressed late in the development cycle or
development process. as an afterthought. This approach can lead to
vulnerabilities and security issues being discovered
INTRODUCTION
INTRODUCTION too late, causing delays, increased costs, and
potential breaches.
The primary goal of DevSecOps is to foster a culture
of shared responsibility, collaboration, and DevSecOps, on the other hand, advocates for
continuous improvement. By incorporating security security to be an inherent part of the development
from the very beginning and throughout the process from the beginning. It promotes a shift-left
software development lifecycle, organizations can mentality, where security practices are applied
proactively address vulnerabilities and ensure the early on and continuously throughout
resilience of their applications and systems. development. By incorporating security practices
into the DevOps workflow, organizations can
DevSecOps, short for Development, Security, and proactively identify and address security risks,
Operations, is an innovative approach to software reduce vulnerabilities, and ensure that software is
development that emphasizes integrating security secure by design.
practices and principles into every phase of the
software development lifecycle. It represents a DevSecOps also embraces automation and tooling
fundamental shift in how organizations to streamline security practices, enabling
traditionally approach software development by developers to easily incorporate security controls
prioritizing security from the very beginning and into their workflows. By providing developers with
integrating it seamlessly into the development the necessary tools and resources to build secure
process.DevSecOps aims to break down the silos code, DevSecOps empowers them to take ownership
between development, security, and operations of security and ensures that security measures are
teams, fostering collaboration and shared implemented consistently and efficiently across the
responsibility throughout the software software development lifecycle.
development process. By adopting this approach,
organizations can address security concerns ESSENTIAL THEMES IN DEVSECOPS
proactively, minimize vulnerabilities, and deliver
more secure and resilient software solutions. The The key themes of DevSecOps can be summarized
benefits of adopting a DevSecOps approach are as follows:
numerous. It allows organizations to respond more
effectively to the constantly evolving threat
landscape, reduce the time required to detect and
mitigate security issues, and ultimately deliver

JAVACODEGEEKS.COM | © EXELIXIS MEDIA P.C. VISIT JAVACODEGEEKS.COM FOR MORE!

 2 STARTING WITH DEVSECOPS

Key Principles Of business objectives.

Description
Devsecops
Avoid These Three Mistakes in Enterprise
Collaboration and DevSecOps emphasizes
Organizations
Shared Responsibility collaboration and
shared responsibility Here are three common mistakes to avoid in
among development, enterprise organizations when implementing
security, and operations DevSecOps:
teams.

Shift-Left Security DevSecOps promotes the • Lack of Collaboration and Communication:

concept of "shifting left" One of the biggest mistakes in DevSecOps
security, which means implementation is failing to foster
integrating security collaboration and communication between
practices and development, security, and operations teams.
considerations early in It’s crucial to break down silos and establish
the software regular communication channels to ensure that
development lifecycle. security considerations are integrated into
every stage of the software development
Automation and DevSecOps relies on lifecycle.
Tooling automation tools to
streamline security • Inadequate Security Training and
practices and reduce Awareness: Neglecting to provide sufficient
manual efforts. security training and awareness programs to
developers and other stakeholders can
Continuous Security DevSecOps advocates undermine the effectiveness of DevSecOps. It’s
Testing for continuous security essential to educate and empower team
testing throughout the members with the necessary knowledge and
development lifecycle. skills to identify and address security issues. A
Compliance and DevSecOps promotes lack of security awareness can lead to the
Governance integrating security introduction of vulnerabilities and weak
controls and compliance security practices in software development
requirements into the processes.
development process. • Insufficient Automation and Tooling:
Risk Management DevSecOps emphasizes Another mistake is not investing in automation
a risk-based approach to and appropriate tooling to support the
security. DevSecOps workflow. Automation plays a
crucial role in streamlining security practices,
Continuous Monitoring DevSecOps advocates
such as continuous integration, continuous
and Feedback for continuous
deployment, and automated security testing.
monitoring of the
Without adequate automation and tooling,
software in production.
organizations may struggle to effectively
Education and DevSecOps recognizes integrate security into their development
Awareness the importance of pipelines and detect vulnerabilities on time.
education and
awareness among These three mistakes highlight the importance of
developers, security collaboration, training, awareness, and automation
professionals, and other in successful DevSecOps implementation within
stakeholders. enterprise organizations. By avoiding these pitfalls,
organizations can enhance their security posture
By embracing these key themes, organizations can and ensure the successful integration of security
create a culture of security and collaboration, into their software development practices.
enabling them to build and deploy software that is
inherently secure, resilient, and aligned with

JAVACODEGEEKS.COM | © EXELIXIS MEDIA P.C. VISIT JAVACODEGEEKS.COM FOR MORE!

