What Is DevSecOps and How Does It Work?

Sorry, not available in this language yet

English
日本語
简体中文

AppSec SaaS Platform | All-in-one cloud-based AppSec platform with Polaris
AppSec IDE Plug-ins | Secure code as you write it in your IDE with Code Sight
Software Risk Management | Correlate and prioritize AppSec risks with Code DX
DevSecOps Integrations | Integrate AppSec tools into DevOps workflows

Static Analysis (SAST) | Find vulnerabilities in proprietary code during development with Coverity
Software Composition Analysis (SCA) | Find vulnerabilities in open source and 3rd party components with Black Duck SCA
Interactive Analysis (IAST) | Find and verify vulnerabilities during build and QA with Seeker IAST
Dynamic Analysis (DAST) | Automated web application security testing in production with WhiteHat Dynamic
Penetration Testing | Find business logic errors before hackers do
Protocol Fuzzing | Discover unknown vulnerabilities to prevent zero-day attacks with Defensics Fuzz Testing

Program Strategy & Planning | Measure, scale and optimize your AppSec program
Threat & Risk Assessments | Understand and address internal and external security risks
Security Training | Education on coding basics and advanced skills to build secure code
Implementation & Deployment | Optimize utilization, management and deployment of tools
Security Testing Services | On-demand security testing resources and expertise

Open Source & Security Audits | Comprehensive technical due diligence services for M&A with Black Duck Audit Services

Manage software risk at the speed your business demands | automation with Genetec & Mateso

Dev and DevOps Teams | building security into your software development lifecycle (SDLC)
Security Teams | Are your AppSec tools, programs, and people equipped to secure all that software?
Legal Teams | Solutions to protect your IP, manage your risk

API Security Testing | with a holistic API security testing program
Application Security Testing | at every stage of the application life cycle
DevSecOps | Synopsys solutions help shift security left without slowing down your development teams
Software Supply Chain Security | Synopsys solutions help you identify and manage software supply chain risks end-to-end
Cloud & Container Security | secure deployment and operation in the cloud
Open Source Security & License Management | security and compliance for open source
M&A Due Diligence | identify software risks that could negatively impact the value of acquired IP
Quality & Security Standards Compliance | demonstrate compliance with specific standards to maintain customer trust and avoid legal or regulatory penalties

Financial Services | protect sensitive customer and financial data from rapidly evolving security threats
IoT & Embedded | ensure your embedded and IoT devices are safe, secure, and reliable
Automotive | build software security & reliability into the modern connected car
Telecommunications | we help you create seamless and safe mobile experiences, from silicon to software
Aerospace & Defense | solutions for automating mission-critical development
Public Sector | application security for government agencies and their suppliers
Medical Device | ensure your medical devices and applications meet patient expectations and comply with regulations

AppSec Program Strategy News | Get insights from Synopsys cyber security experts on building a security program
DAST News | articles about how to apply DAST effectively across your application portfolio
IAST News | articles from Synopsys cyber security experts to learn how IAST tools can grow with your needs
SAST News | articles from Synopsys cyber security experts to learn how to leverage SAST
Open Source and Software Supply Chain News | Discover supply chain risk management best practices from Synopsys cyber security experts
Fuzz Testing News | Learn more about fuzz testing, including instrumentation techniques and best practices, from Synopsys cyber security experts
Security and Developer Training News | articles on security and developer training to help strengthen your team’s knowledge around security
Software Composition News | Read SCA articles to learn how to manage the security, license compliance, and code quality risks that arise from open source in apps
Secure Software Development News | Read related articles from Synopsys cyber security experts
Security Risk News | Read articles from Synopsys cyber security experts to learn how to manage security risks
Security Research News | Get an analysis of today’s application security news and research from Synopsys cyber security experts

