chapter four

4 Releasing secure code


This chapter covers:

  • How organizations can release secure code leveraging people, process, and technology.
  • What a DevSecOps pipeline looks like and why it supports security better than other release methods.
  • What differentiates a DevOps model from other models such as Waterfall, Agile, and Lean.
  • How to take advantage of a fast feedback loop to report security issues to the development team as rapidly as possible.

In this chapter I will describe the release methods in use in most organizations. Some of these methods have been practiced for a long time and are still widely found. Each has its pros and cons, but a release method such as DevOps can support a more secure way of delivering software. If you are not familiar with DevOps, it is a set of practices that brings development and operations together to deliver software efficiently.

Definition

Microsoft defines DevOps as follows: a compound of development (Dev) and operations (Ops), DevOps is the union of people, process, and technology to continually provide value to customers.

4.1 Security in DevOps

4.1.1 DevOps pipelines

4.2 DevOps isn’t the only game in town

4.2.1 Waterfall

4.2.2 Agile

4.2.3 Lean

4.2.4 DevOps supports security better

4.2.5 DevSecOps Example

4.3 Application security tooling in the pipeline

4.3.1 Threat modeling in DevSecOps

4.3.2 SAST in DevSecOps

4.3.3 DAST and IAST in DevSecOps

4.3.4 SCA in DevSecOps

4.3.5 Run-time protection in DevSecOps

4.3.6 Security orchestration

4.3.7 Security education

4.4 Feedback Loop

4.5 Summary