4 Releasing secure code

This chapter covers

Exploring how organizations can release secure code
Explaining what a DevSecOps pipeline looks like
Looking at why DevSecOps supports security better than other release methods
Differentiating a DevOps model compared to other models
Discovering how to use a fast feedback loop for security issues

In this chapter, I will show some release methods that are in practice in most organizations. While each has its pros and cons, release methods such as DevOps can support a more secure method of delivering software. If you are not familiar with DevOps, it is a set of practices that bring together development and operations to deliver software in an efficient manner.

Definition

Microsoft defines DevOps as a compound of development (Dev) and operations (Ops). DevOps is the union of people, process, and technology to continually provide value to customers.

4.1 Security in DevOps

4.1.1 DevOps pipelines

4.2 DevOps isn’t the only game in town

4.2.1 Waterfall

4.2.2 Agile

4.2.3 Lean

4.2.4 DevOps supports security better

4.2.5 DevSecOps example

4.3 Application security tooling in the pipeline

4.3.1 Threat modeling in DevSecOps

4.3.2 SAST in DevSecOps

4.3.3 DAST and IAST in DevSecOps

4.3.4 SCA in DevSecOps

4.3.5 Run-time protection in DevSecOps

Summary