CINXE.COM
The Fundamentals of DevSecOps in DevOps - GitHub Resources
<!DOCTYPE html><html lang="en"><head><script type="text/javascript" src="/_static/js/bundle-playback.js?v=HxkREWBo" charset="utf-8"></script> <script type="text/javascript" src="/_static/js/wombat.js?v=txqj7nKC" charset="utf-8"></script> <script>window.RufflePlayer=window.RufflePlayer||{};window.RufflePlayer.config={"autoplay":"on","unmuteOverlay":"hidden"};</script> <script type="text/javascript" src="/_static/js/ruffle/ruffle.js"></script> <script type="text/javascript"> __wm.init("https://web.archive.org/web"); __wm.wombat("https://resources.github.com/devops/fundamentals/devsecops/","20221215181001","https://web.archive.org/","web","/_static/", "1671127801"); </script> <link rel="stylesheet" type="text/css" href="/_static/css/banner-styles.css?v=S1zqJCYt" /> <link rel="stylesheet" type="text/css" href="/_static/css/iconochive.css?v=3PDvdIFv" /> <!-- End Wayback Rewrite JS Include --> <meta name="viewport" content="width=device-width"/><meta charset="utf-8"/><meta http-equiv="Content-Security-Policy" content=""/><link rel="apple-touch-icon" sizes="180x180" href="/web/20221215181001im_/https://resources.github.com/apple-touch-icon.png"/><link rel="icon" type="image/png" sizes="32x32" href="/web/20221215181001im_/https://resources.github.com/favicon-32x32.png"/><link rel="icon" type="image/png" sizes="16x16" href="/web/20221215181001im_/https://resources.github.com/favicon-16x16.png"/><link rel="manifest" href="/web/20221215181001/https://resources.github.com/site.webmanifest"/><link rel="mask-icon" href="/web/20221215181001im_/https://resources.github.com/safari-pinned-tab.svg" color="#ab3f8b"/><meta name="apple-mobile-web-app-title" content="GitHub Resources"/><meta name="application-name" content="GitHub Resources"/><meta name="msapplication-TileColor" content="#ab3f8b"/><meta name="theme-color" content="#151920"/><link rel="canonical" href="https://web.archive.org/web/20221215181001/https://resources.github.com/devops/fundamentals/devsecops/"/><meta 
name="ha-url" content="https://collector.githubapp.com/resources/collect"/><meta name="twitter:card" content="summary_large_image"/><meta name="twitter:site" content="@github"/><meta name="twitter:creator" content="@GitHub"/><meta property="og:url" content="https://web.archive.org/web/20221215181001/https://resources.github.com/devops/fundamentals/devsecops/"/><meta property="og:type" content="website"/><meta property="og:locale" content="en_US"/><meta property="og:site_name" content="GitHub Resources"/><title>The Fundamentals of DevSecOps in DevOps - GitHub Resources</title><meta name="robots" content="index,follow"/><meta name="description" content="The meaning of DevSecOps is a combination of development, security, and operations automating the integration of security into every phase of the software development lifecycle."/><meta property="og:title" content="The Fundamentals of DevSecOps in DevOps"/><meta property="og:description" content="The meaning of DevSecOps is a combination of development, security, and operations automating the integration of security into every phase of the software development lifecycle."/><meta property="og:image" content="//web.archive.org/web/20221215181001im_/https://images.ctfassets.net/wfutmusr1t3h/4h4pRGrs2KDTg0fBoUPTc3/923a793aa9c09f6ad14dd5b37d14f510/DevOps_Social_Main_Component__12_.png"/><meta property="og:image:alt" content="GitHub Resources"/><meta property="og:image:width" content="1200"/><meta property="og:image:height" content="628"/><script type="application/ld+json">{"@context":"https://web.archive.org/web/20221215181001/https://schema.org","@type":"Article","datePublished":"2022-05-23T12:00+00:00","description":"DevSecOps builds on the ideas of DevOps by applying security practices throughout the software development lifecycle to ship more secure code 
faster.","mainEntityOfPage":{"@type":"WebPage","@id":"https://web.archive.org/web/20221215181001/https://resources.github.com/devops/fundamentals/devsecops"},"headline":"DevSecOps explained","image":["//web.archive.org/web/20221215181001/https://images.ctfassets.net/wfutmusr1t3h/4h4pRGrs2KDTg0fBoUPTc3/923a793aa9c09f6ad14dd5b37d14f510/DevOps_Social_Main_Component__12_.png"],"dateModified":"2022-05-23T12:00+00:00","author":{"@type":"Person","name":"GitHub"}}</script><meta name="next-head-count" content="31"/><link rel="preload" href="/web/20221215181001/https://resources.github.com/_next/static/css/4fd560af2d6ec27b.css" as="style"/><link rel="stylesheet" href="/web/20221215181001cs_/https://resources.github.com/_next/static/css/4fd560af2d6ec27b.css" data-n-g=""/><noscript data-n-css=""></noscript><script defer="" nomodule="" src="/web/20221215181001js_/https://resources.github.com/_next/static/chunks/polyfills-5cd94c89d3acac5f.js"></script><script src="/web/20221215181001js_/https://resources.github.com/_next/static/chunks/webpack-318765b79fb60248.js" defer=""></script><script src="/web/20221215181001js_/https://resources.github.com/_next/static/chunks/framework-5f4595e5518b5600.js" defer=""></script><script src="/web/20221215181001js_/https://resources.github.com/_next/static/chunks/main-9e7d3fa9e9b13de1.js" defer=""></script><script src="/web/20221215181001js_/https://resources.github.com/_next/static/chunks/pages/_app-8e9c7d4fb497d2bc.js" defer=""></script><script src="/web/20221215181001js_/https://resources.github.com/_next/static/chunks/650-9a304ef3b20bdc2d.js" defer=""></script><script src="/web/20221215181001js_/https://resources.github.com/_next/static/chunks/pages/%5B...path%5D-30483e7f0951bfb8.js" defer=""></script><script src="/web/20221215181001js_/https://resources.github.com/_next/static/C8OG16dqN1YRAAs9VS1ix/_buildManifest.js" defer=""></script><script 
src="/web/20221215181001js_/https://resources.github.com/_next/static/C8OG16dqN1YRAAs9VS1ix/_ssgManifest.js" defer=""></script><script src="/web/20221215181001js_/https://resources.github.com/_next/static/C8OG16dqN1YRAAs9VS1ix/_middlewareManifest.js" defer=""></script></head><body><div id="__next" data-reactroot=""><div data-color-mode="light" style="background:unset;min-height:100vh" class="d-flex flex-column"><div id="resources-navbar-container" data-color-mode="light" data-light-theme="light" style="position:fixed" class="light-mode"><header id="resources-navbar"><nav class="container-xl d-flex flex-items-center py-1" aria-label="Site navigation"><a href="https://web.archive.org/web/20221215181001/https://github.com/" target="_blank" rel="noreferrer" title="Visit GitHub" class="gh-icon Header-link d-none d-lg-block"><svg aria-hidden="true" role="img" class="nav-back-arrow" viewbox="0 0 24 24" width="32" height="32" fill="currentColor" style="display:inline-block;user-select:none;vertical-align:text-bottom;overflow:visible"><path fill-rule="evenodd" d="M15.28 5.22a.75.75 0 00-1.06 0l-6.25 6.25a.75.75 0 000 1.06l6.25 6.25a.75.75 0 101.06-1.06L9.56 12l5.72-5.72a.75.75 0 000-1.06z"></path></svg><svg aria-hidden="true" role="img" class="octicon octicon-mark-github" viewbox="0 0 16 16" width="32" height="32" fill="currentColor" style="display:inline-block;user-select:none;vertical-align:text-bottom;overflow:visible"><path fill-rule="evenodd" d="M8 0C3.58 0 0 3.58 0 8c0 3.54 2.29 6.53 5.47 7.59.4.07.55-.17.55-.38 0-.19-.01-.82-.01-1.49-2.01.37-2.53-.49-2.69-.94-.09-.23-.48-.94-.82-1.13-.28-.15-.68-.52-.01-.53.63-.01 1.08.58 1.23.82.72 1.21 1.87.87 2.33.66.07-.52.28-.87.51-1.07-1.78-.2-3.64-.89-3.64-3.95 0-.87.31-1.59.82-2.15-.08-.2-.36-1.02.08-2.12 0 0 .67-.21 2.2.82.64-.18 1.32-.27 2-.27.68 0 1.36.09 2 .27 1.53-1.04 2.2-.82 2.2-.82.44 1.1.16 1.92.08 2.12.51.56.82 1.27.82 2.15 0 3.07-1.87 3.75-3.65 3.95.29.25.54.73.54 1.48 0 1.07-.01 1.93-.01 2.2 0 
.21.15.46.55.38A8.013 8.013 0 0016 8c0-4.42-3.58-8-8-8z"></path></svg></a><a class="Header-link d-lg-none" title="GitHub Resources - Home" href="/web/20221215181001/https://resources.github.com/"><svg aria-hidden="true" role="img" class="octicon octicon-mark-github" viewbox="0 0 16 16" width="32" height="32" fill="currentColor" style="display:inline-block;user-select:none;vertical-align:text-bottom;overflow:visible"><path fill-rule="evenodd" d="M8 0C3.58 0 0 3.58 0 8c0 3.54 2.29 6.53 5.47 7.59.4.07.55-.17.55-.38 0-.19-.01-.82-.01-1.49-2.01.37-2.53-.49-2.69-.94-.09-.23-.48-.94-.82-1.13-.28-.15-.68-.52-.01-.53.63-.01 1.08.58 1.23.82.72 1.21 1.87.87 2.33.66.07-.52.28-.87.51-1.07-1.78-.2-3.64-.89-3.64-3.95 0-.87.31-1.59.82-2.15-.08-.2-.36-1.02.08-2.12 0 0 .67-.21 2.2.82.64-.18 1.32-.27 2-.27.68 0 1.36.09 2 .27 1.53-1.04 2.2-.82 2.2-.82.44 1.1.16 1.92.08 2.12.51.56.82 1.27.82 2.15 0 3.07-1.87 3.75-3.65 3.95.29.25.54.73.54 1.48 0 1.07-.01 1.93-.01 2.2 0 .21.15.46.55.38A8.013 8.013 0 0016 8c0-4.42-3.58-8-8-8z"></path></svg></a><span class="ml-3 f1-mktg f2-md-mktg opacity-30">/</span><a data-analytics-click="Header, go to homepage" class="d-none d-lg-inline-block Header-link font-weight-semibold p-3 f2" href="/web/20221215181001/https://resources.github.com/">Resources</a><button class="d-lg-none btn-link Header-link font-weight-semibold p-3 mr-auto f2">Resources<svg aria-hidden="true" role="img" class="ml-2 rotatable " viewbox="0 0 24 24" width="24" height="24" fill="currentColor" style="display:inline-block;user-select:none;vertical-align:text-bottom;overflow:visible"><path fill-rule="evenodd" d="M5.22 8.72a.75.75 0 000 1.06l6.25 6.25a.75.75 0 001.06 0l6.25-6.25a.75.75 0 00-1.06-1.06L12 14.44 6.28 8.72a.75.75 0 00-1.06 0z"></path></svg></button><button class="d-none d-lg-inline-block btn-link Header-link font-weight-medium py-3 px-4" data-analytics-click="Nav, click to open nav,nav:Collections">Collections</button><button class="d-none d-lg-inline-block btn-link 
Header-link font-weight-medium py-3 px-4" data-analytics-click="Nav, click to open nav,nav:Topics">Topics</button><button class="d-none d-lg-inline-block btn-link Header-link font-weight-medium py-3 px-4 mr-auto" data-analytics-click="Nav, click to open nav,nav:Types">Types</button><button class="btn-link Header-link font-weight-medium py-3 pl-6" aria-label="Search" data-analytics-click="Search, click on seearch icon,isSearchOpen:true"><svg aria-hidden="true" role="img" class="octicon octicon-search" viewbox="0 0 16 16" width="21" height="21" fill="currentColor" style="display:inline-block;user-select:none;vertical-align:text-bottom;overflow:visible"><path fill-rule="evenodd" d="M11.5 7a4.499 4.499 0 11-8.998 0A4.499 4.499 0 0111.5 7zm-.82 4.74a6 6 0 111.06-1.06l3.04 3.04a.75.75 0 11-1.06 1.06l-3.04-3.04z"></path></svg></button><a data-analytics-click="Header, click to Header" class="d-none d-md-inline-block btn-mktg font-weight-semibold ml-4 mr-3" href="https://web.archive.org/web/20221215181001/https://github.com/enterprise/trial">Free trial</a><a class="d-none d-md-inline-block btn-mktg btn-muted-mktg font-weight-semibold" data-analytics-click="Header, click to Header" href="https://web.archive.org/web/20221215181001/https://github.com/enterprise/contact">Contact sales</a></nav></header><nav class="position-absolute nav-dropdown mobile-nav pt-8 pb-4 color-bg-dark color-fg-white " data-color-mode="dark" data-dark-theme="dark"><div class="container-sm px-6 overflow-auto height-full"><div class="d-flex flex-column color-bg-dark height-full"><div class="border-top-dotted-fancy"><a class="Link--primary f1-mktg d-block py-2" href="/web/20221215181001/https://resources.github.com/collections/">Collections</a></div><div class="border-top-dotted-fancy"><a class="Link--primary f1-mktg d-block py-2" href="/web/20221215181001/https://resources.github.com/topics/">Topics</a></div><div class="border-top-dotted-fancy"><a class="Link--primary f1-mktg d-block py-2" 
