8. DevOps Security Fundamentals

Security in the DevOps Context

The DevSecOps Mindset

Shift Left
- Embed security activities early in the development lifecycle—requirements, design, coding—rather than bolting them on at the end.
- Teams (“security as code”) collaborate from day one to define threat models, secure architectures, and compliance checkpoints.
Security as Code
- Treat security rules, policies, and controls as versioned, testable code artifacts.
- Examples: policy-as-code with Open Policy Agent (OPA), automated firewall rules in Terraform, container image signing.
Cross-Functional Ownership
- Security champions embedded in each development team.
- Regular “blameless” postmortems that include security findings.
- Shared responsibility: developers, operations, and security engineers collaborate on threat modeling, risk assessment, and incident response planning.
Automation & Continuous Feedback
- Automate security gates in CI/CD pipelines to catch issues immediately.
- Provide fast, contextual feedback in pull requests (e.g., inline comments from SAST/DAST tools).
- Integrate security dashboards (SLA for vulnerabilities, mean time to remediation) into team OKRs.

Secure Coding and Vulnerability Scanning

Secure Coding Principles

Input Validation & Output Encoding
- Validate all inputs against strict schemas or whitelists.
- Encode or escape outputs when rendering in HTML, SQL, or OS commands to prevent injection attacks.
Principle of Least Privilege
- Code and services run with only the minimum permissions necessary.
- Use role-based access control (RBAC) in Kubernetes, IAM roles in AWS.
Dependency Management
- Pin dependencies to known-good versions.
- Regularly update libraries to incorporate security patches.
- Avoid excessive transitive dependencies.
Error Handling & Logging
- Fail securely: hide sensitive details in error messages.
- Ensure logs do not contain secrets or PII.
- Use structured logging for easier filtering and alerting on anomalies.
Cryptography Best Practices
- Use proven libraries (e.g., libsodium, Java JCA).
- Avoid custom encryption schemes.
- Enforce TLS 1.2+ for all service-to-service and client-server communications.

Automated Vulnerability Scanning

Scan Type	Tools & Techniques	When to Run
SAST	SonarQube, Checkmarx, Fortify, GitHub CodeQL	On every PR / commit
DAST	OWASP ZAP, Burp Suite, Nikto	Against deployed staging
SCA	Snyk, Dependabot, OWASP Dependency-Check, Trivy	On every build / PR
IAST	Contrast Security, Seeker	During integration tests
RASP	Signal Sciences, Waratek	In production live traffic

Example: Integrating SAST in Jenkins Pipeline

pipeline {
  agent any
  stages {
    stage('Static Analysis') {
      steps {
        // Run SonarQube scanner
        withSonarQubeEnv('MySonarServer') {
          sh 'mvn clean verify sonar:sonar'
        }
      }
    }
    stage('Quality Gate') {
      steps {
        timeout(time: 2, unit: 'MINUTES') {
          waitForQualityGate abortPipeline: true
        }
      }
    }
  }
}

Example: Adding DAST with OWASP ZAP in GitLab CI

stages:
  - build
  - test
  - security

security_scan:
  image: owasp/zap2docker-stable
  stage: security
  script:
    - zap-baseline.py -t <http://web-app:8080> -r zap-report.html
  artifacts:
    paths:
      - zap-report.html