In recent years, DevSecOps has emerged as an important approach to software development that focuses on security throughout the software development lifecycle. DevSecOps combines development, security and operations into a unified and collaborative approach that helps teams develop secure software faster and more efficiently. As with many other areas, DevSecOps has its own terminology and set of acronyms that can be difficult for newcomers to navigate. In this article, we provide a comprehensive glossary of DevSecOps terms and definitions to help developers, security professionals and operations teams understand and communicate effectively in this rapidly evolving field.
Find out what DevSecOps is about and why it is being adopted more and more in our related article: The essential role of security in DevOps
About the glossary
In this glossary, we've compiled a list of common terms and concepts used in the context of DevSecOps, including Agile, continuous integration, continuous delivery, DevOps, security, vulnerabilities, penetration testing, and more. Understanding these terms is essential for anyone working in DevSecOps or wanting to learn more about this important area of software development and security.
Agile:
A set of principles and practices for software development that emphasize flexibility, adaptability, and continuous improvement. Agile practices are often used in DevSecOps to enable rapid, small deployments of software updates and to make collaboration between development and security teams a routine part of every iteration rather than a late review.
API Security:
The practice of securing application programming interfaces (APIs). APIs enable different systems and applications to communicate with each other. API security is a major DevSecOps concern because APIs often expose sensitive data and functionality to external systems; an inadequately secured API leaks data or allows actions the caller is not entitled to. Typical controls are authentication and authorization of every call (for example with OAuth 2.0 access tokens), TLS for transport encryption, and strict validation of all input.
Bug:
A defect or error in a system or application that results in unexpected or undesirable behavior. Bugs range from small problems that barely affect the functionality of a system to security holes that attackers can exploit. In DevSecOps, security-relevant bugs are treated as critical issues and fixed before new features are finalized.
Cloud:
Servers, storage and other computing resources made available over a network, typically the Internet, so that users can provision and use them on demand. Clouds can be public, meaning they are operated by a third-party provider and are accessible to a range of customers, or private, meaning they are operated by a company and are accessible only to that company.
Cloud Security:
The practice of securing systems, applications, and data in cloud computing environments. Cloud security is central to DevSecOps and involves tools and practices such as encryption, identity and access management, and network segmentation. Because cloud resources are created through APIs, their configuration is itself an attack surface and needs to be checked like code.
Code Review:
A process in which one or more team members review code changes before they are merged into the main branch. Alongside regression testing and test coverage, code review helps ensure that changes are of high quality, readable and meet coding standards; from a security point of view it is also the cheapest place to catch issues such as missing input validation or hard-coded secrets.
Compliance:
Adherence to regulatory standards and policies related to security, privacy, and other areas. In DevSecOps, regulatory compliance is often a key concern, and practices and tools are put in place so that systems and applications demonstrably comply with the applicable regulations.
Configuration Management:
The practice of managing, organizing, and controlling the configuration of systems, applications, and infrastructure. Configuration management is used in DevSecOps to ensure that systems are configured consistently and deployed in a repeatable and reliable manner, so that a hardened baseline does not drift over time. It is closely related to Infrastructure as Code and to tools such as Terraform, Ansible, Puppet and Chef.
Container Security:
The practice of securing containerized applications and their runtime environments. Container security is a major DevSecOps concern because containers are the common unit of packaging and deployment in modern delivery pipelines. It covers the images (scanning for known vulnerabilities, using minimal base images), the registry they are pulled from, and the privileges the running container is granted.
Continuous Delivery (CD):
A software development practice in which every code change is automatically built, tested and packaged so that the software is releasable to production at any time. Automated deployments normally go as far as development and test environments; the step into production is typically a deliberate decision and may require manual approval.
CD builds on CI: CI ensures that the integrated code builds and passes its tests, while CD additionally ensures that the resulting artifact is always in a deployable state.
Continuous Delivery therefore also means that the software is always up to date and packaged, ready to go into production.
Continuous Deployment:
A software development practice in which code changes are automatically built, tested, and deployed to production (or to a development system first) without manual intervention. Continuous deployment requires that code changes be thoroughly tested and validated in the pipeline before deployment, so that they do not introduce new bugs or vulnerabilities. Depending on the application, compliance regulations may require approval steps that rule out fully automatic production deployments.
Continuous Integration (CI):
Continuous Integration (CI) is a software development practice in which code changes are frequently integrated into a common repository and the integrated code is automatically built and tested. The main goal of CI is to detect and fix integration problems early in the development process, reducing the risk of bugs and other problems in the final product.
With CI, the build pipeline runs every time a code change is pushed. Every change a developer makes to the code base is automatically built, tested, and packaged into a deployable artifact, giving immediate feedback on whether the change has caused any problems and, if so, what they are. Security checks such as static analysis and dependency scanning are typically added as stages of this same pipeline.
Continuous Monitoring:
The practice of continuously observing systems and applications (logs, metrics, alerts) for signs of security breaches, vulnerabilities, or other problems. Continuous monitoring helps organizations identify and respond to security threats and vulnerabilities promptly, and it is an important component of DevSecOps because it closes the loop between operating the software and improving it.
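Continuous monitoring becomes concrete once a rule runs over the data the systems emit. The following is an added example, not code from the original article: a sliding-window detection for password brute-forcing run over a handful of constructed, sshd-like log lines. The log format, addresses and timestamps are made up for the example, and the threshold (five failures within 60 seconds from one source) is an assumed tuning value, not a standard.

```python
"""Detection rule run over constructed auth log lines (added example)."""
from collections import defaultdict, deque
from datetime import datetime
import re

# Constructed sample log: addresses, users and timestamps are made up.
SAMPLE_LOG = """\
2024-01-15T10:00:01Z sshd: Failed password for invalid user admin from 203.0.113.7 port 51022
2024-01-15T10:00:04Z sshd: Failed password for root from 203.0.113.7 port 51023
2024-01-15T10:00:09Z sshd: Accepted publickey for deploy from 198.51.100.20 port 40112
2024-01-15T10:00:12Z sshd: Failed password for root from 203.0.113.7 port 51024
2024-01-15T10:00:20Z sshd: Failed password for root from 203.0.113.7 port 51025
2024-01-15T10:00:31Z sshd: Failed password for oracle from 203.0.113.7 port 51026
2024-01-15T10:00:45Z sshd: Failed password for root from 198.51.100.20 port 40113
2024-01-15T10:02:10Z sshd: Failed password for root from 203.0.113.7 port 51027
"""

# Simplified line format assumed for this example (not the exact sshd format).
LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd: (?P<outcome>Failed password|Accepted \w+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>\d+\.\d+\.\d+\.\d+) port \d+$"
)


def parse(line):
    """Return (timestamp, failed, user, source_ip) or None for lines the rule ignores."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ts, m["outcome"].startswith("Failed"), m["user"], m["src"]


def detect_bruteforce(log_text, threshold=5, window_s=60):
    """Return (src_ip, first_ts, last_ts) for every source that reaches
    `threshold` failed logins within `window_s` seconds.

    One deque of failure timestamps per source acts as a sliding window.
    After an alert the window is cleared so a sustained attack alerts once
    per `threshold` failures instead of on every subsequent line.
    """
    windows = defaultdict(deque)
    alerts = []
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        ts, failed, _user, src = rec
        if not failed:
            continue  # successful logins are not counted against the window
        q = windows[src]
        q.append(ts)
        while q and (ts - q[0]).total_seconds() > window_s:
            q.popleft()  # drop failures that have aged out of the window
        if len(q) >= threshold:
            alerts.append((src, q[0], q[-1]))
            q.clear()
    return alerts


if __name__ == "__main__":
    for src, first, last in detect_bruteforce(SAMPLE_LOG):
        print(f"ALERT brute-force from {src} between {first:%H:%M:%S} and {last:%H:%M:%S}")
```

On the sample, only 203.0.113.7 trips the rule (five failures between 10:00:01 and 10:00:31); the single failure from 198.51.100.20 and the later isolated attempt at 10:02:10 stay below the threshold. In a real pipeline the same function would be fed from a log shipper rather than a string, and the alert would go to the on-call channel or ticketing system.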
DevOps:
A set of practices and tools aimed at improving collaboration between development and operations teams and accelerating the delivery of software updates. DevOps relies on automation and on practices such as Continuous Integration and Continuous Delivery to improve the speed and reliability of software updates.
DevSecOps:
A set of practices and tools aimed at integrating security into the software development and deployment process. It emphasizes collaboration between development, security, and operations teams. DevSecOps aims to build security into the software development lifecycle from the start, rather than treating it as an afterthought or a final gate before release.
Dynamic Analysis:
A type of software testing in which the code is executed to identify bugs, vulnerabilities, and other issues. Dynamic analysis is used in DevSecOps to verify the behavior of the running application under realistic conditions and to find issues that static analysis cannot see, such as misconfiguration, authentication flaws or problems that only appear with real input. Because it observes the running system, it also works for third-party applications whose source code is not available.
Incident Response:
Incident response is the process by which organizations identify, contain, and recover from security incidents or other unexpected events that could disrupt business operations. It is a coordinated effort among various teams and stakeholders, with the purpose of quickly identifying, assessing and limiting the impact of an incident.
Restoring service is one of the main tasks of incident response. An outage may be caused by network problems, software errors or a security breach; in each case the response team must act quickly to contain the incident and restore normal operation in order to prevent data loss or further damage, while preserving enough evidence (logs, images of affected systems) for later analysis and lessons learned.
Infrastructure:
The hardware, software, and other resources that support the operation of a system or application. Infrastructure includes servers, storage, network devices and other hardware, as well as the software and tools used to manage and maintain these resources.
Infrastructure as Code (IaC):
A practice in which the infrastructure configuration exists as code and is managed and versioned with the same tools and processes as the application code. With IaC, infrastructure can be automated, tested and integrated into the software development and deployment process. Because the configuration is code, every change can be reviewed, tested and audited before it is applied, which removes manual work and makes IaC a cornerstone of automation in operations.
Penetration Testing:
A type of security test in which a tester simulates a real attack on a system or application to identify vulnerabilities and assess its security posture. Penetration testing is used in DevSecOps to find and fix vulnerabilities before real attackers can exploit them, and it complements automated scanning because a human tester chains weaknesses and finds logic flaws that scanners miss.
Security as Code:
Security as Code is an approach that integrates security practices into the software development lifecycle by expressing them as code: security checks, policies and controls are written down, versioned and executed automatically in the pipeline. By embedding these checks into the code and its delivery process, Security as Code aims to reduce the risk of security vulnerabilities and to make a secure infrastructure easier to maintain over time.
Unlike Infrastructure as Code (IaC), which focuses primarily on automating the creation and configuration of infrastructure resources, Security as Code goes beyond infrastructure automation and integrates security controls and policies into the code being developed and into the pipeline that delivers it.
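Configuration management, Infrastructure as Code and Security as Code meet in a policy check that runs in the pipeline before infrastructure is applied. The following is an added example, not code from the original article or from any IaC tool: a small policy-as-code evaluator over a constructed, tool-neutral list of resources. The resource fields (`public_read`, `encryption`, `cidr` and so on), the policy names and the severities are assumptions chosen for the illustration and are not any real tool's schema.

```python
"""Policy-as-code gate over a constructed IaC resource list (added example)."""
from dataclasses import dataclass
from typing import Callable

# Constructed sample resources in a made-up, tool-neutral dict format.
SAMPLE_RESOURCES = [
    {"type": "storage_bucket", "name": "app-logs",
     "public_read": False, "encryption": "aes256", "versioning": True},
    {"type": "storage_bucket", "name": "web-assets",
     "public_read": True, "encryption": None, "versioning": False},
    {"type": "firewall_rule", "name": "ssh-in",
     "port": 22, "cidr": "0.0.0.0/0", "protocol": "tcp"},
    {"type": "firewall_rule", "name": "https-in",
     "port": 443, "cidr": "0.0.0.0/0", "protocol": "tcp"},
]


@dataclass(frozen=True)
class Finding:
    policy: str
    resource: str
    severity: str


# A policy is (id, resource type it applies to, severity, predicate that is
# True when the resource VIOLATES the rule). Policies are plain code, so they
# are reviewed, versioned and tested like everything else in the repository.
Policy = tuple[str, str, str, Callable[[dict], bool]]

POLICIES: list[Policy] = [
    ("bucket-no-public-read", "storage_bucket", "high",
     lambda r: r.get("public_read") is True),
    ("bucket-encryption-at-rest", "storage_bucket", "medium",
     lambda r: not r.get("encryption")),
    ("no-admin-ports-from-anywhere", "firewall_rule", "high",
     lambda r: r.get("cidr") == "0.0.0.0/0" and r.get("port") in {22, 3389}),
]


def evaluate(resources, policies=POLICIES):
    """Run every applicable policy against every resource and collect violations."""
    findings = []
    for r in resources:
        for pid, rtype, sev, violates in policies:
            if r.get("type") == rtype and violates(r):
                findings.append(Finding(pid, r["name"], sev))
    return findings


def gate(findings, fail_on=("high",)):
    """Pipeline gate: True means the change may proceed, False means block it."""
    return not any(f.severity in fail_on for f in findings)


if __name__ == "__main__":
    found = evaluate(SAMPLE_RESOURCES)
    for f in found:
        print(f"{f.severity.upper():6} {f.policy:30} {f.resource}")
    print("gate:", "PASS" if gate(found) else "FAIL")
```

On the sample the gate fails: `web-assets` is publicly readable and unencrypted, and `ssh-in` opens port 22 to the whole Internet, while `https-in` on 443 is allowed because exposing HTTPS is the intended purpose of the rule. Wiring `gate()` into the CI job that plans the infrastructure change turns the written policy into an enforced one.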
Security Automation:
The use of tools and processes to automate security tasks such as vulnerability scanning, parts of incident response, and compliance reporting. Security automation is an important part of DevSecOps: it makes checks repeatable, runs them on every change rather than occasionally, and frees the security team for work that needs human judgement.
Security Testing:
Testing systems and applications for vulnerabilities, weaknesses, and other security issues. Security testing is an important part of DevSecOps and includes penetration testing, vulnerability scanning, static and dynamic analysis, and security-focused code reviews.
Security:
The practice of protecting systems, networks, and data from unauthorized access, use, disclosure, disruption, modification, or destruction. In DevSecOps, security practices are integrated into the software development and deployment process to ensure that software updates are secure and do not introduce new vulnerabilities. Security also covers the runtime: isolating and hardening the environment in which live applications run.
Software delivery process:
The process of developing, testing, and deploying software updates. The software delivery process typically involves a series of steps, including requirements gathering, design, coding, testing, and deployment, and may involve collaboration between development, testing, and operations teams. The software delivery process aims to deliver high-quality software updates in a timely and efficient manner.
Static Analysis:
A type of software testing that analyzes source code (or compiled artifacts) without executing it, in order to identify bugs, vulnerabilities, and other problems. Static analysis, often called SAST in its security-focused form, is used in DevSecOps to detect and fix problems early, typically as an automated stage of the CI pipeline. Because it never runs the code it cannot judge runtime configuration, and it needs tuning to keep false positives from drowning real findings.
Test-Driven Development (TDD):
A software development practice in which the tests for a piece of code are written before the code itself. TDD helps ensure that the code is developed in a testable manner and meets the requirements the tests define. Security requirements benefit particularly: a test that asserts an input is rejected stays in the suite and catches regressions long after the original author has moved on.
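TDD applied to a security requirement, as an added example that is not from the original article: the requirement, made up for the illustration, is that a download endpoint may only serve files beneath a fixed base directory. The four test functions were written first and failed; `safe_resolve()` is the implementation written afterwards to make them pass. The base directory `/srv/files` and the exception name are assumptions of the example.

```python
"""Test-first implementation of a path-containment check (added example)."""
from pathlib import PurePosixPath

BASE = PurePosixPath("/srv/files")  # assumed base directory for the example


class UnsafePath(ValueError):
    """Raised when a user-supplied path would leave the base directory."""


def safe_resolve(user_path: str, base: PurePosixPath = BASE) -> PurePosixPath:
    """Join `user_path` onto `base` and return the result only if it stays inside `base`.

    Pure paths are used so the function is testable without a filesystem.
    '..' components are collapsed lexically; then containment is re-checked
    explicitly so the function fails closed even if the loop logic changes.
    """
    candidate = PurePosixPath(user_path)
    if candidate.is_absolute():
        raise UnsafePath("absolute paths are not allowed")
    parts = []
    for part in candidate.parts:
        if part in ("", "."):
            continue
        if part == "..":
            if not parts:  # would climb above base
                raise UnsafePath("path escapes base directory")
            parts.pop()
        else:
            parts.append(part)
    resolved = base.joinpath(*parts)
    if resolved != base and base not in resolved.parents:
        raise UnsafePath("path escapes base directory")
    return resolved


# --- tests, written before safe_resolve() existed (red), now passing (green) ---
def test_plain_file_is_served():
    return safe_resolve("reports/q1.pdf") == PurePosixPath("/srv/files/reports/q1.pdf")


def test_dotdot_inside_base_is_normalised():
    return safe_resolve("reports/../public/index.html") == PurePosixPath("/srv/files/public/index.html")


def test_traversal_out_of_base_is_rejected():
    try:
        safe_resolve("../../etc/passwd")
    except UnsafePath:
        return True
    return False


def test_absolute_path_is_rejected():
    try:
        safe_resolve("/etc/passwd")
    except UnsafePath:
        return True
    return False


def run_tests():
    """Return {test_name: passed} for every test above."""
    tests = (test_plain_file_is_served, test_dotdot_inside_base_is_normalised,
             test_traversal_out_of_base_is_rejected, test_absolute_path_is_rejected)
    return {t.__name__: t() for t in tests}


if __name__ == "__main__":
    for name, ok in run_tests().items():
        print(f"{'PASS' if ok else 'FAIL'} {name}")
```

The check is lexical only. On a real filesystem a symbolic link inside the base directory can still point outside it, so the production version would additionally resolve the final path with `Path.resolve()` and repeat the containment check; in TDD that caveat would arrive as a fifth failing test before the implementation is extended.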
Threat Modeling:
The practice of identifying, analyzing, and prioritizing potential security threats to a system or application, usually by looking at its components, data flows and trust boundaries and asking what can go wrong at each. Threat modeling is widely used in DevSecOps to help organizations find and address weaknesses in the design before they are built and exploited.
Vulnerability Scanning:
The practice of automatically checking systems, applications and their dependencies against databases of known vulnerabilities, for example by comparing installed software versions or configurations with published advisories. Vulnerability scanning is used in DevSecOps to identify and prioritize vulnerabilities that need to be fixed; it finds only what is already known, which is why it is complemented by penetration testing.
Vulnerability:
A weakness or flaw in a system or application that an attacker could exploit to gain unauthorized access, disrupt service, or steal or manipulate data. In DevSecOps, vulnerabilities are identified and remediated as part of the software development and deployment process, before they reach production and can be exploited.
This glossary for DevSecOps gives you a first overview of the different terms and definitions for daily use. We are continuously expanding the glossary with additional and new terms.