href="/web/20221215181001/https://resources.github.com/articles/">Articles</a></div><div class="border-top-dotted-fancy"><a class="Link--primary f1-mktg d-block py-2" href="/web/20221215181001/https://resources.github.com/videos/">Videos</a></div><div class="border-top-dotted-fancy"><a class="Link--primary f1-mktg d-block py-2" href="/web/20221215181001/https://resources.github.com/events/">Events</a></div><div class="border-top-dotted-fancy flex-column flex-1 d-flex d-md-none"><a class="btn-mktg font-weight-semibold mb-3 mt-auto" href="https://web.archive.org/web/20221215181001/https://github.com/enterprise/trial">Free trial</a><a class="btn-mktg btn-muted-mktg font-weight-semibold" data-analytics-click="Header,click on Header" href="https://web.archive.org/web/20221215181001/https://github.com/enterprise/contact">Contact sales</a></div></div></div></nav><nav class="position-absolute nav-dropdown color-bg-dark color-fg-white " data-color-mode="dark" data-dark-theme="dark"><div class="container-xl height-full"><div class="grid grid-cols-1 grid-cols-md-12 gap-12"><div class="col-span-md-6 col-span-1 d-flex flex-column"><h2 class="f4 font-weight-medium mb-4 text-mono gradient-fg-purple-red-light flex-self-start">Featured collections</h2><a class="link-mktg h3-mktg font-weight-medium Link--primary color-fg-on-emphasis flex-self-start mb-2" data-analytics-click="Nav,click on featured collections" href="/web/20221215181001/https://resources.github.com/collection/actions/">GitHub Actions</a></div><div class="col-span-1 col-span-md-3"><h2 class="f4 font-weight-medium mb-4 text-mono gradient-fg-purple-red-light flex-self-start capitalize">collections</h2><div class="border-bottom"><a class="d-block link-mktg Link--primary color-fg-on-emphasis f2-mktg py-2" data-analytics-click="Nav,click on secondary nav collections" href="/web/20221215181001/https://resources.github.com/collection/actions/">GitHub Actions</a></div><div class="border-bottom"><a class="d-block link-mktg 
Link--primary color-fg-on-emphasis f2-mktg py-2" data-analytics-click="Nav,click on secondary nav collections" href="/web/20221215181001/https://resources.github.com/collection/ghas/">GitHub Advanced Security</a></div><div class="border-bottom"><a class="d-block link-mktg Link--primary color-fg-on-emphasis f2-mktg py-2" data-analytics-click="Nav,click on secondary nav collections" href="/web/20221215181001/https://resources.github.com/collection/ghe/">GitHub Enterprise</a></div><a class="link-mktg font-weight-medium Link--primary color-fg-on-emphasis arrow-target-mktg text-semibold f3-mktg mt-4" data-analytics-click="Nav,click on View All collections" href="/web/20221215181001/https://resources.github.com/collections/">View all <!-- -->collections<!-- --> <svg xmlns="http://www.w3.org/2000/svg" class="octicon arrow-symbol-mktg" width="16" height="16" viewbox="0 0 16 16" fill="none"><path fill="currentColor" d="M7.28033 3.21967C6.98744 2.92678 6.51256 2.92678 6.21967 3.21967C5.92678 3.51256 5.92678 3.98744 6.21967 4.28033L7.28033 3.21967ZM11 8L11.5303 8.53033C11.8232 8.23744 11.8232 7.76256 11.5303 7.46967L11 8ZM6.21967 11.7197C5.92678 12.0126 5.92678 12.4874 6.21967 12.7803C6.51256 13.0732 6.98744 13.0732 7.28033 12.7803L6.21967 11.7197ZM6.21967 4.28033L10.4697 8.53033L11.5303 7.46967L7.28033 3.21967L6.21967 4.28033ZM10.4697 7.46967L6.21967 11.7197L7.28033 12.7803L11.5303 8.53033L10.4697 7.46967Z"></path><path stroke="currentColor" d="M1.75 8H11" stroke-width="1.5" stroke-linecap="round"></path></svg></a></div><div class="col-span-1 col-span-md-3"><h2 class="f4 font-weight-medium mb-4 text-mono gradient-fg-purple-red-light flex-self-start capitalize">Spotlight</h2><div><div class="resource-card animatable animate-fade-up"><a class="resource-card-overlay-link" aria-label="View collection: GitHub Actions" href="/web/20221215181001/https://resources.github.com/collection/actions/"></a><span 
style="box-sizing:border-box;display:block;overflow:hidden;width:initial;height:initial;background:none;opacity:1;border:0;margin:0;padding:0;position:relative"><span style="box-sizing:border-box;display:block;width:initial;height:initial;background:none;opacity:1;border:0;margin:0;padding:0;padding-top:61.72839506172839%"></span><img alt="" src="data:image/gif;base64,R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7" decoding="async" data-nimg="responsive" class="resource-card-image" style="position:absolute;top:0;left:0;bottom:0;right:0;box-sizing:border-box;padding:0;border:none;margin:auto;display:block;width:0;height:0;min-width:100%;max-width:100%;min-height:100%;max-height:100%;object-fit:cover"/><noscript><img alt="" sizes="100vw" srcset="/web/20221215181001im_/https://resources.github.com/assets/images/patterns/purple-1-thumbnail.svg?w=544&q=75 544w, /web/20221215181001im_/https://resources.github.com/assets/images/patterns/purple-1-thumbnail.svg?w=768&q=75 768w, /web/20221215181001im_/https://resources.github.com/assets/images/patterns/purple-1-thumbnail.svg?w=1012&q=75 1012w, /web/20221215181001im_/https://resources.github.com/assets/images/patterns/purple-1-thumbnail.svg?w=1280&q=75 1280w" src="/web/20221215181001im_/https://resources.github.com/assets/images/patterns/purple-1-thumbnail.svg?w=1280&q=75" decoding="async" data-nimg="responsive" style="position:absolute;top:0;left:0;bottom:0;right:0;box-sizing:border-box;padding:0;border:none;margin:auto;display:block;width:0;height:0;min-width:100%;max-width:100%;min-height:100%;max-height:100%;object-fit:cover" class="resource-card-image" loading="lazy"/></noscript></span><h3 class="h4-mktg font-weight-semibold heading"><span>GitHub Actions</span></h3><p class="f3-mktg color-fg-muted">the DevOps platform </p><div class="text-mono f5 mt-4"></div></div></div></div></div></div></nav><nav class="position-absolute nav-dropdown color-bg-dark color-fg-white " data-color-mode="dark" 
data-dark-theme="dark"><div class="container-xl"><div class="grid grid-cols-1 grid-cols-md-12 gap-12"><div class="col-span-md-6 col-span-1 d-flex flex-column"><h2 class="f4 font-weight-medium mb-4 text-mono gradient-fg-purple-red-light flex-self-start">Featured topics</h2><a class="link-mktg h3-mktg font-weight-medium Link--primary color-fg-on-emphasis flex-self-start mb-2" data-analytics-click="Nav,click on featured topics" href="/web/20221215181001/https://resources.github.com/topics/devops/">DevOps</a><a class="link-mktg h3-mktg font-weight-medium Link--primary color-fg-on-emphasis flex-self-start mb-2" data-analytics-click="Nav,click on featured topics" href="/web/20221215181001/https://resources.github.com/topics/security/">Security</a><a class="link-mktg h3-mktg font-weight-medium Link--primary color-fg-on-emphasis flex-self-start mb-2" data-analytics-click="Nav,click on featured topics" href="/web/20221215181001/https://resources.github.com/topics/github-actions/">GitHub Actions</a><a class="link-mktg h3-mktg font-weight-medium Link--primary color-fg-on-emphasis flex-self-start mb-2" data-analytics-click="Nav,click on featured topics" href="/web/20221215181001/https://resources.github.com/topics/opensource/">Open Source</a><a class="link-mktg h3-mktg font-weight-medium Link--primary color-fg-on-emphasis flex-self-start mb-2" data-analytics-click="Nav,click on featured topics" href="/web/20221215181001/https://resources.github.com/topics/tools/">Tools</a></div><div class="col-span-1 col-span-md-3"><h2 class="f4 font-weight-medium mb-4 text-mono gradient-fg-purple-red-light flex-self-start capitalize">topics</h2><div class="border-bottom"><a class="d-block link-mktg Link--primary color-fg-on-emphasis f2-mktg py-2" data-analytics-click="Nav,click on secondary nav topics" href="/web/20221215181001/https://resources.github.com/topics/fundamentals/">Fundamentals</a></div><div class="border-bottom"><a class="d-block link-mktg Link--primary color-fg-on-emphasis 
f2-mktg py-2" data-analytics-click="Nav,click on secondary nav topics" href="/web/20221215181001/https://resources.github.com/topics/appsec/">AppSec</a></div><div class="border-bottom"><a class="d-block link-mktg Link--primary color-fg-on-emphasis f2-mktg py-2" data-analytics-click="Nav,click on secondary nav topics" href="/web/20221215181001/https://resources.github.com/topics/innersource/">Innersource</a></div><a class="link-mktg font-weight-medium Link--primary color-fg-on-emphasis arrow-target-mktg text-semibold f3-mktg mt-4" data-analytics-click="Nav,click on View All topics" href="/web/20221215181001/https://resources.github.com/topics/">View all <!-- -->topics<!-- --> <svg xmlns="http://www.w3.org/2000/svg" class="octicon arrow-symbol-mktg" width="16" height="16" viewbox="0 0 16 16" fill="none"><path fill="currentColor" d="M7.28033 3.21967C6.98744 2.92678 6.51256 2.92678 6.21967 3.21967C5.92678 3.51256 5.92678 3.98744 6.21967 4.28033L7.28033 3.21967ZM11 8L11.5303 8.53033C11.8232 8.23744 11.8232 7.76256 11.5303 7.46967L11 8ZM6.21967 11.7197C5.92678 12.0126 5.92678 12.4874 6.21967 12.7803C6.51256 13.0732 6.98744 13.0732 7.28033 12.7803L6.21967 11.7197ZM6.21967 4.28033L10.4697 8.53033L11.5303 7.46967L7.28033 3.21967L6.21967 4.28033ZM10.4697 7.46967L6.21967 11.7197L7.28033 12.7803L11.5303 8.53033L10.4697 7.46967Z"></path><path stroke="currentColor" d="M1.75 8H11" stroke-width="1.5" stroke-linecap="round"></path></svg></a></div><div class="col-span-1 col-span-md-3"><h2 class="f4 font-weight-medium mb-4 text-mono gradient-fg-purple-red-light flex-self-start capitalize">Spotlight</h2><div><div class="resource-card animatable animate-fade-up"><a class="resource-card-overlay-link" aria-label="View video: Demo Day: Getting Traction with GitHub Actions" href="/web/20221215181001/https://resources.github.com/devops/tools/automation/getting-traction-with-github-actions/"></a><span 
style="box-sizing:border-box;display:block;overflow:hidden;width:initial;height:initial;background:none;opacity:1;border:0;margin:0;padding:0;position:relative"><span style="box-sizing:border-box;display:block;width:initial;height:initial;background:none;opacity:1;border:0;margin:0;padding:0;padding-top:61.72839506172839%"></span><img alt="" src="data:image/gif;base64,R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7" decoding="async" data-nimg="responsive" class="resource-card-image" style="position:absolute;top:0;left:0;bottom:0;right:0;box-sizing:border-box;padding:0;border:none;margin:auto;display:block;width:0;height:0;min-width:100%;max-width:100%;min-height:100%;max-height:100%;object-fit:cover"/><noscript><img alt="" sizes="100vw" srcset="/web/20221215181001im_/https://resources.github.com/assets/images/patterns/blue-1-thumbnail.svg?w=544&q=75 544w, /web/20221215181001im_/https://resources.github.com/assets/images/patterns/blue-1-thumbnail.svg?w=768&q=75 768w, /web/20221215181001im_/https://resources.github.com/assets/images/patterns/blue-1-thumbnail.svg?w=1012&q=75 1012w, /web/20221215181001im_/https://resources.github.com/assets/images/patterns/blue-1-thumbnail.svg?w=1280&q=75 1280w" src="/web/20221215181001im_/https://resources.github.com/assets/images/patterns/blue-1-thumbnail.svg?w=1280&q=75" decoding="async" data-nimg="responsive" style="position:absolute;top:0;left:0;bottom:0;right:0;box-sizing:border-box;padding:0;border:none;margin:auto;display:block;width:0;height:0;min-width:100%;max-width:100%;min-height:100%;max-height:100%;object-fit:cover" class="resource-card-image" loading="lazy"/></noscript></span><h3 class="h4-mktg font-weight-semibold heading"><span>Demo Day: Getting Traction with GitHub Actions</span></h3><time class="text-mono mb-3 color-fg-muted">March 16, 2021</time><p class="f3-mktg color-fg-muted">Get hands-on support for all things automation. 
