DevSecOps
Integrating security into CI/CD pipelines, Infrastructure as Code scanning, shift-left testing, and secure software delivery.
Overview
DevSecOps embeds security as a shared responsibility throughout the entire software delivery lifecycle. Instead of security being a gate at the end, it is integrated into every phase, from coding to deployment. It encompasses shift-left security, automated testing in CI/CD, infrastructure as code scanning, container security, and supply chain protection.
Key Concepts
Shift-Left Security
Moving security testing earlier in the SDLC. Detecting vulnerabilities during coding (IDE plugins, pre-commit hooks) rather than after deployment. Reduces cost and risk.
CI/CD Pipeline Security
Automated security gates in build pipelines: SAST, SCA, container scanning, IaC scanning, secrets detection. Fail builds on critical findings.
Infrastructure as Code (IaC) Security
Scanning Terraform, CloudFormation, Kubernetes manifests for misconfigurations before deployment. Tools: Checkov, tfsec, KICS, Bridgecrew.
Secrets Management
Preventing hard-coded secrets in code. Using vaults (HashiCorp Vault, AWS Secrets Manager), pre-commit scanning (git-secrets, detect-secrets), and rotation policies.
Container Security
Image scanning in registries, minimal base images, non-root containers, signing and attestation, runtime protection with Falco/Sysdig.
Supply Chain Security
Verifying integrity of dependencies, build systems, and deployment artifacts. SLSA framework, SBOM generation, artifact signing, and provenance attestation.
DevSecOps Pipeline Architecture
Figure: Secure DevOps Pipeline. Security integrated at every stage, from code to monitoring to AI-powered operations.
Interview Preparation
How would you implement DevSecOps in an organization?
Phased approach:
1) Start with secrets scanning in pre-commit hooks (quick win).
2) Add SAST and SCA to CI/CD with initially non-blocking alerts.
3) Introduce IaC scanning for Terraform/K8s.
4) Add container image scanning in the registry.
5) Implement DAST in staging pipelines.
6) Graduate to blocking builds on critical/high findings.
7) Establish a security champion program.
8) Measure with metrics: vulnerability escape rate, MTTR, developer adoption rate, pipeline failure false positive rate.
Cultural change is harder than tooling.
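The severity gate described under CI/CD Pipeline Security ("fail builds on critical findings") and in steps 2 and 6 of the phased approach above, as an added example that is not code from the original page: a script that reads a scanner report, counts findings per severity, and exits non-zero only in enforce mode, so the same stage can run non-blocking first and be switched to blocking later. The report layout is assumed to mirror Trivy's JSON output; the embedded sample report and its CVE ids are constructed placeholders.

```python
"""CI/CD severity gate: count scanner findings and decide whether to fail the build.

mode="audit" reports but never fails (non-blocking rollout phase);
mode="enforce" fails when any finding is at or above the threshold.
"""
import json
import sys
from collections import Counter

# Least to most severe; the list index is the rank compared against the threshold.
SEVERITY_ORDER = ["UNKNOWN", "LOW", "MEDIUM", "HIGH", "CRITICAL"]

# Constructed sample report. The layout (Results[].Vulnerabilities[] with
# VulnerabilityID, Severity, FixedVersion) is assumed to mirror Trivy's JSON output;
# the CVE ids are placeholders, not real advisories.
SAMPLE_REPORT = json.dumps({"Results": [{"Target": "app:1.0 (debian 12)", "Vulnerabilities": [
    {"VulnerabilityID": "CVE-PLACEHOLDER-1", "PkgName": "libexample", "Severity": "CRITICAL", "FixedVersion": "1.2.3"},
    {"VulnerabilityID": "CVE-PLACEHOLDER-2", "PkgName": "libother", "Severity": "HIGH", "FixedVersion": ""},
    {"VulnerabilityID": "CVE-PLACEHOLDER-3", "PkgName": "libminor", "Severity": "LOW", "FixedVersion": "0.9"},
]}]})


def severity_rank(name):
    """Rank a severity label; labels the gate does not know rank lowest and never block."""
    label = name.upper()
    return SEVERITY_ORDER.index(label) if label in SEVERITY_ORDER else 0


def evaluate_gate(report_json, threshold="HIGH", mode="enforce", ignore_unfixed=False):
    """Return (should_fail, blocking_count, counts_by_severity)."""
    counts = Counter()
    blocking = 0
    for result in json.loads(report_json).get("Results", []):
        for vuln in result.get("Vulnerabilities") or []:  # key may be null for a clean target
            sev = vuln.get("Severity", "UNKNOWN").upper()
            counts[sev] += 1
            if ignore_unfixed and not vuln.get("FixedVersion"):
                continue  # nothing actionable yet: report it, but do not block on it
            if severity_rank(sev) >= severity_rank(threshold):
                blocking += 1
    return (mode == "enforce" and blocking > 0), blocking, counts


if __name__ == "__main__":
    # Usage: gate.py [report.json] [threshold] [audit|enforce]; defaults to the sample report.
    report = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_REPORT
    threshold = sys.argv[2] if len(sys.argv) > 2 else "HIGH"
    mode = sys.argv[3] if len(sys.argv) > 3 else "enforce"
    fail, blocking, counts = evaluate_gate(report, threshold, mode)
    print(f"findings: {dict(counts)}; {blocking} at/above {threshold}; mode={mode}")
    sys.exit(1 if fail else 0)  # a non-zero exit is what makes the pipeline stage fail
```

Switching a team from phase 2 to phase 6 is then a one-argument change (audit to enforce) rather than a new pipeline stage.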
What tools would you use in a DevSecOps pipeline?
- Code: Semgrep (SAST), git-secrets (secrets).
- Build: Snyk/Dependabot (SCA), Syft (SBOM).
- Test: OWASP ZAP (DAST), Checkov (IaC scanning), Trivy (container scanning).
- Deploy: OPA/Kyverno (policy enforcement), Cosign (image signing).
- Runtime: Falco (container runtime), CloudGuard (CSPM).
- Orchestration: GitHub Actions/GitLab CI for the pipeline, DefectDojo for vulnerability aggregation.
Key: choose tools that integrate well, minimize developer friction, and provide actionable results.
Framework Mapping
| Framework | Relevant Controls |
|---|---|
| NIST | SP 800-53 SA-11 (Dev Testing), SA-15 (Dev Process), CM-3 (Config Change Control), SI-7 (SW Integrity) |
| OWASP | SAMM (Software Assurance Maturity Model), DevSecOps Guideline |
| MITRE | T1195 (Supply Chain Compromise), T1072 (Software Deployment Tools) |