
Name – Aarya Raakh

Roll No. – 21111040

Q1. 1. Explain DevSecOps and all the terms.

DevSecOps is an approach to software development and operations that integrates security practices
into the entire software development lifecycle. It aims to ensure that security considerations are
prioritized and incorporated early on in the development process, rather than being treated as an
afterthought.

DevOps: DevOps is a software development methodology that emphasizes collaboration and
integration between development (Dev) and operations (Ops) teams. It focuses on automating
processes, improving communication, and increasing efficiency throughout the software
development lifecycle.

Security (Sec): Security refers to protecting software applications and systems from potential threats
and vulnerabilities. In the context of DevSecOps, it involves implementing security controls,
conducting security assessments, and ensuring compliance with relevant regulations and best
practices.

Software Development Lifecycle (SDLC): The SDLC represents the phases through which software
goes, from its initial conception to retirement. It typically includes requirements gathering, design,
development, testing, deployment, and maintenance. DevSecOps integrates security practices
throughout each stage of the SDLC.

Continuous Integration (CI): Continuous Integration is a practice in which developers frequently
merge their code changes into a central repository. This approach allows for early detection of
integration issues and encourages collaboration among team members.

Continuous Delivery (CD): Continuous Delivery is an extension of continuous integration that ensures
software can be reliably released at any time. It involves automating the build, test, and deployment
processes to enable faster and more frequent releases.

Automation: Automation involves using tools and scripts to perform repetitive tasks automatically. In
the context of DevSecOps, automation is crucial for tasks such as code scanning, vulnerability testing,
security configuration checks, and deployment processes.

Infrastructure as Code (IaC): Infrastructure as Code refers to the practice of managing and
provisioning infrastructure resources (e.g., servers, networks, and storage) using machine-readable
configuration files. This approach allows for consistent, version-controlled, and automated
infrastructure deployment, reducing the risk of misconfiguration and enhancing security.
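Because IaC is plain, machine-readable data, the same security checks that apply to application code can be applied to the infrastructure definition before anything is provisioned. The following is an added example (not part of the original assignment and not a real tool): a small policy-as-code check over a constructed, simplified plan-like structure, showing a weak configuration next to its corrected form. The resource layout, rule names, severities, the bastion range 10.0.0.0/24 and the helper functions are all assumptions made for this example.

```python
"""Policy-as-code check over an Infrastructure-as-Code document.

Added example, not part of the original assignment or of any real tool.
The input is a constructed, simplified plan-like structure (resource type
-> resource name -> attributes); rule names, severities and helpers are
assumptions made for this example.
"""
import ipaddress

# Constructed sample plan with two problems: SSH open to the whole Internet
# and a bucket that is both world-readable and unencrypted.
WEAK_PLAN = {
    "aws_security_group": {
        "web": {
            "ingress": [
                {"from_port": 443, "to_port": 443, "cidr_blocks": ["0.0.0.0/0"]},
                {"from_port": 22, "to_port": 22, "cidr_blocks": ["0.0.0.0/0"]},
            ]
        }
    },
    "aws_s3_bucket": {
        "logs": {"acl": "private", "sse_algorithm": "AES256"},
        "uploads": {"acl": "public-read", "sse_algorithm": None},
    },
}

# The same plan after the fixes: SSH limited to an assumed bastion range
# (10.0.0.0/24) and the bucket made private and encrypted at rest.
FIXED_PLAN = {
    "aws_security_group": {
        "web": {
            "ingress": [
                {"from_port": 443, "to_port": 443, "cidr_blocks": ["0.0.0.0/0"]},
                {"from_port": 22, "to_port": 22, "cidr_blocks": ["10.0.0.0/24"]},
            ]
        }
    },
    "aws_s3_bucket": {
        "logs": {"acl": "private", "sse_algorithm": "AES256"},
        "uploads": {"acl": "private", "sse_algorithm": "aws:kms"},
    },
}

# Ports that should never be reachable from arbitrary source addresses.
ADMIN_PORTS = {22, 3389, 5985, 5986}


def is_world_open(cidr: str) -> bool:
    """True for 0.0.0.0/0 or ::/0 (any prefix of length zero)."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def check_security_groups(plan: dict) -> list:
    """Flag ingress rules that expose an admin port to the whole Internet."""
    findings = []
    for name, sg in plan.get("aws_security_group", {}).items():
        for rule in sg.get("ingress", []):
            ports = range(rule["from_port"], rule["to_port"] + 1)
            exposed = sorted(ADMIN_PORTS.intersection(ports))
            if exposed and any(is_world_open(c) for c in rule["cidr_blocks"]):
                findings.append(("HIGH", f"aws_security_group.{name}",
                                 f"admin port(s) {exposed} open to 0.0.0.0/0"))
    return findings


def check_buckets(plan: dict) -> list:
    """Flag public ACLs and missing server-side encryption."""
    findings = []
    for name, bucket in plan.get("aws_s3_bucket", {}).items():
        if bucket.get("acl", "private") != "private":
            findings.append(("HIGH", f"aws_s3_bucket.{name}",
                             f"public ACL {bucket['acl']!r}"))
        if not bucket.get("sse_algorithm"):
            findings.append(("MEDIUM", f"aws_s3_bucket.{name}",
                             "server-side encryption not configured"))
    return findings


def evaluate(plan: dict) -> list:
    """Run every rule and return (severity, resource, message) tuples."""
    return check_security_groups(plan) + check_buckets(plan)


def passes_gate(plan: dict, block_on=("HIGH",)) -> bool:
    """CI gate: the plan may be applied only if no blocking finding exists."""
    return not any(sev in block_on for sev, _, _ in evaluate(plan))


if __name__ == "__main__":
    for label, plan in (("weak", WEAK_PLAN), ("fixed", FIXED_PLAN)):
        print(f"{label}: gate {'passes' if passes_gate(plan) else 'FAILS'}")
        for sev, resource, msg in evaluate(plan):
            print(f"  [{sev}] {resource}: {msg}")
```

Run as a pipeline step, `passes_gate` is what decides whether the apply stage may proceed; because the plan is version-controlled, the finding points at a specific line in a specific commit, which is what makes the misconfiguration cheap to fix before deployment rather than after.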

Shift Left: Shift Left refers to the integration of security practices earlier in the development process.
Traditionally, security considerations were addressed late in the SDLC. However, in DevSecOps,
security testing and assessments are performed early, enabling developers to address vulnerabilities
and weaknesses proactively.

Threat Modeling: Threat modeling is a process used to identify potential threats and vulnerabilities in
a system or application. It involves analyzing the system's architecture, understanding potential
attacker motivations, and identifying potential attack vectors. By conducting threat modeling,
developers can implement security controls that mitigate the identified risks.

Security Testing: Security testing involves assessing the security of an application or system to
identify vulnerabilities and weaknesses before an attacker can exploit them. It includes activities
such as static analysis of source code (SAST, as with SonarQube), penetration testing, vulnerability
scanning, code reviews, and security configuration checks.
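The automated code scanning mentioned under Automation and the SAST activity mentioned here are the same idea: rules evaluated over the source on every commit, with the pipeline failing when a rule of blocking severity matches. The following is an added example (not part of the original assignment and not SonarQube's engine) of such a scanner built on Python's ast module, with a constructed vulnerable snippet beside its hardened form. The two snippets, the rule ids, the severity levels and the gate function are assumptions made for this example.

```python
"""Minimal SAST-style scanner with a CI gate, built on Python's ast module.

Added example, not part of the original assignment and not SonarQube's
engine; it shows the kind of check that a SAST tool automates and that a
shift-left pipeline runs on every commit. The two source snippets are
constructed for this example, and the rule set is this example's own.
"""
import ast

# Constructed snippet with three weaknesses a SAST rule can catch.
VULNERABLE_SNIPPET = '''
import os, subprocess

DB_PASSWORD = "hunter2"

def run(cmd):
    return subprocess.run(cmd, shell=True)

def load(expr):
    return eval(expr)
'''

# The same code after the fixes: secret from the environment, no shell,
# and a safe literal parser instead of eval.
HARDENED_SNIPPET = '''
import os, subprocess, ast, shlex

DB_PASSWORD = os.environ["DB_PASSWORD"]

def run(cmd):
    return subprocess.run(shlex.split(cmd))

def load(expr):
    return ast.literal_eval(expr)
'''

SECRET_NAMES = ("PASSWORD", "SECRET", "TOKEN", "API_KEY")
SHELL_FUNCS = {"run", "call", "check_call", "check_output", "Popen"}


def _hardcoded_secret(node) -> bool:
    """Assignment of a non-empty string literal to a secret-looking name."""
    if not isinstance(node, ast.Assign):
        return False
    named_like_secret = any(
        isinstance(t, ast.Name) and any(s in t.id.upper() for s in SECRET_NAMES)
        for t in node.targets)
    literal = isinstance(node.value, ast.Constant) and isinstance(node.value.value, str)
    return named_like_secret and literal and bool(node.value.value)


def _dynamic_code(node) -> bool:
    """Call to eval() or exec() by name."""
    return (isinstance(node, ast.Call) and isinstance(node.func, ast.Name)
            and node.func.id in {"eval", "exec"})


def _shell_true(node) -> bool:
    """subprocess-style call with shell=True passed as a literal keyword."""
    if not (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
            and node.func.attr in SHELL_FUNCS):
        return False
    return any(kw.arg == "shell" and isinstance(kw.value, ast.Constant)
               and kw.value.value is True for kw in node.keywords)


# (rule id, severity, predicate): assumed names, not a real tool's rule ids
RULES = [
    ("hardcoded-credential", "HIGH", _hardcoded_secret),
    ("dynamic-code-execution", "HIGH", _dynamic_code),
    ("subprocess-shell-true", "HIGH", _shell_true),
]


def scan(source: str) -> list:
    """Return (line, rule id, severity) for every rule match, in source order."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        for rule_id, severity, predicate in RULES:
            if predicate(node):
                findings.append((node.lineno, rule_id, severity))
    return sorted(findings)


def gate(findings: list, fail_on=("HIGH",)) -> int:
    """Exit status for the pipeline step: 1 blocks the merge, 0 lets it through."""
    return 1 if any(sev in fail_on for _, _, sev in findings) else 0


if __name__ == "__main__":
    for label, src in (("vulnerable", VULNERABLE_SNIPPET), ("hardened", HARDENED_SNIPPET)):
        found = scan(src)
        print(f"{label}: {len(found)} finding(s), gate exit code {gate(found)}")
        for line, rule_id, sev in found:
            print(f"  line {line}: [{sev}] {rule_id}")
```

Working on the syntax tree rather than on regular expressions is what keeps the rules precise: a string that merely contains the word "password" in a comment is not an assignment, and `shell=True` is only flagged when it is passed to a subprocess-style call. Real SAST tools add data-flow analysis on top of this, so that a value read from a request and later passed to `eval` is caught even when it flows through several variables.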

In summary, DevSecOps is an approach that combines the principles of DevOps and security to
ensure that software development and operations are conducted with security as a top priority. It
involves integrating security practices throughout the SDLC, leveraging automation, and promoting
collaboration between development, operations, and security teams.

2. Send the screenshot of SonarQube SAST analysis of code written in Assignment number 6.