 3 STARTING WITH DEVSECOPS

UNVEILING THE "PHOENIX" INITIATIVE By drawing parallels between the three ways of
security in DevSecOps and the principles discussed
The three ways of security in DevSecOps talk about in The Phoenix Project, organizations can
the Phoenix project. The Phoenix Project is a book understand the importance of aligning goals,
written by Gene Kim, Kevin Behr, and George leveraging automation and feedback loops, and
Spafford that explores the challenges and solutions fostering a culture of learning and improvement in
in transforming an organization’s IT operations. their security practices.
While the book doesn’t specifically address security
in DevSecOps, we can relate the three ways of
ADVANTAGES AND DISADVANTAGES OF
security in DevSecOps to the principles discussed in
DEVSECOPS
The Phoenix Project. Here’s an interpretation:

• Shift-Left Security and Alignment of Security Advantages

Goals: The first way of security in DevSecOps
DevSecOps offers several advantages for
aligns with the principle of shifting security to
organizations:
the left. Similarly, in The Phoenix Project, the
first way focuses on creating an understanding
• Improved security posture: DevSecOps
and alignment of goals across different teams.
integrates security practices throughout the
In the context of security, this means involving
software development lifecycle, ensuring that
security professionals early in the development
security considerations are addressed early on
process and ensuring that security objectives
and continuously. By embedding security into
and requirements are communicated to all
every stage of development, organizations can
stakeholders.
enhance their overall security posture and
• Automated Security Testing and reduce the risk of vulnerabilities and security
Amplification of Feedback: The second way of breaches.
security in DevSecOps aligns with the concept
• Faster time to market: DevSecOps promotes
of automated security testing. In The Phoenix
automation, continuous integration, and
Project, the second way emphasizes the need
continuous delivery (CI/CD) practices. This
for feedback loops and amplifies feedback
automation streamlines the development and
quickly and effectively. Similarly, in DevSecOps,
deployment processes, allowing organizations
organizations implement automated security
to release software faster and more frequently.
testing tools and processes to provide
By integrating security into these automated
continuous feedback on the security of their
processes, security measures can be
software. This helps identify vulnerabilities
implemented without significantly slowing
early, enabling faster remediation and reducing
down development cycles.
security risks.
• Early detection and mitigation of
• Continuous Monitoring and Response, and
vulnerabilities: DevSecOps incorporates
Creating a Culture of Learning: The third way
security testing and scanning tools into the
of security in DevSecOps relates to continuous
development pipeline, enabling the early
monitoring and response. In The Phoenix
detection and mitigation of vulnerabilities.
Project, the third way focuses on creating a
Automated security testing helps identify
culture of learning and improvement. In the
security weaknesses, such as code flaws or
context of security, this means establishing
misconfigurations, and allows developers to
continuous monitoring mechanisms, such as
address them promptly before they become
real-time security monitoring and incident
more complex and expensive to fix.
response processes, to identify and respond to
security incidents promptly. It also involves • Increased collaboration and communication:
fostering a culture of learning from security DevSecOps fosters collaboration between
events, conducting post-incident reviews, and development, operations, and security teams.
implementing improvements to prevent similar This collaboration improves communication,
incidents in the future. knowledge sharing, and mutual understanding
of each team’s requirements and concerns. By

JAVACODEGEEKS.COM | © EXELIXIS MEDIA P.C. VISIT JAVACODEGEEKS.COM FOR MORE!

 4 STARTING WITH DEVSECOPS

working together, teams can align their efforts introduce complexities. Organizations may face
toward building secure and reliable software. challenges in integrating security tools and
practices seamlessly into their existing
• Continuous compliance and auditing:
development workflows. Compatibility issues,
Compliance with regulatory standards and
configuration challenges, and the need to align
industry best practices is essential for many
with different development environments and
organizations. DevSecOps enables continuous
technologies can create additional overhead
compliance by integrating compliance checks
and slow down the development process.
and audits into the development process. This
approach ensures that security controls and • Balancing speed and security: DevSecOps
requirements are met consistently, reducing aims to enable faster software delivery while
the effort and potential disruptions associated ensuring security. However, there can be a
with compliance assessments. potential tension between speed and security
requirements. Striking the right balance
• Risk reduction and mitigation: By addressing
between rapid development cycles and robust
security early in the development process,
security measures can be challenging.
DevSecOps helps mitigate risks associated with
Organizations need to find ways to prioritize
software vulnerabilities and security breaches.
security without causing significant delays or
Proactive identification and mitigation of
compromising the agility and speed of software
security issues minimize the likelihood of
delivery.
successful attacks and potential damage to the
organization’s reputation, financial stability, • Skill gaps and expertise: Implementing
and customer trust. DevSecOps requires skilled personnel who
possess expertise in both development and
• Agile and adaptive security: DevSecOps
security domains. Finding individuals with a
promotes an agile and adaptive security
strong understanding of both areas can be
mindset. Security measures can be
challenging, and organizations may need to
continuously evaluated, adjusted, and
invest in training or hiring specialized talent.
improved based on emerging threats, evolving
Bridging the skill gaps between development
security standards, and changing business
and security teams can take time and effort.
requirements. This allows organizations to stay
resilient and respond effectively to new • Cultural and organizational challenges:
security challenges. DevSecOps requires a cultural shift and a
collaborative mindset across different teams,
Disadvantages including developers, operations, and security
professionals. Overcoming organizational silos,
While DevSecOps brings numerous benefits, there fostering effective communication, and
are also some potential disadvantages or challenges promoting a shared responsibility for security
associated with its implementation. Here are a few can be challenging. Resistance to change and
disadvantages of DevSecOps: the need to align different teams with varying
priorities and perspectives may slow down the
• Initial investment and learning curve: adoption of DevSecOps practices.
Adopting DevSecOps practices may require an
• Continuous monitoring and maintenance:
initial investment in terms of resources, tools,
DevSecOps promotes continuous monitoring
and training. Organizations need to allocate
and maintenance of security measures
time and resources to train their teams on
throughout the software development lifecycle.
security practices, implement new tools and
This ongoing effort requires dedicated
technologies, and establish new processes. This
resources and attention to ensure that security
initial learning curve and investment can be a
controls remain effective, vulnerabilities are
challenge for some organizations, especially
promptly addressed, and compliance is
those with limited resources or resistance to
maintained. Organizations need to allocate
change.
resources and establish processes for
• Integration complexities: Integrating security continuous monitoring, maintenance, and
practices into the development process can updating of security practices.

