
There is a thing about implementing security in the early phases. OWASP mentions implementing it through an AppSec Pipeline. DevOps folks talk about DevSecOps. Looking at the diagrams and phases of implementation, it seems like they are both the same? Yet somewhat distinct from each other.

So what's what?

Lester T.

1 Answer


DevOpsSec CI/CD pipelines generally refer to AWS environments with Auto Scaling and Lambda features, as well as provisioning through Terraform or CloudFormation. DevOps in 2017 should likely include agentless functionality, such as ServerSpec (and/or Test Kitchen). The DevOpsSec book from O'Reilly publishing does make mention of many of these paradigms. The book is actually accurately named DevOpsSec, not DevSecOps.

OWASP AppSec pipelines are different. They are not strictly CI/CD pipelines, but more so a way of automating hybrid vulnerability (and therefore also software weakness) analysis. The platform Cigital ESP was a classic example of this, but many are looking to secure-appdev platforms such as CodeDx, ThreadFix, SD Elements, or Signal Sciences for a 2017-equivalent. In some cases, an AppSec pipeline could consist of a CI/CD pipeline (i.e., Jenkins) and plug in the functionality of other open-source projects such as find-sec-bugs and OWASP ZAP.

A true DevOps pipeline is a CI/CD pipeline with automated testing and deployment. This would require, for example, integration of ServerSpec, Packer (to launch AMIs), and Jenkins Jobs -- but with the additional ability to perform A/B testing while utilizing an ELB for blue/green deployments. AppSec pipelines are never this complex, and I would argue that AppSec is more difficult to integrate into these environments, especially if the AppSec teams are not communicating effectively with the DevOps teams. The first step in communication is to get the ability to perform automated OS (and package, e.g., rpm/yum, dpkg/apt) updates through Auto Scaling functionality. The surprise is that it's the same CI/CD and deployment techniques that can empower these.

The final piece to seeing full integration of an AppSec pipeline with a DevOps pipeline would be to utilize Start-Stop Lambda CloudWatch for the automated hybrid vulnerability analysis.

atdre
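The answer above describes an AppSec pipeline built by plugging find-sec-bugs and OWASP ZAP into a Jenkins CI/CD job. The following is an added example (not from the question, the answer, or either project) of the gate step such a job would run after both scanners finish: it parses a find-sec-bugs (SpotBugs) XML report and a ZAP JSON report and returns the findings that should fail the build. Both reports are constructed inline, and the rank/risk thresholds are assumed policy values, not anything the answer specifies.

```python
"""AppSec-pipeline quality gate (constructed example): parse a find-sec-bugs/SpotBugs
XML report and an OWASP ZAP JSON report, then decide whether the CI stage should fail.
The two report excerpts below are constructed samples, not output of a real scan."""
import json
import xml.etree.ElementTree as ET

# Constructed SpotBugs/find-sec-bugs XML excerpt. find-sec-bugs patterns carry
# category="SECURITY"; rank runs 1 (scariest) .. 20 (of concern).
SPOTBUGS_XML = """<BugCollection>
  <BugInstance type="SQL_INJECTION_JDBC" priority="1" rank="3" category="SECURITY">
    <Class classname="app.UserDao"/></BugInstance>
  <BugInstance type="DM_DEFAULT_ENCODING" priority="2" rank="15" category="I18N">
    <Class classname="app.Util"/></BugInstance>
</BugCollection>"""

# Constructed ZAP traditional JSON report excerpt; riskcode 0=info, 1=low, 2=medium, 3=high.
ZAP_JSON = json.dumps({"site": [{"@name": "http://app.test", "alerts": [
    {"alert": "Cross Site Scripting (Reflected)", "riskcode": "3", "confidence": "2"},
    {"alert": "X-Content-Type-Options Header Missing", "riskcode": "1", "confidence": "2"},
]}]})

def spotbugs_security_findings(xml_text, max_rank=9):
    """Return (type, rank) for SECURITY bugs at rank <= max_rank (assumed policy: 'scary' or worse)."""
    root = ET.fromstring(xml_text)
    return [(b.get("type"), int(b.get("rank")))
            for b in root.iter("BugInstance")
            if b.get("category") == "SECURITY" and int(b.get("rank")) <= max_rank]

def zap_findings(json_text, min_risk=2):
    """Return (alert, riskcode) for ZAP alerts at or above min_risk (assumed policy: medium+)."""
    report = json.loads(json_text)
    return [(a["alert"], int(a["riskcode"]))
            for site in report.get("site", [])
            for a in site.get("alerts", [])
            if int(a["riskcode"]) >= min_risk]

def gate(xml_text, json_text):
    """Combine both scanners; a non-empty list means the pipeline stage should fail."""
    blockers = [f"find-sec-bugs: {t} (rank {r})" for t, r in spotbugs_security_findings(xml_text)]
    blockers += [f"zap: {a} (risk {r})" for a, r in zap_findings(json_text)]
    return blockers

if __name__ == "__main__":
    blockers = gate(SPOTBUGS_XML, ZAP_JSON)
    for line in blockers:
        print("BLOCKER", line)
    raise SystemExit(1 if blockers else 0)  # non-zero exit fails the Jenkins stage
```

In a Jenkins job the two scanners would write their reports to the workspace and this script would be the final `sh` step, so the build status reflects the security findings rather than only the unit tests.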