Hi, I'm Andrea Crawford with IBM Cloud. So we're going to talk about DevSecOps. DevSecOps is all about DevOps with the lens on security. The benefits of DevSecOps primarily address observability. This is observability in the context of how observable your application delivery process is in and of itself: do we know what's happening between user story all the way through to code, build, deploy, manage, and continuous improvement? Another benefit is traceability: are we able to understand what user stories are being deployed and managed in the runtime environment, and can we prove it? The next benefit is confidence, and this is all about the business having a trustful relationship with the IT organization that what is being delivered is actually what started off in the beginning of the pipeline as a requirement or a user story. And the last benefit here is compliance. This becomes increasingly important for specific industries like healthcare, public/federal, banking, and the like. We need to have compliance built into this release pipeline, and it needs to be engineered from day one.

DevSecOps can really involve a lot of different activities in the supply chain, or this pipeline. Part of those are things like well-formed user stories over here. These user stories have to be appropriately sized, well-formed, and understandable by the development team. Additional security features are going to be piped in over here in the code phase. These involve things like test-driven development and pair programming. These are specific activities and new ways of working that mitigate the risk of somebody introducing a bug or a defect at the coding level. We also are able to achieve better test code coverage by writing our test cases first and then writing our code.

We also have security aspects that we can infuse into the build phase here, and this is more along the lines of linting and making sure that our code is able to conform to standard coding practices. We also have this notion of scanning, particularly for things like infinite loops or undeclared variables. These are all potential vulnerabilities that could manifest themselves in very adverse ways once we get into production. And then some additional security practices around the deploy aspect can also be infused. So with the advent of cloud native and images, there are even things like notary services, where we can ensure that images are not only immutable but that the Docker images being deployed are in fact the same images that are produced from the build process. And then we have, in the manage section here, activities such as mutation detection. This is all about making sure that any runtime containers that are in your operational environment don't all of a sudden spark some sort of vulnerability in the runtime environment that you may not have caught in the build phase. So DevSecOps is all about infusing risk-mitigating activities throughout this pipeline here.

So what are some of the use cases for infusing security? Well, pretty much everything, but in particular: if you have issues with a lack of visibility in terms of how your applications are progressing through the pipeline and who's deploying what, when, and in which environment; if you have cases where you are troubled with audits and being able to prove with empirical data that what you are delivering is in fact what you started out with in the beginning of the pipeline, empirically tracing back all the way through from beginning to end; if you have issues with unified governance and being able to use this pipeline here across your enterprise in a uniform way. So, making sure that we are delivering software by appropriating the right kind of risk mitigation: are we doing the right kind of activities throughout this pipeline to mitigate the risk of getting our digital reputation in trouble at an enterprise level? So these are the use cases for employing some of these DevSecOps principles.

There are industry standard organizations like OWASP, or the Open Web Application Security Project, that actually have software assurance maturity models to address not just these pipeline activities but also governance, construction, and even recommending secure coding practices that you would find over here. So to sum all of this up, DevSecOps is all about a holistic, secured-by-design approach to code, to delivery, and it all involves people, process, and tools.

Thanks for watching this video. If you have any questions or comments, be sure to drop a line below. If you want to see more videos like this in the future, be sure to like and subscribe.
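As an added illustration of the deploy-stage notary check the talk mentions (example code, not from the video or from IBM Cloud): the build stage records and signs the immutable digest behind a mutable tag, and the deploy gate rejects a pulled image whose digest differs from the build record even when the tag matches. The signing key, registry name and image bytes are constructed placeholders.

```python
import hashlib
import hmac
import json

# Constructed pipeline signing key; a real notary/Sigstore setup would use an
# asymmetric key held by the build system, not a shared secret like this.
NOTARY_KEY = b"constructed-demo-key-not-for-real-use"


def image_digest(image_bytes: bytes) -> str:
    """Content-addressed image identifier in OCI 'sha256:<hex>' form."""
    return "sha256:" + hashlib.sha256(image_bytes).hexdigest()


def notarize_build(image_bytes: bytes, tag: str) -> dict:
    """Build stage: record the immutable digest behind a mutable tag and sign
    that record, so the deploy stage can check it came from the build."""
    record = {"tag": tag, "digest": image_digest(image_bytes)}
    payload = json.dumps(record, sort_keys=True).encode()
    record["signature"] = hmac.new(NOTARY_KEY, payload, hashlib.sha256).hexdigest()
    return record


def deploy_gate(record: dict, pulled_bytes: bytes, pulled_tag: str) -> tuple:
    """Deploy stage: admit the pulled image only if the attestation verifies and
    the pulled content has exactly the digest the build produced."""
    unsigned = {k: v for k, v in record.items() if k != "signature"}
    payload = json.dumps(unsigned, sort_keys=True).encode()
    expected = hmac.new(NOTARY_KEY, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, record.get("signature", "")):
        return False, "attestation signature invalid"
    if pulled_tag != record["tag"]:
        return False, "tag does not match attestation"
    if image_digest(pulled_bytes) != record["digest"]:
        return False, "digest mismatch: tag points at different content"
    return True, "ok"


def demo() -> dict:
    built = b"app image bytes v1 (constructed)"
    tag = "registry.example/app:1.0"  # constructed registry name
    record = notarize_build(built, tag)
    results = {"genuine": deploy_gate(record, built, tag)[0]}
    # Same tag re-pointed at different content: the digest check catches it.
    results["retagged"] = deploy_gate(record, b"different content", tag)[0]
    # Attestation edited after signing: the signature check catches it.
    forged = dict(record, digest=image_digest(b"different content"))
    results["forged"] = deploy_gate(forged, b"different content", tag)[0]
    return results
```

Pinning deployments to the digest rather than the tag is what makes the "same image as the build produced" guarantee checkable.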