JAVACODEGEEKS.COM | © EXELIXIS MEDIA P.C. VISIT JAVACODEGEEKS.COM FOR MORE!

 5 STARTING WITH DEVSECOPS

DEVSECOPS JOURNEY: A BEGINNER'S any security incidents or vulnerabilities

discovered. Define roles and responsibilities,
GUIDE
establish communication channels, and
Here’s an example of how you can get started with document procedures for identifying,
DevSecOps by incorporating security into a "Hello, mitigating, and resolving security incidents.
World!" application: • Education and Awareness: Promote security
education and awareness among your
• Set Up Version Control: Start by setting up a
development and operations teams. Conduct
version control system like Git to manage your
security training sessions to educate team
codebase. Initialize a new repository and create
members on secure coding practices, common
a simple "Hello, World!" application.
vulnerabilities, and security best practices.
• Integrate Security Code Analysis: Choose a Encourage a security-first mindset and foster a
security code analysis tool such as SonarQube culture of continuous learning and
or Snyk. Configure the tool to scan your code improvement.
for potential security vulnerabilities, coding
best practices, and other issues. This can be Remember, this is a basic "Hello, World!" example,
done as part of your CI/CD pipeline or during but the principles can be applied to more complex
the development process. applications. The key is to integrate security
throughout the entire software development
• Implement Automated Testing: Create
lifecycle, automate security practices, and
automated security tests to validate the security
continuously monitor and improve the security of
of your application. This can include testing for
your applications.
common vulnerabilities such as injection
attacks, cross-site scripting (XSS), or insecure
DEVSECOPS PIPELINE: BUILDING THE
direct object references (IDOR). Integrate these
security tests into your CI/CD pipeline to run BRIDGE
them automatically with each code commit or
Creating a DevSecOps pipeline involves integrating
deployment.
security practices and tools into your software
• Containerize Your Application: development lifecycle. Here are the key steps to
Containerization provides an additional layer create a DevSecOps pipeline:
of security and portability. Docker is a popular
choice for containerization. Containerize your • Define Security Requirements: Identify the
"Hello, World!" application by creating a security requirements and objectives specific to
Dockerfile and packaging your application into your application or organization. This could
a Docker container. include compliance regulations, security
standards, or industry best practices.
• Container Image Scanning: Use container
image scanning tools like Clair or Anchore to • Plan and Design: Plan and design your
scan your Docker image for known DevSecOps pipeline. Consider the stages of your
vulnerabilities. This helps identify and address pipeline, such as code development, testing,
any security issues within the container image deployment, and monitoring. Determine how
before deployment. security practices and tools will be integrated
into each stage.
• Continuous Monitoring and Logging:
Implement continuous monitoring and logging • Version Control and Code Management: Use a
practices to gain visibility into the runtime version control system like Git to manage your
behavior of your application. Utilize tools like codebase. Implement branching strategies and
Prometheus, ELK stack (Elasticsearch, Logstash, policies to ensure code integrity and
and Kibana), or Splunk to collect and analyze traceability.
logs and metrics. Set up alerts to detect any
• Infrastructure as Code (IaC): Apply
suspicious activities or security-related events.
Infrastructure as Code principles to define and
• Security Incident Response: Establish a manage your infrastructure. Use tools like
security incident response process to handle Terraform or AWS CloudFormation to automate

JAVACODEGEEKS.COM | © EXELIXIS MEDIA P.C. VISIT JAVACODEGEEKS.COM FOR MORE!

 6 STARTING WITH DEVSECOPS

the provisioning and configuration of coding practices, common vulnerabilities, and

infrastructure resources, ensuring consistency security best practices. Foster a culture of
and security. continuous learning and improvement by
conducting security-related retrospectives and
• Security Code Analysis: Integrate security
implementing lessons learned.
code analysis tools into your pipeline. Tools like
SonarQube or Snyk can scan your code for • Compliance and Auditing: Ensure your
potential security vulnerabilities, coding best DevSecOps pipeline complies with relevant
practices, and other issues. Set up automated regulations and standards. Conduct regular
scans triggered by code commits or pull audits to assess the effectiveness of your
requests. security practices and address any compliance
gaps.
• Automated Testing: Implement automated
security testing to validate the security of your
application. This can include static application
security testing (SAST), dynamic application
security testing (DAST), or software
composition analysis (SCA) tools. Include
security tests as part of your continuous
integration and continuous deployment (CI/CD)
pipeline.

