Part II
DevSecOps Tooling

Having looked at container security in the preceding six chapters, we will now move on to DevSecOps tooling. The next six chapters walk through a series of security tools suitable for continuous integration/continuous deployment (CI/CD) software development pipelines. This pipeline concept is a widely used model for integrating security measures into every stage of development and deployment. A common DevSecOps expression is “shifting security to the left,” a model in which developers become empowered to run their own security tests much earlier on in the development process. Although there is some debate, the term DevSecOps appears to have originated because the “Sec,” or security, is intertwined within DevOps processes directly. SecOps, on the other hand, tends to refer to security operation staff and processes in a more traditional security setting, such as a Security Operations Center where live services are monitored.

While each of the DevSecOps tools explored in these chapters can be used in a specific section of a pipeline, it should be noted that they are often deployed at different stages. For example, you would probably want to check very early in a pipeline that your initial build is not saving secrets to your code repositories, but you could potentially check that your applications satisfy baseline compliance checks both at the start of the build process and once again before the build is promoted to a new environment. As a result, make use of the security tooling in whatever way you judge most sensible, and do not feel limited by the conventions suggested by the tool authors. The quality of the tests in use is of paramount importance; more important still is that builds fail when previously agreed conditions are not satisfied, and that issues are resolved before builds are permitted to proceed.
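As an added illustration of the gating idea above (this script is not from the book and does not belong to any of the tools covered later), the following POSIX shell gate applies a set of previously agreed conditions to scanner output and fails the build when they are not met. The report format, the stage and severity labels, and the policy thresholds are all assumptions constructed for the example; real scanners emit their own report formats, and a real pipeline would read the report from a file rather than a constructed string.

```shell
#!/bin/sh
# Added example, not from the book: a minimal CI gate that enforces agreed
# pass/fail conditions on scanner findings. The report format and the policy
# values below are constructed for illustration.

# The "previously agreed conditions" between development and security.
MAX_CRITICAL=0      # no critical compliance failures tolerated
MAX_HIGH=2          # up to two high findings may be deferred with a ticket
ALLOW_SECRETS=0     # any detected secret fails the build

# Constructed sample findings, one per line: "<stage> <severity> <description>".
SAMPLE_REPORT='secrets HIGH hard-coded cloud API key in config/settings.py
compliance CRITICAL container runs as root
compliance HIGH no resource limits set
compliance LOW image has no healthcheck'

# count_findings <report> <stage|*> <severity|*> -> number of matching lines
count_findings() {
  printf '%s\n' "$1" | awk -v s="$2" -v sev="$3" \
    '(s=="*" || $1==s) && (sev=="*" || $2==sev) {n++} END {print n+0}'
}

# gate <report> -> returns 0 if the agreed conditions hold, 1 otherwise.
# Every violated condition is reported, so the team sees the full picture
# rather than only the first failure.
gate() {
  report="$1"
  fail=0
  secrets=$(count_findings "$report" secrets '*')
  critical=$(count_findings "$report" compliance CRITICAL)
  high=$(count_findings "$report" compliance HIGH)

  if [ "$secrets" -gt "$ALLOW_SECRETS" ]; then
    echo "GATE: $secrets secret(s) detected (allowed: $ALLOW_SECRETS)" >&2
    fail=1
  fi
  if [ "$critical" -gt "$MAX_CRITICAL" ]; then
    echo "GATE: $critical critical compliance failure(s) (allowed: $MAX_CRITICAL)" >&2
    fail=1
  fi
  if [ "$high" -gt "$MAX_HIGH" ]; then
    echo "GATE: $high high compliance failure(s) (allowed: $MAX_HIGH)" >&2
    fail=1
  fi
  return "$fail"
}

# Stand-alone demonstration: the sample report trips two conditions.
if gate "$SAMPLE_REPORT"; then
  echo "build may proceed"
else
  echo "build blocked: resolve the findings above before promotion"
fi
```

In a real pipeline the final `if` would be replaced by `gate "$report" || exit 1` so that the CI runner marks the job failed; the same script can be invoked at the start of the build and again before promotion, with the thresholds tightened for the later stage if that is what the team has agreed.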

In This Part
