DevSecOps: Automating security in the development lifecycle

Learn how security teams are using DevOps principles and CI/CD pipelines to automate application security.

Automate application security with OpenShift Pipelines

In this self-paced tutorial, learn how to use OpenShift Pipelines to automate the deployment of your applications.

OpenShift Pipelines is a cloud-native continuous integration and delivery (CI/CD) solution for building pipelines using Tekton. Tekton is a flexible, Kubernetes-native, open-source CI/CD framework that automates deployments across multiple platforms (such as Kubernetes, serverless, and VMs) by abstracting away the underlying details.

What is DevSecOps?

DevSecOps automates and modernizes application security using familiar DevOps principles:

  • Traceable, transparent specifications
  • Version control for document management
  • Automated tools and testing through CI/CD pipelines

In traditional security, developers run tests for code security, while operators ensure that firewalls and other protections work in the production environment. Access control and other tasks are handled by security experts and managers. DevSecOps uses version control and CI/CD pipelines to configure and manage security tasks automatically, across all teams, before deployment.

Who should learn DevSecOps?

DevSecOps brings together developers, systems architects, operators, security experts, and managers. Anyone with a role in security can define specifications and review system behavior:

  • For developers, DevSecOps is a way to scan their code at every check-in for coding flaws and vulnerabilities in package dependencies.
  • For system architects and operators, DevSecOps ensures that the intrusion detectors, firewall rules, and access control lists they've prepared are consistently applied.
  • For security experts and managers, DevSecOps allows them to state formal requirements and review their implementation.

DevSecOps is the way | Red Hat Livestreaming

In this monthly livestream series, learn how Red Hat weaves together DevOps and security automation to master DevSecOps. This show introduces you to Red Hat products used for DevSecOps and our security ecosystem partners to aid in your journey.

What developers need to know about security compliance

A developer's guide to security standards. Sharpen your understanding of key security standards and how they work together, then get tips for establishing responsibility for different aspects of your security infrastructure and incorporating security into your daily workflow—even when the requirements change from project to project.
