DevSecOps Glossary
This glossary provides definitions for common terms you'll encounter in the field of DevSecOps. Understanding this terminology is crucial for effective communication and implementation of DevSecOps principles.
- CI/CD (Continuous Integration/Continuous Delivery or Deployment)
- The practice of frequently integrating code changes (CI) and automating the delivery (CD) of applications to production. DevSecOps integrates security into this pipeline. Learn more about Modern DevOps Practices.
- SAST (Static Application Security Testing)
- A white-box testing methodology that analyzes an application's source code, byte code, or binary code for security vulnerabilities without executing the application. Covered in Key DevSecOps Practices.
- DAST (Dynamic Application Security Testing)
- A black-box testing methodology that examines an application in its running state to find vulnerabilities by simulating external attacks. Also detailed in our Key Practices section.
- IAST (Interactive Application Security Testing)
- A testing methodology that combines elements of SAST and DAST. It uses instrumentation within the running application to identify vulnerabilities as the application is used, often during automated or manual testing.
- SCA (Software Composition Analysis)
- Tools and processes to identify open-source components in a codebase and their known security vulnerabilities, licensing issues, and code quality problems.
- Shift Left
- The practice of integrating security testing and considerations as early as possible in the software development lifecycle (SDLC), rather than waiting until the end. A core principle of DevSecOps, introduced in What is DevSecOps?
- Infrastructure as Code (IaC)
- Managing and provisioning infrastructure (networks, virtual machines, load balancers, etc.) through machine-readable definition files, rather than physical hardware configuration or interactive configuration tools. Securing IaC is a key DevSecOps practice.
- Secrets Management
- The tools and methods for managing digital authentication credentials (secrets), such as passwords, API keys, tokens, and certificates, throughout their lifecycle. Essential for preventing unauthorized access.
- Threat Modeling
- A proactive process of identifying potential threats, vulnerabilities, and attack vectors relevant to an application or system, and then defining countermeasures to prevent or mitigate their effects. This is often a starting point for secure design.
- Vulnerability
- A weakness in a system, application, or process that could be exploited by an attacker to compromise security.
- Penetration Testing (Pen Test)
- An authorized, simulated cyberattack on a computer system, performed to evaluate its security. The test identifies weaknesses (vulnerabilities), including the potential for unauthorized parties to gain access to the system's features and data, as well as strengths, so that a full risk assessment can be completed.
- Immutable Infrastructure
- An approach where servers, once deployed, are never modified. If changes are needed, new servers are built from a common image with the changes and replace the old ones. This can improve security and simplify management, a concept often used with containerization technologies.