Case Studies | Application Security Customer Stories
eBooks | Discover the latest software security trends and best practices to ensure security in a DevOps environment while maintaining developer velocity
Glossary | Glossary of Application Security, EDA & Semiconductor IP
Reports | Discover the latest application security trends and best practices to ensure security in a DevOps environment while maintaining velocity
Webinars | latest & upcoming Synopsys Webinars
White Papers | Discover industry best practices to ensure security in a DevOps environment while maintaining developer velocity

Overview | leverages Synopsys’ expertise, technology, and resources to conduct high-quality software security research
Research | Get an analysis of today’s application security news and research from Synopsys cyber security experts

Press Releases | complete list of our most recent news releases

Table of Contents

What is DevSecOps?
What is DevOps?
How is DevOps different from DevSecOps?
Why is DevSecOps important?
Which application security tools are used in DevSecOps?
How are application security testing tools integrated into DevSecOps?
What to read next

Definition

DevSecOps is a trending practice in application security (AppSec) that involves introducing security earlier in the software development life cycle (SDLC). It also expands the collaboration between development and operations teams to integrate security teams in the software delivery cycle. DevSecOps requires a change in culture, process, and tools across these core functional teams and makes security a shared responsibility. Everyone involved in the SDLC has a role to play in building security into the DevOps continuous integration and continuous delivery (CI/CD) workflow.

The Top Three Ways to Build Security into DevOps

This eBook details three ways of achieving security with speed.

Run the right test at the right time and to the right depth
Align remediation efforts with business risks
Empower developers to secure code as fast as they write it

Get the eBook

What is DevOps?

DevSecOps evolved to address the need to build in security continuously across the SDLC so that DevOps teams could deliver secure applications with speed and quality. Incorporating testing, triage, and risk mitigation earlier in the CI/CD workflow prevents the time-intensive, and often costly, repercussions of making a fix postproduction. This concept is part of “shifting left,” which moves security testing toward developers, enabling them to fix security issues in their code in near real time rather than “bolting on security” at the end of the SDLC. DevSecOps spans the entire SDLC, from planning and design to coding, building, testing, and release, with real-time continuous feedback loops and insights.

DevOps is an approach to software development that centers on three pillars—organizational culture, process, and technology and tools. All three are geared toward helping development and IT operations teams work collaboratively to build, test, and release software in a faster, more agile, and more iterative manner than traditional software development processes.

According to The DevOps Handbook, “In the DevOps ideal, developers receive fast, constant feedback on their work, which enables them to quickly and independently implement, integrate, and validate their code, and have the code deployed into the production environment.”

In simple terms, DevOps is about removing the barriers between two traditionally siloed teams. In a DevOps model, development and operations teams work together across the entire software application life cycle, from development and testing through deployment and operations.

How is DevOps different from DevSecOps?

Modern software development leverages an agile-based SDLC to accelerate the development and delivery of software releases, including updates and fixes. DevOps and DevSecOps use the agile framework for different purposes. DevOps focuses on the speed of app delivery, whereas DevSecOps augments speed with security by delivering apps that are as secure as possible as quickly as possible. The goal of DevSecOps is to promote the fast development of a secure codebase.

Core to DevSecOps is integrating security into every part of the SDLC—from build to production. In DevSecOps, security is the shared responsibility of all stakeholders in the DevOps value chain. DevSecOps involves ongoing, flexible collaboration between development, release management (or operations), and security teams. In short, DevOps focuses on speed; DevSecOps helps maintain velocity without compromising security.

Why is DevSecOps important?

Ultimately, DevSecOps is important because it places security in the SDLC earlier and on purpose. When development organizations code with security in mind from the outset, it’s easier and less costly to catch and fix vulnerabilities before they go too far into production or after release. Organizations in a variety of industries can implement DevSecOps to break down silos between development, security, and operations so they can release more secure software faster.

