Sun May 28, 2023
What is DevSecOps?
DevSecOps is the integration of security practices into the software development process, and in particular into the continuous integration (CI) and continuous delivery/deployment (CD) pipeline. The emphasis is on building security in from the start rather than treating it as an afterthought: every commit is linted, scanned and gated automatically, so vulnerabilities and misconfigurations are caught early in the development cycle, when they are cheapest to fix, instead of surfacing in production. Done consistently, this also produces the evidence trail needed for compliance and lowers the risk of a data breach.
DevOps vs DevSecOps
Advantages of DevSecOps
Tools we used for Security
TFLint : A linter for Terraform, the open-source infrastructure-as-code tool. It detects errors and potential problems that `terraform validate` does not, such as invalid provider-specific values (for example an AWS instance type that does not exist), deprecated syntax and unused declarations, and it enforces naming and style conventions so that Terraform code follows the organization's standards. Because it runs statically, before any `terraform plan` or `apply`, it can be integrated into the pipeline and fail a build early. Note that TFLint checks correctness and quality, not security: it will not flag an open security group or an unencrypted volume, which is what tfsec is for.
tfsec : An open-source static security scanner for Terraform. It analyses the HCL before anything is applied and reports misconfigured resources (publicly open security groups, unencrypted storage, overly permissive IAM policies), hard-coded secrets and other insecure settings, mapping each finding to a severity and to cloud-provider best practices.
Because it needs neither cloud credentials nor a Terraform plan, it runs cheaply on every commit and works as a pre-deployment gate that stops insecure infrastructure from being deployed. Findings can be suppressed in code with a `#tfsec:ignore:<rule-id>` comment, and those suppressions should themselves be reviewed. The tfsec maintainers have since merged its checks into Trivy (`trivy config`), so a new pipeline can get the same coverage from a single tool.
SonarQube : A platform for continuous inspection of code quality (the Community Edition is open source; commercial editions add features). It performs static analysis to find bugs, security vulnerabilities, security hotspots and code smells early in development, and supports many languages including Java, C#, Python and JavaScript.
SonarQube integrates with IDEs, build tools and version control systems, can be run on-premises or used as a hosted service, and a quality gate on its results can block a merge or a build. It analyses your own source code only; it does not know about vulnerable third-party packages or base images, which is why a dependency and image scanner such as Trivy is needed alongside it.
Trivy : An open-source vulnerability scanner for container images and other targets (filesystems, git repositories, and with `trivy config` also Terraform, Kubernetes and Dockerfile configurations). It matches operating-system packages and language dependencies against known CVEs, and can also flag misconfigurations and exposed secrets. It can scan images in a registry, locally built images or a root filesystem, and is lightweight enough to run on every build. A severity threshold (for example, fail on CRITICAL and HIGH findings that have a fix available) gives a useful pipeline gate without blocking on findings nobody can fix yet.
Terrascan : An open-source static analyser for infrastructure as code. Although it is often described as a Terraform scanner, it also handles Kubernetes manifests, Helm charts, Kustomize, Dockerfiles and CloudFormation, which is why it is the tool used for the Kubernetes YAML here. Its policies are written as OPA Rego rules grouped by provider (AWS, Azure, Google Cloud, Kubernetes and others) and cover misconfigured security groups, exposed secrets, privileged containers and similar insecure settings, with references to common compliance benchmarks. Terrascan produces a detailed report with a severity and suggested remediation for each violation, exits non-zero when violations are found so a pipeline can gate on it, and lets individual findings be skipped or custom rules be added.
GitHub Actions Secrets : Encrypted variables for sensitive values such as API keys, passwords and tokens that workflows need in order to reach other services (deployments, tests, integrations, private resources).
Secrets are created and managed through the GitHub web interface, the GitHub API or the GitHub CLI, and can be scoped to a repository, to a deployment environment (optionally protected by required reviewers) or to an organization; a workflow reads them as `${{ secrets.NAME }}`. Two caveats matter in practice: anyone who can change a workflow file in the repository can exfiltrate its secrets, and workflows triggered by pull requests from forks do not receive them, so any step that uploads reports must tolerate their absence. GitHub masks a secret's exact value in logs, but a transformed value (base64-encoded, split or URL-encoded) is not masked. For cloud access, OIDC federation, which exchanges the job's identity token for short-lived credentials, avoids storing long-lived keys as secrets at all.
AWS S3 : The object storage service of Amazon Web Services. A bucket is the container for objects in S3. It is a flat namespace of objects addressed by key rather than a real directory tree, although key prefixes such as `repo/commit-sha/` make the console display folder-like groupings. Any amount of data can be stored and retrieved from a bucket over HTTPS at any time, and S3 stores each object redundantly across multiple devices in multiple Availability Zones to protect against data loss. For scan reports the settings that matter are Block Public Access on the bucket, default server-side encryption, and a CI role limited to `s3:PutObject` on the report prefix, because the reports describe exactly which vulnerabilities exist in your images.
With TFLint and tfsec we check our Terraform code (quality and security respectively). Trivy scans our Docker images and the JSON reports are pushed to an S3 bucket for later analysis. Terrascan scans the YAML manifests for our Kubernetes cluster, and GitHub Actions Secrets hold the credentials these steps need.
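The following GitHub Actions workflow wires the tools described above together in the way the pipeline paragraph describes: TFLint and tfsec on the Terraform code, Trivy on the freshly built image with the JSON report pushed to S3, Terrascan on the Kubernetes manifests, and credentials taken from Actions secrets. It is an added example, not the project's own workflow. The repository layout (`terraform/`, `k8s/`, a `Dockerfile` at the root), the secret and variable names (`AWS_REPORTS_ROLE_ARN`, `AWS_REGION`, `REPORTS_BUCKET`), the action version pins and the Terrascan release number are assumptions to adapt; it also uses OIDC role assumption for AWS instead of static access keys, which is a choice of this example.

```yaml
# .github/workflows/devsecops.yml (added example; paths, names and pins are assumptions)
name: devsecops-scan

on:
  push:
    branches: [main]
  pull_request:

# Least-privilege GITHUB_TOKEN: id-token is needed only for the OIDC exchange with AWS.
permissions:
  contents: read
  id-token: write

env:
  TERRASCAN_VERSION: "1.19.1"   # assumed; pin to a release you have verified

jobs:
  terraform-checks:
    runs-on: ubuntu-latest
    defaults:
      run:
        working-directory: terraform   # assumed location of the Terraform code
    steps:
      - uses: actions/checkout@v4
      - uses: hashicorp/setup-terraform@v3
      - name: Terraform syntax and schema validation
        run: |
          terraform fmt -check -recursive
          terraform init -backend=false
          terraform validate
      - uses: terraform-linters/setup-tflint@v4
      - name: TFLint (quality and provider-specific mistakes, not security)
        run: |
          tflint --init
          tflint --recursive --format compact
      - name: tfsec (security misconfigurations; fails the job on HIGH or above)
        uses: aquasecurity/tfsec-action@v1.0.3
        with:
          working_directory: terraform
          soft_fail: false
          additional_args: --minimum-severity HIGH

  image-scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Build the image that will be scanned
        run: docker build -t app:${{ github.sha }} .
      - name: Trivy image scan (OS packages and application dependencies)
        uses: aquasecurity/trivy-action@0.24.0
        with:
          image-ref: app:${{ github.sha }}
          format: json
          output: trivy-image.json
          severity: CRITICAL,HIGH
          ignore-unfixed: true   # do not block on CVEs with no fix available yet
          exit-code: "1"         # fail the job when a fixable CRITICAL/HIGH CVE is found
      # The upload runs even when the scan failed, so the failing report is archived, but only
      # on push: pull requests from forks do not receive secrets and the role assumption would fail.
      - name: Authenticate to AWS via OIDC (no long-lived access keys in secrets)
        if: ${{ !cancelled() && github.event_name == 'push' }}
        uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: ${{ secrets.AWS_REPORTS_ROLE_ARN }}   # assumed secret name
          aws-region: ${{ vars.AWS_REGION }}                    # non-secret config lives in vars
      - name: Push the report to S3 under repo/commit-sha/
        if: ${{ !cancelled() && github.event_name == 'push' }}
        env:
          REPORTS_BUCKET: ${{ vars.REPORTS_BUCKET }}   # assumed variable name, not a secret
        run: |
          aws s3 cp trivy-image.json \
            "s3://${REPORTS_BUCKET}/${{ github.repository }}/${{ github.sha }}/trivy-image.json" \
            --sse AES256

  k8s-manifests:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Install a pinned Terrascan release
        run: |
          curl -sSL -o terrascan.tar.gz \
            "https://github.com/tenable/terrascan/releases/download/v${TERRASCAN_VERSION}/terrascan_${TERRASCAN_VERSION}_Linux_x86_64.tar.gz"
          tar -xzf terrascan.tar.gz terrascan
          sudo install -m 0755 terrascan /usr/local/bin/terrascan
      - name: Terrascan (Kubernetes policy violations; a non-zero exit gates the job)
        run: terrascan scan -i k8s -d k8s -t k8s -o json   # k8s/ is the assumed manifest directory
```

Each job fails on its own findings (tfsec above its minimum severity, Trivy on fixable CRITICAL/HIGH CVEs, Terrascan on any policy violation), so a red build is the gate. The Trivy report is written as JSON rather than a table so the object in S3 is machine-readable; because the JSON format prints nothing to the job log, look at the archived report or add a second table-format step for humans. The Terrascan download should be verified against the checksums published with the release before it is installed, and the IAM role behind `AWS_REPORTS_ROLE_ARN` needs only `s3:PutObject` on the report prefix.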