Join us for a technical deep dive into GitHub Actions, starting with non-CI/CD examples to help your developers streamline every part of their workflow. From issue automation to performance monitoring, you’ll walk away with tricks on how to use Actions to build workflows your developers love.</p><div class="text-mono f5 mt-4"><a class="Link--primary no-underline resource-card-tag" href="/web/20221215181001/https://resources.github.com/topics/devops/">DevOps</a>, <a class="Link--primary no-underline resource-card-tag" href="/web/20221215181001/https://resources.github.com/topics/pipeline/">Pipeline</a>, <a class="Link--primary no-underline resource-card-tag" href="/web/20221215181001/https://resources.github.com/topics/automation/">Automation</a>, <a class="Link--primary no-underline resource-card-tag" href="/web/20221215181001/https://resources.github.com/topics/continuous-integration-and-deployment/">CI/CD</a>, <a class="Link--primary no-underline resource-card-tag" href="/web/20221215181001/https://resources.github.com/topics/github-actions/">GitHub Actions</a></div></div></div></div></div></div></nav><nav class="position-absolute nav-dropdown color-bg-dark color-fg-white " data-color-mode="dark" data-dark-theme="dark"><div class="container-xl"><div class="grid grid-cols-1 grid-cols-md-12 gap-12"><div class="col-span-md-3 col-span-1 d-flex flex-column"><h2 class="f4 font-weight-medium mb-4 text-mono gradient-fg-purple-red-light flex-self-start">Types</h2><a class="link-mktg h3-mktg font-weight-medium Link--primary color-fg-on-emphasis flex-self-start mb-2" data-analytics-click="Nav,click on featured types" href="/web/20221215181001/https://resources.github.com/articles/">Articles</a><a class="link-mktg h3-mktg font-weight-medium Link--primary color-fg-on-emphasis flex-self-start mb-2" data-analytics-click="Nav,click on featured types" href="/web/20221215181001/https://resources.github.com/videos/">Videos</a><a class="link-mktg h3-mktg font-weight-medium 
Link--primary color-fg-on-emphasis flex-self-start mb-2" data-analytics-click="Nav,click on featured types" href="/web/20221215181001/https://resources.github.com/events/">Events</a></div><div class="col-span-1 col-span-md-9 grid grid-cols-1 grid-cols-md-3 gap-8"><div><h2 class="f4 font-weight-medium text-mono gradient-fg-purple-red-light flex-self-start capitalize">Latest <!-- -->article</h2><div class="resource-card animatable animate-fade-up"><a class="resource-card-overlay-link" aria-label="View article: GitHub Advanced Security & Azure DevOps" href="/web/20221215181001/https://resources.github.com/ghazdo/"></a><span style="box-sizing:border-box;display:block;overflow:hidden;width:initial;height:initial;background:none;opacity:1;border:0;margin:0;padding:0;position:relative"><span style="box-sizing:border-box;display:block;width:initial;height:initial;background:none;opacity:1;border:0;margin:0;padding:0;padding-top:61.72839506172839%"></span><img alt="" src="data:image/gif;base64,R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7" decoding="async" data-nimg="responsive" class="resource-card-image" style="position:absolute;top:0;left:0;bottom:0;right:0;box-sizing:border-box;padding:0;border:none;margin:auto;display:block;width:0;height:0;min-width:100%;max-width:100%;min-height:100%;max-height:100%;object-fit:cover"/><noscript><img alt="" sizes="100vw" srcset="/web/20221215181001im_/https://resources.github.com/assets/images/patterns/aqua-1-thumbnail.svg?w=544&q=75 544w, /web/20221215181001im_/https://resources.github.com/assets/images/patterns/aqua-1-thumbnail.svg?w=768&q=75 768w, /web/20221215181001im_/https://resources.github.com/assets/images/patterns/aqua-1-thumbnail.svg?w=1012&q=75 1012w, /web/20221215181001im_/https://resources.github.com/assets/images/patterns/aqua-1-thumbnail.svg?w=1280&q=75 1280w" src="/web/20221215181001im_/https://resources.github.com/assets/images/patterns/aqua-1-thumbnail.svg?w=1280&q=75" decoding="async" 
data-nimg="responsive" style="position:absolute;top:0;left:0;bottom:0;right:0;box-sizing:border-box;padding:0;border:none;margin:auto;display:block;width:0;height:0;min-width:100%;max-width:100%;min-height:100%;max-height:100%;object-fit:cover" class="resource-card-image" loading="lazy"/></noscript></span><h3 class="h4-mktg font-weight-semibold heading"><span>GitHub Advanced Security & Azure DevOps</span></h3><time class="text-mono mb-3 color-fg-muted">December 9, 2022</time><p class="f3-mktg color-fg-muted">Take advantage of GitHub Advanced Security’s powerful features, all within Azure DevOps</p><div class="text-mono f5 mt-4"><a class="Link--primary no-underline resource-card-tag" href="/web/20221215181001/https://resources.github.com/topics/devops/">DevOps</a>, <a class="Link--primary no-underline resource-card-tag" href="/web/20221215181001/https://resources.github.com/topics/security/">Security</a>, <a class="Link--primary no-underline resource-card-tag" href="/web/20221215181001/https://resources.github.com/topics/fundamentals/">Fundamentals</a>, <a class="Link--primary no-underline resource-card-tag" href="/web/20221215181001/https://resources.github.com/topics/methodology/">Methodology</a>, <a class="Link--primary no-underline resource-card-tag" href="/web/20221215181001/https://resources.github.com/topics/appsec/">AppSec</a>, <a class="Link--primary no-underline resource-card-tag" href="/web/20221215181001/https://resources.github.com/topics/devsecops/">DevSecOps</a></div></div></div><div><h2 class="f4 font-weight-medium text-mono gradient-fg-purple-red-light flex-self-start capitalize">Latest <!-- -->video</h2><div class="resource-card animatable animate-fade-up"><a class="resource-card-overlay-link" aria-label="View video: Shifting left vs developer-first security" href="/web/20221215181001/https://resources.github.com/universe-2022-shifting-left-vs-developer-first-security/"></a><span 
<main class="flex-1 position-relative"><header class="color-bg-dark color-fg-white text-center pb-10 pt-16 px-3 article-header" data-nav="blur-mode dark-mode"><div class="container-lg"><h1 class="h2-mktg mb-3">DevSecOps explained</h1><div class="d-flex flex-justify-center"><p>May 23, 2022 // 11 min read</p></div></div><div class="bg-image"><span style="box-sizing:border-box;display:block;overflow:hidden;width:initial;height:initial;background:none;opacity:1;border:0;margin:0;padding:0;position:absolute;top:0;left:0;bottom:0;right:0"><img alt="" src="data:image/gif;base64,R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7" decoding="async" data-nimg="fill" style="position:absolute;top:0;left:0;bottom:0;right:0;box-sizing:border-box;padding:0;border:none;margin:auto;display:block;width:0;height:0;min-width:100%;max-width:100%;min-height:100%;max-height:100%;object-fit:cover"/><noscript><img alt="" sizes="100vw" srcset="https://web.archive.org/web/20221215181001im_/https://images.ctfassets.net/wfutmusr1t3h/4h4pRGrs2KDTg0fBoUPTc3/923a793aa9c09f6ad14dd5b37d14f510/DevOps_Social_Main_Component__12_.png?w=544&q=75 544w, https://web.archive.org/web/20221215181001im_/https://images.ctfassets.net/wfutmusr1t3h/4h4pRGrs2KDTg0fBoUPTc3/923a793aa9c09f6ad14dd5b37d14f510/DevOps_Social_Main_Component__12_.png?w=768&q=75 768w, https://web.archive.org/web/20221215181001im_/https://images.ctfassets.net/wfutmusr1t3h/4h4pRGrs2KDTg0fBoUPTc3/923a793aa9c09f6ad14dd5b37d14f510/DevOps_Social_Main_Component__12_.png?w=1012&q=75 1012w, https://web.archive.org/web/20221215181001im_/https://images.ctfassets.net/wfutmusr1t3h/4h4pRGrs2KDTg0fBoUPTc3/923a793aa9c09f6ad14dd5b37d14f510/DevOps_Social_Main_Component__12_.png?w=1280&q=75 1280w"
src="https://web.archive.org/web/20221215181001im_/https://images.ctfassets.net/wfutmusr1t3h/4h4pRGrs2KDTg0fBoUPTc3/923a793aa9c09f6ad14dd5b37d14f510/DevOps_Social_Main_Component__12_.png?w=1280&q=75" decoding="async" data-nimg="fill" style="position:absolute;top:0;left:0;bottom:0;right:0;box-sizing:border-box;padding:0;border:none;margin:auto;display:block;width:0;height:0;min-width:100%;max-width:100%;min-height:100%;max-height:100%;object-fit:cover" loading="lazy"/></noscript></span></div></header><section class="section bg-pixel-light bg-contain bg-top" data-nav="light-mode"><div class="container-md" data-nav="light-mode"><p class="f1-mktg font-weight-medium mb-8">DevSecOps builds on the ideas of DevOps by applying security practices throughout the software development lifecycle to ship more secure code faster.</p><span class="border-top-dotted-fancy"></span><div class="markdown-body my-8"><p><em>Through collaboration, automation, and continuous improvement, DevSecOps offers a set of practices that help companies embed security into their work to build more secure, high-quality software at scale.</em></p> <p>DevOps has transformed how many organizations build and ship software. But until recently one aspect of the software development lifecycle (SDLC) has remained outside DevOps: security. DevSecOps seeks to correct that by baking security into the software development lifecycle (SDLC) in the same way that DevOps prioritizes quality, speed, and deep collaboration throughout all stages of software development. For modern organizations, DevSecOps becomes just “DevOps”: security is baked into the SDLC experience.</p> <p>Organizations that adopt DevSecOps typically see advantages that include:</p> <ul> <li><p><strong>Reduced risk of data breaches:</strong> DevSecOps seeks to make code secure by design. 
A combination of secure coding cultural practices, secure developer environments, and automated security tests throughout the SDLC help reduce the chances of security vulnerabilities or flaws making it into production software.</p> </li> <li><p><strong>Improved compliance:</strong> DevSecOps practitioners often use automation to enforce code compliance and integrate policy enforcement tooling directly into the CI/CD pipeline.</p> </li> <li><p><strong>Greater confidence in dependencies:</strong> The modern technology stack depends heavily on third-party code, often from public package repositories. DevSecOps practitioners frequently leverage tooling and automated tests to identify potential issues before a software release.</p> </li> <li><p><strong>Value gets to end users faster:</strong> By creating a security-first culture and applying automated checks, DevSecOps reduces the need for distinct security reviews that slow down code deployments.</p> </li> </ul> <h2>What is the main benefit of DevSecOps?</h2> <p>DevSecOps seeks to build security into every step of the SDLC. This ideally means that security related tests (automated and not) take place at each stage from coding to merging branches to builds, deployments, and on into operation of production software. Moreover, DevSecOps advances the idea that everyone working on a product is accountable for its security. This helps teams catch vulnerabilities before they make it to production and reduces the need for late-stage, manual security reviews, which can slow down software releases.</p> <h2>DevSecOps best practices</h2> <p>Push buggy code into production and the result might be a bad customer experience and potential lost business due to downtime. But if you deploy insecure code, the fallout can be far more severe.</p> <p>DevSecOps is a natural evolution of DevOps and seeks to make security a core part of the SDLC instead of a siloed process that takes place right before a release. 
