openskills.info

DevSecOps Fundamentals

itOffensive security and application security

DevSecOps Fundamentals

DevSecOps integrates security into the way you plan, build, test, release, and operate software. It does not create a separate security phase. It makes security part of the delivery system and gives every change a path from risk to evidence.

Use this mental model:

risk → requirement → change → checks → release decision → runtime feedback
  ↑                                                        ↓
  └────────────── defects, incidents, and learning ────────┘

The loop matters more than any single tool. A scanner can detect a known pattern. It cannot decide which risks matter to the product. A signed artifact can prove where a build came from. It cannot prove that the application has no vulnerabilities. DevSecOps connects these forms of evidence to owners and decisions.

What changes with DevSecOps

Traditional delivery can hand software from development to security and then to operations. Each handoff delays feedback and loses context. DevSecOps keeps the specialties but changes the working system.

  • Product teams include security requirements in planned work.
  • Developers receive fast feedback while a change is still small.
  • Security specialists define standards, threat models, reusable controls, and escalation paths.
  • Platform teams provide protected build and deployment paths.
  • Operations teams return runtime findings and incidents to the backlog.
  • Accountable owners make explicit release and risk decisions.

Security remains skilled work. Shared responsibility does not mean that responsibility is vague. Every control, exception, finding, and response action needs an owner.

Start with outcomes, not tools

NIST's Secure Software Development Framework groups secure development into four practice areas: prepare the organization, protect the software, produce well-secured software, and respond to vulnerabilities. These outcomes apply across development methods.

For one service, translate them into questions:

  1. Which security requirements and risks apply?
  2. How are source, credentials, build systems, and artifacts protected?
  3. Which design, code, dependency, configuration, and runtime checks provide evidence?
  4. Who decides whether the evidence is sufficient for release?
  5. How do vulnerabilities and incidents improve the next change?

This approach prevents a common failure: installing many tools without defining the decisions they support.

Map security across the delivery path

A delivery path starts before code enters a repository and continues after deployment.

StageSecurity workUseful evidence
PlanClassify risk, write requirements, assign ownersRisk record, acceptance criteria
DesignModel threats and trust boundariesThreat model, architecture decision
CodeUse secure patterns and review sensitive changesReview record, focused tests
BuildProtect dependencies, runners, and outputDependency inventory, build record
TestRun complementary security checksScoped findings and test results
ReleaseApply policy and verify artifact identityGate result, approval or exception
DeployUse controlled identities and configurationDeployment record, policy result
OperateDetect, respond, patch, and learnAlerts, incidents, remediation data

You can automate many of these activities. You cannot automate the product context that tells you what failure means.

Shift feedback left and keep it right

Shift left means moving useful feedback closer to planning, design, and coding. Examples include threat modeling before implementation, editor or commit-time secret detection, and fast static or dependency checks on a proposed change.

Early feedback is cheaper to act on because the relevant design and code are still in the team's working context. Yet early checks cannot see production identity, traffic, configuration, or attacker behavior.

Keep controls right as well. Verify release artifacts. Enforce deployment policy. Monitor security events. Test response. Feed operational evidence back into requirements and tests.

The goal is continuous feedback, not moving every control to the earliest possible point.

Build a layered verification portfolio

Security techniques inspect different surfaces:

  • Threat modeling examines the design, assets, trust boundaries, and abuse paths.
  • Static application security testing examines code or compiled artifacts without running the application.
  • Software composition analysis identifies third-party components and associated risk information.
  • Secret detection looks for exposed credentials and tokens.
  • Infrastructure-as-code scanning checks declarative infrastructure and policy.
  • Dynamic application security testing probes a running application from the outside.
  • Container and infrastructure scanning examines packaged software and deployed environments.
  • Manual review and purpose-built tests examine authorization, business logic, and system-specific requirements.

Do not run every check on every event. Fast, deterministic checks fit pull requests. Slower integration and dynamic tests may fit a protected test environment. Independent assessment may fit high-impact releases.

Define each check's scope, owner, expected signal, and response. A check that produces ignored findings is delay, not control.

Design useful gates

A security gate is a decision rule applied to evidence. A gate should answer four questions:

  1. What condition is being evaluated?
  2. Which result blocks or permits progress?
  3. Who owns remediation and exceptions?
  4. How long may an exception remain valid?

