This page is in draft, please update as you see fit


DevSecOps is a methodology in which security considerations are built into software development and DevOps practices from the start, so that security checks run continuously and automatically as part of the workflow rather than as manual checks and interventions that block development operations, including fast-paced automated CI/CD pipelines.

Existing Operations:

Here are the key processes that already happen and which fit into DevSecOps:

  •  Release & coding guidelines include a description of how to keep code and configuration separate <include link to R&C guidelines>
  •  Code quality review is performed using a tool
  •  Secrets are stored in vaults rather than in code or configuration (this line needs a bit more detail)
  •  The private key on the Puppet Master is held on that host only, and only key individuals have access to it (this line needs a bit more detail)


What Gaps and Problems Have Been Identified:

  •  Additional security concerns should be covered within the release and coding guidelines
  •  Code quality review does not add gates for specific quality and security requirements, so a change that fails those requirements is not automatically blocked
  •  Documentation of how we already take care of some areas of security within Software Development and DevOps does not fully exist


How Will We Close The Gap

  •  Release & coding guidelines are being reviewed to improve the security advice they give
  •  Code review gates for security requirements are being considered, so that a change which fails a defined requirement cannot be merged or released
  •  Update or create documentation to detail the many things the Software Development and DevOps teams already do to give appropriate attention to security
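As an illustration of what one such gate could look like, the following is an added example and not the team's own tooling: a small secret-scanning check, written to run against the files changed in a merge request, that fails the pipeline when a credential-looking literal, an AWS access key ID or a private key block appears in code or configuration. It enforces the existing guideline of keeping code and configuration separate and secrets in a vault. The rule set, the `secret-scan:allow` reviewer marker and the sample configuration files are assumptions made for the example; the AWS key value used is the documented AWS example key, not a live credential.

```python
"""Pre-merge secret-scanning gate (added example; not the team's own tooling)."""
import re
import sys
from dataclasses import dataclass

# Illustrative rule set (assumption: a production gate would use a maintained
# ruleset from a dedicated secret scanner rather than three hand-written regexes).
SECRET_PATTERNS = {
    "private_key_block": re.compile(
        r"-----BEGIN (?:RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----"),
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    # A credential-looking name assigned a quoted literal of 8+ characters.
    "hardcoded_credential": re.compile(
        r"(?i)(?:password|passwd|secret|api_key|token)\s*[=:]\s*['\"][^'\"]{8,}['\"]"),
}


@dataclass(frozen=True)
class Finding:
    path: str
    line_no: int
    rule: str


def scan_text(path, text):
    """Return one Finding per (line, rule) hit.

    Lines a reviewer has explicitly approved with a trailing
    'secret-scan:allow' marker (an assumed convention) are skipped,
    so false positives can be accepted visibly rather than by
    weakening the rules.
    """
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        if "secret-scan:allow" in line:
            continue
        for rule, pattern in SECRET_PATTERNS.items():
            if pattern.search(line):
                findings.append(Finding(path, line_no, rule))
    return findings


def gate(findings):
    """Exit status for CI: 0 = merge allowed, 1 = blocked."""
    for f in findings:
        print(f"BLOCKED {f.path}:{f.line_no} matched rule {f.rule}", file=sys.stderr)
    return 1 if findings else 0


# Constructed sample inputs (not real files from the project).
BAD_CONFIG = """\
[database]
host = db.internal
db_password = "hunter2-prod-2019"
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
-----BEGIN RSA PRIVATE KEY-----
(placeholder; no key material)
-----END RSA PRIVATE KEY-----
"""

# The same settings written the way the guidelines intend: configuration
# refers to secrets by name and resolves them from a vault or the
# environment at deploy time, so nothing sensitive is committed.
GOOD_CONFIG = """\
[database]
host = db.internal
db_password = ${VAULT:secret/data/app/db#password}
aws_access_key_id = ${ENV:AWS_ACCESS_KEY_ID}
"""

if __name__ == "__main__":
    # Real usage in a pipeline: python secret_gate.py <changed files...>
    # With no arguments the constructed samples are scanned instead.
    paths = sys.argv[1:]
    if not paths:
        all_findings = (scan_text("bad.conf", BAD_CONFIG)
                        + scan_text("good.conf", GOOD_CONFIG))
    else:
        all_findings = []
        for p in paths:
            with open(p, encoding="utf-8", errors="replace") as fh:
                all_findings += scan_text(p, fh.read())
    sys.exit(gate(all_findings))
```

Run with no arguments it reports the three hits in the constructed bad file and nothing for the good one, and exits 1; wired into the pipeline as a required job it turns "secrets belong in the vault" from guideline text into a gate that a merge request cannot pass without either fixing the finding or a reviewer marking the line as accepted.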