Just as testing and operations teams were often siloed from development in the pre-DevOps world, security today is often the job of specialized teams whose work takes place outside the DevOps lifecycle. </p> <p>DevSecOps argues that security needs to be embedded across the SDLC. Whether your organization already practices DevOps or you’re looking at how to adopt a DevOps culture, here are the foundational best practices you need to establish a DevSecOps practice:</p> <ul> <li><p><strong>Create a DevSecOps culture:</strong> Success in DevSecOps relies on <em>everyone</em> taking responsibility for security. That means each person in the SDLC codes, builds, tests, and configures application and infrastructure settings defensively. Just like DevOps, DevSecOps thrives in an open culture where individuals work together to build the best and most secure product possible.</p> </li> <li><p><strong>Design security into the product:</strong> DevSecOps seeks to design security into products from the initial planning stages to deployed production-level code. This means security work is planned alongside feature work, and practitioners are provided with security knowledge and testing throughout each stage of their development work. The goal is to make security an everyday part of your team’s work.</p> </li> <li><p><strong>Build a threat modeling practice:</strong> The seeds of security vulnerabilities are often sown before a line of code is written. Model potential threats during the planning phase and design your infrastructure and the application’s architecture to mitigate those issues. Periodic penetration testing, where a trusted person attempts to break into your system, can also help unveil weaknesses you may have missed in your threat models.</p> </li> <li><p><strong>Automate for speed and security:</strong> Automated testing is used throughout the SDLC to ensure the right security checks happen at the right time. 
That gives people more time to focus on building the core product while ensuring security requirements are met.</p> </li> <li><p><strong>Plan security checkpoints in your product development:</strong> Identify transition points in your SDLC where the risk profile changes. That could be the point at which a developer merges their code into the main branch, which might increase the potential for that code to be run on the machines of colleagues and eventually reach production. In that case, opening a pull request might be a good trigger event for automated security checks, along with the appropriate manual escalations.</p> </li> <li><p><strong>Approach security failures as learning opportunities:</strong> Building on DevOps’ culture of continuous improvement, a successful DevSecOps practice strives to turn security incidents into learning opportunities. This can be accomplished by leveraging audit logs, building incident reports, and modeling malicious behavior to improve tooling, testing, and processes to further secure your applications and systems. </p> </li> <li><p><strong>Stay on top of dependencies:</strong> Understanding and mitigating the potential threats from dependencies is critical to your product’s security. Apply the same threat modeling and automated testing to your dependencies as to your in-house code. At GitHub we’ve <a href="https://web.archive.org/web/20221215181001/https://securitylab.github.com/">identified and shared details of tens of millions of threats in open source software</a>, helping organizations and developers be more aware of and avoid vulnerabilities. </p> </li> <li><p><strong>Build your analytics and reporting capabilities:</strong> Continuous monitoring is a critical part of a DevSecOps practice—and that includes real-time alerts, system analytics, and proactive threat monitoring. By measuring every aspect of your application and your DevSecOps pipeline you can create a common point for understanding application health. 
Reporting dashboards and alerts highlight problems early. When a problem does occur, the telemetry you’ve set up—such as application-level logging—provides insight for incident resolution and root cause analysis.</p> </li> </ul> <h2>DevSecOps culture</h2> <p>Creating a DevSecOps culture begins by making security everyone’s responsibility. This can be a big change for many organizations. Traditionally, security was something developers left in the hands of specialist security professionals. It could also become a point of friction. Engineering teams often looked at security practices as an impediment to shipping software fast.</p> <p>DevSecOps fundamentally seeks to change this perception by making security as core to the SDLC as writing code, running tests, and configuring services. Each new feature or fix begins with considering its security implications. Security and compliance policies are enforced through tests. When something goes wrong, it’s an opportunity to learn and to do it better next time.</p> <p>And instead of something that slows down software releases, security in a DevSecOps practice becomes a part of the release itself, leading to faster and more secure deployments.</p> <p>But building a successful DevSecOps practice requires building security into every stage of the SDLC. This varies from one organization to another. Even so, there are core pillars that define a DevSecOps culture. These include: </p> <ul> <li><p><strong>People:</strong> A DevSecOps practice seeks to remove the barriers between different disciplines and build a naturally collaborative environment where each person shares responsibility for a product’s security and quality.</p> </li> <li><p><strong>Process:</strong> DevSecOps moves security from being a distinct stage that often comes at the end of the SDLC to an integral part of each person’s work. 
Automated security evaluations, security-focused unit testing, widespread monitoring, and defensive coding create rapid feedback loops where vulnerabilities are surfaced earlier in the product life cycle and can be fixed faster.</p> </li> <li><p><strong>Products:</strong> DevSecOps builds on the DevOps toolchain by using technologies such as CI/CD to automate the identification of security issues. Dependency scanning, static and dynamic application security testing, and automated policy enforcement tools are often used to help build security into every stage of the SDLC. Some organizations integrate a wide range of best-in-breed solutions with one another to create an “open” toolchain. Others, however, may find that more integrated and security-focused product suites can often provide a more holistic experience.</p> </li> <li><p><strong>Governance:</strong> Continuous improvement is central to DevSecOps, and it requires creating a culture of measurement that enables practitioners to identify opportunities to refine processes and tooling.</p> </li> </ul> <h2>DevSecOps pipeline</h2> <p>A DevSecOps culture seeks to establish security as a fundamental part of creating software—but that’s only one part of what it takes to successfully adopt a DevSecOps practice. The next step is to integrate security into each stage of a <a href="https://web.archive.org/web/20221215181001/https://resources.github.com/devops/pipeline">DevOps pipeline</a>.</p> <p>With security-specific tooling and processes throughout the SDLC, a DevSecOps pipeline helps practitioners design more secure products and catch security issues early in the product life cycle. </p> <p><img src="https://web.archive.org/web/20221215181001im_/https://images.ctfassets.net/wfutmusr1t3h/2yycTRb93twEoCbO5n75dW/a5026e233832255d6cc73904bb6a7139/infinity.png" alt="DevOps Pipeline Infinity"/></p> <h3>Common DevSecOps pipeline stages</h3> <p>DevSecOps builds on DevOps, and a DevSecOps pipeline builds on a DevOps pipeline. 
Just as DevOps integrated quality and speed into each step, the best DevSecOps pipelines are designed to anticipate key points in the SDLC where security issues are likely to arise.</p> <p>This breaks down into the following common DevSecOps pipeline stages: </p> <ul> <li><p><strong>Plan:</strong> In a DevSecOps practice, security starts at the planning stage in the SDLC pipeline. This can include analyzing potential security threats and determining how to combat them with threat modeling. It can also involve designing security into your products proactively to ensure it’s baked into the work from the beginning with key data hygiene and other security decisions taken up front. </p> </li> <li><p><strong>Code:</strong> At the coding stage in a DevSecOps pipeline, it’s important to create a culture of defensive programming with policies that help practitioners proactively navigate security and compliance issues. This could be as simple as specifying rules for how to handle particularly risky aspects of code, such as NULLs, or involve broader guidelines on areas such as input validation. </p> </li> <li><p><strong>Build:</strong> In the build stage, a typical DevSecOps pipeline will include automated security checks to catch vulnerabilities in source code before they hit the main branch. This can involve using pre-commit hooks to run static application security testing (SAST) tools where any potential issues in code will stop the build, much like a failed test, and provide time to fix any potential vulnerabilities in proprietary source code before work can progress. It should also include software composition analysis (SCA) tools to track open source components in the codebase and detect any vulnerabilities in dependencies. </p> </li> <li><p><strong>Test:</strong> The test stage of a DevSecOps pipeline is a key point where practitioners will develop a testing strategy and automated testing suite to catch any potential security vulnerabilities or issues. 
This commonly includes using unit tests at a base level to look for security issues such as the way in which the application deals with unexpected or malformed input. It can also include dynamic application security testing (DAST), integrated into the DevSecOps pipeline, to find vulnerabilities in the application while it is running. This way, the test phase becomes as much about security as it does functionality.</p> </li> <li><p><strong>Release:</strong> In the release stage, a DevSecOps pipeline will often include additional automated security testing and vulnerability scanning to catch issues that might not have been apparent in earlier stages. Some organizations will also apply the principle of least privilege, where each person and tool has access only to precisely what they need. </p> </li> <li><p><strong>Deploy:</strong> At the deployment stage, a DevSecOps practitioner will work to ensure that code makes it to production only if it has passed security checks at each previous stage. This can involve applying automated tests to application code and the underlying infrastructure used to run the software in production to catch any run-time security concerns.</p> </li> <li><p><strong>Operate and monitor:</strong> In the operations and <a href="https://web.archive.org/web/20221215181001/https://resources.github.com/devops/tools/monitoring">monitoring</a> stages of a DevSecOps pipeline, organizations will often use application-level and infrastructure metrics to identify unusual activity that could indicate a security breach. When an incident occurs, logging and other instrumentation can be used to pinpoint the issue and understand its impact.</p> </li> </ul> <h2>DevSecOps automation principles</h2> <p>When it’s correctly implemented, automation accelerates the SDLC by enabling people to use technology to accomplish repetitive, manual tasks and deliver higher-quality software faster. 
DevSecOps takes automation further by integrating security tests across all stages of the SDLC to improve speed and consistency and to mitigate potential risks. </p> <p>If DevSecOps makes security everyone’s responsibility, DevSecOps automation strives to give everyone the tools they need to ensure code and configurations are secure without requiring them to become security specialists.</p> <p>When deciding where to apply automation in your own DevSecOps pipeline, consider the following principles:</p> <ul> <li><p><strong>Automation should be strategic:</strong> A DevOps practice often seeks to use automation to facilitate speed and quality across the SDLC. But just as being strategic is important in a DevOps practice, it’s equally—if not more—important to be strategic about how and when automation is applied in a DevSecOps environment. </p> </li> <li><p><strong>Let people focus on being creative:</strong> Automate repetitive tasks wherever possible. That way, people can save their time and mental energy for more involved work while checks are applied more consistently and at scale.</p> </li> <li><p><strong>Systematize code review:</strong> Use <a href="https://web.archive.org/web/20221215181001/https://resources.github.com/devops/tools/">tools</a> such as static application security testing to automate elements of your code review. Human-led code review is still important, though, and it’s critical to ensure your code review checklist covers security issues specific to your technology stack. Create a feedback cycle so that each time new information becomes available you build it into the checklist. 
For example, when an incident occurs, consider how you could have caught the problem earlier with a code review or automated test.</p> </li> </ul> <p> <em><a href="https://web.archive.org/web/20221215181001/https://github.com/features/security">Learn how GitHub Advanced Security offers leading-edge security tooling for DevSecOps organizations > </a></em></p> <p><img src="https://web.archive.org/web/20221215181001im_/https://images.ctfassets.net/wfutmusr1t3h/TdLPy6OEyYXySYKKOdZqo/0a68a08304481769fa853fe55f60d468/Reflect_tools.png" alt="Reflect tools"/></p> <h2>DevSecOps toolchain</h2> <p>Adopting DevSecOps starts with a cultural shift that involves making security a core concern of everyone involved in the SDLC. To accomplish this, organizations will often adopt new processes and build a DevSecOps toolchain that applies automated security tests and security tooling to the SDLC.</p> <p>DevSecOps tooling often builds on common DevOps tools such as CI/CD, automated tests, configuration management, and monitoring. The goal is to integrate security-focused tooling into each stage of the product life cycle. </p> <h3>Key components of the DevSecOps toolchain</h3> <ul> <li><p><strong>Automated security tests on commits and merges:</strong> A basic goal of any DevSecOps practice is to catch issues in code before they can do harm, by running automatic scans on pre-commit and merge triggers. 
Some of the scans organizations might implement include:</p> <ul> <li><p><strong>Code scanning:</strong> Often called static application security testing, this evaluates code at rest—in other words, without having to run it—to discover code that could lead to a vulnerability.</p> </li> <li><p><strong>Vulnerability scanning:</strong> Dynamic application scanning tools build and deploy the application to a sandboxed environment and then observe how it responds to known security threats.</p> </li> <li><p><strong>Secret scanning:</strong> Even with the most stringent policies, secrets occasionally make it into a commit. Secret scanning tools are used to catch them before the commit is made. These also pair with SCA tools, which are used to detect any vulnerabilities in open source dependencies within a given codebase.</p> </li> </ul> </li> </ul> <p><em><a href="https://web.archive.org/web/20221215181001/https://github.com/features/security">Explore how GitHub enables DevSecOps organizations to apply in-depth automated security tests at all stages of the SDLC ></a></em></p> <ul> <li><strong>Configuration management:</strong> In DevSecOps, a general rule is it’s best to remove the uncertainty from systems configuration—and this is often accomplished by adopting infrastructure as code. Tools such as Docker, Terraform, and Ansible use YAML and similar configuration files that can be automatically scanned for issues, committed to version control, and rolled out automatically to multiple instances of a service.</li> </ul> <p><em><a href="https://web.archive.org/web/20221215181001/https://github.com/features/actions">Find out how GitHub helps DevSecOps organizations manage application and system configurations through automation > </a></em></p> <ul> <li><p><strong>Container orchestration:</strong> In some environments, organizations may adopt a microservices architecture to better support complex, cloud-native applications. 
