Bake security into every step of delivery.
3 topics
DevSecOps starts with a security-first mindset. Threat modeling (STRIDE, DREAD, PASTA) is the practice of identifying what can go wrong before you write code. You map data flows, trust boundaries, and entry points, then brainstorm threats for each. Every feature design should include a lightweight threat model. This proactive approach catches vulnerabilities at design time rather than in production. Understand the difference between vulnerabilities, threats, and risks. Learn the CIA triad (Confidentiality, Integrity, Availability) and the principle of least privilege. Security is everyone's responsibility — DevSecOps means making it part of the culture, not a gate at the end.
2 resources
The OWASP Top 10 lists the most critical web application security risks: injection, broken authentication, sensitive data exposure, XML external entities, broken access control, security misconfiguration, XSS, insecure deserialization, using components with known vulnerabilities, and insufficient logging. CWE (Common Weakness Enumeration) is a broader catalog of software weakness types. Understanding these is the baseline for secure development. Every developer and DevSecOps engineer should know how to identify and prevent each of these in code reviews, automated scans, and architecture decisions. Map your scanning tools to specific CWE/OWASP categories for traceability.
Secure coding means writing code that is resilient to attack. Key practices include: input validation (never trust user input — validate type, length, range, and format), output encoding (prevent XSS by encoding data before rendering), parameterized queries (prevent SQL injection), proper error handling (never expose stack traces or internal details), secure defaults (deny by default, allow explicitly), cryptographic best practices (use established libraries, never roll your own crypto), and secrets management (never hardcode passwords, API keys, or tokens). Use linting rules and code review checklists to enforce these practices. Languages and frameworks offer built-in protections — learn what your stack provides and ensure those protections are not bypassed.
4 topics
Static Application Security Testing (SAST) analyzes source code for vulnerabilities without executing it. SAST tools scan for patterns like SQL injection, XSS, buffer overflows, hardcoded secrets, and insecure cryptography. Integrate SAST into your CI pipeline so every pull request is scanned before merge. Popular tools include: Semgrep (fast, customizable rules), SonarQube (broad language support), CodeQL (GitHub's semantic analysis), and Snyk Code. SAST catches issues early (shift-left) but can produce false positives — tune rules for your codebase and triage findings to reduce noise. Combine SAST with secret scanning tools like Gitleaks or TruffleHog to catch exposed credentials.
Dynamic Application Security Testing (DAST) tests a running application by sending malicious requests and analyzing responses. Unlike SAST which reads code, DAST attacks the application like an external attacker would. It finds runtime vulnerabilities: XSS, injection, authentication flaws, CORS misconfigurations, and missing security headers. OWASP ZAP is the leading open-source DAST tool — it can be run in CI pipelines against staging environments. Burp Suite is the commercial standard for manual penetration testing. DAST complements SAST: SAST finds code-level issues, DAST finds deployment and configuration issues. Run DAST against staging environments in your CD pipeline, not production (to avoid disruption).
Software Composition Analysis (SCA) identifies vulnerabilities in third-party dependencies. Modern applications use hundreds of open-source packages, each with their own dependencies — any one could contain known vulnerabilities (CVEs). SCA tools scan your dependency tree against vulnerability databases: Snyk, Dependabot (GitHub), Renovate, npm audit, and Trivy. Integrate SCA into CI to block merges that introduce critical vulnerabilities. Establish a policy: critical CVEs block deployment, high CVEs require a fix within a sprint, medium/low are tracked and scheduled. License compliance is another SCA function — ensure dependencies use compatible open-source licenses. Pin dependency versions and use lock files to prevent supply chain attacks.
Container images can contain vulnerable OS packages, misconfigured settings, and embedded secrets. Scan images in CI before pushing to a registry using Trivy, Grype, or Snyk Container. Check for: running as root, unnecessary packages, outdated base images, and exposed secrets. For Infrastructure as Code (IaC), tools like Checkov, tfsec, and KICS scan Terraform, CloudFormation, Kubernetes YAML, and Dockerfiles for security misconfigurations — open security groups, unencrypted storage, missing logging, overly permissive IAM policies. Integrate these scans into pull request checks so infrastructure changes get the same security review as application code.
Secrets (API keys, database passwords, certificates, tokens) must never be stored in code, config files, or environment variables in plain text. Use a dedicated secrets manager: HashiCorp Vault (the gold standard — dynamic secrets, auto-rotation, audit logging), AWS Secrets Manager, Azure Key Vault, or Doppler. In Kubernetes, use External Secrets Operator to sync from your vault to K8s secrets. In CI/CD, use encrypted secrets (GitHub Secrets, GitLab CI Variables). Implement secret rotation — automatically change credentials on a schedule without downtime. Scan for accidentally committed secrets with pre-commit hooks (Gitleaks) and CI scanners. If a secret is exposed, rotate immediately and audit access logs.
Runtime security protects applications after deployment. Web Application Firewalls (WAFs) like Cloudflare WAF or AWS WAF inspect HTTP traffic and block malicious requests (SQL injection, XSS, bot attacks). Runtime Application Self-Protection (RASP) instruments the application itself to detect and block attacks in real-time. Container runtime security tools like Falco monitor system calls for suspicious behavior (shell in container, unexpected network connections, privilege escalation). Implement security-focused logging: log authentication events, authorization failures, input validation failures, and admin actions. Send security logs to a SIEM (Security Information and Event Management) for correlation and alerting. Regular vulnerability scanning of production infrastructure with tools like Nessus or Qualys rounds out runtime security.
Compliance frameworks define security requirements for regulated industries. SOC 2 (trust services criteria for SaaS companies), ISO 27001 (information security management), PCI DSS (payment card data), HIPAA (healthcare data), and GDPR (EU data privacy) each have specific technical controls you must implement and evidence. DevSecOps automates compliance: policy-as-code with Open Policy Agent (OPA) enforces rules at deployment time, automated evidence collection documents control effectiveness, and continuous compliance monitoring ensures drift is detected. Use frameworks like NIST CSF to structure your security program. Regular penetration testing (at least annually) validates your security posture. Document everything — audit trails, remediation timelines, and risk acceptance decisions.