
Integrating Security into DevOps Pipelines

Key Points

  • DevSecOps expands traditional DevOps by embedding security throughout the software delivery pipeline, ensuring the process is observable, traceable, and compliant from user story to production.
  • Key benefits include enhanced observability of the delivery flow, full traceability of requirements to runtime artifacts, increased business confidence in delivered software, and built‑in compliance for regulated industries.
  • Security‑focused practices are layered into each stage: well‑crafted user stories, test‑driven development and pair programming to reduce coding bugs, linting and static scans for vulnerable code, and immutable image verification via notary services.
  • Runtime safeguards such as mutation detection ensure that containers in production do not introduce new vulnerabilities that were missed during build‑time checks.
  • By integrating these risk‑mitigation activities throughout the pipeline, organizations achieve continuous security, faster remediation, and a stronger trust relationship between IT and the business.

Full Transcript

Source: https://www.youtube.com/watch?v=J73MELGF6u0
Duration: 00:06:51

Sections

  • 00:00:00 (https://www.youtube.com/watch?v=J73MELGF6u0&t=0s) DevSecOps Benefits and Practices: Andrea Crawford explains how integrating security into DevOps enhances observability, traceability, confidence, and compliance while emphasizing disciplined practices such as well‑formed user stories, test‑driven development, and pair programming.
0:00 Hi, I'm Andrea Crawford with IBM Cloud, so we're going to talk about DevSecOps. DevSecOps is all about DevOps with the lens on security. The benefits of DevSecOps primarily address observability. This is observability in the context of how observable is your application delivery process in and of itself: do we know what's happening between user story all the way through to code, build, deploy, manage and continuous improvement? Another benefit is traceability: so are we able to understand what user stories are being deployed and managed in the runtime environment, and can we prove it? The next benefit is confidence, and this is all about the business having a trustful relationship with the IT organization that what is being delivered is actually what started off in the beginning of the pipeline as a requirement or a user story. And the last benefit here is compliance. This becomes increasingly important for specific industries like healthcare, public, federal, banking and the like. We need to have compliance built into this release pipeline, and it needs to be engineered from day one.

1:39 DevSecOps can really involve a lot of different activities in the supply chain, or this pipeline. Part of those are things like well-formed user stories over here. These user stories have to be the appropriate size, well-formed, and be understandable by the development team. Additional security features are going to be piped in over here in the code phase. These involve things like test-driven development, pair programming. These are specific activities and new ways of working that mitigate the risk of someone or somebody introducing a bug or a defect at the coding level. We also are able to achieve better test code coverage by writing our test cases first and then writing our code.

2:45 We also have security aspects that we can infuse into the build phase here, and this is more along the lines of linting and making sure that our code is able to conform to standard coding practices. We also have this notion of scanning, particularly for things like infinite loops or undeclared variables. These are all potential vulnerabilities that could manifest themselves in very adverse ways once we get into production. And then some additional security practices around the deploy aspect can also be infused. So with the advent of cloud native and images, there are even things like notary services where we can ensure that images are not only immutable, but Docker images that are being deployed are in fact the same images that are produced from the build process. And then we have in the manage section here activities such as mutation detection, and this is all about making sure that any runtime containers that are in your operational environment don't all of a sudden spark some sort of vulnerability in the runtime environment that you may not have caught in the build phase. So DevSecOps is all about infusing risk-mitigating activities throughout this pipeline here.

4:21 So what are some of the use cases for infusing security? Well, pretty much everything, but in particular if you have issues with a lack of visibility in terms of how your applications are progressing through the pipeline and who's deploying what, when, and in which environment; if you have cases where you are troubled with audits and being able to prove with empirical data that what you are delivering is in fact what you started out with in the beginning of the pipeline, empirically tracing back all the way through from beginning to end; if you have issues with unified governance and being able to use this pipeline here across your enterprise in a uniform way, so making sure that we are delivering software by appropriating the right kind of risk mitigation. Are we doing the right kind of activities throughout this pipeline to mitigate the risk of getting our digital reputation in trouble at an enterprise level? So these are the use cases for employing some of these DevSecOps principles.

5:58 There are industry standard organizations like OWASP, or the Open Web Application Security Project, that actually have software assurance maturity models to address not just these pipeline activities but also governance, construction, and even recommending secure coding practices that you would find over here. So to sum all of this up, DevSecOps is all about a holistic secured-by-design approach to code to delivery, and it all involves people, process and tools. Thanks for watching this video. If you have any questions or comments, be sure to drop a line below. If you want to see more videos like this in the future, be sure to like and subscribe.
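The build-to-deploy check the video describes (notary services ensuring the images being deployed are the same images the build produced) can be expressed as a deploy-stage gate. The following is an added example, not code from the video or from IBM: it assumes the build stage records each image's content digest, and it compares a constructed deploy manifest against that record, failing on mutable tags, unknown images, and digest mismatches.

```python
import re
from dataclasses import dataclass

# Constructed build-stage record: image name -> digest the build actually produced.
# Sample values only; a real pipeline would take these from the build job or a signing/notary service.
BUILD_DIGESTS = {
    "registry.example.com/shop/api": "sha256:" + "a1" * 32,
    "registry.example.com/shop/worker": "sha256:" + "b2" * 32,
}

# Constructed deploy manifest: the image references a deploy step is about to apply.
DEPLOY_IMAGES = [
    "registry.example.com/shop/api:1.4.2@sha256:" + "a1" * 32,  # pinned, matches build
    "registry.example.com/shop/worker:1.4.2",                    # tag only, not pinned
    "registry.example.com/shop/api@sha256:" + "c3" * 32,         # pinned, not what build produced
]

# registry[:port]/repo/path[:tag][@sha256:digest]
IMAGE_REF = re.compile(
    r"^(?P<name>[a-z0-9.\-]+(?::\d+)?(?:/[a-z0-9._\-]+)+)"
    r"(?::(?P<tag>[\w][\w.\-]{0,127}))?"
    r"(?:@(?P<digest>sha256:[0-9a-f]{64}))?$"
)


@dataclass
class Finding:
    image: str
    ok: bool
    reason: str


def check_image(ref: str, build_digests: dict) -> Finding:
    """Accept a deploy reference only if it is digest-pinned to what the build recorded."""
    m = IMAGE_REF.match(ref)
    if not m:
        return Finding(ref, False, "unparseable image reference")
    name, digest = m.group("name"), m.group("digest")
    if digest is None:
        return Finding(ref, False, "not pinned by digest (mutable tag)")
    expected = build_digests.get(name)
    if expected is None:
        return Finding(ref, False, "no build record for this image")
    if digest != expected:
        return Finding(ref, False, "digest differs from build output")
    return Finding(ref, True, "matches build output")


def gate(refs, build_digests) -> list:
    """Check every image in a deploy manifest; the deploy should proceed only if all pass."""
    return [check_image(r, build_digests) for r in refs]


if __name__ == "__main__":
    results = gate(DEPLOY_IMAGES, BUILD_DIGESTS)
    for f in results:
        print("PASS" if f.ok else "FAIL", f.image, "-", f.reason)
    raise SystemExit(0 if all(f.ok for f in results) else 1)
```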