This requires maintaining multiple <a href="https://web.archive.org/web/20221215181001/https://resources.github.com/devops/fundamentals/containerization">containers</a> and scaling them securely as needed—and that involves container orchestration tools. Just like configuration management tools, container orchestration tooling will often use YAML configuration files to dictate interactions between containers. </p> </li> <li><p><strong>Runtime verification:</strong> Also known as runtime application self-protection tools, these tools actively monitor your application as it runs and detect threats to it, with reports highlighting any vulnerabilities.</p> </li> <li><p><strong>Continuous monitoring and reporting:</strong> One of the simplest yet highly effective aspects of DevSecOps tooling is measurement—and that involves logging everything at the application and infrastructure level. The best tools will provide real-time intelligence when something goes wrong and include a reporting system so you can catch issues early. Outbound data from an unexpected port, for example, could indicate a compromise, but without monitoring and reporting it might go undetected.</p> </li> </ul> <h2>The bottom line</h2> <p>Security is a defining issue in software development organizations today. Getting it wrong has far-reaching implications—both for the organizations and even the individuals involved. DevSecOps offers a framework for creating software securely from the very first step. 
And building on the well-understood culture and processes of <a href="https://web.archive.org/web/20221215181001/https://resources.github.com/devops/">DevOps</a> means that, for most businesses, a shift left to DevSecOps is a natural evolution.</p> <h2>Build your DevSecOps practice on GitHub</h2> <p>GitHub is an integrated platform that takes companies from idea to planning to building to production, combining a focused developer experience with powerful, fully managed development, automation, and test infrastructure. </p> <p><a href="https://web.archive.org/web/20221215181001/https://github.com/pricing">Compare pricing plans</a> > </p> <blockquote> <p>Our philosophy is to build automation and great <a href="https://web.archive.org/web/20221215181001/https://resources.github.com/devops/fundamentals/">DevOps</a> for the company you will be tomorrow.</p> </blockquote> <p>Senior SCM Engineer Todd O'Connor at <a href="https://web.archive.org/web/20221215181001/https://github.com/customer-stories/adobe">Adobe</a></p> <table> <thead> <tr> <th scope="col">Go from planning to building</th> <th scope="col">Increase developer velocity</th> </tr> </thead> <tbody><tr> <td>Build roadmap plans right next to your codebase and quickly assign tasks to team members with powerful project boards and tables that are fully integrated into your project.<br/><br/> <a href="https://web.archive.org/web/20221215181001/https://github.com/features/issues">Learn about GitHub Issues ></a></td> <td>Reduce the time to commit. Eliminate environment management and context switching for your developers. Simplify IT procurement and maintenance with a secure, managed space in the cloud. 
<br/><br/> <a href="https://web.archive.org/web/20221215181001/https://github.com/features/codespaces">Explore Codespaces ></a></td> </tr> <tr> <th scope="col">Automate everything</th> <th scope="col">Secure your code as you write it</th> </tr> <tr> <td>Automate all your software development workflows with GitHub Actions. Scale reliably and securely with powerful development, test, and automation infrastructure, fully managed by GitHub.<br/><br/> <a href="https://web.archive.org/web/20221215181001/https://github.com/features/actions">Learn more about GitHub Actions ></a></td> <td>Secure your code, dependencies, tokens, and sensitive data through the entire software development lifecycle and automatically resolve vulnerabilities.<br/><br/> <a href="https://web.archive.org/web/20221215181001/https://github.com/features/security/">See how we help you stay secure ></a></td> </tr> </tbody></table> </div><p class="text-mono gradient-fg-purple-red f4-mktg mb-0 mr-4 float-left">Tags</p><nav class="d-flex flex-items-center flex-wrap" aria-label="Tags"><a class="color-bg-dark color-fg-white text-mono px-3 py-2 rounded-full mr-2 f5 btn-mktg btn-small-mktg font-weight-normal mb-2" href="/web/20221215181001/https://resources.github.com/topics/devops/">DevOps</a><a class="color-bg-dark color-fg-white text-mono px-3 py-2 rounded-full mr-2 f5 btn-mktg btn-small-mktg font-weight-normal mb-2" href="/web/20221215181001/https://resources.github.com/topics/security/">Security</a><a class="color-bg-dark color-fg-white text-mono px-3 py-2 rounded-full mr-2 f5 btn-mktg btn-small-mktg font-weight-normal mb-2" href="/web/20221215181001/https://resources.github.com/topics/fundamentals/">Fundamentals</a><a class="color-bg-dark color-fg-white text-mono px-3 py-2 rounded-full mr-2 f5 btn-mktg btn-small-mktg font-weight-normal mb-2" href="/web/20221215181001/https://resources.github.com/topics/methodology/">Methodology</a><a 
class="color-bg-dark color-fg-white text-mono px-3 py-2 rounded-full mr-2 f5 btn-mktg btn-small-mktg font-weight-normal mb-2" href="/web/20221215181001/https://resources.github.com/topics/appsec/">AppSec</a><a class="color-bg-dark color-fg-white text-mono px-3 py-2 rounded-full mr-2 f5 btn-mktg btn-small-mktg font-weight-normal mb-2" href="/web/20221215181001/https://resources.github.com/topics/devsecops/">DevSecOps</a></nav></div></section></main>
href="https://web.archive.org/web/20221215181001/https://github.com/github/roadmap">Roadmap</a></div><div class="d-flex flex-column col-6 col-lg-3 px-4 mb-8"><h3 class="text-mono f4-mktg mb-4">Platform</h3><a class="py-2 color-fg-secondary" target="_blank" href="https://web.archive.org/web/20221215181001/https://docs.github.com/">Developer API</a><a class="py-2 color-fg-secondary" target="_blank" href="https://web.archive.org/web/20221215181001/https://partner.github.com/">Partners</a><a class="py-2 color-fg-secondary" target="_blank" href="https://web.archive.org/web/20221215181001/https://atom.io/">Atom</a><a class="py-2 color-fg-secondary" target="_blank" href="https://web.archive.org/web/20221215181001/https://www.electronjs.org/">Electron</a><a class="py-2 color-fg-secondary" target="_blank" href="https://web.archive.org/web/20221215181001/https://desktop.github.com/">GitHub Desktop</a></div><div class="d-flex flex-column col-6 col-lg-3 px-4 mb-8"><h3 class="text-mono f4-mktg mb-4">Support</h3><a class="py-2 color-fg-secondary" target="_blank" href="https://web.archive.org/web/20221215181001/https://docs.github.com/">Docs</a><a class="py-2 color-fg-secondary" target="_blank" href="https://web.archive.org/web/20221215181001/https://github.community/">Community Forum</a><a class="py-2 color-fg-secondary" target="_blank" href="https://web.archive.org/web/20221215181001/https://services.github.com/">Professional Services</a><a class="py-2 color-fg-secondary" target="_blank" href="https://web.archive.org/web/20221215181001/https://lab.github.com/">Learning Lab</a><a class="py-2 color-fg-secondary" target="_blank" href="https://web.archive.org/web/20221215181001/https://www.githubstatus.com/">Status</a><a class="py-2 color-fg-secondary" target="_blank" href="https://web.archive.org/web/20221215181001/https://support.github.com/?tags=dotcom-footer">Contact GitHub</a></div><div class="d-flex flex-column col-6 col-lg-3 px-4 mb-8"><h3 class="text-mono f4-mktg 
mb-4">Company</h3><a class="py-2 color-fg-secondary" target="_blank" href="https://web.archive.org/web/20221215181001/https://github.com/about">About</a><a class="py-2 color-fg-secondary" target="_blank" href="https://web.archive.org/web/20221215181001/https://github.blog/">Blog</a><a class="py-2 color-fg-secondary" target="_blank" href="https://web.archive.org/web/20221215181001/https://github.com/about/careers">Careers</a><a class="py-2 color-fg-secondary" target="_blank" href="https://web.archive.org/web/20221215181001/https://github.com/about/press">Press</a><a class="py-2 color-fg-secondary" target="_blank" href="https://web.archive.org/web/20221215181001/https://github.com/about/diversity">Inclusion</a><a class="py-2 color-fg-secondary" target="_blank" href="https://web.archive.org/web/20221215181001/https://socialimpact.github.com/">Social Impact</a><a class="py-2 color-fg-secondary" target="_blank" href="https://web.archive.org/web/20221215181001/https://shop.github.com/">Shop</a></div></div></nav><div class="color-bg-dark color-fg-secondary"><div class="container-xl d-flex flex-column flex-md-row flex-items-start flex-md-items-center p-4 f5"><div class="d-flex flex-items-center flex-order-2 flex-md-order-1 color-fg-primary"><p class="mb-0 mr-4">GitHub Inc. 
