DevSecOps

00:00

hi and welcome to module to lessen 5.2. This will be a really quick lesson on the concept of Def SEC ops, and this will be the final lesson in our application layer section. After this section, we're going to move on to the actual data layer where we've got several concepts we want to learn there.

00:17

In the context of these, this infrastructure security course, all we really need to know about Def SEC ops is that it's a philosophy. It's a philosophy that that fosters that ongoing, flexible collaboration between software engineers and security teams. We talked a little bit in the last section during the change management section

00:35

about the concept of Dev ops, and that's the concept of just taking the development in the operations environment

00:42

and blurring the lines between the two so that we can have quicker release cycles. We can go to market quicker with things,

00:48

def. Sec Ops is simply inserting in security into that concept. So now, as we're releasing quickly and we're going through development and testing and releasing quickly, we're inserting security at every step along the way. Really, it should be one word. It's it's kind of the latest buzzword. But really, Dev ops

01:06

def sec ops should just be part of Dev ops. It should just be inherently part of it. But def SEC ops came along,

01:11

I think, because there were enough people that were just doing Dev ops and weren't thinking about security as they released. So we had to add the word second, their toe make sure security was being thought about.

01:23

Now all that's gonna really do is it's gonna give us this secure code release environment. So as we, as we blur the boundaries, were making sure that security is embedded in some of the tools that we can use our static code analysis tools. That's one of them. Static code analysis is simply a tool that allows, as developers write code,

01:42

they don't write the entire application at one time. They write a part of the application and they commit the code and commit and commit.

01:48

So as developers write code and commit the code, you can use static analysis to a static code analysis to us to actually look at that code and try to find anomalies within the code itself before it's actually executed. For example, maybe a developer as a placeholder put their own credentials in the code because the code, the application's gonna need some sort of credentials.

02:07

So just as a placeholder to to get through something when they were testing, they put their own credentials in or some

02:13

temporary credentials in on and forgot about it and committed the code. Static code analysis can find these types of things before the code is compiled, because later finding these things later whenever the code is finished may take a lot of work to have to go back and actually

02:29

get to the point where you can strip it down and fix this one problem and then build back up. On top of that

02:35

dynamic code analysis is another term. You'll hear a lot of the def SEC ops world. All that is is a vulnerability scanner recovered those in a couple different places in this course, dynamic code analysis is just testing the code as it's running at runtime environment.

02:50

So static code analysis is testing the code itself when it's not running and dynamic code analysis is testing the code while it's running,

02:55

and that could be done in the form of a simple vulnerability scan.