A useful gate might reject a release artifact when its provenance does not match an approved build path. A weak gate might block on every scanner label without considering reachability, impact, or an agreed policy.

When a gate fails, choose one of three paths: remediate and reverify, stop the release, or obtain an authorized and time-bounded risk acceptance. Suppressing the result is not a risk decision.

Protect the pipeline itself

The pipeline is part of the product's attack surface. It often holds source access, signing authority, package credentials, and deployment permissions. A compromised pipeline can turn a trusted delivery path into an attack path.

Apply these controls:

  • require reviewed changes to pipeline definitions;
  • use least-privilege workload identities instead of shared long-lived credentials;
  • keep secrets in managed stores and limit where they can be exposed;
  • isolate jobs and treat contributions, dependencies, plug-ins, and build scripts as untrusted input;
  • pin and verify external actions, packages, and base images according to policy;
  • separate build, approval, and production deployment authority where risk requires it;
  • retain security-relevant logs and protect them from alteration;
  • verify artifact integrity before deployment.

OWASP's CI/CD Security Cheat Sheet emphasizes source-control configuration, execution environments, identity, third-party code, integrity, and monitoring. Pipeline security is not the same as putting scanners in a pipeline. You must secure both the product and the machinery that produces it.

Know what you ship

A software bill of materials records components in a software product. It supports inventory, vulnerability response, and supplier communication. Generate it with the release so it reflects that release.

An inventory does not establish integrity by itself. Provenance describes where, when, and how an artifact was produced. SLSA defines progressively stronger build guarantees. At Build Level One, provenance exists. Level Two adds signed provenance from a hosted build platform. Level Three adds a hardened build platform.

Verification gives provenance operational value. A deployment system can check the signature, builder identity, source, and build parameters against expectations before accepting an artifact.

Neither an SBOM nor provenance proves secure code. The SBOM describes components. Provenance describes origin and process. Security tests and reviews provide other evidence.

Manage findings as engineering work

A finding becomes useful when it connects to context:

finding + affected asset + exposure + impact + owner + decision

Deduplicate repeated tool reports. Confirm the affected version and path. Add business impact and existing controls. Then assign a treatment and deadline.

Track more than finding counts. Useful measures include time to remediate by risk class, exception age, control coverage for critical services, repeated defect classes, and the percentage of releases produced through an approved path. Metrics should support a decision, not reward teams for hiding work.

Organize the human system

DevSecOps depends on clear interfaces between people.

  • Product owners define impact and accept risk within their authority.
  • Developers implement controls and tests with the change.
  • Security specialists create standards, advise on threats, tune controls, and challenge evidence.
  • Platform engineers maintain approved build and deployment paths.
  • Operations and incident responders provide runtime evidence and recovery capability.

Security champions can connect a product team with specialists. They do not replace accountable owners or a security function.

OWASP SAMM organizes improvement across governance, design, implementation, verification, and operations. Use a maturity model to select the next capability gap. Do not treat its highest level as a requirement for every team.

Limits and failure patterns

DevSecOps cannot promise vulnerability-free software. Automated checks have blind spots. Threats change. Dependencies and environments change after a scan. People can misconfigure strong tools or ignore weak signals.

Watch for these failure patterns:

  • security begins only after code is complete;
  • one scanner is treated as full coverage;
  • the pipeline can deploy with broad, long-lived credentials;
  • findings have no service owner or response deadline;
  • exceptions never expire;
  • teams measure scan volume instead of risk reduction;
  • production incidents do not update requirements or tests;
  • a central security team becomes the approval queue for every routine change.

The corrective pattern is consistent: define the outcome, assign ownership, choose evidence, automate repeatable work, and close the feedback loop.

A practical adoption path

  1. Choose one important service and map its delivery path.
  2. Name the product, security, platform, and operational owners.
  3. Identify the highest-impact risks and write verifiable requirements.
  4. Protect source, pipeline identities, dependencies, and release artifacts.
  5. Add one fast check for a common defect and one test for a critical requirement.
  6. Define a release gate with remediation and exception rules.
  7. Verify the artifact and deployment path before production.
  8. Connect findings and incidents to the same backlog and ownership model.
  9. Measure outcomes, remove noisy work, and expand the approved path.
  10. Compare the program with NIST SSDF or OWASP SAMM and improve the largest gap.