Preface
What You Will Learn
Putting DevSecOps into practice at scale is not an easy task and requires a shift in mindset, culture, and processes. However, taking the whole problem apart and addressing each piece separately can make it easier to implement. Taking a step back and looking at the big picture is important, but not at the expense of the details—it's not enough to have the high-level view of the problem, and if it's the only thing you have, chances are you will miss the details that are important to make it work.
Charles Eames said: "The details are not the details. They make the design." This is true for DevSecOps as well. The details are what make DevSecOps work, and if you don't pay attention to them, you will end up with a broken implementation that doesn't deliver the expected results. This guide is designed to help you with that through a series of chapters that cover different stages and aspects of the process. In this guide, you will understand the following concepts:
The DevSecOps philosophy, mindset, and practices.
Establishing a secure and structured Git workflow for collaboration, managing repositories safely, ignoring sensitive data, and rewriting Git history to remove leaked secrets.
Implementing robust security practices for your Git repositories, including access controls, branch protection, commit signing with GPG keys, secure authentication using SSH keys, and more.
Preventing and detecting secret leaks proactively through tools like TruffleHog, implementing pre-commit hooks, and using scanning tools for secrets management.
Scanning dependencies for vulnerabilities using OWASP Dependency-Check and understanding CVEs, CVSS, CWE, and CPE identifiers to keep your software supply chain secure.
Improving your code quality and security using security linting tools like Bandit, identifying issues such as SQL injections, insufficient input validation, improper error handling, insecure deserialization, and weak cryptographic practices.
Security linting your Dockerfiles using tools like Hadolint to catch common issues like overly permissive configurations and insecure instructions.
Building secure container images with best practices for writing Dockerfiles and managing Docker registries, including using multi-stage builds, setting proper user permissions, and avoiding pitfalls.
Scanning your Docker images for vulnerabilities using container-scanning tools like Trivy, interpreting scan reports, and applying findings proactively.
DevSecOps in Practice
A Hands-On Guide to Operationalizing DevSecOps at Scale
