Wednesday, July 6, 2022
HomeCyber SecurityDevSecOps glossary: 24 phrases safety professionals must know

DevSecOps glossary: 24 phrases safety professionals must know

Picture: Song_about_summer/Adobe Inventory

What’s DevSecOps?

DevSecOps is a portmanteau of growth, safety and operations. Like DevOps, DevSecOps refers to a mixture of tradition, processes and applied sciences. However whereas DevOps focuses on optimizing and streamlining the software program growth lifecycle, DevSecOps seeks to enhance safety all through a corporation’s product supply pipeline. Additional, DevSecOps immediately addresses potential safety weaknesses launched by the DevOps mannequin.

SEE: Password breach: Why popular culture and passwords don’t combine (free PDF) (TechRepublic)

DevSecOps phrases it’s essential to know

Assault floor

A corporation’s assault floor refers back to the potential vulnerabilities inside a system that may be exploited by an attacker—the publicity that the community has to potential threats. Web of Issues (IoT) units, cellular units, cloud computing and distant work have all expanded the typical group’s assault floor.


On the whole, automation refers to the usage of expertise to finish a activity that may in any other case be accomplished by a human. Within the context of DevSecOps, automation refers to the usage of automated expertise—scripts, bots and algorithms—to automate safety duties all through the software program growth life cycle.

Chain of custody

The chain of custody is the report of who had possession of proof at a given time. Within the context of digital proof, the chain of custody have to be maintained to make sure that the proof has not been altered and that its authenticity may be verified. Trendy doc administration programs, for instance, include thorough audit logs.


CI/CD, or steady integration and steady supply, is a software program growth observe through which builders combine code adjustments right into a shared repository regularly, and software program adjustments are routinely constructed, examined and deployed to manufacturing. These exceptionally quick iterations produce worth for the group quicker, however in addition they demand increased ranges of safety to cut back the potential for disruption.

Code dependencies

Code dependencies are the exterior libraries, frameworks and modules your code requires to be able to run. These dependencies can introduce vulnerabilities into your codebase if they aren’t correctly managed. Third-party vulnerabilities are the commonest vulnerabilities inside a system.


Compliance refers to a corporation’s adherence to exterior rules, requirements or finest practices. Within the context of DevOps and safety, compliance can check with every thing from adherence to industry-specific rules, such because the CMMC for Division of Protection contractors, to inside firm insurance policies.

Configuration drift

Configuration drift happens when the configuration of a system adjustments with out being tracked or authorised. Configuration drift can result in safety vulnerabilities over time because the group more and more broadens its scope.


Containerization is a technique of packaging software program, so it may be run in remoted environments. Containers are self-contained and embrace all of the dependencies essential to run the software program, making them transportable and simple to deploy. Importantly, containerized situations have a restricted impression on one another, making them safer.

Information breach

A knowledge breach is any unauthorized entry to or disclosure of delicate info. Information breaches can happen when a malicious attacker good points entry to a system, however they’ll additionally happen when a licensed person mishandles information—for instance, by sending it to the incorrect individual or posting it on-line. Most firms will expertise a knowledge breach in some unspecified time in the future, however the correct DevSecOps practices will mitigate hurt.

Information loss prevention

Information loss prevention refers back to the observe of stopping the unauthorized disclosure of delicate info, whether or not by way of the usage of automated instruments or restricted entry. Information loss prevention instruments can be utilized to encrypt information in transit and at relaxation in addition to to observe and management entry to information.

Endpoint safety

Endpoint safety is the observe of securing the units that connect with a community. Endpoints can embrace laptops, smartphones, tablets and IoT units. Endpoint safety options sometimes embrace antivirus software program, firewalls and intrusion detection and prevention programs.

Identification and entry administration (IAM)

IAM is the observe of managing identities—each digital and bodily—and the entry they must delicate info and programs. IAM contains the provisioning and de-provisioning of person accounts in addition to the administration of entry controls. To be actually efficient, IAM suites have to be paired with the suitable safety processes.

Maturity mannequin

A maturity mannequin is a framework that can be utilized to evaluate a corporation’s progress in adopting a selected observe or functionality. Within the context of DevSecOps, a maturity mannequin can be utilized to evaluate a corporation’s progress in adopting DevSecOps practices and attaining DevSecOps aims.

Passwordless authentication

Passwordless authentication is a technique of authenticating customers with out the usage of passwords. As a substitute, it may be achieved with the usage of biometrics, {hardware} tokens or one-time passcodes (OTPs). Many safety analysts imagine this sort of authentication is safer than conventional passwords, as passwordless authentication doesn’t rely on the person to uphold safety requirements.

Penetration testing

Penetration testing, often known as pen testing, is the observe of simulating an assault on a system to be able to establish vulnerabilities. Pen assessments may be performed manually or with automated instruments, and they are often focused at particular person programs or your entire community.

Perimeter safety

Perimeter safety is the observe of defending the boundaries of a community. Perimeter safety options sometimes embrace firewalls and intrusion detection and prevention programs. Immediately, organizations are drifting away from perimeter-based safety and towards access-based safety.

Danger administration

Danger administration is the method of figuring out, assessing and mitigating dangers. Within the context of safety, danger administration is a vital part that features the identification of threats and vulnerabilities in addition to the evaluation of their impression on the group.

Safety info and occasion administration (SIEM)

SIEM is a safety administration strategy that mixes the capabilities of safety info administration (SIM) and safety occasion administration (SEM). SIEM offers organizations with a real-time view of their safety posture in addition to the flexibility to detect, examine and reply to safety incidents.

Safety as code

Safety as code is the observe of treating safety configurations and insurance policies as code, which may then be managed like another software program asset. Safety as code helps to make sure safety configurations are constant throughout environments and that adjustments may be tracked over time.

Safety posture

A corporation’s safety posture refers back to the total state of its safety, together with the effectiveness of its controls and the adequacy of its insurance policies and procedures. The safety posture may be measured by way of the usage of safety assessments and audits.

Shift Left

Shift Left is a DevOps precept that advocates for the sooner inclusion of safety within the software program growth course of. By shifting left, organizations can discover and repair safety vulnerabilities earlier within the growth cycle, which may save money and time.

Siloed safety

Siloed safety is the observe of isolating safety capabilities from different components of the group. Siloed safety can result in inefficiencies and blind spots in addition to an elevated danger of safety incidents.

Risk modeling

Risk modeling is the observe of figuring out, assessing and mitigating threats. It helps organizations to know their assault floor and establish the most certainly and impactful threats by auditing current programs and figuring out potential gaps.

Zero belief

Zero belief is a safety mannequin that assumes all customers and units are untrustworthy. In a zero-trust atmosphere, all site visitors is handled as malicious and all property are protected accordingly. Zero belief is commonly used along side micro-segmentation to additional isolate programs and information.



Please enter your comment!
Please enter your name here

- Advertisment -
Google search engine

Most Popular

Recent Comments