
Enterprise DevSecOps

Integrate Security Into the Development Cycle

DevSecOps is an extension of the DevOps model, in which developers, security, and operations teams work together closely through all stages of the software development lifecycle (SDLC) and continuous integration / continuous deployment (CI/CD) pipelines.

DevOps introduced the use of automation and streamlined processes to increase development velocity and improve software quality. DevSecOps adds security to this equation—building security into the process and eliminating silos between development, operations, and security teams. It ensures that a DevOps environment incorporates security best practices and security testing, from planning and development, through testing, staging, and deployment.

Tools are a critical part of DevSecOps because, in a fast-paced DevOps environment, security must be automated and closely integrated with the CI/CD pipeline.

DevSecOps tools have two main goals. The first is to minimize risk in development pipelines, without slowing down velocity, by detecting and fixing security vulnerabilities through continuous security testing. The second is to support security teams, allowing them to oversee security of development projects without needing to manually review and approve every release.


Open Source Vulnerability Scanning

Scanning in development:

Developers can automatically be notified of security issues in components they are including. They can then make faster, informed decisions on how to address or avoid introducing these risks.


Scanning in security testing:

Any component with vulnerabilities that exceed a predefined risk threshold should raise an alert and be inspected before deployment to production. These alerts can trigger remediation activities from development teams or be reviewed and prioritized by security teams.


Scanning in production and pre-production:

Any new vulnerabilities or risks that enter the application after security review can be detected, alerted upon, and addressed. This includes risks from artifacts that entered the project through means other than the SDLC or CI/CD pipeline, zero-day vulnerabilities, and malware.


  • Static Application Security Testing (SAST)

  • Dynamic Application Security Testing (DAST)

  • Image Scanning

  • Infrastructure Automation Tools

  • Dashboard and Visualization Tools

  • Threat Modeling Tools

  • Alerting Tools
