DevSecOps accelerates the pace of digital transformation. But what is DevSecOps? Developers + Security + Operations. It’s a big deal in software development because it directly impacts speed and security. By adopting the DevSecOps philosophy, teams can more quickly produce code that's secure and reliable.
Let’s break this down into the 12 most common DevSecOps practices and definitions, and how Chef can help.
CI/CD Continuous Integration and Continuous Deployment
Continuous integration occurs when developers regularly merge their code changes into a central repository and run automated builds and tests. Continuous delivery is when code changes are automatically built, tested, and prepared for production release. Chef Infra and Chef Habitat make codified software releases easier and more consistent across a wide range of platforms.
A breach is an incident where information is stolen or released from a system without authorization. A data breach could be an unauthorized user gaining access to a database, or data being published, accidentally or intentionally, to an unsecured system. Chef Infra can apply configurations that help prevent unauthorized access, and Chef InSpec can quickly show you where you’re vulnerable.
DevOps combines software development (Dev) and IT operations (Ops). Merging the two disciplines brings IT operations into the entire development lifecycle. DevOps shortens the development process and provides continuous delivery and higher software quality, usually implemented using agile software development practices. Chef automation makes DevOps practices easier by using a common language across engineering teams.
DevSecOps combines development, security, and operations. Security is a responsibility shared by all teams; it starts at the beginning of the software development lifecycle and continues throughout. Chef Policy as Code brings together configuration management, security, and visibility.
DLP Data Loss Prevention
DLP is the set of tools and methodologies used to detect and prevent potential data breaches by monitoring, detecting, and blocking sensitive data while it’s in motion and at rest. The incidents it guards against are often referred to as data loss, data leaks, or data breaches. Chef InSpec can audit any device in your fleet and let you know where you’re vulnerable.
A microservice is a software architecture that uses several small (micro) individual services linked together into one application. Each service runs independently of the other services and communicates with them, typically through an application programming interface (API). Examples include Docker containers and Kubernetes pods. Chef offers resources to scan container images, running containers, and container hosts. Advantages of using microservices include:
- Independently deploy each service
- Use multiple frameworks and languages
- Easily use existing external services
Digital authentication credentials authenticate a user or system to access any external or internal service, data, or application. Secrets are passwords, usernames, security certificates, API tokens, and database URLs. Chef Vault includes secrets management to enable teams to use Akeyless, AWS Secrets Manager, Azure Key Vault, and HashiCorp Vault.
The tools and methods used to securely store, distribute, and rotate secrets, including API tokens, credentials, and security certificates. Secrets management ensures that only authenticated users can access secrets, which remain in a controlled, central location.
An approach in which software and system testing occurs early in the life cycle. Code tests are performed throughout the delivery process, bringing security in as early as possible and allowing developers to test policies directly on their workstations. Chef includes Test Kitchen to locally test and verify code using Docker, Vagrant (and other local hypervisors), and public cloud instances. Test Kitchen enables developers to do real-world testing right on their laptops.
Manipulating people into performing actions or revealing sensitive information that bad actors or hackers can use to gain access to sensitive information or services. An example of social engineering is impersonating a team member to trick an employee into divulging company credentials. Chef helps secure widely distributed systems by making teams aware of changes via Chef InSpec and enforcing system rules via Chef Infra.
A standard indicator used to evaluate the performance of classification algorithms.
A flaw in software, firmware, or hardware that is unknown to the teams responsible for patching and fixing system security vulnerabilities and defects. "Zero-day" refers to the number of days between vulnerability awareness and the time an engineering team has had to fix it. Chef enables teams to test and roll out fixes more quickly by giving them the tools they need to test updated code and push it to thousands or millions of nodes quickly and consistently.
Chef Can Help
Chef enables DevSecOps teams to create workflows that help solve these problems and vulnerabilities, and speed remediation. With Policy as Code, users can rapidly detect and correct issues across thousands or millions of nodes in easy, repeatable ways. Chef users standardize on-prem, cloud, and edge environments, and use Test-Driven Development practices to help ensure systems and applications are secure.