secure_software_development_fundamentals.md (6 additions & 0 deletions)
@@ -612,6 +612,8 @@ Many organizations want to deploy software/services more rapidly, and have adopt
612
612
613
613
* DevSecOps (also called SecDevOps) is DevOps, but specifically integrating security concerns into the development and operations process (Red Hat, [*What Is DevSecOps?*](https://www.redhat.com/en/topics/devops/what-is-devsecops))
614
614
615
+
* GitOps "is a way of implementing Continuous Deployment for cloud native applications. It focuses on a developer-centric experience when operating infrastructure, by using tools developers are already familiar with, including Git and Continuous Deployment tools. The core idea of GitOps is having a Git repository that always contains declarative descriptions of the infrastructure currently desired in the production environment and an automated process to make the production environment match the described state in the repository. If you want to deploy a new application or update an existing one, you only need to update the repository - the automated process handles everything else" per <https://www.gitops.tech/>. Similar definitions are "GitOps uses Git repositories as a single source of truth to deliver infrastructure as code." (Red Hat, [*What Is GitOps?*](https://www.redhat.com/en/topics/devops/what-is-gitops)) and "GitOps is an operational framework that takes DevOps best practices used for application development such as version control, collaboration, compliance, and CI/CD, and applies them to infrastructure automation." (GitLab, [*What is GitOps?*](https://about.gitlab.com/topics/gitops/)).
616
+
615
617
All these depend on automated tests and quality checks, and from a security perspective, what is critical is that tools to check for security vulnerabilities and potential security issues need to be integrated into those automated tests and quality checks. For example, you should ensure that tools are in your CI pipeline that check for various security issues, so that any security problems are detected early. Security tools that take a long time to run might be run in parallel but be used as a “gate” for CDE. We will discuss much more about tools to support security later in the course.
616
618
617
619
Simply inserting some “security tools” into an automated test suite, by itself, tends to be ineffective. Security tools will not generally know what the software is supposed to do (the requirements). For example, security tools will not know what information is confidential. Security tools usually cannot detect fundamental problems in the software design, and even if they could, fixing design problems is not what detection tools do. Security tools often miss vulnerabilities, especially if the software is poorly designed. And perhaps most importantly, information from security tools generally do not make sense to developers if they do not have a basic understanding about security. There is an old phrase that is still true: *“a fool with a tool is still a fool”*.
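Review bot: the gitops.tech quotation in the new GitOps bullet is cited only as a bare inline URL (`per <https://www.gitops.tech/>`) and gets no entry in the references section, while the Red Hat and GitLab definitions quoted in the same bullet each receive a bibliography entry in this commit; add a matching reference entry for gitops.tech so all three sources are cited the same way. Since the bullet's own definition makes the Git repository the single source of truth and says updating it is all that is needed to change production, the following paragraph ("All these depend on automated tests and quality checks...") would also benefit from one sentence noting that repository write access and the reconciling automation therefore sit inside the production trust boundary, so declarative infrastructure changes need the same review and security checks in the pipeline as code changes.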
@@ -5830,6 +5832,8 @@ Gerrand, Andrew, *The Go Blog: Error handling and Go*, 2011 ([https://blog.golan
5830
5832
5831
5833
GitHub Security, *Password reset emails delivered to the wrong address*, 2016-07-05 ([https://bounty.github.com/researchers/jagracey.html](https://bounty.github.com/researchers/jagracey.html))
5832
5834
5835
+
GitLab, *What is GitOps?* ([https://about.gitlab.com/topics/gitops/])
5836
+
5833
5837
Gooding, Dan, *Plundering of crypto keys from ultrasecure SGX sends Intel scrambling again*, Ars Technica, 2020-06-09 ([https://arstechnica.com/information-technology/2020/06/new-exploits-plunder-crypto-keys-and-more-from-intels-ultrasecure-sgx/](https://arstechnica.com/information-technology/2020/06/new-exploits-plunder-crypto-keys-and-more-from-intels-ultrasecure-sgx/))
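Review bot: the new GitLab entry wraps its URL in single square brackets, `([https://about.gitlab.com/topics/gitops/])`, which is not a Markdown link and will render with literal brackets; the neighbouring entries (GitHub Security above, Gooding below) use the `[url](url)` form, so this should read `([https://about.gitlab.com/topics/gitops/](https://about.gitlab.com/topics/gitops/))`.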
Red Hat, *What Is DevSecOps?* ([https://www.redhat.com/en/topics/devops/what-is-devsecops](https://www.redhat.com/en/topics/devops/what-is-devsecops))
5944
5948
5949
+
Red Hat, *What Is GitOps?* ([https://www.redhat.com/en/topics/devops/what-is-gitops])
5950
+
5945
5951
Regehr, John, *A Guide to Undefined Behavior in C and C++ (Parts 1-3)*, 2010 ([http://blog.regehr.org/archives/213](http://blog.regehr.org/archives/213))
5946
5952
5947
5953
Reichel, Robert, *How we threat model*, 2020-09-02 ([https://github.blog/2020-09-02-how-we-threat-model/](https://github.blog/2020-09-02-how-we-threat-model/))
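Review bot: the new Red Hat GitOps entry has the same link problem as the GitLab one, `([https://www.redhat.com/en/topics/devops/what-is-gitops])` is bracketed text rather than a link; the Red Hat DevSecOps entry immediately above shows the intended form, so change it to `([https://www.redhat.com/en/topics/devops/what-is-gitops](https://www.redhat.com/en/topics/devops/what-is-gitops))`. Alphabetical placement after *What Is DevSecOps?* and before Regehr is correct.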