DevSecOps: Shifting Security Left
DevSecOps integrates security into every stage of the software lifecycle — automated, continuous, and owned by everyone, not bolted on at the end.
Shift Left
The earlier you catch a flaw, the cheaper it is to fix. A bug found in design costs a fraction of one found in production.
Plan → Code → Build → Test → Deploy → Operate
└──── security at EVERY stage, automated ────┘
Security in the CI/CD Pipeline
| Stage | Security activity | Tools |
|---|---|---|
| Code | Pre-commit secret scanning, IDE linting | gitleaks, Semgrep |
| Build | SAST (static analysis), SCA (dependencies) | Semgrep, Snyk, Dependabot |
| Test | DAST (running-app scanning) | OWASP ZAP |
| Container | Image scanning, IaC scanning | Trivy, Checkov, tfsec |
| Deploy | Signing, policy gates | cosign, OPA |
| Operate | Runtime monitoring, posture management | Falco, CSPM |
SAST vs DAST vs SCA vs IAST
- SAST — analyzes source code for flaws (white-box, early).
- DAST — tests the running app from outside (black-box).
- SCA — finds vulnerable third-party dependencies.
- IAST — instruments the app during testing (hybrid).
Use them together — each catches what the others miss.
Software Supply-Chain Security
Modern apps are mostly third-party code. Attacks like SolarWinds, Log4Shell, and malicious npm packages target the supply chain.
Defenses:
- SCA / dependency scanning + automated updates.
- SBOM (Software Bill of Materials) — an inventory of every component, so you can instantly answer "are we affected by CVE-X?"
- Pin and verify dependencies; use lockfiles.
- Sign artifacts (Sigstore) and verify provenance (SLSA framework).
- Beware typosquatting and dependency confusion in package registries.
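The SBOM lookup described above ("are we affected by CVE-X?"), as an added example that is not part of the original notes: a small constructed CycloneDX-style SBOM is matched against a hand-written advisory list. Package names and the CVE ids are placeholders invented for illustration; the version-range convention (introduced <= version < fixed) follows the OSV schema.

```python
import json

# Constructed CycloneDX-style SBOM with hypothetical package names (not a real project).
SBOM_JSON = """{"bomFormat": "CycloneDX", "specVersion": "1.4", "components": [
  {"type": "library", "name": "acme-parser", "version": "1.4.2", "purl": "pkg:pypi/acme-parser@1.4.2"},
  {"type": "library", "name": "acme-parser", "version": "1.5.0", "purl": "pkg:pypi/acme-parser@1.5.0"},
  {"type": "library", "name": "widget-log", "version": "2.14.1", "purl": "pkg:maven/com.example/widget-log@2.14.1?type=jar"},
  {"type": "library", "name": "leftpad", "version": "0.9.3", "purl": "pkg:npm/leftpad@0.9.3"}
]}"""

# Constructed advisories with placeholder ids. Ranges use the OSV convention
# "introduced <= version < fixed"; fixed=None means no fixed release exists yet.
ADVISORIES = [
    {"id": "CVE-PLACEHOLDER-0001", "package": "pkg:pypi/acme-parser", "introduced": "1.0.0", "fixed": "1.5.0"},
    {"id": "CVE-PLACEHOLDER-0002", "package": "pkg:maven/com.example/widget-log", "introduced": "2.0.0", "fixed": "2.15.0"},
    {"id": "CVE-PLACEHOLDER-0003", "package": "pkg:npm/leftpad", "introduced": "1.0.0", "fixed": None},
]

def parse_version(text):
    """'2.14.1' -> (2, 14, 1): tuples compare numerically, so 2.14 > 2.9 as intended."""
    return tuple(int("".join(c for c in p if c.isdigit()) or 0) for p in text.split("."))

def split_purl(purl):
    """'pkg:type/ns/name@version?qualifiers#subpath' -> (package, version)."""
    base = purl.split("?", 1)[0].split("#", 1)[0]  # drop qualifiers and subpath
    package, _, version = base.partition("@")
    return package, version

def is_affected(version, advisory):
    """True when version lies inside the advisory's [introduced, fixed) range."""
    v = parse_version(version)
    if v < parse_version(advisory["introduced"]):
        return False
    return advisory["fixed"] is None or v < parse_version(advisory["fixed"])

def affected_components(sbom_json, advisories):
    """Return (purl, advisory id) for every SBOM component inside a vulnerable range."""
    hits = []
    for comp in json.loads(sbom_json).get("components", []):
        package, version = split_purl(comp["purl"])
        for adv in advisories:
            if adv["package"] == package and is_affected(version, adv):
                hits.append((comp["purl"], adv["id"]))
    return hits

if __name__ == "__main__":
    for purl, cve in affected_components(SBOM_JSON, ADVISORIES):
        print(f"AFFECTED {purl} by {cve}")
```

Note the boundary case: acme-parser 1.5.0 is the fixed release and is correctly not reported, while 1.4.2 is; a lexical string comparison would get 2.14.1 vs 2.9 wrong, which is why versions are parsed into tuples.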
Secrets Management
- Never commit secrets — scan commits and history.
- Use a secrets manager / vault (HashiCorp Vault, cloud secret stores).
- Inject secrets at runtime, not build time.
- Rotate regularly and on exposure; use short-lived, dynamic secrets where possible.
Infrastructure as Code (IaC) Security
When infra is code (Terraform, CloudFormation), it can be scanned before deployment:
- Scan with Checkov / tfsec / Terrascan in CI.
- Enforce policy as code (OPA) — block insecure configs from ever deploying.
- Get the security benefits of code review and version control for your infrastructure.
Culture
DevSecOps is as much culture as tooling: shared ownership, fast blameless feedback, and security as an enabler — guardrails, not gates.