DevSecOps Overview

Rapid software delivery brings enormous benefits – nimble engineering teams can iterate quickly on customer feedback, optimize time-to-market, and adapt to shifting business conditions. Companies embracing CI/CD, DevOps, and cloud-based IT strategies enjoy significant competitive advantages. Successful security teams embrace these shifts, leaning into DevSecOps and everything-as-code.

What’s In These Posts?

This series aims to teach security practitioners and developers about DevSecOps strategy, architecture, and tools. I’ve done my best to simplify things, weaving together architectural perspective with practical tips and tool suggestions.

DevSecOps is a complex, rapidly-evolving landscape. Links are sprinkled throughout so you can dig into topics you’re curious about. This series is a work-in-progress, check back for updates!

DevSecOps Topics

Dive right into the topics that most interest you:

1. CI/CD Background & Context
   • An Example Pipeline
   • Pipeline Components & Tools
   • CI/CD Terms
   • CI/CD Characteristics
2. DevSecOps Strategy
   • Strategic Landscape
   • Why Shift Left
   • People-Process-Culture
3. DevSecOps Technical Strategy
4. Touchpoint: SAST & Code Quality
   • SAST Overview
   • Choosing SAST Tools
   • Semgrep
   • Other Security Tools
   • Code Quality Tools
5. Touchpoint: Git Hooks
   • Git Hooks Overview
   • Git Hooks For Security
6. Touchpoints: Security Testing
   • Security Unit Tests
   • Security Integration Tests
   • Behavior-driven Development Frameworks
7. Touchpoints: Software Supply Chain
   • Software Supply Chain Context
   • Dependency Risks
   • Patching Best Practices
   • Dependency Management Tools