DevSecOps

The DevSecOps Mindset

Shift-left: find vulnerabilities as early as possible. A bug found in development costs $100 to fix; in production it costs $10,000+.

Security in CI/CD

# GitLab CI security template
stages:
  - lint
  - security
  - compliance
  - build
  - deploy

security-sast:
  stage: security
  script: semgrep scan --config=auto .

security-sca:
  stage: security
  script: snyk test --all-projects

security-secret:
  stage: security
  script: trufflehog filesystem .

security-sbom:
  stage: compliance
  script: syft packages . -o cyclonedx > sbom.cdx.json

security-dast:
  stage: deploy # Post-deploy
  script: zap-cli quick-scan https://staging.example.com
  only:
    - main

Supply Chain Security

# Verify image signatures
cosign verify example.com/my-app:latest \
  --certificate-identity "devops@example.com" \
  --certificate-oidc-issuer "https://accounts.google.com"

# Generate SLSA provenance
slsa-provenance generate my-app:latest

Developer Security Ownership

| Practice | Developer Responsibility | Security Team Role |
| --- | --- | --- |
| SAST scanning | Run on every commit | Define rules, review exceptions |
| Dependency updates | Merge Dependabot PRs within SLA | Define allowed/blocked licenses |
| Secret management | Use vault/Secrets Manager, never hardcode | Provide tooling, scan for leaks |
| Code review | Review for security as well as functionality | Review high-risk changes |
| Access control | Follow least privilege in code (IAM policies) | Define patterns, audit compliance |
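The `security-sbom` job above only produces `sbom.cdx.json`; the "allowed/blocked licenses" row is where the security team's policy is applied to it. The following is an added example (not code from this page or from syft) of a compliance-stage gate that reads the CycloneDX SBOM and fails the pipeline on blocked or undeclared licenses; the `BLOCKED_LICENSES` set and the embedded sample SBOM are assumptions constructed for illustration.

```python
"""CI gate: fail the compliance stage when the CycloneDX SBOM written by
`syft packages . -o cyclonedx > sbom.cdx.json` contains a component whose
license is blocked by policy or not declared at all."""
import json
import re
import sys

# Policy list is an assumption for this example; the security team owns it.
BLOCKED_LICENSES = {"GPL-3.0-only", "AGPL-3.0-only", "SSPL-1.0"}


def component_licenses(component):
    """Return the license ids/names declared for one component.
    CycloneDX allows `license: {id|name}` entries or an SPDX `expression`
    such as "MIT OR SSPL-1.0"; every identifier in a compound expression is
    checked, which is deliberately conservative."""
    found = set()
    for entry in component.get("licenses", []):
        if "license" in entry:
            lic = entry["license"]
            found.add(lic.get("id") or lic.get("name") or "UNKNOWN")
        elif "expression" in entry:
            tokens = re.split(r"\s+(?:AND|OR|WITH)\s+|[()]", entry["expression"])
            found.update(t for t in tokens if t)
    return found or {"UNKNOWN"}


def check_sbom(sbom, blocked=BLOCKED_LICENSES):
    """Return violation strings; an empty list means the gate passes."""
    violations = []
    for comp in sbom.get("components", []):
        name = f"{comp.get('name')}@{comp.get('version', '?')}"
        for lic in sorted(component_licenses(comp)):
            if lic == "UNKNOWN":
                violations.append(f"{name}: no license declared, needs manual review")
            elif lic in blocked:
                violations.append(f"{name}: blocked license {lic}")
    return violations


# Constructed sample SBOM standing in for sbom.cdx.json (not real syft output).
SAMPLE_SBOM = {
    "bomFormat": "CycloneDX", "specVersion": "1.4",
    "components": [
        {"name": "requests", "version": "2.31.0", "licenses": [{"license": {"id": "Apache-2.0"}}]},
        {"name": "mongo-driver", "version": "1.2.0", "licenses": [{"expression": "MIT OR SSPL-1.0"}]},
        {"name": "left-pad", "version": "0.1.0"},
    ],
}

if __name__ == "__main__":
    sbom = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_SBOM
    problems = check_sbom(sbom)
    print("\n".join(problems) or "SBOM license gate: OK")
    sys.exit(1 if problems else 0)
```

In the pipeline this would run as a second `script` line of the `security-sbom` job (`python sbom_gate.py sbom.cdx.json`), so the non-zero exit fails the compliance stage before `build` starts.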