© 2022</p><a class="p-2 color-fg-secondary" href="https://web.archive.org/web/20221215181001/https://docs.github.com/en/github/site-policy/github-terms-of-service">Terms</a><a class="p-2 color-fg-secondary" href="https://web.archive.org/web/20221215181001/https://docs.github.com/en/github/site-policy/github-privacy-statement">Privacy</a><a class="p-2 color-fg-secondary d-none d-md-inline-block" href="https://web.archive.org/web/20221215181001/https://github.com/site-map">Site Map</a><a class="p-2 color-fg-secondary d-none d-md-inline-block" href="https://web.archive.org/web/20221215181001/https://github.com/git-guides">What is Git?</a><button class="p-2 btn-link color-fg-secondary d-inline-block">Manage Cookies</button></div><div class="d-flex flex-items-center ml-md-auto flex-order-1 flex-md-order-2"><a class="px-2 d-none d-xl-block color-fg-muted" target="_blank" rel="noopener" style="width:36px" title="Twitter" data-analytics-click="Footer,go to Twitter,text:Twitter" href="https://web.archive.org/web/20221215181001/https://twitter.com/github"><svg xmlns="http://www.w3.org/2000/svg" viewbox="0 0 273.5 222.3"><path d="M273.5 26.3a109.77 109.77 0 0 1-32.2 8.8 56.07 56.07 0 0 0 24.7-31 113.39 113.39 0 0 1-35.7 13.6 56.1 56.1 0 0 0-97 38.4 54 54 0 0 0 1.5 12.8A159.68 159.68 0 0 1 19.1 10.3a56.12 56.12 0 0 0 17.4 74.9 56.06 56.06 0 0 1-25.4-7v.7a56.11 56.11 0 0 0 45 55 55.65 55.65 0 0 1-14.8 2 62.39 62.39 0 0 1-10.6-1 56.24 56.24 0 0 0 52.4 39 112.87 112.87 0 0 1-69.7 24 119 119 0 0 1-13.4-.8 158.83 158.83 0 0 0 86 25.2c103.2 0 159.6-85.5 159.6-159.6 0-2.4-.1-4.9-.2-7.3a114.25 114.25 0 0 0 28.1-29.1" fill="rgb(149, 157, 165)"></path></svg></a><a class="px-2 d-none d-xl-block color-fg-muted" target="_blank" rel="noopener" style="width:36px" title="Facebook" data-analytics-click="Footer,go to Facebook,text:Facebook" href="https://web.archive.org/web/20221215181001/https://www.facebook.com/GitHub"><svg xmlns="http://www.w3.org/2000/svg" viewbox="0 0 15.3 15.4"><path 
d="M14.5 0H.8a.88.88 0 0 0-.8.9v13.6a.88.88 0 0 0 .8.9h7.3v-6h-2V7.1h2V5.4a2.87 2.87 0 0 1 2.5-3.1h.5a10.87 10.87 0 0 1 1.8.1v2.1h-1.3c-1 0-1.1.5-1.1 1.1v1.5h2.3l-.3 2.3h-2v5.9h3.9a.88.88 0 0 0 .9-.8V.8a.86.86 0 0 0-.8-.8z" fill="rgb(149, 157, 165)"></path></svg></a><a class="px-2 d-none d-xl-block color-fg-muted" target="_blank" rel="noopener" style="width:36px" title="YouTube" data-analytics-click="Footer,go to YouTube,text:YouTube" href="https://web.archive.org/web/20221215181001/https://www.youtube.com/github"><svg xmlns="http://www.w3.org/2000/svg" viewbox="0 0 19.17 13.6"><path d="M18.77 2.13A2.4 2.4 0 0 0 17.09.42C15.59 0 9.58 0 9.58 0a57.55 57.55 0 0 0-7.5.4A2.49 2.49 0 0 0 .39 2.13 26.27 26.27 0 0 0 0 6.8a26.15 26.15 0 0 0 .39 4.67 2.43 2.43 0 0 0 1.69 1.71c1.52.42 7.5.42 7.5.42a57.69 57.69 0 0 0 7.51-.4 2.4 2.4 0 0 0 1.68-1.71 25.63 25.63 0 0 0 .4-4.67 24 24 0 0 0-.4-4.69zM7.67 9.71V3.89l5 2.91z" fill="rgb(149, 157, 165)"></path></svg></a><a class="px-2 d-none d-xl-block color-fg-muted" target="_blank" rel="noopener" style="width:36px" title="LinkedIn" data-analytics-click="Footer,go to LinkedIn,text:LinkedIn" href="https://web.archive.org/web/20221215181001/https://www.linkedin.com/company/github"><svg xmlns="http://www.w3.org/2000/svg" viewbox="0 0 19 18"><path d="M3.94 2A2 2 0 1 1 2 0a2 2 0 0 1 1.94 2zM4 5.48H0V18h4zm6.32 0H6.34V18h3.94v-6.57c0-3.66 4.77-4 4.77 0V18H19v-7.93c0-6.17-7.06-5.94-8.72-2.91z" fill="rgb(149, 157, 165)"></path></svg></a><a class="px-2 d-none d-xl-block color-fg-muted" target="_blank" rel="noopener" style="width:36px" title="GitHub" data-analytics-click="Footer,go to GitHub,text:GitHub" href="https://web.archive.org/web/20221215181001/https://github.com/github"><svg aria-hidden="true" role="img" class="octicon octicon-mark-github" viewbox="0 0 16 16" width="24" height="24" fill="currentColor" style="display:inline-block;user-select:none;vertical-align:text-bottom;overflow:visible"><path fill-rule="evenodd" d="M8 0C3.58 0 0 3.58 
0 8c0 3.54 2.29 6.53 5.47 7.59.4.07.55-.17.55-.38 0-.19-.01-.82-.01-1.49-2.01.37-2.53-.49-2.69-.94-.09-.23-.48-.94-.82-1.13-.28-.15-.68-.52-.01-.53.63-.01 1.08.58 1.23.82.72 1.21 1.87.87 2.33.66.07-.52.28-.87.51-1.07-1.78-.2-3.64-.89-3.64-3.95 0-.87.31-1.59.82-2.15-.08-.2-.36-1.02.08-2.12 0 0 .67-.21 2.2.82.64-.18 1.32-.27 2-.27.68 0 1.36.09 2 .27 1.53-1.04 2.2-.82 2.2-.82.44 1.1.16 1.92.08 2.12.51.56.82 1.27.82 2.15 0 3.07-1.87 3.75-3.65 3.95.29.25.54.73.54 1.48 0 1.07-.01 1.93-.01 2.2 0 .21.15.46.55.38A8.013 8.013 0 0016 8c0-4.42-3.58-8-8-8z"></path></svg></a></div></div></div></footer></div></div><script id="__NEXT_DATA__" type="application/json">{"props":{"pageProps":{"resource":{"path":"/devops/fundamentals/devsecops","title":"DevSecOps explained","description":"DevSecOps builds on the ideas of DevOps by applying security practices throughout the software development lifecycle to ship more secure code faster.","body":"\u003cp\u003e\u003cem\u003eThrough collaboration, automation, and continuous improvement, DevSecOps offers a set of practices that help companies embed security into their work to build more secure, high-quality software at scale.\u003c/em\u003e\u003c/p\u003e\n\u003cp\u003eDevOps has transformed how many organizations build and ship software. But until recently one aspect of the software development lifecycle (SDLC) has remained outside DevOps: security. DevSecOps seeks to correct that by baking security into the software development lifecycle (SDLC) in the same way that DevOps prioritizes quality, speed, and deep collaboration throughout all stages of software development. For modern organizations, DevSecOps becomes just “DevOps”: security is baked into the SDLC experience.\u003c/p\u003e\n\u003cp\u003eOrganizations that adopt DevSecOps typically see advantages that include:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003e\u003cp\u003e\u003cstrong\u003eReduced risk of data breaches:\u003c/strong\u003e \nDevSecOps seeks to make code secure by design. 
A combination of secure coding cultural practices, secure developer environments, and automated security tests throughout the SDLC helps reduce the chances of security vulnerabilities or flaws making it into production software.\u003c/p\u003e\n\u003c/li\u003e\n\u003cli\u003e\u003cp\u003e\u003cstrong\u003eImproved compliance:\u003c/strong\u003e \nDevSecOps practitioners often use automation to enforce code compliance and integrate policy enforcement tooling directly into the CI/CD pipeline.\u003c/p\u003e\n\u003c/li\u003e\n\u003cli\u003e\u003cp\u003e\u003cstrong\u003eGreater confidence in dependencies:\u003c/strong\u003e \nThe modern technology stack depends heavily on third-party code, often from public package repositories. DevSecOps practitioners frequently leverage tooling and automated tests to identify potential issues before a software release.\u003c/p\u003e\n\u003c/li\u003e\n\u003cli\u003e\u003cp\u003e\u003cstrong\u003eValue gets to end users faster:\u003c/strong\u003e \nBy creating a security-first culture and applying automated checks, DevSecOps reduces the need for distinct security reviews that slow down code deployments.\u003c/p\u003e\n\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch2\u003eWhat is the main benefit of DevSecOps?\u003c/h2\u003e\n\u003cp\u003eDevSecOps seeks to build security into every step of the SDLC. This ideally means that security-related tests (automated and not) take place at each stage from coding to merging branches to builds, deployments, and on into operation of production software. Moreover, DevSecOps advances the idea that everyone working on a product is accountable for its security. 
This helps teams catch vulnerabilities before they make it to production and reduces the need for late-stage, manual security reviews, which can slow down software releases.\u003c/p\u003e\n\u003ch2\u003eDevSecOps best practices\u003c/h2\u003e\n\u003cp\u003ePush buggy code into production and the result might be a bad customer experience and potentially lost business due to downtime. But if you deploy insecure code, the fallout can be far more severe.\u003c/p\u003e\n\u003cp\u003eDevSecOps is a natural evolution of DevOps and seeks to make security a core part of the SDLC instead of a siloed process that takes place right before a release. Just as testing and operations teams were often siloed from development in the pre-DevOps world, security today is often the job of specialized teams whose work takes place outside the DevOps lifecycle. \u003c/p\u003e\n\u003cp\u003eDevSecOps argues that security needs to be embedded across the SDLC. Whether your organization already practices DevOps or you’re looking at how to adopt a DevOps culture, here are the foundational best practices you need to establish a DevSecOps practice:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003e\u003cp\u003e\u003cstrong\u003eCreate a DevSecOps culture:\u003c/strong\u003e Success in DevSecOps relies on \u003cem\u003eeveryone\u003c/em\u003e taking responsibility for security. That means each person in the SDLC codes, builds, tests, and configures application and infrastructure settings defensively. Just like DevOps, DevSecOps thrives in an open culture where each individual works together to build the best and most secure product possible.\u003c/p\u003e\n\u003c/li\u003e\n\u003cli\u003e\u003cp\u003e\u003cstrong\u003eDesign security into the product:\u003c/strong\u003e DevSecOps seeks to design security into products from the initial planning stages to deployed production-level code. 
This means security work is planned alongside feature work, and practitioners are provided security knowledge and testing throughout each stage of their development work. The goal is to make security an everyday part of your team’s work.\u003c/p\u003e\n\u003c/li\u003e\n\u003cli\u003e\u003cp\u003e\u003cstrong\u003eBuild a threat modeling practice:\u003c/strong\u003e The seeds of security vulnerabilities are often sown before a line of code is written. Model potential threats during the planning phase and design your infrastructure and the application’s architecture to mitigate those issues. And periodic penetration testing, where a trusted person attempts to break into your system, can help unveil weaknesses you may miss in your threat models.\u003c/p\u003e\n\u003c/li\u003e\n\u003cli\u003e\u003cp\u003e\u003cstrong\u003eAutomate for speed and security:\u003c/strong\u003e Automated testing is used throughout the SDLC to ensure the right security checks happen at the right time. That gives people more time to focus on building the core product while ensuring security requirements are met.\u003c/p\u003e\n\u003c/li\u003e\n\u003cli\u003e\u003cp\u003e\u003cstrong\u003ePlan security checkpoints in your product development:\u003c/strong\u003e \nIdentify transition points in your SDLC where the risk profile changes. That could be the point at which a developer merges their code into the main branch, which might increase the potential for that code to be run on the machines of colleagues and eventually reach production. In that case, opening a pull request might be a good trigger event for automated security checks, along with the appropriate manual escalations.\u003c/p\u003e\n\u003c/li\u003e\n\u003cli\u003e\u003cp\u003e\u003cstrong\u003eApproach security failures as learning opportunities:\u003c/strong\u003e \nBuilding on DevOps’ culture of continuous improvement, a successful DevSecOps practice strives to turn security incidents into learning opportunities. 
This can be accomplished by leveraging audit logs, building incident reports, and modeling malicious behavior to improve tooling, testing, and processes to further secure your applications and systems. \u003c/p\u003e\n\u003c/li\u003e\n\u003cli\u003e\u003cp\u003e\u003cstrong\u003eStay on top of dependencies:\u003c/strong\u003e \nUnderstanding and mitigating the potential threats from dependencies is critical to your product’s security. Apply the same threat modeling and automated testing to your dependencies as to your in-house code. At GitHub we’ve \u003ca href=\"https://securitylab.github.com/\"\u003eidentified and shared details of tens of millions of threats in open source software\u003c/a\u003e, helping organizations and developers be more aware of and avoid vulnerabilities. \u003c/p\u003e\n\u003c/li\u003e\n\u003cli\u003e\u003cp\u003e\u003cstrong\u003eBuild your analytics and reporting capabilities:\u003c/strong\u003e \nContinuous monitoring is a critical part of a DevSecOps practice—and that includes real-time alerts, system analytics, and proactive threat monitoring. By measuring every aspect of your application and your DevSecOps pipeline you can create a common point for understanding application health. Reporting dashboards and alerts highlight problems early. When a problem does occur, the telemetry you’ve set up—such as application-level logging—provides insight for incident resolution and root cause analysis.\u003c/p\u003e\n\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch2\u003eDevSecOps culture\u003c/h2\u003e\n\u003cp\u003eCreating a DevSecOps culture begins by making security everyone’s responsibility. This can be a big change for many organizations. Traditionally, security was something developers left in the hands of specialist security professionals. It could also become a point of friction as well. 
Engineering teams often looked at security practices as an impediment to shipping software fast.\u003c/p\u003e\n\u003cp\u003eDevSecOps fundamentally seeks to change this perception by making security as core to the SDLC as writing code, running tests, and configuring services. Each new feature or fix begins with considering its security implications. Security and compliance policies are enforced through tests. When something goes wrong, it’s an opportunity to learn and to do it better next time.\u003c/p\u003e\n\u003cp\u003eAnd instead of something that slows down software releases, security in a DevSecOps practice becomes a part of the release itself, leading to faster and more secure deployments.\u003c/p\u003e\n\u003cp\u003eBut building a successful DevSecOps practice requires building security into every stage of the SDLC. This varies from one organization to another. Even so, there are core pillars that define a DevSecOps culture. These include: \u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003e\u003cp\u003e\u003cstrong\u003ePeople:\u003c/strong\u003e \nA DevSecOps practice seeks to remove the barriers between different disciplines and build a naturally collaborative environment where each person shares responsibility for a product’s security and quality.\u003c/p\u003e\n\u003c/li\u003e\n\u003cli\u003e\u003cp\u003e\u003cstrong\u003eProcess:\u003c/strong\u003e \nDevSecOps moves security from being a distinct stage that often comes at the end of the SDLC to an integral part of each person’s work. Automated security evaluations, security-focused unit testing, widespread monitoring, and defensive coding create rapid feedback loops where vulnerabilities are surfaced earlier in the product life cycle and can be fixed faster.\u003c/p\u003e\n\u003c/li\u003e\n\u003cli\u003e\u003cp\u003e\u003cstrong\u003eProducts:\u003c/strong\u003e \nDevSecOps builds on the DevOps toolchain by using technologies such as CI/CD to automate the identification of security issues. 
