Summary
DevOps and DevSecOps are not separate things: security must be fully integrated with DevOps. In this chapter, we discussed how we integrate security in DevOps, not only focusing on scanning tools but mainly on governance, applying threat modeling, and monitoring our DevOps environments. For governance, we looked at the principles of GRC that allow enterprises to manage uncertainties – such as security risks – while defining strategies to achieve their business goals. This is the foundational step to integrating security into all the layers of the enterprise and with that, the development of products and services.
To detect, recognize, and counter attacks, we need to work with threat modeling. In this chapter, we discussed OWASP, which provides insights into how security events can impact businesses. Next, we looked at security scanning in more detail: SAST and DAST are necessities in DevSecOps.
In the last section, we learned about the various...