• Containerization and Image Scanning:

Containerize your application using tools like Figure 1. DevSecOps Pipeline
Docker or Kubernetes. Scan your container
Remember that each organization’s DevSecOps
images for known vulnerabilities using tools
pipeline will vary based on specific requirements
like Clair or Anchore before deployment.
and technology stack. It’s important to continuously
Automate this process as part of your CI/CD
assess and refine your pipeline to adapt to evolving
pipeline.
security threats and best practices.
• Configuration and Secrets Management: Use
configuration management tools like Ansible or
SECURITY TOOLS AND TECHNOLOGIES:
Chef to manage and secure your application
MAKING INFORMED CHOICES
configurations. Implement secrets management
tools to securely store and manage sensitive
When choosing security tools and technologies for
information such as passwords and API keys.
DevSecOps, it’s important to consider your specific
• Continuous Monitoring and Logging: requirements, the nature of your applications, and
Implement continuous monitoring practices to the overall goals of your DevSecOps initiative. Here
gain real-time visibility into the security of your are some factors to consider when selecting
application. Utilize tools like Prometheus, ELK security tools and technologies:
stack (Elasticsearch, Logstash, and Kibana), or
Splunk to collect and analyze logs and metrics. • Comprehensive Security Coverage: Look for
Set up alerts for security-related events. tools that offer a wide range of security
capabilities to cover various aspects of
• Incident Response and Vulnerability
application security, such as code analysis,
Management: Establish a security incident
vulnerability scanning, threat detection, access
response process to handle security incidents
management, and compliance.
or vulnerabilities discovered. Define roles,
responsibilities, and communication channels. • Integration with DevOps Toolchain: Ensure
Implement vulnerability management practices that the security tools can seamlessly integrate
to identify, prioritize, and remediate with your existing DevOps toolchain, including
vulnerabilities. version control systems, CI/CD platforms, and
deployment automation tools. The integration
• Continuous Education and Improvement:
enables smooth collaboration and automation
Promote security education and awareness
across the entire development and deployment
among your teams. Provide training on secure

JAVACODEGEEKS.COM | © EXELIXIS MEDIA P.C. VISIT JAVACODEGEEKS.COM FOR MORE!

 7 STARTING WITH DEVSECOPS

lifecycle. • Community and Ecosystem: Assess the size

and activity of the tool’s user community and
• Automation and Continuous Monitoring:
ecosystem. A vibrant community can provide
Choose tools that support automation and
valuable resources, plugins, and integrations
continuous monitoring to provide real-time
that enhance the functionality and usefulness
insights into the security posture of your
of security tools.
applications. Automated security testing,
vulnerability scanning, and log analysis help
Remember to prioritize the tools that align with
identify and address security issues at an early
your specific security goals and requirements. It’s
stage.
also recommended to conduct proof-of-concept
• Scalability and Performance: Consider the evaluations or trials to assess the suitability of the
scalability and performance requirements of tools within your organization’s environment
your applications and evaluate whether the before making a final decision.
security tools can handle the expected
workload without causing performance Different code scanning and security tools
bottlenecks or delays in the development and
deployment processes. • SAST Tools (Static Application Security
Testing): These tools, such as SonarQube and
• Open Source or Commercial: Decide whether
Veracode, analyze the source code or compiled
to use open-source security tools or opt for
code of an application to identify potential
commercial solutions. Open-source tools often
security vulnerabilities and coding errors.
offer flexibility and community support, while
commercial tools may provide additional • DAST Tools (Dynamic Application Security
features, support, and dedicated customer Testing): OWASP ZAP and Burp Suite are
service. examples of DAST tools. They evaluate the
security of running applications by sending
• Vendor Reputation and Support: Research the
various requests and analyzing the responses,
reputation and track record of the tool vendors.
helping to identify vulnerabilities that may
Look for vendors with a good reputation,
arise during runtime.
established customer base, and positive
reviews. Also, consider the level of support they • IAST Tools (Interactive Application Security
provide, including documentation, training, Testing): IAST tools like Contrast Security and
and customer support channels. Synopsys provide real-time monitoring of
applications during runtime. By instrumenting
• Compliance and Regulatory Requirements: If
the code, they detect vulnerabilities and
your applications need to comply with specific
provide insights into the specific components
regulations or standards, ensure that the
causing the issues.
security tools align with those requirements.
Look for tools that provide compliance checks, • SCA Tools (Software Composition Analysis):
reporting, and auditing capabilities to help you SCA tools like Black Duck and WhiteSource
meet the necessary security standards. examine the open-source components used in
an application’s codebase. They identify any
• User-Friendly Interface and Usability:
known vulnerabilities or license compliance
Evaluate the user interface and usability of the
issues associated with the third-party libraries
security tools. A user-friendly interface
and dependencies.
simplifies configuration, monitoring, and
analysis, making it easier for your development
and security teams to collaborate effectively. Difference code scanning and security tools

• Cost Considerations: Consider the costs

associated with the security tools, including
licensing fees, maintenance, and ongoing
support. Evaluate the value provided by the
tools about their cost and ensure that they fit
within your budget constraints.

JAVACODEGEEKS.COM | © EXELIXIS MEDIA P.C. VISIT JAVACODEGEEKS.COM FOR MORE!

