DevSecOps

A term that has increasingly gained traction in the industry is DevSecOps: the convergence of development, security, and operations. As DevOps practices have become more common and accepted throughout the technology industry, security was left behind in the agile-driven practices espoused by DevOps.

DevSecOps applies the same agile "build it and own it" mentality to security, pulling it into the fold of continuous integration and deployment. It ultimately rejects the belief that a specific set of resources or a small team owns security. It is the culmination of tools, platform, and mindset, and the idea that everyone is responsible for security and needs to implement good security practices at every stage of the develop/deploy/operate life cycle.

There are principal guidelines for DevSecOps that constitute a cloud native approach, and these are demonstrated perfectly by the DevSecOps manifesto:

Similar to topics covered in Chapter 5, Scalable and Available, security stands to benefit from defining everything as code, termed here Security as Code (SaC). This means taking the same IaC approach and applying it to security enforcement and operations. Access controls, firewalls, and security groups can be defined within templates and recipes. These templates should be shared across the organization as the starting point for creating an environment. They can also be used as points of reference to track drift from approved patterns.
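The drift tracking described above can be sketched as a comparison between an approved security-group template and the rules observed in a running environment. This is an added example, not code from the book; the group names, the rule format, and the `rule_set` and `find_drift` functions are assumptions made for illustration, and both data sets are constructed samples.

```python
# Constructed sample: approved security-group template kept in version control.
APPROVED = {
    "web-sg": {"ingress": [
        {"protocol": "tcp", "port": 443, "cidr": "0.0.0.0/0"},
        {"protocol": "tcp", "port": 22, "cidr": "10.0.0.0/8"},
    ]},
    "db-sg": {"ingress": [{"protocol": "tcp", "port": 5432, "cidr": "10.0.1.0/24"}]},
}

# Constructed sample: rules exported from the running environment.
OBSERVED = {
    "web-sg": {"ingress": [
        {"protocol": "TCP", "port": "443", "cidr": "0.0.0.0/0"},
        {"protocol": "tcp", "port": 22, "cidr": "0.0.0.0/0"},
    ]},
    "debug-sg": {"ingress": [{"protocol": "tcp", "port": 8080, "cidr": "0.0.0.0/0"}]},
}


def rule_set(group):
    """Normalize ingress rules into comparable (protocol, port, cidr) tuples."""
    return {(r["protocol"].lower(), int(r["port"]), r["cidr"])
            for r in group.get("ingress", [])}


def find_drift(approved, observed):
    """Return (group, kind, rule) findings; rule is None for whole-group drift."""
    findings = []
    for name in sorted(set(approved) | set(observed)):
        if name not in approved:
            findings.append((name, "unapproved-group", None))
        elif name not in observed:
            findings.append((name, "missing-group", None))
        else:
            want, have = rule_set(approved[name]), rule_set(observed[name])
            findings += [(name, "added-rule", r) for r in sorted(have - want)]
            findings += [(name, "removed-rule", r) for r in sorted(want - have)]
    return findings


if __name__ == "__main__":
    for finding in find_drift(APPROVED, OBSERVED):
        print(finding)
```

Run as a pipeline step, a non-empty result can fail the build or open a ticket, so a change such as SSH widened from an internal range to `0.0.0.0/0` is caught against the approved template.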
