
Talk the Talk: 3 Software Security Concepts to Know Now

You’ve heard these terms in meetings and heard your peers use them with authority, but do you fully understand them? Today’s executive-level explainer will give you the vocabulary and context to discuss software security with greater confidence and deeper meaning – to walk the walk AND talk the talk.

DevSecOps

DevSecOps (development + security + operations) describes a security-focused, continuous delivery software development lifecycle. DevSecOps builds on the best practices of general DevOps by integrating security verification earlier in the software build as part of the development process.

The concept: DevSecOps shortens the testing feedback loop, so developers receive feedback and notifications of security-related events early and often. Because security issues and bad code are identified early in the pipeline, they are easier and cheaper to fix. The process relies on communication and cooperation between the different software development functions, and it uses automated tools to enhance workflows.

Software Bill of Materials

A Software Bill of Materials (SBOM) is a complete inventory of every software component needed to build a software program or application. SBOMs list all the build packages and dependencies, their sizes, and the license associated with each, in an easily consumable format. Other metadata, such as which developer created the package or dependency, is also included. These lists are useful for detecting malicious packages, as well as secrets or passwords that might be embedded within the software, making SBOM use not only a best practice but a critical piece of cybersecurity.
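The two ideas above meet in a pipeline gate: an automated check that reads the SBOM as soon as a build is produced and reports back to the developer before the change moves further. The following is an added example, not code from the article or from Anchore; it parses a constructed CycloneDX-style SBOM and checks each component against a constructed deny-list of known-bad package coordinates and a constructed license allow-list, then returns a pass/fail verdict for the pipeline. The package names, versions and policy values are all made up for illustration.

```python
"""Pipeline gate that inspects a CycloneDX-style SBOM (JSON) for components
that violate policy. Constructed example: the SBOM, deny-list and license
allow-list below are illustrative, not real data."""
import json

# Constructed minimal CycloneDX-style SBOM. Names and versions are made up.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "components": [
    {"type": "library", "name": "requests", "version": "2.31.0",
     "purl": "pkg:pypi/requests@2.31.0",
     "licenses": [{"license": {"id": "Apache-2.0"}}]},
    {"type": "library", "name": "left-padd", "version": "0.0.1",
     "purl": "pkg:npm/left-padd@0.0.1",
     "licenses": []},
    {"type": "library", "name": "colorful-logs", "version": "1.2.0",
     "purl": "pkg:pypi/colorful-logs@1.2.0",
     "licenses": [{"license": {"id": "GPL-3.0-only"}}]}
  ]
}
"""

# Constructed policy: package coordinates the organization has flagged as
# malicious or unwanted, and the licenses it permits in shipped software.
DENY_LIST = frozenset({"pkg:npm/left-padd@0.0.1"})
ALLOWED_LICENSES = frozenset({"Apache-2.0", "MIT", "BSD-3-Clause"})


def component_licenses(component):
    """Collect declared license identifiers (or names) for one component."""
    ids = []
    for entry in component.get("licenses", []):
        lic = entry.get("license", {})
        ids.append(lic.get("id") or lic.get("name") or "UNKNOWN")
    return ids


def evaluate_sbom(sbom_text, deny_list=DENY_LIST, allowed=ALLOWED_LICENSES):
    """Return a list of (severity, message) findings for the SBOM."""
    sbom = json.loads(sbom_text)
    findings = []
    for comp in sbom.get("components", []):
        # Prefer the package URL as the stable identifier; fall back to name@version.
        coord = comp.get("purl") or f"{comp['name']}@{comp.get('version', '?')}"
        if coord in deny_list:
            findings.append(("HIGH", f"{coord}: matches deny-list"))
        licenses = component_licenses(comp)
        if not licenses:
            findings.append(("MEDIUM", f"{coord}: no license declared"))
        for lic in licenses:
            if lic not in allowed:
                findings.append(("MEDIUM", f"{coord}: license {lic} not in allow-list"))
    return findings


def gate(findings, fail_on=frozenset({"HIGH"})):
    """Pipeline verdict: True if the build may proceed, False if it must stop."""
    return not any(sev in fail_on for sev, _ in findings)


if __name__ == "__main__":
    results = evaluate_sbom(SBOM_JSON)
    for sev, msg in results:
        print(f"[{sev}] {msg}")
    print("PASS" if gate(results) else "FAIL: blocking finding, fix before merge")
```

Run as a pipeline step, the script prints each finding and exits with a verdict; wiring the `gate` result to the job's exit status is what turns the SBOM from a document into an early, automated feedback signal. Medium findings are reported but do not block here, which keeps the loop short while still surfacing license gaps for follow-up.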

GitOps

GitOps is a set of practices that allow developers to perform coding tasks and other functions that typically are housed in IT operations. The best explanation of GitOps that I have read comes from WeaveWorks, which I’ve summarized below.

GitOps works by using Git (an open-source version control system for code) as the single source of truth. With GitOps, software agents detect and alert on any divergence between what is declared in Git and what is running in a cluster. If there is a difference, the process automatically updates, or rolls back, the cluster to match Git. With Git at the center of the delivery pipeline, approved changes can be applied to the system automatically – accelerating and simplifying both application deployments and operations tasks.
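To make the "detect divergence, then update or roll back" loop concrete, here is an added example (not code from the article, WeaveWorks, or any GitOps tool) of a simplified reconciler. The desired state is a constructed dictionary standing in for manifests checked into Git; the live state is a constructed snapshot of what a cluster reports. The agent lists every divergence, then applies the Git-declared state, which both reverts a hand-made change and removes a resource nobody approved through Git.

```python
"""Simplified GitOps reconciler: desired state comes from Git (here a
constructed dict standing in for checked-in manifests); the agent compares it
with the live cluster state and applies or reverts any divergence."""
from copy import deepcopy

# Constructed desired state, as it would be read from the Git repository.
DESIRED = {
    "deployment/web": {"image": "registry.example/web:1.4.2", "replicas": 3},
    "deployment/api": {"image": "registry.example/api:2.0.0", "replicas": 2},
}

# Constructed live state, as reported by the cluster. Two kinds of drift:
# someone scaled "web" by hand, and an undeclared "debug" deployment exists.
LIVE = {
    "deployment/web": {"image": "registry.example/web:1.4.2", "replicas": 5},
    "deployment/api": {"image": "registry.example/api:2.0.0", "replicas": 2},
    "deployment/debug": {"image": "registry.example/debug:latest", "replicas": 1},
}


def detect_drift(desired, live):
    """Return (kind, resource, desired_spec, live_spec) for every divergence.

    kind is "missing" (in Git, not in cluster), "modified" (specs differ) or
    "unmanaged" (in cluster, not declared in Git).
    """
    drift = []
    for name, spec in desired.items():
        if name not in live:
            drift.append(("missing", name, spec, None))
        elif live[name] != spec:
            drift.append(("modified", name, spec, live[name]))
    for name, spec in live.items():
        if name not in desired:
            drift.append(("unmanaged", name, None, spec))
    return drift


def reconcile(desired, live, prune=True):
    """Bring the live state back to the Git-declared state.

    Returns (new_live_state, actions_taken). With prune=True, resources that
    exist in the cluster but not in Git are deleted; otherwise only reported.
    """
    new_live = deepcopy(live)
    actions = []
    for kind, name, want, have in detect_drift(desired, live):
        if kind in ("missing", "modified"):
            new_live[name] = deepcopy(want)
            actions.append(f"apply {name}: {have} -> {want}")
        elif kind == "unmanaged":
            if prune:
                del new_live[name]
                actions.append(f"delete {name}: not declared in Git")
            else:
                actions.append(f"alert {name}: not declared in Git (prune disabled)")
    return new_live, actions


if __name__ == "__main__":
    for entry in detect_drift(DESIRED, LIVE):
        print("drift:", entry)
    converged, taken = reconcile(DESIRED, LIVE)
    for action in taken:
        print("action:", action)
    print("converged to Git state:", converged == DESIRED)
```

The key property is idempotence: running `reconcile` on already-converged state produces no actions, so the agent can loop on a schedule without side effects. Because every change to the cluster must first land in Git, the repository history doubles as an audit trail of who approved what, and a rollback is simply a revert commit that the next reconcile pass applies.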

Both DevSecOps and cybersecurity are evolving rapidly. Take the time to brush up on the latest key terms and solidify your understanding of important concepts. This will allow you to keep pace and help your organization or team anticipate coming changes.

Related content:

GovLoop – 5 Best Practices to Guide Your DevSecOps Journey

GovLoop – How to Get Real with DevSecOps

Interested in becoming a Featured Contributor? Email topics you’re interested in covering for GovLoop to [email protected] And to read more from our summer/fall 2021 Cohort, here is a full list of every Featured Contributor during this cohort and a link to their stories.

Hayden Smith is a senior engineer with Anchore, a software container security company. Currently, Smith leads developer projects across the Defense Department (DoD) and numerous federal agencies to help government organizations adopt DevSecOps best practices. His work includes building and automating Platform One, a collection of hardened and approved containers for use across agencies.

Smith’s dedication to advancing safe cloud-native development practices has been able to guide, empower, equip and accelerate DoD programs through their DevSecOps journeys. Prior to joining Anchore, Smith was a DevOps and infosecurity technologist with Booz Allen Hamilton, where he worked extensively on FedRAMP compliance. You can connect with Anchore on Twitter and LinkedIn.
