DevSecOps
The DevSecOps Mindset
Shift-left: find and fix vulnerabilities as early in the lifecycle as possible, in the IDE and at pull-request time rather than after release. The usual rule of thumb is that a bug found in development costs around $100 to fix and the same bug found in production $10,000 or more; the exact ratio varies by study, but the direction is consistent, because a production fix also carries incident handling, patch rollout and possibly disclosure.
Security in CI/CD
```yaml
# GitLab CI security template
stages:
  - lint
  - security
  - compliance
  - build
  - deploy

security-sast:
  stage: security
  script:
    - semgrep scan --config=auto .

security-sca:
  stage: security
  script:
    - snyk test --all-projects

security-secret:
  stage: security
  script:
    - trufflehog filesystem .

security-sbom:
  stage: compliance
  script:
    # cyclonedx-json rather than cyclonedx (which emits XML), so the file matches its .cdx.json name
    - syft packages . -o cyclonedx-json > sbom.cdx.json
  artifacts:
    paths:
      - sbom.cdx.json   # keep the SBOM with the pipeline for later stages and audits

security-dast:
  stage: deploy   # Post-deploy: scans the deployed staging environment
  script:
    - zap-cli quick-scan https://staging.example.com
  only:
    - main
```

Jobs in the same stage run in parallel, so a DAST job placed in the `deploy` stage should declare `needs:` on the deployment job (or sit in a later stage); otherwise it can scan staging before the new build has landed.

Supply Chain Security
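Signature verification tells you who signed the image; the deployment gate still has to decide whether what the attestation says is acceptable. The following is an added example, not code from this page or from the cosign/SLSA projects, of that policy check on a SLSA v0.2 provenance statement. It assumes the DSSE envelope has already been signature-verified (for instance with `cosign verify-attestation`); the trusted builder id, repository and branch, and the statement itself, are constructed assumptions.

```python
# Added example: a deploy-time policy check on a SLSA v0.2 provenance
# statement. Not code from this page or from the cosign/SLSA projects. It
# assumes the DSSE envelope has already been signature-verified (for example
# with `cosign verify-attestation`); the trusted builder id, repository and
# branch are assumed values, and the statement itself is a constructed sample.
import base64
import json

TRUSTED_BUILDER_ID = "https://ci.example.com/builders/container/v1"  # assumed
TRUSTED_SOURCE = "git+https://github.com/example/my-app"             # assumed
TRUSTED_REFS = {"refs/heads/main"}

GOOD_DIGEST = "d4e1a8b4f0f1a0a3f4c2c8c3b1b1e2e3d4d5d6d7e8f9a0b1c2d3e4f5a6b7c8d9"
COMMIT = "3f786850e387550fdab836ed7e6dc881de23001b"

# Constructed in-toto Statement v0.1 carrying a SLSA provenance v0.2 predicate.
SAMPLE_STATEMENT = {
    "_type": "https://in-toto.io/Statement/v0.1",
    "subject": [{"name": "example.com/my-app", "digest": {"sha256": GOOD_DIGEST}}],
    "predicateType": "https://slsa.dev/provenance/v0.2",
    "predicate": {
        "builder": {"id": TRUSTED_BUILDER_ID},
        "buildType": "https://ci.example.com/build-types/container/v1",
        "invocation": {
            "configSource": {
                "uri": "git+https://github.com/example/my-app@refs/heads/main",
                "digest": {"sha1": COMMIT},
                "entryPoint": ".gitlab-ci.yml",
            }
        },
        "materials": [
            {"uri": "git+https://github.com/example/my-app@refs/heads/main",
             "digest": {"sha1": COMMIT}}
        ],
    },
}


def make_envelope(statement):
    """Wrap a statement as a DSSE envelope, the form cosign prints (constructed here)."""
    payload = base64.b64encode(json.dumps(statement).encode()).decode()
    return {"payloadType": "application/vnd.in-toto+json", "payload": payload,
            "signatures": [{"keyid": "", "sig": "verified-before-this-step"}]}


def statement_from_envelope(envelope):
    """Decode the in-toto payload; refuse any other payload type outright."""
    if envelope.get("payloadType") != "application/vnd.in-toto+json":
        raise ValueError(f"unexpected payloadType {envelope.get('payloadType')!r}")
    return json.loads(base64.b64decode(envelope["payload"]))


def check_provenance(statement, image_digest):
    """Return policy violations for deploying the image with this digest; [] means allowed."""
    problems = []
    if statement.get("_type") != "https://in-toto.io/Statement/v0.1":
        problems.append("not an in-toto v0.1 statement")
    if statement.get("predicateType") != "https://slsa.dev/provenance/v0.2":
        problems.append(f"unexpected predicateType {statement.get('predicateType')!r}")
        return problems  # cannot interpret the predicate, stop here
    # 1. Bind the attestation to the exact artifact by digest, never by a mutable tag.
    if not any(s.get("digest", {}).get("sha256") == image_digest
               for s in statement.get("subject", [])):
        problems.append("subject digest does not match the image being deployed")
    pred = statement.get("predicate", {})
    # 2. Only the trusted build platform may vouch for the image.
    builder = pred.get("builder", {}).get("id")
    if builder != TRUSTED_BUILDER_ID:
        problems.append(f"untrusted builder id {builder!r}")
    # 3. The build must have been configured from our repository on an allowed branch.
    src = pred.get("invocation", {}).get("configSource", {})
    uri, _, ref = src.get("uri", "").partition("@")
    if uri != TRUSTED_SOURCE or ref not in TRUSTED_REFS:
        problems.append(f"unexpected source {src.get('uri')!r}")
    # 4. The source must be pinned to a commit that also appears in the materials.
    commit = src.get("digest", {}).get("sha1")
    if not commit:
        problems.append("configSource is not pinned to a commit")
    elif not any(m.get("digest", {}).get("sha1") == commit
                 for m in pred.get("materials", [])):
        problems.append("configSource commit is not listed in materials")
    return problems


def may_deploy(envelope, image_digest):
    """Gate decision for one verified envelope and the digest about to be deployed."""
    return check_provenance(statement_from_envelope(envelope), image_digest) == []


if __name__ == "__main__":
    envelope = make_envelope(SAMPLE_STATEMENT)
    print("deploy allowed:", may_deploy(envelope, GOOD_DIGEST))
    print("wrong digest:", check_provenance(SAMPLE_STATEMENT, "00" * 32))
```

The two design points worth keeping when adapting this: the check binds the attestation to the image digest rather than a tag, and it refuses any builder or source repository other than the ones in policy, since a validly signed attestation from the wrong builder is exactly what a compromised pipeline produces.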
```shell
# Verify the image signature (keyless signing: the signer is identified by the
# OIDC identity and issuer recorded in the short-lived signing certificate)
cosign verify example.com/my-app:latest \
  --certificate-identity "devops@example.com" \
  --certificate-oidc-issuer "https://accounts.google.com"
# Tags are mutable: verify and deploy by digest (example.com/my-app@sha256:...)
# so the signature is bound to exactly the image that runs.

# Generate SLSA provenance for the build
# (illustrative invocation; the subcommand and flags depend on the
# provenance generator used in the pipeline)
slsa-provenance generate my-app:latest
```

Developer Security Ownership
| Practice | Developer Responsibility | Security Team Role |
|---|---|---|
| SAST scanning | Run on every commit | Define rules, review exceptions |
| Dependency updates | Merge Dependabot PRs within the severity SLA | Set the SLA per severity; define allowed/blocked licenses |
| Secret management | Use vault/Secrets Manager, never hardcode | Provide tooling, scan for leaks |
| Code review | Review for security as well as functionality | Review high-risk changes |
| Access control | Follow least privilege in code (IAM policies) | Define patterns, audit compliance |
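The `security-sast` and `security-sbom` jobs produce a Semgrep JSON report and a CycloneDX SBOM; the rules, reviewed exceptions and allowed/blocked licenses in the table above are what a gate enforces over them. The following is an added example of such a gate, not code from this page or from the Semgrep/syft projects; its sample report, sample SBOM, exception-file shape and license lists are constructed assumptions standing in for the policy the security team would own.

```python
# Added example: a CI gate over the artifacts the scan jobs produce, Semgrep's
# JSON report (`semgrep scan --json`) and syft's CycloneDX JSON SBOM. Not code
# from this page or from Semgrep/syft; sample inputs, exception-file shape and
# license lists are constructed assumptions.
from fnmatch import fnmatch

# Policy: owned by the security team, changed only through review.
BLOCKING_SEVERITIES = {"ERROR"}  # Semgrep severities are ERROR, WARNING, INFO
ALLOWED_LICENSES = {"MIT", "Apache-2.0", "BSD-2-Clause", "BSD-3-Clause", "ISC", "PSF-2.0"}
BLOCKED_LICENSES = {"AGPL-3.0-only", "AGPL-3.0-or-later", "SSPL-1.0"}

# Reviewed exceptions (assumed shape): one rule on one path glob, reason on record.
EXCEPTIONS = [
    {"check_id": "python.lang.security.audit.subprocess-shell-true",
     "path": "tools/legacy_*.py", "reason": "arguments are constants; removal scheduled"},
]

# Constructed Semgrep report in the shape of `semgrep scan --json` output.
SEMGREP_REPORT = {
    "results": [
        {"check_id": "python.lang.security.audit.subprocess-shell-true",
         "path": "tools/legacy_import.py", "start": {"line": 42},
         "extra": {"severity": "ERROR", "message": "subprocess call with shell=True"}},
        {"check_id": "python.lang.security.audit.dangerous-system-call",
         "path": "app/views.py", "start": {"line": 17},
         "extra": {"severity": "ERROR", "message": "os.system with non-constant argument"}},
        {"check_id": "python.lang.best-practice.open-never-closed",
         "path": "app/util.py", "start": {"line": 3},
         "extra": {"severity": "WARNING", "message": "file handle is never closed"}},
    ],
}

# Constructed CycloneDX 1.5 SBOM; licenses appear as {license:{id|name}} or {expression}.
SBOM = {
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "components": [
        {"name": "requests", "version": "2.31.0",
         "licenses": [{"license": {"id": "Apache-2.0"}}]},
        {"name": "dual-licensed-lib", "version": "1.4.0",
         "licenses": [{"expression": "MIT OR GPL-2.0-only"}]},
        {"name": "vendor-sdk", "version": "3.2.1",
         "licenses": [{"license": {"name": "Proprietary vendor licence"}}]},
        {"name": "graphdb-client", "version": "0.9.0",
         "licenses": [{"license": {"id": "AGPL-3.0-only"}}]},
        {"name": "unlicensed-util", "version": "0.1.0"},  # no license metadata at all
    ],
}

def semgrep_violations(report, exceptions=EXCEPTIONS):
    """Blocking findings that no reviewed exception covers."""
    out = []
    for r in report.get("results", []):
        sev = r.get("extra", {}).get("severity", "INFO")
        if sev not in BLOCKING_SEVERITIES:
            continue
        if any(e["check_id"] == r["check_id"] and fnmatch(r["path"], e["path"])
               for e in exceptions):
            continue  # suppressed by a recorded exception, not silently dropped
        out.append(f"{r['path']}:{r['start']['line']} {r['check_id']} ({sev})")
    return out

def license_ok(term):
    """Minimal SPDX handling: passes if some OR-alternative has all its AND-parts
    on the allow list. WITH exceptions and nested parentheses are not handled."""
    for option in term.replace("(", "").replace(")", "").split(" OR "):
        parts = [p.strip() for p in option.split(" AND ")]
        if parts and all(p in ALLOWED_LICENSES for p in parts):
            return True
    return False

def component_license_terms(component):
    """Flatten a component's CycloneDX license entries into SPDX-style strings."""
    terms = []
    for entry in component.get("licenses", []):
        if "expression" in entry:
            terms.append(entry["expression"])
        else:
            lic = entry.get("license", {})
            terms.append(lic.get("id") or lic.get("name") or "NOASSERTION")
    return terms or ["NOASSERTION"]  # missing metadata is itself a review item

def license_violations(sbom):
    """Components whose license terms are blocked or not yet approved."""
    out = []
    for c in sbom.get("components", []):
        label = f"{c['name']}@{c.get('version', '?')}"
        for term in component_license_terms(c):
            if license_ok(term):
                continue
            tokens = set(term.replace("(", "").replace(")", "").split())
            if tokens & BLOCKED_LICENSES:
                out.append(f"{label}: blocked license {term}")
            else:
                out.append(f"{label}: license {term!r} not on the allow list, needs review")
    return out

def gate(report, sbom):
    """Return (allowed, messages); the CI job should exit non-zero when not allowed."""
    msgs = semgrep_violations(report) + license_violations(sbom)
    return (not msgs, msgs)
```

Wire `gate()` into a job that runs after the `security` and `compliance` stages, reading the two artifacts from disk, and exit non-zero when it returns `False`. Exceptions are matched by rule id and path glob so a suppression cannot quietly widen to other files, and the reason travels with the exception so reviewers can re-examine it; a dual-licensed component passes on its permissive alternative, while a blocked or unrecognised license stops the pipeline until the security team reviews it.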