Dependency scanning, static and dynamic application security testing, and automated policy enforcement tools are often used to help build security into every stage of the SDLC. Some organizations integrate a wide range of best-in-breed solutions with one another to create an “open” toolchain. Others, however, may find that more integrated and security-focused product suites can often provide a more holistic experience.\u003c/p\u003e\n\u003c/li\u003e\n\u003cli\u003e\u003cp\u003e\u003cstrong\u003eGovernance:\u003c/strong\u003e \nContinuous improvement is central to DevSecOps and it requires creating a culture of measurement that enables practitioners to identify opportunities to refine processes and tooling.\u003c/p\u003e\n\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch2\u003eDevSecOps pipeline\u003c/h2\u003e\n\u003cp\u003eA DevSecOps culture seeks to establish security as a fundamental part of creating software—but that’s only one part of what it takes to successfully adopt a DevSecOps practice. The next step is to integrate security into each stage of a \u003ca href=\"https://resources.github.com/devops/pipeline\"\u003eDevOps pipeline\u003c/a\u003e.\u003c/p\u003e\n\u003cp\u003eWith security-specific tooling and processes throughout the SDLC, a DevSecOps pipeline helps practitioners design more secure products and catch security issues early in the product life cycle. \u003c/p\u003e\n\u003cp\u003e\u003cimg src=\"//images.ctfassets.net/wfutmusr1t3h/2yycTRb93twEoCbO5n75dW/a5026e233832255d6cc73904bb6a7139/infinity.png\" alt=\"DevOps Pipeline Infinity\" /\u003e\u003c/p\u003e\n\u003ch3\u003eCommon DevSecOps pipeline stages\u003c/h3\u003e\n\u003cp\u003eDevSecOps builds on DevOps, and a DevSecOps pipeline builds on a DevOps pipeline. 
Just as DevOps integrated quality and speed into each step, the best DevSecOps pipelines are designed to anticipate key points in the SDLC where security issues are likely to arise.\u003c/p\u003e\n\u003cp\u003eThis breaks down into the following common DevSecOps pipeline stages: \u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003e\u003cp\u003e\u003cstrong\u003ePlan:\u003c/strong\u003e \nIn a DevSecOps practice, security starts at the planning stage in the SDLC pipeline. This can include analyzing potential security threats and determining how to combat them with threat modeling. It can also involve designing security into your products proactively to ensure it’s baked into the work from the beginning with key data hygiene and other security decisions taken up front. \u003c/p\u003e\n\u003c/li\u003e\n\u003cli\u003e\u003cp\u003e\u003cstrong\u003eCode:\u003c/strong\u003e \nAt the coding stage in a DevSecOps pipeline, it’s important to create a culture of defensive programming with policies that help practitioners proactively navigate security and compliance issues. This could be as simple as specifying rules for how to handle particularly risky aspects of code, such as NULLs, or involve broader guidelines on areas such as input validation. \u003c/p\u003e\n\u003c/li\u003e\n\u003cli\u003e\u003cp\u003e\u003cstrong\u003eBuild:\u003c/strong\u003e \nIn the build stage, a typical DevSecOps pipeline will include automated security checks to catch vulnerabilities in source code before they hit the main branch. This can involve using pre-commit hooks to run static application security testing (SAST) tools where any potential issues in code will stop the build, much like a failed test, and provide time to fix any potential vulnerabilities in proprietary source code before work can progress. It should also include software composition analysis (SCA) tools to track open source components in the codebase and detect any vulnerabilities in dependencies. 
\u003c/p\u003e\n\u003c/li\u003e\n\u003cli\u003e\u003cp\u003e\u003cstrong\u003eTest:\u003c/strong\u003e \nThe test stage of a DevSecOps pipeline is a key point where practitioners will develop a testing strategy and automated testing suite to catch any potential security vulnerabilities or issues. This commonly includes using unit tests at a base level to look for security issues such as the way in which the application deals with unexpected or malformed input. It can also include dynamic application security tests to find vulnerabilities in the application when run. This way, the test phase becomes as much about security as it does functionality. A good tip at this stage is to integrate dynamic application security testing (DAST) into the DevSecOps pipeline.\u003c/p\u003e\n\u003c/li\u003e\n\u003cli\u003e\u003cp\u003e\u003cstrong\u003eRelease:\u003c/strong\u003e \nIn the release stage, a DevSecOps pipeline will often include additional automated security testing and vulnerability scanning to catch issues that might not have been apparent in earlier stages. Some organizations will also apply the principle of least privilege, where each person and tool has access only to precisely what they need. \u003c/p\u003e\n\u003c/li\u003e\n\u003cli\u003e\u003cp\u003e\u003cstrong\u003eDeploy:\u003c/strong\u003e \nAt the deployment stage, a DevSecOps practitioner will work to ensure that code makes it to production only if it has passed security checks at each previous stage. 
This can involve applying automated tests to application code and the underlying infrastructure used to run the software in production to catch any run-time security concerns.\u003c/p\u003e\n\u003c/li\u003e\n\u003cli\u003e\u003cp\u003e\u003cstrong\u003eOperate and monitor:\u003c/strong\u003e \nIn the operations and \u003ca href=\"https://resources.github.com/devops/tools/monitoring\"\u003emonitoring\u003c/a\u003e stages of a DevSecOps pipeline, organizations will often use application-level and infrastructure metrics to identify unusual activity that could indicate a security breach. When an incident occurs, logging and other instrumentation can be used to pinpoint the issue and understand its impact.\u003c/p\u003e\n\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch2\u003eDevSecOps automation principles\u003c/h2\u003e\n\u003cp\u003eWhen it’s correctly implemented, automation accelerates the SDLC by enabling people to use technology to accomplish repetitive, manual tasks and deliver higher-quality software faster. DevSecOps takes automation further by integrating security tests across all stages of the SDLC to improve speed and consistency and to mitigate potential risks. \u003c/p\u003e\n\u003cp\u003eIf DevSecOps makes security everyone’s responsibility, DevSecOps automation strives to give everyone the tools they need to ensure code and configurations are secure without requiring them to become security specialists.\u003c/p\u003e\n\u003cp\u003eWhen considering where to apply automation in your own DevSecOps pipeline, consider the following principles:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003e\u003cp\u003e\u003cstrong\u003eAutomation should be strategic:\u003c/strong\u003e \nA DevOps practice often seeks to use automation to facilitate speed and quality across the SDLC. But just as being strategic is important in a DevOps practice, it’s equally—if not more—important to be strategic about how and when automation is applied in a DevSecOps environment. 
\u003c/p\u003e\n\u003c/li\u003e\n\u003cli\u003e\u003cp\u003e\u003cstrong\u003eLet people focus on being creative:\u003c/strong\u003e \nAutomate repetitive tasks wherever possible. That way, people can save their time and mental energy for more involved work while checks are applied more consistently and at scale.\u003c/p\u003e\n\u003c/li\u003e\n\u003cli\u003e\u003cp\u003e\u003cstrong\u003eSystematize code review:\u003c/strong\u003e \nUse \u003ca href=\"https://resources.github.com/devops/tools/\"\u003etools\u003c/a\u003e such as static application security testing to automate elements of your code review. Human-led code review is still important, though, and it’s critical to ensure your code review checklist covers security issues specific to your technology stack. Create a feedback cycle so that each time new information becomes available you build it into the checklist. For example, when an incident occurs, consider how you could have caught the problem earlier with a code review or automated test.\u003c/p\u003e\n\u003c/li\u003e\n\u003c/ul\u003e\n\u003cp\u003e \u003cem\u003e\u003ca href=\"https://github.com/features/security\"\u003eLearn how GitHub Advanced Security offers leading-edge security tooling for DevSecOps organizations \u0026gt; \u003c/a\u003e\u003c/em\u003e\u003c/p\u003e\n\u003cbr /\u003e\n\n\u003cp\u003e\u003cimg src=\"//images.ctfassets.net/wfutmusr1t3h/TdLPy6OEyYXySYKKOdZqo/0a68a08304481769fa853fe55f60d468/Reflect_tools.png\" alt=\"Reflect tools\" /\u003e\u003c/p\u003e\n\u003cbr /\u003e\n\n\u003ch2\u003eDevSecOps toolchain\u003c/h2\u003e\n\u003cp\u003eAdopting DevSecOps starts with a cultural shift that involves making security a core concern of everyone involved in the SDLC. 
To accomplish this, organizations will often adopt new processes and build a DevSecOps toolchain that applies automated security tests and security tooling to the SDLC.\u003c/p\u003e\n\u003cp\u003eDevSecOps tooling often builds on common DevOps tools such as CI/CD, automated tests, configuration management, and monitoring. The goal is to integrate security-focused tooling into each stage of the product life cycle. \u003c/p\u003e\n\u003ch3\u003eKey components of the DevSecOps toolchain\u003c/h3\u003e\n\u003cul\u003e\n\u003cli\u003e\u003cp\u003e\u003cstrong\u003eAutomated security tests on commits and merges:\u003c/strong\u003e \nA basic goal of any DevSecOps practice is to catch issues in code before they can do harm by triggering automatic scans using pre-commit and merge triggers. Some of the scans organizations might implement include:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003e\u003cp\u003e\u003cstrong\u003eCode scanning:\u003c/strong\u003e Often called static application security testing, this evaluates code at rest—in other words, without having to run it—to discover code that could lead to a vulnerability.\u003c/p\u003e\n\u003c/li\u003e\n\u003cli\u003e\u003cp\u003e\u003cstrong\u003eVulnerability scanning:\u003c/strong\u003e Dynamic application scanning tools build and deploy the application to a sandboxed environment and then observe how it responds to known security threats.\u003c/p\u003e\n\u003c/li\u003e\n\u003cli\u003e\u003cp\u003e\u003cstrong\u003eSecret scanning:\u003c/strong\u003e Even with the most stringent policies, secrets occasionally make it into a commit. Secret scanning tools are used to catch them before the commit is made. 
These also pair with software composition analysis (SCA) tools, which are used to detect any known vulnerabilities in the open source dependencies within a given codebase.\u003c/p\u003e\n\u003c/li\u003e\n\u003c/ul\u003e\n\u003c/li\u003e\n\u003c/ul\u003e\n\u003cp\u003e\u003cem\u003e\u003ca href=\"https://github.com/features/security\"\u003eExplore how GitHub enables DevSecOps organizations to apply in-depth automated security tests at all stages of the SDLC \u0026gt;\u003c/a\u003e\u003c/em\u003e\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003e\u003cstrong\u003eConfiguration management:\u003c/strong\u003e In DevSecOps, a general rule is that it’s best to remove the uncertainty from systems configuration—and this is often accomplished by adopting infrastructure as code. Tools such as Docker, Terraform, and Ansible use YAML and similar configuration files that can be automatically scanned for issues, committed to version control, and rolled out automatically to multiple instances of a service.\u003c/li\u003e\n\u003c/ul\u003e\n\u003cp\u003e\u003cem\u003e\u003ca href=\"https://github.com/features/actions\"\u003eFind out how GitHub helps DevSecOps organizations manage application and system configurations through automation \u0026gt; \u003c/a\u003e\u003c/em\u003e\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003e\u003cp\u003e\u003cstrong\u003eContainer orchestration:\u003c/strong\u003e In some environments, organizations may adopt a microservices architecture to better support complex, cloud-native applications. This requires maintaining multiple \u003ca href=\"https://resources.github.com/devops/fundamentals/containerization\"\u003econtainers\u003c/a\u003e and scaling them securely as needed—and that involves container orchestration tools. Just like configuration management tools, container orchestration tooling will often use YAML configuration files to dictate interactions between containers. 
