DevSecOps & DevOps
DevSecOps is the practice of embedding security into every phase of software development and delivery — not bolting it on at the end. The goal: ship fast and ship secure.
Why DevSecOps
Traditional security reviews happen late in the cycle — after code is written, after containers are built, sometimes after deployment. By then, fixing issues is expensive. DevSecOps shifts security left: find issues when they cost the least to fix.
Cost to fix a vulnerability, by the phase in which it is found:

- Design phase: $100
- Development: $1,000
- QA/staging: $10,000
- Production: $100,000+

Core pillars

| Pillar | What it means |
|---|---|
| Shift-left security | Run SAST, dependency scanning, secrets detection on every commit |
| Infrastructure as Code | Scan IaC templates (Terraform, Helm) for misconfigurations |
| Container security | Scan images, sign them, enforce admission policies in Kubernetes |
| Continuous compliance | Automated policy checks replace manual audits |
| Incident readiness | Logging, alerting, and runbooks in place before incidents happen |
The DevSecOps pipeline
A secure pipeline runs these stages automatically on every merge request:

Source → SAST → Dependency Scan → Build → Image Scan → Deploy → DAST

- SAST (Static Application Security Testing) — analyse source code for vulnerabilities before compilation
- Dependency scanning — check third-party libraries against known CVE databases (Trivy, Grype)
- Container image scanning — scan the final built image layer by layer
- DAST (Dynamic Application Security Testing) — probe the running application from the outside (OWASP ZAP)
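As an added example (not from the original page), here is a minimal `.gitlab-ci.yml` that wires the stages above into a merge-request pipeline using the tools the page names (GitLab's managed SAST and secret detection, Trivy, OWASP ZAP). It assumes a Dockerfile at the repo root, a hypothetical `deploy.sh` script, and a CI/CD variable `STAGING_URL` pointing at the deployed staging app.

```yaml
# Added example, not from the original page. Assumptions: a Dockerfile at the
# repo root, a hypothetical deploy.sh script, and a STAGING_URL CI/CD variable
# pointing at the running staging application.
workflow:
  rules:
    - if: $CI_PIPELINE_SOURCE == "merge_request_event"

stages: [test, build, image-scan, deploy, dast]
include:
  # GitLab-managed SAST and secret detection; both jobs run in the "test" stage.
  - template: Security/SAST.gitlab-ci.yml
  - template: Security/Secret-Detection.gitlab-ci.yml

dependency_scan:
  stage: test
  image: { name: aquasec/trivy:latest, entrypoint: [""] }
  script:
    # Scan the checked-out tree; only HIGH/CRITICAL findings fail the job.
    - trivy fs --exit-code 1 --severity HIGH,CRITICAL .

build:
  stage: build
  image: docker:24
  services: [docker:24-dind]
  script:
    - echo "$CI_REGISTRY_PASSWORD" | docker login -u "$CI_REGISTRY_USER" --password-stdin "$CI_REGISTRY"
    - docker build -t "$CI_REGISTRY_IMAGE:$CI_COMMIT_SHA" .
    - docker push "$CI_REGISTRY_IMAGE:$CI_COMMIT_SHA"

image_scan:
  stage: image-scan
  image: { name: aquasec/trivy:latest, entrypoint: [""] }
  variables:
    TRIVY_USERNAME: $CI_REGISTRY_USER      # lets trivy pull from the GitLab registry
    TRIVY_PASSWORD: $CI_REGISTRY_PASSWORD
  script:
    # Scan the exact image that will be deployed, not a rebuilt one.
    - trivy image --exit-code 1 --severity HIGH,CRITICAL "$CI_REGISTRY_IMAGE:$CI_COMMIT_SHA"

deploy_staging:
  stage: deploy
  script:
    - ./deploy.sh "$CI_REGISTRY_IMAGE:$CI_COMMIT_SHA"   # hypothetical deploy script

dast_baseline:
  stage: dast
  image: ghcr.io/zaproxy/zaproxy:stable
  script:
    # Passive baseline scan of the running staging app; -I stops warnings from failing the job.
    - zap-baseline.py -t "$STAGING_URL" -I
```

Each scanning job fails the pipeline on HIGH/CRITICAL findings, so a merge request cannot be merged until they are fixed or explicitly accepted.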
Where to go next
- GitLab CI/CD — build and secure pipelines on GitLab
- Pipeline Security — deep dive on each security stage