Sec-Blogger

DevSecOps, What is it?


DevSecOps is the philosophy of integrating security practices within the DevOps process. DevSecOps involves creating a 'Security as Code' culture with ongoing, flexible collaboration between release engineers and security teams. It is a mind-shift change. Security is a vital part of DevOps.


"Fundamentally, if somebody wants to get in, they're getting in... accept that. What we tell clients is number one: you're in the fight, whether you thought you were or not. Number two, you almost certainly are penetrated." - Michael Hayden, Former Director of NSA and CIA


The Mindset Shift

The mindset shift to a DevSecOps culture includes critical thinking not only about preventing breaches but also about assuming that breaches will happen.


Preventing Breaches:

  • Threat models

  • Code reviews

  • Security testing

  • Security development lifecycle (SDL)

Assuming Breaches:

  • War game exercises

  • Central security monitors

  • Live site penetration tests

Both strategies are essential, and the items in the preventing breaches mindset are great, but we have found that they aren't enough.


Assuming breaches helps answer some crucial questions in security (so they don't have to be answered in an emergency):

  • How will I detect an attack?

  • What am I going to do if there is an attack or penetration?

  • How am I going to recover from the attack? (e.g., data leaking or tampering)

There are six steps to get DevSecOps started:

1. Secure your subscription

A secure cloud subscription provides a core foundation upon which subsequent development and deployment can be conducted. A development team should have the capabilities to deploy and configure across the different stages of DevOps while maintaining controls on security and governance.


2. Enable Secure Development

During the coding and early development stages, developers should have the ability to write secure code and to test the secure configuration of their cloud applications.


3. Integrate Security into CICD

Test automation is a core tenet of DevOps. We emphasize this by providing the ability to run Secure Verification Tests (SVTs) as part of the Azure CICD pipeline.


4. Continuous Assurance

In the continually changing dev-ops environment, it is essential to move away from the mindset of security being a milestone. We have to treat security as a continuously varying state of a system.


5. Alerting & Monitoring

The visibility of security status is vital for individual application teams and also for central enterprise teams. We provide solutions that cater to the needs of both.


6. Cloud Risk Governance

This step addresses audit and compliance risks, including issues around data jurisdiction, data access control, and maintaining an audit trail, as well as security risks, including data integrity, data confidentiality, and privacy.


For additional information refer to https://azsk.azurewebsites.net/

