If you're in a DevOps-related role, there is always something new to keep up with, and security is no different. Here's my list of ways to stay up to date on the security front while keeping your DevOps hat on, followed by some security tools.

  • Read one article each week about something related to security in whatever you're working on.
  • Look at the CVE website weekly to see what's new.
  • Try doing a hackathon. Some companies do this once a month; check out the Beginner Hack 1.0 site if yours doesn't and you'd like to learn more.
  • Try to attend at least one security conference a year with a member of your security team to see things from their side.

Container scanning tools:

Code scanning tools:

Kubernetes security tools:

DevSecOps

DevSecOps evolves DevOps to ensure security remains an essential part of the process.

Like DevOps, DevSecOps is a mindset or a culture that developers and IT operations teams follow while developing and deploying software applications. It integrates active and automated security audits and penetration testing into agile application development.

Note: No matter what you call it, SecDevOps, DevSecOps, or DevOpsSec, the important thing is a pipeline that applies meaningful security checks during integration, delivery, and deployment.

Most of these scanners and tools should be embedded in the CI/CD pipeline. The goal is to provide reasonable assurance of the application's security while balancing the effect these tools have on the pipeline's run time. A common compromise is to fail the build only on findings at or above an agreed severity and to report the rest without blocking, so that a noisy scanner does not stop every deployment.
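To show what "embedded in the pipeline" looks like in practice, here is an added example of a CI gate that reads scanner findings and decides whether the build should fail. It is not code from the original page or from any particular scanner. The findings format (one finding per line: `SEVERITY ID DESCRIPTION`), the sample findings, the IDs and the allowlist file are all constructed for the example; real scanners emit JSON or SARIF, which you would flatten into this shape with `jq` before calling the gate.

```shell
#!/usr/bin/env bash
# Added example, not from the page: a CI gate over scanner findings.
# Input format (constructed for this example): one finding per line,
#   SEVERITY ID DESCRIPTION...
# Lines starting with '#' are ignored.

# Map a textual severity to a number so levels can be compared.
sev_rank() {
  case "$1" in
    CRITICAL) echo 4 ;;
    HIGH)     echo 3 ;;
    MEDIUM)   echo 2 ;;
    LOW)      echo 1 ;;
    *)        echo 0 ;;
  esac
}

# gate_findings FINDINGS_FILE FAIL_AT_SEVERITY [ALLOWLIST_FILE]
# Prints one line per finding plus a summary line.
# Exit status 1 if any finding not on the allowlist is at or above
# FAIL_AT_SEVERITY (the build should fail), 0 otherwise.
# Findings below the threshold are reported as ADVISORY and do not block,
# which is the run-time versus assurance trade-off the text describes.
gate_findings() {
  findings="$1"; threshold="$2"; allowlist="${3:-/dev/null}"
  thr=$(sev_rank "$threshold")
  blocking=0; advisory=0
  # Redirect (not a pipe) so the counters survive the loop.
  while read -r sev id desc; do
    [ -z "$sev" ] && continue
    case "$sev" in "#"*) continue ;; esac
    # Allowlisted IDs are accepted risks recorded outside the pipeline.
    if grep -qx "$id" "$allowlist" 2>/dev/null; then
      echo "ALLOWLISTED $sev $id ($desc)"
      continue
    fi
    if [ "$(sev_rank "$sev")" -ge "$thr" ]; then
      echo "BLOCKING    $sev $id ($desc)"
      blocking=$((blocking + 1))
    else
      echo "ADVISORY    $sev $id ($desc)"
      advisory=$((advisory + 1))
    fi
  done < "$findings"
  echo "summary: blocking=$blocking advisory=$advisory"
  [ "$blocking" -eq 0 ]
}

# Demo with constructed findings (IDs and text are placeholders).
demo_gate() {
  dir=$(mktemp -d)
  printf 'CRITICAL F-001 container runs as root\nMEDIUM F-002 outdated base image package\nLOW F-003 no HEALTHCHECK instruction\n' > "$dir/findings.txt"
  printf 'F-002\n' > "$dir/allowlist.txt"
  if gate_findings "$dir/findings.txt" HIGH "$dir/allowlist.txt"; then
    echo "pipeline may continue"
  else
    echo "pipeline fails: fix or allowlist the blocking findings"
  fi
  rm -rf "$dir"
}

demo_gate
```

In a real pipeline you would call `gate_findings` as the last step of the scan stage, keep the threshold in version control next to the pipeline definition, and treat the allowlist as a reviewed file so that accepted risks are visible rather than silently ignored.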

The last layer of DevSecOps is continuous scanning or continuous security (CS). Just as continuous integration, testing, and deployment are synonymous with DevOps, continuous security is synonymous with and the cornerstone of DevSecOps.