Automotive: DevSecOps reduces lengthy cycle times while still ensuring that software compliance standards such as MISRA and AUTOSAR are met
Healthcare: DevSecOps enables digital transformation efforts while maintaining the privacy and security of sensitive patient data per regulations such as HIPAA
Financial, retail, and ecommerce: DevSecOps helps ensure that the OWASP Top 10 web application security risks are addressed and maintains PCI DSS data privacy and security compliance for transactions among consumers, retailers, financial services, and so on
Embedded, networked, dedicated, consumer, and IoT devices: DevSecOps enables developers to write secure code that minimizes the occurrence of the CWE Top 25 most dangerous software errors

Which application security tools are used in DevSecOps?

To implement DevSecOps, organizations should consider a variety of application security testing (AST) tools to integrate within various stages of their CI/CD process. Commonly used AST tools include

Static application security testing (SAST).

SAST tools scan proprietary or custom code for coding errors and design flaws that could lead to exploitable weaknesses. SAST tools, such as Coverity^®, are used primarily during the code, build, and development phases of the SDLC.

Software composition analysis (SCA).

SCA tools such as Black Duck^® scan source code and binaries to identify known vulnerabilities in open source and third-party components. They also provide insight into security and license risks to accelerate prioritization and remediation efforts. In addition, they can be integrated seamlessly into a CI/CD process to continuously detect new open source vulnerabilities, from build integration to preproduction release.

Interactive application security testing (IAST).

IAST tools work in the background during manual or automated functional tests to analyze web application runtime behavior. For example, the Seeker^® IAST tool uses instrumentation to observe application request/response interactions, behavior, and dataflow. It detects runtime vulnerabilities and automatically replays and tests the findings, providing detailed insights to developers down to the line of code where they occur. This enables developers to focus their time and effort on critical vulnerabilities.

Dynamic application security testing (DAST).

DAST is an automated opaque box testing technology that mimics how a hacker would interact with your web application or API. It tests applications over a network connection and by examining the client-side rendering of the application, much like a pen tester would. DAST tools do not require access to source code or customization; they interact with your website and find vulnerabilities with a low rate of false positives. For example, Synopsys Web Scanner^™ and Synopsys API Scanner^™ DAST tools identify vulnerabilities on web applications and APIs, including web-connected devices such as mobile back-end servers, IoT devices, and RESTful or GraphQL APIs.

How are AST tools integrated in DevSecOps?

Although AST tools are useful for identifying vulnerabilities, they can also add complexity and slow down software delivery cycles. Sorting through an overwhelming number of findings from siloed tools without the means to understand what needs to be done to prioritize them or when it is necessary to test can cause significant friction for security and development teams.

Optimizing testing tools and deriving meaningful insight from their data requires an application security orchestration and correlation (ASOC) solution. ASOC tools combine the capabilities of application security testing orchestration (ASTO) and application vulnerability correlation (AVC) tools to provide a management framework for AppSec tools, workflows, and prioritization of security activities. An effective ASOC tool is key to DevSecOps because it enables security and development teams to orchestrate testing intelligently, consolidate data from all AST tools, deduplicate any redundant results, correlate this data based on threat intelligence, and contextualize software risk to prioritize critical findings.

Together, Synopsys Intelligent Orchestration and Code Dx® provide an ASOC solution that integrates within the SDLC to mitigate software risk and build security into DevOps. Intelligent Orchestration enables organizations to determine the most impactful security activities by assessing the criticality of applications, defining application security policies as code, and using that policy to evaluate code changes and other SDLC events to trigger appropriate testing. It is an ASTO solution that, when combined with an AVC solution like Code Dx , provides a holistic ASOC approach. Code Dx integrates across 100+ developer and AST tools to consume, normalize, and correlate application security data, prioritize key findings, coordinate remediation workflows, and provide visibility to stakeholders across development and security. Importantly, Intelligent Orchestration and Code Dx support bidirectional integrations with a variety of ticketing systems to enable continuous feedback loops and communicate defects or security activities with developers directly. This provides a necessary foundation for organizations to bridge process gaps, facilitate collaboration between stakeholders across security and development, and fully migrate to DevSecOps.

Learn more about Synopsys solutions for DevSecOps