 8 STARTING WITH DEVSECOPS

Tool Advantages Disadvantages Tool Advantages Disadvantages

Static * Can detect * May generate Software * Identifies * May generate

Application security issues false positives Composition vulnerabilities false positives
Security Testing early in the or false Analysis and license or false
development negatives * compliance negatives *
process * Cannot detect issues in third- Does not assess
Provides vulnerabilities party custom code
detailed that are components * vulnerabilities *
information on introduced Offers insights Relies on
code-level dynamically * into the accurate and
vulnerabilities * May require security of up-to-date
Offers the configuration software vulnerability
ability to and tune for dependencies * databases
analyze code accurate results Enables
even before it is tracking and
compiled or management of
deployed component
versions
Dynamic * Tests the * May produce
Application application in false positives
Security Testing its running or false COREPRACTICES
CORE PRACTICESIN
INDEVSECOPS
DEVSECOPS
state * negatives *
Identifies Requires a DevSecOps practices refer to the integration of
vulnerabilities running security practices and principles into the DevOps
introduced by application to approach. It aims to ensure that security is treated
application test * May not as an integral part of the software development and
behavior or provide deployment process, rather than an afterthought.
configuration * detailed By incorporating security early on and throughout
Provides insights into the the development lifecycle, DevSecOps practices
insights into code-level help organizations build secure and resilient
runtime vulnerabilities systems. Here are some key DevSecOps practices:
security issues
Key Practices In Description
Interactive * Provides * Requires
Devsecops
Application real-time application
Security Testing feedback on instrumentatio Shift-Left Security DevSecOps emphasizes
security n * May impact shifting security
vulnerabilities performance practices and
* Offers deeper during runtime considerations to the
insights into the monitoring * left, meaning security is
root causes of Requires incorporated early in
vulnerabilities * integration the development
Reduces false with the process. This involves
positives by application’s involving security
analyzing the development professionals from the
application in process beginning, conducting
its running security reviews, threat
state modeling, and
integrating security
tools into the
development
environment.

JAVACODEGEEKS.COM | © EXELIXIS MEDIA P.C. VISIT JAVACODEGEEKS.COM FOR MORE!

 9 STARTING WITH DEVSECOPS

Key Practices In Description Key Practices In Description

Devsecops Devsecops

Security Automation Automation plays a Infrastructure as Code In DevSecOps, security

crucial role in (IaC) Security is extended beyond
DevSecOps practices. By application code to
automating security include infrastructure.
processes, such as code Infrastructure as Code
analysis, vulnerability (IaC) practices allow
scanning, and organizations to define
compliance checks, and manage their
organizations can infrastructure through
identify security issues code. By incorporating
early and address them security controls and
efficiently. Automation best practices into IaC
also helps ensure templates and scripts,
consistency and organizations can
repeatability in security ensure consistent and
practices. secure infrastructure
provisioning.
Continuous Security Continuous security
Testing testing is a core practice Secure Configuration Secure configuration
in DevSecOps. It Management management involves
involves integrating implementing secure
security testing, such as configurations for all
static application components of the
security testing (SAST), application stack,
dynamic application including servers,
security testing (DAST), databases, and network
and software devices. By following
composition analysis security configuration
(SCA), into the CI/CD guidelines and regularly
pipeline. This enables auditing and updating
security vulnerabilities configurations,
and weaknesses to be organizations can
detected and addressed mitigate security risks.
rapidly as part of the
Continuous Monitoring Continuous monitoring
development and
and Incident Response is crucial to identify and
deployment process.
respond to security
incidents promptly.
DevSecOps encourages
the implementation of
real-time security
monitoring, log analysis,
and threat intelligence
to detect and respond to
security events. Incident
response plans and
processes should be
established to handle
security incidents
effectively.

JAVACODEGEEKS.COM | © EXELIXIS MEDIA P.C. VISIT JAVACODEGEEKS.COM FOR MORE!

 10 STARTING WITH DEVSECOPS

Key Practices In Description organizations can build secure, scalable, and

Devsecops resilient systems while maintaining the speed and
agility provided by the DevOps approach.
Security Awareness Building a security-
and Education conscious culture is vital
DEVSECOPS WITH ADDITIONAL
in DevSecOps.
Organizations should
PRACTICES
invest in security
In addition to the core practices of integrating
awareness and
security into the software development process,
education programs to
several additional practices can enhance the
train developers,
effectiveness of DevSecOps:
operations teams, and
other stakeholders on
Security Practices Description
secure coding practices,
security threats, and Threat modeling Conducting threat
best practices. modeling helps identify
Continuous learning and potential security
knowledge sharing help threats and
foster a security-first vulnerabilities in the
mindset. system early on. This
practice involves
Compliance and DevSecOps practices
analyzing the system
Governance should align with
architecture, identifying
relevant regulations,
potential attack vectors,
industry standards, and
and prioritizing security
compliance
measures based on the
requirements.
identified risks. Threat
Organizations need to
modeling helps in
integrate compliance
designing and
checks, reporting, and
implementing
auditing capabilities into
appropriate security
their processes to
controls.
ensure adherence to
security standards and Secure coding Establishing and
regulations. guidelines enforcing secure coding
guidelines is crucial for
Collaboration and Effective collaboration
building secure
Communication and communication
software. These
between development,
guidelines provide
operations, and security
developers with best
teams are essential in
practices for writing
DevSecOps. Teams
secure code, such as
should work together to
input validation, output
share information,
encoding, and secure
identify risks, and
authentication
implement security
mechanisms. Regular
controls. Collaboration
code reviews and
tools and practices
automated code analysis
should be adopted to
tools can help ensure
facilitate seamless
adherence to these
communication and
guidelines.
cooperation.

