You're reading from Enterprise DevOps for Architects

Product type: Book
Published in: Nov 2021
Reading level: Beginner
Publisher: Packt
ISBN-13: 9781801812153
Edition: 1st Edition

Author: Jeroen Mulder

Jeroen Mulder is a certified enterprise and security architect, and he works with Fujitsu (Netherlands) as a Principal Business Consultant. Earlier, he was a Sr. Lead Architect, focusing on cloud and cloud native technology, at Fujitsu, and was later promoted to become the Head of Applications and Multi-Cloud Services. Jeroen is interested in cloud technology, architecture for cloud infrastructure, serverless and container technology, application development, and digital transformation using various DevOps methodologies and tools. He has previously authored “Multi-Cloud Architecture and Governance”, “Enterprise DevOps for Architects”, and “Transforming Healthcare with DevOps4Care”.

Chapter 14: Integrating DevSecOps with DevOps

The title of this chapter may sound a bit odd, but DevSecOps and DevOps aren't separate things. It should be one way of working: security should be integrated with the DevOps practice, instead of security principles being added on top of DevOps. This means that architects have to define one overarching governance model, integrate threat modeling into DevOps, and aim for an integrated toolset. Lastly, integrated monitoring needs to cover every aspect of the DevSecOps cycle. We will learn that integrated monitoring comes close to something that we discussed earlier in this book: AIOps. In this chapter, we will pull everything together.

After completing this chapter, you will have learned how to implement governance, what threat modeling is, and why it matters in the secure software development life cycle (SDLC). You will also have learned how security is embedded into continuous integration and how this is monitored...

Defining governance in DevSecOps

So far, we have drafted a DevSecOps architecture, identified processes, and then aligned these with the business goals of the enterprise. The next step is to manage all this, and that's the subject of governance. DevSecOps is not just a PowerPoint presentation and a Visio diagram showing the CI/CD pipelines. An enterprise needs skilled staff to work with it and a governance model that describes the secured digital operating model. In this section, we will discuss this by using the IT4IT framework by The Open Group as a best practice.

In Chapter 6, Defining Operations in Architecture, we introduced value streams for products and described how IT creates value. The model can be seen in the following diagram:

Figure 14.1 – IT4IT value streams

In IT4IT, Governance, Risk, and Compliance (GRC) is a supporting activity for the four value streams. This means that GRC is fully embedded in every value stream. What does...

Understanding and working with threat modeling

In the previous section, we discussed the governance of security in the enterprise and how it's integrated as DevSecOps. In this section, we will learn how security issues can impact the SDLC. When it comes to integrating security in DevOps, you need to have a good understanding of threat modeling, which provides us with information on how security threats may affect how software code is developed and deployed. We'll start by explaining what threat modeling is by looking at the definition of The Open Web Application Security Project (OWASP). OWASP is an online community that provides insights into security threats, tools, and technology.

In essence, a threat model shows how security threats could impact the integrity of an application. The model assembles and analyzes security data and helps in making decisions on how to protect the application, thus improving the security of code and the hosting environment, by assessing...

Integrating tools and automation

Throughout this book, we've discussed the importance of testing a couple of times. DevOps advocates testing at every single stage in the life cycle, from development to deployment. This includes security testing. But how can we achieve this continuous integration? The goal is to have tests running at developer check-in, while they pull code from repositories, during the builds, and during the actual deployments, including staging.

Let's look at continuous integration (CI) first. Developers will frequently do check-ins on code; in some cases, this can be up to several builds per day. That's the aim of CI and the agile way of working in DevOps: developers don't work on huge programs anymore; instead, they apply small iterations of code builds, adding one feature at a time. This way, it's easier to track changes in the code and, importantly, roll back if the addition is causing failures.

CI is about integrating these changes...

Implementing monitoring

A crucial element of security is ensuring that the necessary security policies are in place and that the environments are indeed protected. This may sound simple, but it requires properly configured monitoring. Developers need information to fix bugs in the first place, but also to improve the code and, with that, the application. This applies to customer experience and performance, but also to ensuring that the application remains protected. Attackers don't sit on their hands: they constantly find new ways of attacking systems. Hence, we need to constantly monitor what happens to and inside an application.

Security monitoring is not only about detecting unexpected behavior. It's about analyzing all behavior. This provides insights to developers to help them improve their code. For that, monitoring needs to facilitate three main services:

  • Collect
  • Analyze
  • Alert

Sometimes, storage and visualization are added to...
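The three services above, collect, analyze, and alert, as a small worked example added here (not code from the book): it parses constructed authentication log lines, flags a burst of failed logins for one user from one source inside a sliding window, and raises an alert whose severity is higher when the burst ended in a successful login. The log format, field names, thresholds, and the `run_monitor` helper are all assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth log lines (not from the book), as a web app might emit them.
SAMPLE_LOGS = """\
2021-11-02T10:00:01Z auth user=alice src=10.0.0.5 result=FAIL
2021-11-02T10:00:04Z auth user=alice src=10.0.0.5 result=FAIL
2021-11-02T10:00:07Z auth user=alice src=10.0.0.5 result=FAIL
2021-11-02T10:00:09Z auth user=alice src=10.0.0.5 result=FAIL
2021-11-02T10:00:12Z auth user=alice src=10.0.0.5 result=FAIL
2021-11-02T10:00:15Z auth user=alice src=10.0.0.5 result=OK
2021-11-02T10:05:00Z auth user=bob src=10.0.0.9 result=FAIL
"""
LINE_RE = re.compile(r"^(?P<ts>\S+) auth user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\S+)$")

def collect(raw):
    """Collect: parse raw log text into structured events; unparseable lines are skipped."""
    events = []
    for m in filter(None, map(LINE_RE.match, raw.splitlines())):
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append({"ts": ts, "user": m["user"], "src": m["src"], "result": m["result"]})
    return events

def analyze(events, threshold=5, window=timedelta(minutes=1)):
    """Analyze: flag (src, user) pairs with >= threshold failures inside `window`,
    and note whether a successful login followed the burst."""
    recent = defaultdict(list)   # sliding window of failure timestamps per (src, user)
    findings = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = (ev["src"], ev["user"])
        if ev["result"] == "FAIL":
            recent[key] = [t for t in recent[key] + [ev["ts"]] if ev["ts"] - t <= window]
            if len(recent[key]) >= threshold:
                findings.setdefault(key, {"succeeded_after": False})["failures"] = len(recent[key])
        elif ev["result"] == "OK" and key in findings:
            findings[key]["succeeded_after"] = True
    return findings

def alert(findings):
    """Alert: emit one record per finding; severity rises if the burst ended in a success."""
    return [{"severity": "high" if f["succeeded_after"] else "medium", "src": src, "user": user,
             "message": f"{f['failures']} failed logins for {user} from {src} within the window"}
            for (src, user), f in findings.items()]

def run_monitor(raw=SAMPLE_LOGS):
    """Run the three services end to end on raw log text."""
    return alert(analyze(collect(raw)))
```

In a real deployment, the collect step would be fed by a log shipper and the alert records would go to the team's ticketing or paging channel; the analysis logic is the part that developers refine as they learn how their application behaves.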

Summary

DevOps and DevSecOps are not separate things: security must be fully integrated with DevOps. In this chapter, we discussed how we integrate security in DevOps, not only focusing on scanning tools but mainly on governance, applying threat modeling, and monitoring our DevOps environments. For governance, we looked at the principles of GRC that allow enterprises to manage uncertainties – such as security risks – while defining strategies to achieve their business goals. This is the foundational step to integrating security into all the layers of the enterprise and with that, the development of products and services.

To detect, recognize, and counter attacks, we need to work with threat modeling. In this chapter, we discussed OWASP, which provides insights into how security events can impact businesses. Next, we looked at security scanning in more detail. SAST and DAST are necessities in DevSecOps.

In the last section, we learned about the various...

Questions

  1. True or False: In OWASP, threat agents can be both internal and external.
  2. Name the two types of SAST tooling.
  3. What are the three main functions of monitoring?

Further reading