\u003c/p\u003e\n\u003c/li\u003e\n\u003cli\u003e\u003cp\u003e\u003cstrong\u003eRuntime verification:\u003c/strong\u003e Also known as runtime application self-protection tools, these tools actively monitor and/or detect threats against your application as it runs, with reports highlighting any vulnerabilities.\u003c/p\u003e\n\u003c/li\u003e\n\u003cli\u003e\u003cp\u003e\u003cstrong\u003eContinuous monitoring and reporting:\u003c/strong\u003e One of the simplest yet highly effective aspects of DevSecOps tooling is measurement—and that involves logging everything at the application and infrastructure level. The best tools will provide real-time intelligence when something goes wrong and include a reporting system so you can catch issues early. Outbound data from an unexpected port, for example, could indicate a compromise, but without monitoring and reporting it might go undetected.\u003c/p\u003e\n\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch2\u003eThe bottom line\u003c/h2\u003e\n\u003cp\u003eSecurity is a defining issue in software development organizations today. Getting it wrong has far-reaching implications—both for the organizations and even the individuals involved. DevSecOps offers a framework for creating software securely from the very first step. And building on the well-understood culture and processes of \u003ca href=\"https://resources.github.com/devops/\"\u003eDevOps means\u003c/a\u003e that, for most businesses, a shift left to DevSecOps is a natural evolution.\u003c/p\u003e\n\u003ch2\u003eBuild your DevSecOps practice on GitHub\u003c/h2\u003e\n\u003cp\u003eGitHub is an integrated platform that takes companies from idea to planning to building to production, combining a focused developer experience with powerful, fully managed development, automation, and test infrastructure. 
\u003c/p\u003e\n\u003cp\u003e\u003ca href=\"https://github.com/pricing\"\u003eCompare pricing plans\u003c/a\u003e \u0026gt; \u003c/p\u003e\n\u003cp\u003e\u003cbr /\u003e\u003cbr /\u003e\u003c/p\u003e\n\u003cblockquote\u003e\n\u003cp\u003eOur philosophy is to build automation and great \u003ca href=\"https://resources.github.com/devops/fundamentals/\"\u003eDevOps\u003c/a\u003e for the company you will be tomorrow.\u003c/p\u003e\n\u003c/blockquote\u003e\n\u003cp\u003eSenior SCM Engineer Todd O'Connor at \u003ca href=\"https://github.com/customer-stories/adobe\"\u003eAdobe\u003c/a\u003e\u003c/p\u003e\n\u003cp\u003e\u003cbr /\u003e\u003cbr /\u003e\u003c/p\u003e\n\u003ctable\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth\u003eGo from planning to building\u003c/th\u003e\n\u003cth\u003eIncrease developer velocity\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\u003ctr\u003e\n\u003ctd\u003eBuild roadmap plans right next to your codebase and quickly assign tasks to team members with powerful project boards and tables that are fully integrated into your project.\u003cbr /\u003e\u003cbr /\u003e \u003ca href=\"https://github.com/features/issues\"\u003eLearn about GitHub Issues \u0026gt;\u003c/a\u003e\u003c/td\u003e\n\u003ctd\u003eReduce the time to commit. Eliminate environment management and context switching for your developers. Simplify IT procurement and maintenance with a secure, managed space in the cloud. 
\u003cbr /\u003e\u003cbr /\u003e \u003ca href=\"https://github.com/features/codespaces\"\u003eExplore Codespaces \u0026gt;\u003c/a\u003e\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003cbr /\u003e\u003cbr /\u003e\u003c/td\u003e\n\u003ctd\u003e\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003eAutomate everything\u003c/td\u003e\n\u003ctd\u003eSecure your code as you write it\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e----------\u003c/td\u003e\n\u003ctd\u003e----------\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003eAutomate all your software development workflows with GitHub Actions. Scale reliably and securely with powerful development, test, and automation infrastructure, fully managed by GitHub.\u003cbr /\u003e\u003cbr /\u003e \u003ca href=\"https://github.com/features/actions\"\u003eLearn more about GitHub Actions \u0026gt;\u003c/a\u003e\u003c/td\u003e\n\u003ctd\u003eSecure your code, dependencies, tokens, and sensitive data through the entire software development lifecycle and automatically resolve vulnerabilities.\u003cbr /\u003e\u003cbr /\u003e\u003cbr /\u003e \u003ca href=\"https://github.com/features/security/\"\u003eSee how we help you stay secure 
\u0026gt;\u003c/a\u003e\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\u003c/table\u003e\n","lang":"en","resource":{"metadata":{"tags":[]},"sys":{"space":{"sys":{"type":"Link","linkType":"Space","id":"wfutmusr1t3h"}},"id":"5l3bCxrGU8PKu1Eh2TGlP3","type":"Entry","createdAt":"2022-05-27T02:06:39.010Z","updatedAt":"2022-05-27T02:06:39.010Z","environment":{"sys":{"id":"master","type":"Link","linkType":"Environment"}},"revision":1,"contentType":{"sys":{"type":"Link","linkType":"ContentType","id":"article"}},"locale":"en-US"},"fields":{}},"gated":false,"sfCampaignID":"7015c000001SNN7AAO","campaign":"Resources_Contact_Us","contentForm":{"metadata":{"tags":[]},"sys":{"space":{"sys":{"type":"Link","linkType":"Space","id":"wfutmusr1t3h"}},"id":"3qHQ6eSp20iGQrFIfaBJnn","type":"Entry","createdAt":"2022-09-29T19:33:25.277Z","updatedAt":"2022-09-29T19:33:25.277Z","environment":{"sys":{"id":"master","type":"Link","linkType":"Environment"}},"revision":1,"contentType":{"sys":{"type":"Link","linkType":"ContentType","id":"form"}},"locale":"en-US"},"fields":{"name":"Form_Ungated_Contact","eloquaFormName":"ContactUs_TemplateForm","formCTA":"Contact GitHub","formElements":[{"metadata":{"tags":[]},"sys":{"space":{"sys":{"type":"Link","linkType":"Space","id":"wfutmusr1t3h"}},"id":"6ELk7gaWb9F8TEB6rUpQQS","type":"Entry","createdAt":"2022-09-29T18:55:49.235Z","updatedAt":"2022-09-29T18:55:49.235Z","environment":{"sys":{"id":"master","type":"Link","linkType":"Environment"}},"revision":1,"contentType":{"sys":{"type":"Link","linkType":"ContentType","id":"formElement"}},"locale":"en-US"},"fields":{"label":"Full Name","htmlName":"fullName1","type":"text","placeholder":"First and last 
name","required":true,"description":""}},{"metadata":{"tags":[]},"sys":{"space":{"sys":{"type":"Link","linkType":"Space","id":"wfutmusr1t3h"}},"id":"6s0zB2lwQZz6ZhWkZQd5r0","type":"Entry","createdAt":"2022-09-29T18:54:51.900Z","updatedAt":"2022-09-29T18:54:51.900Z","environment":{"sys":{"id":"master","type":"Link","linkType":"Environment"}},"revision":1,"contentType":{"sys":{"type":"Link","linkType":"ContentType","id":"formElement"}},"locale":"en-US"},"fields":{"label":"Work Email","htmlName":"emailAddress","type":"email","placeholder":"you@company.com","required":true,"description":""}},{"metadata":{"tags":[]},"sys":{"space":{"sys":{"type":"Link","linkType":"Space","id":"wfutmusr1t3h"}},"id":"5HOQnFx9120Wj4hlsjXaJn","type":"Entry","createdAt":"2022-03-12T20:19:03.843Z","updatedAt":"2022-03-12T20:38:04.798Z","environment":{"sys":{"id":"master","type":"Link","linkType":"Environment"}},"revision":3,"contentType":{"sys":{"type":"Link","linkType":"ContentType","id":"formElement"}},"locale":"en-US"},"fields":{"label":"Company","htmlName":"company","type":"text","placeholder":"Acme, Inc","required":true,"description":""}},{"metadata":{"tags":[]},"sys":{"space":{"sys":{"type":"Link","linkType":"Space","id":"wfutmusr1t3h"}},"id":"1MS9X9RNVd6BmPN91fMsVg","type":"Entry","createdAt":"2022-09-29T19:31:39.832Z","updatedAt":"2022-09-29T19:31:39.832Z","environment":{"sys":{"id":"master","type":"Link","linkType":"Environment"}},"revision":1,"contentType":{"sys":{"type":"Link","linkType":"ContentType","id":"formElement"}},"locale":"en-US"},"fields":{"label":"What can we help you with?","htmlName":"contactComments","type":"textarea","placeholder":"Tell us how we can help. 
For support questions, head to github.com/contact ","required":false,"description":""}},{"metadata":{"tags":[]},"sys":{"space":{"sys":{"type":"Link","linkType":"Space","id":"wfutmusr1t3h"}},"id":"5zNCZ4hVsez1AWpp6Fga7h","type":"Entry","createdAt":"2022-03-12T20:23:32.191Z","updatedAt":"2022-08-08T22:33:47.191Z","environment":{"sys":{"id":"master","type":"Link","linkType":"Environment"}},"revision":4,"contentType":{"sys":{"type":"Link","linkType":"ContentType","id":"formElement"}},"locale":"en-US"},"fields":{"htmlName":"elqCustomerGUID","type":"hidden","required":false,"description":""}},{"metadata":{"tags":[]},"sys":{"space":{"sys":{"type":"Link","linkType":"Space","id":"wfutmusr1t3h"}},"id":"7a3HDjJcLkWmsPKHATLvna","type":"Entry","createdAt":"2022-03-12T20:24:00.556Z","updatedAt":"2022-08-08T22:33:47.210Z","environment":{"sys":{"id":"master","type":"Link","linkType":"Environment"}},"revision":4,"contentType":{"sys":{"type":"Link","linkType":"ContentType","id":"formElement"}},"locale":"en-US"},"fields":{"htmlName":"elqCookieWrite","type":"hidden","required":false,"defaultValue":"0","description":""}}]}},"seo":{"metadata":{"tags":[]},"sys":{"space":{"sys":{"type":"Link","linkType":"Space","id":"wfutmusr1t3h"}},"id":"45645kbxQEmwC1v5sSVHWd","type":"Entry","createdAt":"2022-05-27T02:08:34.923Z","updatedAt":"2022-05-27T02:08:34.923Z","environment":{"sys":{"id":"master","type":"Link","linkType":"Environment"}},"revision":1,"contentType":{"sys":{"type":"Link","linkType":"ContentType","id":"seo"}},"locale":"en-US"},"fields":{"metaTitle":"The Fundamentals of DevSecOps in DevOps","metaDescription":"The meaning of DevSecOps is a combination of development, security, and operations automating the integration of security into every phase of the software development 
lifecycle."}},"headerImage":{"metadata":{"tags":[]},"sys":{"space":{"sys":{"type":"Link","linkType":"Space","id":"wfutmusr1t3h"}},"id":"4h4pRGrs2KDTg0fBoUPTc3","type":"Asset","createdAt":"2022-09-12T11:46:53.740Z","updatedAt":"2022-09-26T13:01:46.337Z","environment":{"sys":{"id":"master","type":"Link","linkType":"Environment"}},"revision":2,"locale":"en-US"},"fields":{"title":"DevOps banner 9","description":"","file":{"url":"//web.archive.org/web/20221215181001/https://images.ctfassets.net/wfutmusr1t3h/4h4pRGrs2KDTg0fBoUPTc3/923a793aa9c09f6ad14dd5b37d14f510/DevOps_Social_Main_Component__12_.png","details":{"size":1800543,"image":{"width":1200,"height":656}},"fileName":"DevOps Social Main Component (12).png","contentType":"image/png"}}},"buttonCTA":"Contact GitHub","publicationDate":"2022-05-23T12:00+00:00","hidden":false,"rendersRichText":false,"tags":[{"slug":"devops","label":"DevOps","type":"Topic"},{"slug":"security","label":"Security","type":"Topic"},{"slug":"fundamentals","label":"Fundamentals","type":"Topic"},{"slug":"methodology","label":"Methodology","type":"Topic"},{"slug":"appsec","label":"AppSec","type":"Topic"},{"slug":"devsecops","label":"DevSecOps","type":"Topic"}],"gatedContent":null,"data":{"readTime":11}},"type":"resource"},"__N_SSG":true},"page":"/[...path]","query":{"path":["devops","fundamentals","devsecops"]},"buildId":"C8OG16dqN1YRAAs9VS1ix","isFallback":false,"gsp":true,"scriptLoader":[]}</script></body></html><!-- FILE ARCHIVED ON 18:10:01 Dec 15, 2022 AND RETRIEVED FROM THE INTERNET ARCHIVE ON 11:54:40 Nov 29, 2024. JAVASCRIPT APPENDED BY WAYBACK MACHINE, COPYRIGHT INTERNET ARCHIVE. ALL OTHER CONTENT MAY ALSO BE PROTECTED BY COPYRIGHT (17 U.S.C. SECTION 108(a)(3)). --> <!-- playback timings (ms): captures_list: 0.547 exclusion.robots: 0.024 exclusion.robots.policy: 0.015 esindex: 0.01 cdx.remote: 29.202 LoadShardBlock: 877.616 (6) PetaboxLoader3.datanode: 822.56 (7) PetaboxLoader3.resolve: 107.226 (2) load_resource: 110.642 -->