By embracing these DevSecOps practices,

JAVACODEGEEKS.COM | © EXELIXIS MEDIA P.C. VISIT JAVACODEGEEKS.COM FOR MORE!

 11 STARTING WITH DEVSECOPS

DIFFERENT
DIFFERENTDEVSECOPS
DEVSECOPSTOOLS
TOOLS Ansible

Ansible is an open-source automation platform

CONFIGURATION MANAGEMENT TOOLS that simplifies the management and configuration
of systems and applications. It uses a declarative
Configuration management is a vital aspect of
language called YAML (YAML Ain’t Markup
modern software development and IT operations. It
Language) to define the desired state of
involves managing and controlling the
infrastructure and perform tasks across multiple
configuration of software systems, infrastructure,
machines. Here’s a sample code snippet that
and applications throughout their lifecycle.
demonstrates the use of Ansible to install and
Configuration management tools play a critical role
configure a web server:
in automating and simplifying this process.

Configuration management tools enable

- name: Install and configure
organizations to standardize and automate the
deployment, configuration, and maintenance of
Apache web server
software and infrastructure components. These   hosts: webserver
tools provide a centralized platform for managing   become: true
configuration files, settings, and parameters across   tasks:
different environments, ensuring consistency and - name: Install Apache package
reliability. apt:
name: apache2
One of the key benefits of configuration
state: present
management tools is their ability to enforce desired
states. They allow teams to define and maintain the
- name: Enable Apache service
desired configuration of systems and automatically
apply any necessary changes to ensure the systems
service:
align with the desired state. This helps in reducing name: apache2
configuration drift, where systems deviate from enabled: true
their intended configuration over time. state: started

These tools also facilitate infrastructure as code - name: Copy custom index.html
(IaC) practices, where infrastructure and file
configuration are defined and managed using code.
copy:
By treating infrastructure as code, organizations
src: /path/to/index.html
can version control their configuration, track
dest:
changes, and reproduce environments accurately.
/var/www/html/index.html
Configuration management tools offer a range of owner: root
features and capabilities, including declarative group: root
configuration languages, dependency management, mode: 0644
automated provisioning, and orchestration. They
integrate with various platforms, cloud providers,
and operating systems, enabling organizations to Puppet
manage complex and diverse environments
seamlessly. Puppet is a configuration management tool that
automates the provisioning, configuration, and
Some popular configuration management tools management of systems. It uses a declarative
include Ansible, Puppet, and Chef. These tools language called Puppet DSL to define the desired
provide robust solutions automating state of the infrastructure. Here’s a sample Puppet
for
configuration management tasks, enabling teams to manifest that installs and configures a web server:
scale their operations, improve efficiency, and
reduce manual errors.
node 'webserver' {
  package { 'apache2':

JAVACODEGEEKS.COM | © EXELIXIS MEDIA P.C. VISIT JAVACODEGEEKS.COM FOR MORE!

 12 STARTING WITH DEVSECOPS

  ensure => installed, end

  }

  service { 'apache2': CONTINUOUS INTEGRATION AND

  ensure => running, DELIVERY TOOLS
  enable => true, Continuous Integration and Delivery (CI/CD) has
  require => Package['apache2'], become a crucial practice in modern software
  } development, enabling teams to deliver high-
quality software faster and more efficiently. CI/CD
  file { '/var/www/html/index.html': tools play a vital role in automating the build,
  ensure => file, testing, and deployment processes, ensuring
  source => '/path/to/index.html', smooth and reliable software delivery pipelines.
  owner => 'root',
CI/CD tools facilitate the integration of code changes
  group => 'root',
from multiple developers into a shared repository,
  mode => '0644', where automated builds and tests are triggered.
  require => Package['apache2'], These tools enable teams to catch integration issues
  notify => Service['apache2'], early, identify bugs, and ensure that the codebase
  } remains stable. By continuously integrating code
} changes, developers can collaborate effectively and
detect and resolve issues more efficiently.

Chef Continuous Delivery (CD) takes CI a step further by

automating the deployment process. CD tools
Chef is a powerful configuration management and enable organizations to package, deploy, and
automation tool that allows you to define release software applications consistently across
infrastructure as code. It uses a domain-specific different environments. By automating the
language (DSL) to describe the desired state of deployment process, teams can reduce manual
systems and automate the configuration process. errors, ensure consistency, and achieve faster time-
Here’s a sample Chef recipe that installs and to-market.
configures a web server:
CI/CD tools offer a wide range of features to support
the development and delivery lifecycle. They often
package 'apache2' do provide capabilities such as code repository
  action :install integration, build automation, automated testing,
end artifact management, and deployment
orchestration. These tools integrate with popular
service 'apache2' do version control systems like Git and support
  action [:enable, :start] various programming languages and frameworks.
end
One of the key benefits of CI/CD tools is the ability
to automate the entire software delivery pipeline,
cookbook_file from source code management to production
'/var/www/html/index.html' do deployment. They provide visibility into the build
  source 'index.html' and deployment process, allowing teams to track
  owner 'root' changes, monitor progress, and identify
  group 'root' bottlenecks. With automated testing and quality
  mode '0644' checks, these tools help maintain code quality and
  action :create ensure that only reliable and well-tested software is
  notifies :restart, released.

