Introduction to DevSecOps
by TWN
No part of this publication may be reproduced, copied, transmitted in any
form or by any means, electronic, mechanical, photocopying, recording or
otherwise, without the prior written permission of nnSoftware GmbH
Copyright 2023 nnSoftware GmbH. All rights reserved.
TechWorld with Nana is an established name in the DevOps and
Cloud industry, and it stands for quality trainings that have helped thousands
of engineers acquire the most in-demand skills in this field.
Our mission is to enable individual engineers as well as companies to take advantage of the
recent developments in the Cloud and DevOps fields, and to use these technologies and concepts
to create efficient, automated, streamlined DevSecOps processes in organisations.
Let's compare the approach without and with DevSecOps
Without DevSecOps: security as an afterthought, the old way of doing security
With DevSecOps: "shifting security left", the new way of doing it
Issues with Traditional Approach to Security
Late Integration of Security: Security is typically considered late in
the development process, often during the pre-production phase.
Blocking automated DevOps process: So while DevOps enabled these automated,
streamlined processes, security checks and audits are still blocking the whole process,
delaying the release for weeks.
Issues with Traditional Approach to Security
Siloed Teams - Lack of Collaboration
While DevOps united Development and
Operations, Security is often still a
separate team
This leads to communication gaps,
delays in addressing security issues and
a lack of responsibility for security
Issues with Traditional Approach to Security
Manual Processes, No automations: Traditional security practices often rely on
manual security assessments and reviews, which can be slow and error-prone.
Manual processes are not well-suited to the fast-paced, automated nature of DevOps.
Slow Feedback Loop: Delayed security feedback can make it more challenging to fix
the security issue. The longer it takes to identify and remediate vulnerabilities,
the greater the potential impact and the higher the costs.
More attack surfaces
In addition to all of these, security has become more complex
Microservices
Containers
Cloud platform
Kubernetes
Security tools were also developed before these new developments
To address these issues, organizations are adopting DevSecOps
So, how does DevSecOps solve these problems?
DevSecOps Approach
Integrating Security into DevOps
Shifting Security to the Left
What is DevSecOps
No DevSecOps: Thinking about security after a new feature is developed and tested,
right before releasing it.
DevSecOps: Start thinking about security right at the beginning and solve it
right away as soon as security issues appear.
What is DevSecOps
DevSecOps encourages
automation
collaboration
and a proactive approach to security
helping organizations identify and remediate security issues
earlier in the development lifecycle
This approach improves security posture while also maintaining the
speed and agility of DevOps practices
What is DevSecOps
Shared Responsibility and Collaboration
Security becomes a developer responsibility
too, instead of just being a responsibility of
dedicated security professionals
Security team becomes a facilitator
and advisor for DEV and OPS teams
Security team trains engineers on how to
interpret the output of security tools, so they can
identify and fix the issues themselves
What is DevSecOps
Automation: Automated security tools are integrated in the CI/CD pipeline to
detect security issues on every Git push. Developers get automated output of
the application's security status and what vulnerabilities need to be fixed.
Faster Release Cycles and Shorter Feedback Cycles:
No security issues? The pipeline will deploy the application.
Security issues found? Bugs are easier to fix the earlier they are found in the
development lifecycle, which means less time and costs.
How DevSecOps works in practice
Tools for Automated Security Tests
Automated tests in Software Development: Just like we have automated unit tests and integration
tests to test new features, application functionality and integration with other services etc....
Automated tests for Security: ...In the same way, we add automated tests for the
different aspects of our application and systems' security:
Automated tests for application security
Automated tests for infrastructure and cloud security
Automated tests for platform security
Different Types of Automated Tests
Automated tests in Software Development: Just like we have different types of automated
tests in software development...
Automated tests for Security: ...In the same way, we have different types of security tests
Types of Security Tests
SAST: Static Application Security Testing
Static code analysis (app is not running)
Identifies security vulnerabilities in the app's source code, configuration files etc.
Looks for common coding errors, deviations from secure coding practices etc.
Types of Security Tests
SCA: Software Composition Analysis
Checks third-party and open-source libraries and frameworks
An SCA tool goes through the dependencies of your application and checks
whether any known vulnerabilities exist for that dependency and the specific version
you use
It's also static code analysis
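The SCA check the slide describes, written out as an added example (not code from the course): a pinned manifest is parsed and each pin is matched against advisory version ranges. The manifest, the advisory list and the advisory identifiers are constructed placeholders.

```python
"""Minimal SCA check: match pinned dependencies against a list of advisories.
Constructed example, not code from the course. MANIFEST and ADVISORIES are made
up for illustration; a real SCA tool pulls advisories from a vulnerability feed.
"""

# Constructed manifest: two of the three pins fall inside an advisory range.
MANIFEST = """\
requests==2.19.0
flask==2.3.2
pyyaml==5.3
"""

# Constructed advisories: (package, first_vulnerable, first_fixed, advisory_id).
# Identifiers are placeholders, not real CVEs. Affected when first_vulnerable <= v < first_fixed.
ADVISORIES = [
    ("requests", "0.0.0", "2.20.0", "EXAMPLE-ADV-001"),
    ("flask", "0.0.0", "2.2.5", "EXAMPLE-ADV-002"),
    ("pyyaml", "0.0.0", "5.4", "EXAMPLE-ADV-003"),
]

def parse_version(text):
    """Turn a dotted version like '2.19.0' into a comparable tuple of ints."""
    return tuple(int(part) for part in text.split("."))

def parse_manifest(text):
    """Parse requirements.txt-style 'name==version' lines into {name: version}."""
    deps = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, version = line.partition("==")
        if not sep:
            # An unpinned dependency cannot be matched against a version range.
            raise ValueError(f"unpinned dependency: {line}")
        deps[name.strip().lower()] = version.strip()
    return deps

def find_vulnerable(deps, advisories):
    """Report each dependency whose pinned version lies inside an advisory range."""
    findings = []
    for package, first_vulnerable, first_fixed, advisory_id in advisories:
        if package not in deps:
            continue
        version = parse_version(deps[package])
        if parse_version(first_vulnerable) <= version < parse_version(first_fixed):
            findings.append({"package": package, "version": deps[package],
                             "advisory": advisory_id, "fixed_in": first_fixed})
    return findings
```

A CI step would fail the build when `find_vulnerable(parse_manifest(MANIFEST), ADVISORIES)` returns a non-empty list.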
Types of Security Tests
DAST: Dynamic Application Security Testing
Testing the app's running instance or deployed version
Simulating security attacks and analyzing behavior and responses in real-time
Does not require access to the code
White Box vs Black Box Testing
White Box Testing (SAST tools belong to this category)
Knowledge: Tester has detailed knowledge of the internal workings, code and architecture.
Focus: Examining the internal logic, code paths and data flows within the application.
Advantages: Can provide precise information about the security flaws. Also helpful for
addressing issues related to code quality and design flaws.
Limitations: Does not capture vulnerabilities that only surface when interacting with
the application.
White Box vs Black Box Testing
Black Box Testing (DAST tools belong to this category)
Knowledge: No access to the source code; relies solely on the system's inputs and outputs.
Focus: Evaluating the system's functionality, its external behavior, and how it responds
to various inputs and scenarios.
Advantages: Simulates real-world attacks and provides a more user-centric perspective on
security. Testers do not need to be familiar with the application's codebase.
Limitations: May not uncover all security vulnerabilities that can be identified through
code-level inspection, and it may miss some complex or logic-based vulnerabilities.
Continuous Testing is necessary
Code changes constantly: Scanning code once is not enough. Applications are developed
continuously, libraries are developed continuously and new versions are released.
Infrastructure changes.
Continuously test and fix: So we need to continuously test and fix security
vulnerabilities in the software development lifecycle.
When to run which security scans
Pipeline becomes a bottleneck: Security scans and tests can slow down the CI/CD pipeline.
Approaches to solve this:
Pipeline for basic security tests
Runs on every commit
Security checks only for affected code parts
Run 3rd-party library checks when dependencies changed
Pipeline for comprehensive and complete tests
Runs once per night
Nobody's work is interrupted
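The two-pipeline scheme above expressed as a scan-selection function, added here as an example rather than course material: the per-commit trigger limits SAST to the changed code parts and runs SCA only when a dependency file changed, while the nightly trigger runs everything. The trigger names, the dependency-file names and the source-suffix list are assumptions.

```python
"""Decide which security scans a pipeline run should execute.

Constructed example, not code from the course. It encodes the two-pipeline
scheme from the slide: a per-commit pipeline that runs basic checks only on the
affected code parts and dependency checks only when dependencies changed, and a
nightly pipeline that runs everything. File-name conventions are assumptions.
"""

# Assumed manifest/lock file names whose change should trigger an SCA run.
DEPENDENCY_FILES = {"requirements.txt", "package-lock.json", "go.sum",
                    "pom.xml", "Gemfile.lock"}
# Assumed source file suffixes that make a change relevant for SAST.
SOURCE_SUFFIXES = (".py", ".js", ".ts", ".go", ".java", ".rb")


def affected_parts(changed_files):
    """Map changed source files to the top-level code parts that contain them."""
    parts = set()
    for path in changed_files:
        if path.endswith(SOURCE_SUFFIXES):
            parts.add(path.split("/", 1)[0] if "/" in path else ".")
    return sorted(parts)


def dependencies_changed(changed_files):
    """True when any changed path is a known dependency manifest or lock file."""
    return any(path.rsplit("/", 1)[-1] in DEPENDENCY_FILES for path in changed_files)


def plan_scans(trigger, changed_files=()):
    """Return the scan plan for a pipeline trigger.

    trigger: "commit" for the pipeline that runs on every push, or "nightly"
    for the scheduled comprehensive run.
    """
    if trigger == "nightly":
        # Comprehensive pipeline: whole tree, all dependencies, deployed app.
        return {"sast": ["."], "sca": True, "dast": True}
    if trigger != "commit":
        raise ValueError(f"unknown trigger: {trigger}")
    changed = list(changed_files)
    return {
        "sast": affected_parts(changed),        # only the changed code parts
        "sca": dependencies_changed(changed),   # only when dependencies changed
        "dast": False,  # needs a deployed instance; left to the nightly run (assumption)
    }
```

In a real pipeline `changed_files` would come from the version control diff of the push being built.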
Logging and Monitoring
There is always a chance that security issues slip into the production environment,
or that 3rd-party vulnerabilities appear after production deployment.
That's why we need proper continuous logging, monitoring and alerting in place, that:
Continuously monitors the systems
Alerts the team when security threats or suspicious behavior are detected
Benefits of DevSecOps
Integrating security across the whole software development lifecycle can be challenging,
but has many benefits
More efficient
Saves costs, as security fixes are
more expensive the later they are
discovered
Avoiding security breaches, which
eventually would mean losing
customers’ trust
DevSecOps Engineer
Role and Skills
Shared Responsibility
The idea of DevOps and DevSecOps is to distribute responsibility for
security across teams
Architect of DevSecOps processes
A DevSecOps professional helps the team integrate these automated
checks into the pipeline. They work to embed security practices and
controls by collaborating with Dev and Ops teams
Shared Responsibility
Visibility: Setting up processes that show the teams what the current
security posture is
Help them understand the security findings and fix these issues
Build security know-how step by step with the help of these tools
Educate and raise awareness among teams about security best
practices
Shared Responsibility
This promotes a security-first mindset within the team
By getting constant and immediate feedback, engineers
will learn how to write secure code
Working with Security Engineers
Security engineers: Security experts with specialized expertise in the field of cybersecurity.
Well-versed in regulatory requirements and compliance frameworks.
DevSecOps engineers: They work closely with security engineers. They can tap into their deep
understanding of security principles to implement effective security measures.
Working with Security Engineers
Experts in code security <-> Intermediary between different teams <-> Experts in coding
DevSecOps is all about collaboration
Different roles working together towards the same goal
Having a security-conscious culture within the organization
Summary of Tasks and Responsibilities
Architect of DevSecOps processes
Facilitates the integration of security testing into the
development and deployment process
Provide guidance on security coding standards, perform
code reviews etc.
Establish mechanisms for continuous security monitoring,
threat detection and vulnerability scanning
DevSecOps Engineer vs Security Engineer
Security Engineer: focuses on securing systems, networks and infrastructure
DevSecOps Engineer: broader approach by integrating security into the entire DevOps process
Bridging the gap between Dev, Ops and Security teams
Help automate security checks
Help Devs and Security Engineers to discover, visualize and fix efficiently
Skills of a DevSecOps Engineer
Combination of skills in software development, operations & security
Bridge between DEV, OPS and SECURITY
Create the processes and demonstrate what needs to be
done
Train people in different aspects of security
Facilitate knowledge sharing
Strong collaboration, communication & leadership skills are essential
So it’s not just about learning the tools to implement the DevSecOps
processes, but about working with people
DevSecOps Concept vs Role
DevSecOps as a Concept
DevSecOps is a concept or philosophy
It's a way of working together
It's about shared responsibility and shifting security left
Catch security issues early and develop more secure applications
In Theory: Implementation without DevSecOps Engineer role
Many roles working together to integrate security
Divide and share responsibilities
No dedicated DevSecOps engineer that orchestrates everything; teams should pro-actively collaborate
DevSecOps as a Role
In Reality: Need for a dedicated person
Everybody is busy with their daily tasks and responsibilities
Engineers don't have time to think about DevSecOps
Concepts are not yet ingrained into every single engineer, so that they pro-actively build
DevSecOps processes
Often someone is needed in the company who actually makes things happen
Someone whose main focus and task is to set up processes and make sure teams
work together, share knowledge and responsibility
Varies between organizations
Specific roles and responsibilities associated with implementing
DevSecOps vary between organizations
Self-driven and efficient teams that can work together:
no need for a separate DevSecOps engineer
In most cases there are no efficient, self-directed teams,
so having a separate DevOps and/or DevSecOps engineer is essential
for the company