
Whitepaper

The enterprise architect's guide to DevSecOps

November 3, 2019

Enterprise DevOps is here to stay. But enterprise architects have long understood what DevOps leaders are just discovering—security, not only shipping, is a shared responsibility.

Today, operations teams use collaboration, automation, and containers to speed up software delivery. While these DevOps best practices have helped them find new ways to build faster, old security practices still slow many organizations down.

Enter DevSecOps. DevSecOps brings IT security into development and operations teams to ensure that security is a priority at every step of the software development lifecycle. With a few changes, your organization can ship better, more secure software—without delays or increased costs.

Why DevSecOps?

Lower security costs

DevSecOps includes all the DevOps best practices high-performing teams live by, with the security large organizations require. By building security into your DevOps pipeline, you find vulnerabilities before they are ever released, at the point where they are easiest and least expensive to remediate.

More effective teamwork

Just as developers and operations are both responsible for reliability and quality in DevOps, DevSecOps makes security a team effort, not a final step. Developers, operations, and security teams work together to keep applications secure from the first line of code to final production.

Policy-driven automation

A good DevSecOps program also increases confidence in your organization’s entire software delivery process. Automated checks implement security in a policy-driven way, rather than as a set of confusing manual tools that slow development down for everyone.


Then: Siloed security / Now: DevSecOps

Testing just before deployment / Testing from idea to production
  Then: Static testing and dynamic testing happened at the end of the delivery cycle, right before release.
  Now: Static and dynamic testing happens alongside secure coding practices, quality gate checks, and security vulnerability fixes.

Separate security expertise / Shared security expertise
  Then: Development, IT operations, and security teams worked independently.
  Now: Developers, IT operations, and security teams all follow shared security guidelines in their work.

Manual security testing / Automated security testing
  Then: Organizations deployed less often and ran security checks individually, as needed.
  Now: Organizations deploy more frequently and add automated security checks to their CI/CD pipeline.


Three DevSecOps tips to get started

1. Use a shared, safe platform for collaboration

Like DevOps, DevSecOps begins and ends with collaboration. A shared platform helps development, IT operations, and security teams build together and standardize how they work. Prioritize platforms with built-in security so your entire organization can share best practices, find and reuse code, and collaborate from the start.

GitHub tip: Good security begins at sign-in. When you find the right collaboration platform, it should also support identity management features such as two-factor authentication, single sign-on, automatic organization membership syncs, and more.

2. Secure your SDLC from end to end

Up to 99 percent of recently released applications contain open source code—meaning open source dependencies are already part of your codebase.* Integrate code security tools into your CI/CD pipeline that can proactively identify security vulnerabilities in both open and internal source code.

GitHub tip: Open source software is everywhere. Automated security tools like LGTM variant analysis, WhiteSource, and Snyk can make it easy to find and eliminate bugs and vulnerabilities your team can’t track by hand.

* 2019 Open Source Security and Risk Analysis Report
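As an added example (not part of the original whitepaper, and not a configuration GitHub itself prescribes), the following GitHub Actions workflow wires two of the checks described above into the pipeline: CodeQL static analysis of the repository's own code on every push and pull request, plus a dependency review that fails a pull request when it introduces a dependency with a known high-severity vulnerability. It assumes a JavaScript project whose default branch is named main; the action version tags (@v3, @v2) are illustrative and should be replaced with whatever your organization has vetted.

```yaml
# .github/workflows/security.yml  (added example, not from the whitepaper)
# Assumes: JavaScript codebase, default branch "main".
name: Security checks

on:
  push:
    branches: [main]
  pull_request:
    branches: [main]

# Least privilege for the whole workflow: read-only by default.
# security-events: write is the one extra grant CodeQL needs to
# upload its findings to the repository's code scanning alerts.
permissions:
  contents: read
  security-events: write

jobs:
  codeql:
    name: Static analysis (CodeQL)
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - uses: github/codeql-action/init@v2
        with:
          languages: javascript
      - uses: github/codeql-action/analyze@v2

  dependency-review:
    name: Block newly introduced vulnerable dependencies
    runs-on: ubuntu-latest
    # Only meaningful on a pull request, where there is a base to diff against.
    if: github.event_name == 'pull_request'
    steps:
      - uses: actions/checkout@v3
      - uses: actions/dependency-review-action@v3
        with:
          # Fail the check for high and critical advisories; lower
          # severities are reported but do not block the merge.
          fail-on-severity: high
```

Two practitioner notes. First, the permissions block is the part most often omitted: without it the workflow inherits whatever default token scope the repository has, which may be far broader than a scanning job needs. Second, pinning the third-party actions to a full commit SHA instead of a version tag is the stronger supply-chain choice, because a tag can be moved to point at different code after you have reviewed it.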

3. Track security after production

Security doesn’t end once code is committed and deployed, and neither does your DevSecOps pipeline. After deployment, keep code and customers safe by continuously monitoring for vulnerabilities. Look for tools that can track and update vulnerable dependencies post-launch, before attackers can take advantage.

GitHub tip: While security vulnerability alerts make projects safer, industry data shows that more than 70 percent of vulnerabilities remain unpatched after 30 days, and many for up to a year. Use integrations that don’t just identify vulnerable dependencies, but fix them automatically.
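As an added example (not part of the original whitepaper), this Dependabot configuration file turns post-launch dependency tracking into a stream of reviewable fixes rather than a list of alerts: on the given schedule GitHub checks the project's npm dependencies, and the actions used by its own CI workflows, for newer releases and opens a pull request for each upgrade. It assumes an npm project whose package.json sits at the repository root; the ecosystems, directories, schedule and labels are assumptions to adjust for your codebase. Note that this file drives version updates; Dependabot security updates, the pull requests opened specifically in response to a vulnerability alert, are switched on separately in the repository's security settings and then follow the settings here.

```yaml
# .github/dependabot.yml  (added example, not from the whitepaper)
# Assumes an npm project with package.json at the repository root.
version: 2
updates:
  # Application dependencies: check daily, keep the open-PR count bounded
  # so a burst of releases does not flood the review queue.
  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      interval: "daily"
    open-pull-requests-limit: 10
    labels:
      - "dependencies"
      - "security"
    commit-message:
      prefix: "deps"

  # The CI workflows are a dependency too: keep the actions they pull in
  # (checkout, CodeQL, dependency review, ...) current on a weekly cadence.
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"
```

The pull requests this produces run through the same CI checks as any other change, so an automated upgrade that breaks the build or fails a scan is caught before it reaches production instead of being applied blindly.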

  • Tags:
  • devops
  • security