'service[apache2]'

JAVACODEGEEKS.COM | © EXELIXIS MEDIA P.C. VISIT JAVACODEGEEKS.COM FOR MORE!

 13 STARTING WITH DEVSECOPS

Jenkins - npm install

Jenkins is an open-source automation server that

test:
enables continuous integration and continuous
  stage: test
delivery (CI/CD) of software projects. It provides a
  script:
wide range of plugins and integrations, allowing for
easy customization and extensibility. Here’s an
- npm test
example of a Jenkins pipeline script that builds and
deploys a web application: deploy:
  stage: deploy
  script:
pipeline { - npm run deploy
  agent any
  stages {
  stage('Build') { CircleCI
  steps {
CircleCI is a cloud-based CI/CD platform that
sh 'npm install'
automates the build, test, and deployment
  }
processes. It provides a simple and intuitive
  }
configuration file called config.yml to define the
  stage('Test') { pipeline. Here’s an example config.yml file for
  steps { building and deploying a web application:
sh 'npm test'
  }
  } version: 2.1
  stage('Deploy') { jobs:
  steps {   build-and-deploy:
sh 'npm run deploy'   docker:
  } - image: node:latest
  }   steps:
  } - checkout
} - run:
name: Build
command: npm install
GitLab CI/CD - run:
name: Test
GitLab CI/CD is a built-in continuous integration
command: npm test
and continuous delivery platform provided by
- run:
GitLab. It allows you to define CI/CD pipelines using
a configuration file called .gitlab-ci.yml. Here’s an
name: Deploy
example .gitlab-ci.yml file that builds and deploys command: npm run deploy
a web application:

CONTAINERIZATION AND
stages: ORCHESTRATION TOOLS
- build
- test Containerization and orchestration have become
fundamental pillars of modern application
- deploy
deployment and management. Containerization
tools enable organizations to package applications
build: and their dependencies into lightweight, portable
  stage: build containers, while orchestration tools automate the
  script: deployment, scaling, and management of these

JAVACODEGEEKS.COM | © EXELIXIS MEDIA P.C. VISIT JAVACODEGEEKS.COM FOR MORE!

 14 STARTING WITH DEVSECOPS

containers. Together, they revolutionize software application on OpenShift.

delivery, scalability, and resilience. Some popular
containerization and orchestration tools include: SECURITY INFORMATION AND EVENT
MANAGEMENT (SEM) TOOLS
Docker
SIEM tools provide a centralized platform for
Docker is an open-source platform that allows you collecting, analyzing, and correlating security event
to automate the deployment and management of data from various sources, such as logs, network
applications within lightweight, isolated containers. devices, applications, and endpoints. By aggregating
It provides a way to package applications and their and analyzing this data, SIEM tools enable
dependencies into portable containers that can run organizations to detect and respond to security
consistently across different environments. Here’s incidents in real time, as well as proactively
an example of using Docker to run a web server: identify potential threats.

docker run -d -p 80:80 nginx - This command pulls The primary goal of SIEM tools is to provide
the Nginx image from the Docker registry and runs comprehensive visibility into an organization’s
it in a container, mapping port 80 of the host to port
security posture. They help security teams monitor
80 of the container. This allows the Nginx web and analyze logs and events from diverse sources,
server to be accessed on the host machine. identify patterns, and generate actionable insights.
SIEM tools use advanced correlation algorithms,
Kubernetes anomaly detection, and threat intelligence feeds to
identify potential security incidents, such as
Kubernetes is an open-source container unauthorized access attempts, malware infections,
orchestration platform that automates the or data breaches.
deployment, scaling, and management of
containerized applications. It provides a highly SIEM tools offer a wide range of features and
flexible and resilient architecture to run and capabilities. They provide real-time event
manage containers across clusters of machines. monitoring, log management, and log analysis
Here’s an example of deploying an application on capabilities. They can automatically aggregate and
Kubernetes: normalize log data from different sources, making
it easier to identify patterns and detect security
kubectl create deployment my-app events. SIEM tools also provide alerting and
--image=myapp:1.0 - This command creates a
notification mechanisms to ensure that security
deployment called "my-app" using the container teams can respond promptly to potential threats or
image "myapp:1.0". Kubernetes will automatically incidents.
schedule and manage the application pods based on
the desired state defined in the deployment. Another critical aspect of SIEM tools is their
reporting and compliance capabilities. They help
OpenShift organizations meet regulatory requirements by
providing pre-built reports and facilitating audit
OpenShift is a container application platform that processes. SIEM tools can generate compliance
builds on top of Kubernetes. It provides an reports, track user activities, and provide evidence
enterprise-ready, fully managed container platform of security controls, thereby supporting
with additional features and capabilities for organizations in demonstrating adherence to
application development, deployment, and scaling. industry standards and regulations.
Here’s an example of deploying an application on
OpenShift: Some popular SIEM tools include:

oc new-app myapp:1.0 - This command creates a new

Splunk
application called "myapp" using the container
image "myapp:1.0" and automatically sets up the Splunk is a powerful platform used for monitoring,
necessary resources, such as deployment
searching, analyzing, and visualizing machine-
configurations, services, and routes, to run the generated data. It collects and indexes data from

JAVACODEGEEKS.COM | © EXELIXIS MEDIA P.C. VISIT JAVACODEGEEKS.COM FOR MORE!

