DevSecOps
The Evolution of Software Development
Overview: What we'll cover
Introduction to SDLC
SDLC in Waterfall Model
Transition to Agile
Introduction to DevOps
Evolution to DevSecOps
Benefits and Challenges of DevSecOps
Introduction to SDLC:
SDLC is a framework that provides a systematic approach to developing software.
It defines the life cycle of a project from its initial stages to completion.
Stages of the Software Development Life Cycle:
[Figure: SDLC stage diagram. Recoverable labels: user stories; UML diagrams; implementing/creating software code (source code); product is built right; right product is built; deploying software to the desired operational environment; monitoring the software.]
SDLC in Waterfall Model
It is the fundamental model of the software development life cycle. This is a very simple model. The waterfall model is not in
practice anymore, but it is the basis for all other SDLC models. Because of its simple structure, the waterfall model is easier to
use and provides a tangible output. In the waterfall model, once a phase seems to be completed, it cannot be changed, and
due to this less flexible nature, the waterfall model is not in practice anymore.
Transition to Agile
Agile Software Development Life Cycle (SDLC) is a modern approach to software development that emphasizes flexibility,
collaboration, and continuous improvement. It's an iterative process that breaks down the SDLC into smaller cycles, called
sprints or iterations, to deliver value incrementally.
The agile model in SDLC was mainly designed to adapt to
changing requests quickly (change plans based on feedback
and new priorities).
The main goal of the Agile model is to facilitate quick project
completion. The agile model refers to a group of development
processes. These processes have some similar characteristics
but also possess certain subtle differences among
themselves.
Agile Software Development and Waterfall
[Figure: value delivery in Agile and Waterfall. Recoverable labels: initial vision; real optimal value delivery; faster feedback; Agile; Waterfall.]
[Figure: teams and their goals. Recoverable labels: changing software and delivering it; system needs to be stable/up; Developers; Quality; Operations; Clients.]
Result: Stretching the release period for days, weeks or even months
A FEW NUMBERS
Amazon. Releases every 11.6 seconds
Netflix. Thousands of releases per day
Meta. 1 release per week. Only on Android, between 50,000 and 60,000 deploys per day.
Introduction to DevOps
A philosophy that aims at building up a culture of collaboration between originally isolated teams.
Teams involved:
• Software Development
• Deployment
Improving the efficiency by eliminating the boundaries between these two phases of development.
[Figure: team diagram. Recoverable labels: Development; Operations; IT; Quality; Operations.]
The core idea behind DevOps is to create a culture of shared responsibility, where both developers and operations staff
work together throughout the entire lifecycle of a project, from design and development to production support.
[Figure: CI/CD pipeline. Recoverable labels: DEVS; Repository; CI Server; Continuous Integration (BUILD, TEST); Continuous Delivery (manual, staging/pre-PRD environment); Continuous Deployment (auto, PRD environment); Results.]
Includes:
• Continuous integration, where the coding, building, integration, and testing processes are carried out.
• Continuous delivery, which includes continuous integration but mainly focuses on product delivery.
• Continuous deployment, which aims at automating project deliveries.
Siloed Security Team: A separate security team can sometimes become another silo, undermining the cross-functional
collaboration goals of DevOps. This arrangement might lead to conflicts between the need for rapid deployment and the
need for secure deployment.
[Figure: team diagram. Recoverable labels: Development; Security; IT; Quality; Operations.]
Security as an Afterthought: If security is not integrated from the beginning, it might not be considered
until a problem arises or in the final stages before deployment. This approach often results in higher costs
and delays if significant vulnerabilities are uncovered late in the cycle.
[Figure: bugs identified by the security team between Staging/Pre-PRD and PRD.]
Result: Delay in release cycle
What is DevSecOps?
DevSecOps is the practice of integrating security testing at every stage of the software development process. It includes tools
and processes that encourage collaboration between developers, security specialists, and operation teams to build software that
is both efficient and secure.
Basic Terms and tools used in DevSecOps
Static Application Security Testing (SAST): Analyzes source code for vulnerabilities without executing programs.
Tools: SonarQube, Fortify
Dynamic Application Security Testing (DAST): Tests applications in runtime to find vulnerabilities.
Tools: Snyk, OWASP ZAP
Software Composition Analysis (SCA): Identifies and manages open-source components and their vulnerabilities.
Tools: Snyk
Infrastructure as code
Terraform:
Terraform is a tool for building, changing, and versioning infrastructure safely and efficiently. Think of it like a blueprint for
constructing and managing your entire city of servers, databases, and other technical resources, all of which live in the cloud.
Key Features:
Consistency: Ensures that all environments are configured
consistently by using the same codebase with different
variables.
Reproducibility: Easily recreate environments, reducing
manual configuration errors.
Version Control: Infrastructure configurations can be
versioned alongside application code, allowing for rollbacks
and systematic updates.
Automation: Automates the provisioning and management
of infrastructure, minimizing manual interventions.
Docker: (Use: Application packaging and deployment)
Docker is an open platform for developing, shipping, and running applications. Docker enables you to separate
your applications from your infrastructure so you can deliver software quickly. With Docker, you can manage
your infrastructure in the same ways you manage your applications.
K8s: (Use: Orchestrates containerized applications at scale) Kubernetes is an open-source system that automates the
management, scaling, and deployment of containerized applications. It's also known as "k8s" or "k-eights", where the 8 refers
to the number of letters between the "K" and the "s".
Master Node: Controls the cluster. It includes:
• Kube API Server: Central control point for managing nodes.
• etcd: Key-value store for cluster state.
• Controller Managers: Maintain cluster state.
• Kube Scheduler: Distributes workloads.
Worker Nodes: Execute application workloads. They house:
• Container Runtime: Runs containers (e.g., Docker).
• Kubelet: Manages node containers based on master instructions.
• Kube Proxy: Manages networking and communication.
Infrastructure Scanning Tools
Chef InSpec: Automates the testing and compliance of infrastructure configurations. It checks whether servers,
applications, and networking configurations adhere to security and operational guidelines.
Container Registry Scanning Tools
Aqua: Scans container images for vulnerabilities before deployment. It checks for outdated packages, known CVEs
(Common Vulnerabilities and Exposures), and compliance with organizational policies, ensuring containers are
secure.
Continuous Feedback:
Monitoring and Logging: Provides real-time insights into application performance and user behavior.
Monitoring and Logging:
Prometheus: Monitoring system and alerting toolkit.
ELK Stack (Elasticsearch, Logstash, Kibana): Centralizes and visualizes logs.
Grafana: Visualizes metrics and logs from multiple sources.
IaaS (Infrastructure as a Service):
Where logs are generated (servers, virtual machines, or other cloud resources).
Log Aggregation:
Collects logs from various sources in the IaaS environment. It's crucial for centralizing data to monitor, analyze, and secure
systems effectively.
Storage Systems:
Short Term Storage: Holds recent logs for quick access and analysis.
Long Term Storage: Archives older logs for compliance and historical analysis.
Query Interface:
A tool that allows users to query the log data stored in short-term storage to gather insights or troubleshoot issues.
Anomaly Detection:
Identifies unusual patterns or activities in log data that could
indicate security threats or operational issues. These anomalies
trigger alerts.
Alerting System:
Sends notifications or alerts when anomalies are detected. This
enables rapid response to potential issues.
Leveraging tools like Splunk for log aggregation and query
interfaces, DevSecOps can analyze data to improve security
measures continuously.
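The aggregation, query, anomaly detection and alerting stages above, as an added example that is not from the original slides and is not Splunk's API. The log line format, host names, addresses and the threshold of 5 failed logins per minute are constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log lines per source host; the line format is an assumption.
SOURCES = {
    "vm-web-1": ["2024-05-01T10:00:01 login_failed user=admin src=203.0.113.7",
                 "2024-05-01T10:00:09 login_failed user=root src=203.0.113.7",
                 "2024-05-01T10:00:30 login_ok user=alice src=198.51.100.4",
                 "2024-05-01T10:00:41 login_failed user=admin src=203.0.113.7"],
    "vm-db-1":  ["2024-05-01T10:00:20 login_failed user=admin src=203.0.113.7",
                 "2024-05-01T10:00:50 login_failed user=postgres src=203.0.113.7",
                 "2024-05-01T10:07:00 login_failed user=bob src=198.51.100.4"],
}

def aggregate(sources):
    """Log aggregation: parse every source into one time-ordered event stream."""
    events = []
    for host, lines in sources.items():
        for line in lines:
            ts, action, *pairs = line.split()
            fields = dict(p.split("=", 1) for p in pairs)
            events.append({"ts": datetime.fromisoformat(ts), "host": host,
                           "action": action, **fields})
    return sorted(events, key=lambda e: e["ts"])

def query(events, **filters):
    """Query interface: exact-match filter over stored events."""
    return [e for e in events if all(e.get(k) == v for k, v in filters.items())]

def detect(events, window=timedelta(minutes=1), threshold=5):
    """Anomaly detection: alert once per src with `threshold` failures inside `window`."""
    recent, alerts, alerted = defaultdict(deque), [], set()
    for e in query(events, action="login_failed"):
        q = recent[e["src"]]
        q.append(e)
        while e["ts"] - q[0]["ts"] > window:
            q.popleft()  # drop events that fell out of the sliding window
        if len(q) >= threshold and e["src"] not in alerted:
            alerted.add(e["src"])
            alerts.append({"src": e["src"], "count": len(q), "at": e["ts"],
                           "hosts": sorted({x["host"] for x in q})})
    return alerts

if __name__ == "__main__":
    for a in detect(aggregate(SOURCES)):   # alerting system: printed here
        print(f"ALERT {a['src']}: {a['count']} failed logins in 1 min on {a['hosts']}")
```

Neither host on its own reaches the threshold in this sample; the burst only becomes visible once both sources are centralized, which is the reason the aggregation step comes first.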
Challenges:
Cultural Change: Teams must shift their mindset to prioritize security alongside development and operations. This
requires collaboration and new ways of working together.
Integration Complexity: Incorporating security into existing DevOps pipelines can be complex.
Benefits:
Enhanced Security: Proactive security measures reduce vulnerabilities.
Faster Releases: Security integrated early allows for smooth and rapid deployments.
Improved Compliance: Continuous adherence to security standards and regulations.
Collaboration: Fosters a culture of shared responsibility and teamwork.