 15 STARTING WITH DEVSECOPS

various sources, including logs, events, and metrics, IBM QRadar is widely used for security monitoring,
and provides real-time insights and actionable threat detection, and compliance reporting, helping
intelligence. Splunk’s features include powerful organizations proactively identify and mitigate
search capabilities, data visualization, alerting, and security risks.
machine learning. It helps organizations gain
valuable insights from their data and enables OPEN-SOURCETOOLS
OPEN-SOURCE TOOLSAND
ANDPROJECTS
PROJECTS
effective troubleshooting, security monitoring, and
business intelligence.
Tool/project Key Features Primary Use
Name Case
ELK Stack (Elasticsearch, Logstash, Kibana)
Jenkins Extensive Building,
The ELK Stack, now known as the Elastic Stack, is a plugin testing, and
combination of three open-source tools: ecosystem, deploying
distributed applications in
Elasticsearch: Elasticsearch is a highly scalable builds easy a continuous
and distributed search and analytics engine. It integration integration and
stores and indexes data in near real-time, allowing with version delivery
for fast and efficient search, analysis, and retrieval control systems. pipeline.
of structured and unstructured data.
Ansible Agentless Configuration
architecture, management,
Logstash: Logstash is a data collection and
declarative application
processing pipeline. It helps in ingesting and
language, and a deployment,
parsing data from various sources, such as logs,
large and
metrics, and event streams. Logstash enables data
community- infrastructure
transformation and enrichment before sending it to
driven library orchestration.
Elasticsearch for indexing and analysis.
of modules.

Kibana: Kibana is a data visualization and Docker Containerizatio Application

exploration tool that works in conjunction with n, portability, deployment,
Elasticsearch. It provides a web-based interface for and efficient microservices
querying and visualizing data stored in resource architecture,
Elasticsearch. Kibana offers powerful visualization utilization. container
options, dashboards, and search capabilities, orchestration.
enabling users to interactively explore and gain
Kubernetes Scalability, high Container
insights from their data.
availability, orchestration,
self-healing managing
IBM QRadar capabilities, complex
and service microservices
IBM QRadar is a security information and event
discovery. architectures.
management (SIEM) platform that helps
organizations detect and respond to security Git Branching, Source code
threats. It collects and correlates log data from merging, management
various sources, including network devices, version history, and
servers, and applications, to provide collaboration. collaboration
comprehensive visibility into security events. among
QRadar offers features like real-time threat developers.
detection, incident response workflows, log
Prometheus Time-series Monitoring
analysis, and security event correlation. It utilizes
database, infrastructure,
advanced analytics and machine learning
flexible query applications,
algorithms to identify potential security incidents
language, and services.
and provides actionable insights to security
extensive
analysts.
integrations.

JAVACODEGEEKS.COM | © EXELIXIS MEDIA P.C. VISIT JAVACODEGEEKS.COM FOR MORE!

 16 STARTING WITH DEVSECOPS

Tool/project Key Features Primary Use RESOURCESFOR

RESOURCES FORLEARNING
LEARNING
Name Case DEVSECOPS
DEVSECOPS
Grafana Customizable Monitoring,
dashboards, a observability, Here are some resources for learning DevSecOps.
wide range of and
data source visualization of • What is DevSecOps? - Red Hat
integrations, metrics and • DevSecOps on AWS - Amazon Web Services
and alerting logs.
• Introduction to DevSecOps - IBM Cloud
capabilities.

Terraform Declarative Infrastructure

language, multi- provisioning
cloud support, and
dependency management in
management. a cloud
environment.

Nagios Monitoring host Monitoring and

and service alerting for
availability, infrastructure
alerting, and and
extensibility applications.
through
plugins.

Gradle Dependency Building and

management, packaging
multi-project software
builds, projects.
extensible
plugin system.

JCG delivers over 1 million pages each month to more than 700K software
developers, architects and decision makers. JCG offers something for everyone,
including news, tutorials, cheat sheets, research guides, feature articles, source code
and more.
CHEATSHEET FEEDBACK
WELCOME
[email protected]

Copyright © 2014 Exelixis Media P.C. All rights reserved. No part of this publication may be SPONSORSHIP
reproduced, stored in a retrieval system, or transmitted, in any form or by means electronic, OPPORTUNITIES
mechanical, photocopying, or otherwise, without prior written permission of the publisher. [email protected]

JAVACODEGEEKS.COM | © EXELIXIS MEDIA P.C. VISIT JAVACODEGEEKS.COM FOR MORE!