In the old days, Security tested the app two days before release. They found bugs, blocked the release, and everyone hated them. In DevSecOps we "Shift Left": the same checks move into the developer's own workflow and run early, often, and automatically, so problems surface on the pull request instead of the night before launch.
The Pipeline
- Commit: Developer pushes code. Every stage below runs on the pull request, and a red stage blocks the merge.
- Secret Scanning: (TruffleHog) Checks the diff and the git history for API keys, passwords, and private keys. Fails the build if any are found. A secret that was committed and then deleted is still in history, so scanning only the current files is not enough.
- SCA (Software Composition Analysis): (Snyk/Dependabot) Checks the dependency manifest and lockfile (`package.json` plus `package-lock.json`) for libraries with known CVEs. The lockfile matters because most vulnerable packages are transitive dependencies that never appear in `package.json`.
- SAST (Static Analysis): (SonarQube) Scans source code for dangerous patterns such as SQL queries built by string formatting (SQLi) or user input written into HTML unescaped (XSS).
- DAST (Dynamic Analysis): (OWASP ZAP) Deploys the app to staging, spiders it, and fires attack payloads at every input and form it finds.
- Deploy: If all stages are green, push to production.
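Here is what the secret-scanning stage is doing under the hood, as an added example (it is not TruffleHog's code and not from the original page): a minimal scanner that walks only the added lines of a unified diff, matches a few well-known public key formats, and uses Shannon entropy to separate a real secret from a placeholder. The detector list, the entropy threshold, the `gate()` helper and the diff itself are constructed for this illustration; the AWS credentials in the diff are the example values AWS uses in its own documentation.

```python
import math
import re

# Well-known public token formats. A constructed short list for illustration,
# not TruffleHog's detector set.
DETECTORS = [
    ("aws_access_key_id", re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")),
    ("github_pat", re.compile(r"\bghp_[A-Za-z0-9]{36}\b")),
    ("private_key_block", re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----")),
]

# Generic fallback: an assignment to a secret-looking name with a long value.
# Whether it is reported depends on the entropy of the value (see below).
ASSIGNMENT = re.compile(
    r"(?i)\w*(secret|password|passwd|token|api[_-]?key)\w*\s*[:=]\s*"
    r"['\"]?([A-Za-z0-9+/=_\-]{16,})['\"]?"
)
# Bits per character. Random base64/hex material scores well above this;
# repetitive placeholders like "changeme-changeme-changeme" score below it.
# Threshold chosen for this example, not a TruffleHog setting.
ENTROPY_THRESHOLD = 3.5


def shannon_entropy(s: str) -> float:
    """Shannon entropy in bits per character of s (0.0 for an empty or single-symbol string)."""
    if not s:
        return 0.0
    counts: dict[str, int] = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_diff(diff: str) -> list[dict]:
    """Scan only the ADDED lines of a unified diff and return one finding per hit."""
    findings = []
    current_file = None
    for raw in diff.splitlines():
        if raw.startswith("+++ "):
            current_file = raw[4:].removeprefix("b/")  # "+++ b/path" file header
            continue
        if not raw.startswith("+"):
            continue  # context and removed lines cannot introduce a new secret
        line = raw[1:]
        for name, rx in DETECTORS:
            if rx.search(line):
                findings.append({"file": current_file, "detector": name, "line": line.strip()})
        m = ASSIGNMENT.search(line)
        if m and shannon_entropy(m.group(2)) >= ENTROPY_THRESHOLD:
            findings.append({"file": current_file, "detector": "high_entropy_assignment",
                             "line": line.strip(), "entropy": round(shannon_entropy(m.group(2)), 2)})
    return findings


def gate(diff: str) -> int:
    """CI exit status for this stage: 0 = clean, 1 = secrets found, fail the build."""
    return 1 if scan_diff(diff) else 0


# Constructed diff: two real-looking credentials (AWS's documentation example
# values) and one placeholder that must NOT be reported.
SAMPLE_DIFF = """\
--- a/config/settings.py
+++ b/config/settings.py
@@ -1,3 +1,6 @@
 DEBUG = False
+AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
+AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
+DB_PASSWORD = "changeme-changeme-changeme"
"""

if __name__ == "__main__":
    for finding in scan_diff(SAMPLE_DIFF):
        print(finding)
    raise SystemExit(gate(SAMPLE_DIFF))
```

Running it reports the access key ID (format match) and the secret access key (high entropy) but stays quiet on the placeholder password. Note that it scans one diff; the removed-line rule is why a diff-only scan misses a secret that was committed last week and deleted today, which is the reason the real tools also offer a full-history mode.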
1. SAST vs DAST
SAST (White Box): Looks at the source code without running it.
Pros: fast, runs on every commit, reports the exact file and line number.
Cons: False positives. It matches patterns and usually can't tell whether a value is really attacker-controlled or was sanitised or parameterised somewhere it doesn't model, so it flags code that is safe in practice. It also can't see runtime configuration.
DAST (Black Box): Attacks the running app over HTTP, the way an attacker would.
Pros: Real-world results. A hit is almost always exploitable, and it finds deployment and configuration issues that never appear in source.
Cons: Slow, needs a running environment, can't point to a line of code, and active scanning submits every form it finds, so it may create or delete data. Point it at staging, never at production.
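To make the false-positive point concrete, here is an added example (not SonarQube's engine and not from the original page): a toy SAST for Python built on the standard `ast` module. The first checker is a pure pattern rule, "any `execute()` whose query is built with string formatting"; the second adds a crude taint check that only reports the query when something interpolated into it flows from an untrusted source. The scanned snippet, the `SOURCES` set (`request.args`, `request.form`, `input`) and the per-function, straight-line taint model are constructed assumptions; real tools track flows across calls, branches and files.

```python
import ast

# Constructed list of "untrusted input" sources for the taint rule.
SOURCES = {"request.args", "request.form", "input"}


def is_execute(call: ast.Call) -> bool:
    """cursor.execute(...) / conn.execute(...) with at least one argument."""
    return isinstance(call.func, ast.Attribute) and call.func.attr == "execute" and bool(call.args)


def is_formatted(node: ast.AST) -> bool:
    """True if the expression builds a string: f-string, + or % concatenation, or .format()."""
    if isinstance(node, (ast.JoinedStr, ast.BinOp)):
        return True
    return isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute) and node.func.attr == "format"


def names_in(node: ast.AST) -> set[str]:
    """All plain variable names referenced anywhere inside an expression."""
    return {n.id for n in ast.walk(node) if isinstance(n, ast.Name)}


def reads_source(node: ast.AST) -> bool:
    """True if the expression touches one of SOURCES (request.args[...], input(), ...)."""
    for n in ast.walk(node):
        if isinstance(n, ast.Attribute) and isinstance(n.value, ast.Name):
            if f"{n.value.id}.{n.attr}" in SOURCES:
                return True
        if isinstance(n, ast.Call) and isinstance(n.func, ast.Name) and n.func.id in SOURCES:
            return True
    return False


class PatternChecker(ast.NodeVisitor):
    """Rule: report every execute() whose query is a formatted string."""

    def __init__(self) -> None:
        self.findings: list[int] = []

    def visit_Call(self, node: ast.Call) -> None:
        if is_execute(node) and is_formatted(node.args[0]):
            self.findings.append(node.lineno)
        self.generic_visit(node)


class TaintChecker(ast.NodeVisitor):
    """Same rule, but only when the query contains a value that flows from a source.
    Simplification: taint is tracked per function, in statement order, through
    direct assignments only (no branches, no calls, no sanitiser modelling)."""

    def __init__(self) -> None:
        self.findings: list[int] = []
        self.tainted: set[str] = set()

    def visit_FunctionDef(self, node: ast.FunctionDef) -> None:
        self.tainted = set()  # fresh taint state per function
        self.generic_visit(node)

    def visit_Assign(self, node: ast.Assign) -> None:
        if reads_source(node.value) or names_in(node.value) & self.tainted:
            for target in node.targets:
                self.tainted |= names_in(target)
        self.generic_visit(node)

    def visit_Call(self, node: ast.Call) -> None:
        if is_execute(node):
            query = node.args[0]
            if is_formatted(query) and (reads_source(query) or names_in(query) & self.tainted):
                self.findings.append(node.lineno)
        self.generic_visit(node)


def run_pattern(source: str) -> list[int]:
    checker = PatternChecker()
    checker.visit(ast.parse(source))
    return checker.findings


def run_taint(source: str) -> list[int]:
    checker = TaintChecker()
    checker.visit(ast.parse(source))
    return checker.findings


# Constructed code under test. Line 6 is a real injection; line 9 interpolates only a
# module constant; line 13 interpolates the constant and passes uid as a bound parameter.
SAMPLE = '''
TABLE = "users"

def lookup(cur, request):
    uid = request.args["id"]
    cur.execute(f"SELECT * FROM {TABLE} WHERE id = {uid}")

def count(cur):
    cur.execute(f"SELECT COUNT(*) FROM {TABLE}")

def safe_lookup(cur, request):
    uid = request.args["id"]
    cur.execute(f"SELECT * FROM {TABLE} WHERE id = %s", (uid,))
'''

if __name__ == "__main__":
    print("pattern rule flags lines:", run_pattern(SAMPLE))  # [6, 9, 13]: two false positives
    print("taint rule flags lines:  ", run_taint(SAMPLE))    # [6]
```

The pattern rule flags all three calls, because all three queries are f-strings; only line 6 is exploitable. The taint rule keeps line 6 and drops the other two, which is exactly the trade-off the "Cons" line above describes: the more flow analysis a SAST tool does, the fewer false positives, but a straight-line model like this one will still miss taint that arrives through a function call, a dictionary, or a branch it doesn't follow.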
2. Infrastructure as Code (IaC) Security
We don't just scan app code. We scan Terraform and Kubernetes manifests.
Tool: Checkov or Trivy.
Example: It flags if an S3 bucket is set to `public-read` or if a Security Group allows SSH (port 22) from `0.0.0.0/0`, i.e. the whole internet. Because the scan runs on the manifests at pull-request time, the misconfiguration is caught before `terraform apply` ever creates the resource.
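As an added example (not Checkov's or Trivy's code, and not from the original page), here is what those two checks look like when written against Terraform's JSON configuration syntax (`.tf.json`), which the stdlib `json` module can read without an HCL parser. The check names `S3_PUBLIC_ACL` and `SG_SSH_WORLD_OPEN`, both sample configurations, and the port-22 focus are assumptions for this illustration; the fixed variant shows the same resources with a private ACL and SSH restricted to one CIDR.

```python
import ipaddress
import json

# Constructed .tf.json: a public bucket, a bastion SG open to the world on 22,
# and a web SG open to the world on 443 (which is expected and must not be flagged).
BAD_TF_JSON = """
{
  "resource": {
    "aws_s3_bucket": {
      "logs": {"bucket": "example-logs", "acl": "public-read"}
    },
    "aws_security_group": {
      "bastion": {
        "ingress": {"from_port": 22, "to_port": 22, "protocol": "tcp", "cidr_blocks": ["0.0.0.0/0"]}
      },
      "web": {
        "ingress": [{"from_port": 443, "to_port": 443, "protocol": "tcp", "cidr_blocks": ["0.0.0.0/0"]}]
      }
    }
  }
}
"""

# Same resources, corrected: private ACL, SSH only from one office range (TEST-NET-3).
FIXED_TF_JSON = """
{
  "resource": {
    "aws_s3_bucket": {
      "logs": {"bucket": "example-logs", "acl": "private"}
    },
    "aws_security_group": {
      "bastion": {
        "ingress": {"from_port": 22, "to_port": 22, "protocol": "tcp", "cidr_blocks": ["203.0.113.0/24"]}
      },
      "web": {
        "ingress": [{"from_port": 443, "to_port": 443, "protocol": "tcp", "cidr_blocks": ["0.0.0.0/0"]}]
      }
    }
  }
}
"""


def as_list(block):
    """In .tf.json a repeated block may appear as one object or as a list of objects."""
    return block if isinstance(block, list) else [block]


def is_world_open(cidr: str) -> bool:
    """0.0.0.0/0 or ::/0, i.e. a prefix length of zero."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def rule_covers_port(rule: dict, port: int) -> bool:
    """True if the ingress rule admits traffic to `port` (protocol -1 means all traffic)."""
    if str(rule.get("protocol")) == "-1":
        return True
    return int(rule.get("from_port", 0)) <= port <= int(rule.get("to_port", 0))


def check_config(cfg: dict) -> list[dict]:
    """Run both checks over a parsed configuration and return one finding per violation."""
    findings = []
    resources = cfg.get("resource", {})

    # Check 1: bucket ACL grants public read. Covers both the inline acl attribute
    # and the separate aws_s3_bucket_acl resource newer provider versions use.
    for rtype in ("aws_s3_bucket", "aws_s3_bucket_acl"):
        for name, body in resources.get(rtype, {}).items():
            if body.get("acl") in ("public-read", "public-read-write"):
                findings.append({"check": "S3_PUBLIC_ACL", "resource": f"{rtype}.{name}", "detail": body["acl"]})

    # Check 2: a security group ingress rule reaches port 22 from anywhere (v4 or v6).
    for name, body in resources.get("aws_security_group", {}).items():
        for rule in as_list(body.get("ingress", [])):
            for cidr in rule.get("cidr_blocks", []) + rule.get("ipv6_cidr_blocks", []):
                if is_world_open(cidr) and rule_covers_port(rule, 22):
                    findings.append({"check": "SG_SSH_WORLD_OPEN",
                                     "resource": f"aws_security_group.{name}", "detail": cidr})
    return findings


def scan_tf_json(text: str) -> list[dict]:
    return check_config(json.loads(text))


if __name__ == "__main__":
    for f in scan_tf_json(BAD_TF_JSON):
        print(f"FAIL {f['check']} {f['resource']}: {f['detail']}")
    raise SystemExit(1 if scan_tf_json(BAD_TF_JSON) else 0)
```

The bad configuration produces two findings and a non-zero exit code, so the pipeline stage goes red; the fixed one produces none. The web group is deliberately left open on 443 in both, since that is what a public web tier looks like and a check that flags it would just train people to ignore the tool.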
3. Golden Images
Don't patch servers. Replace them.
Build a hardened Docker image or AMI with all patches applied, pin the base image it starts from, and scan it for vulnerabilities before it is published.
When a new patch comes out, build a NEW image and redeploy. This is "Immutable Infrastructure": nobody SSHes in to change a running server, so every server is identical to the image that was scanned. Keep re-scanning published images on a schedule too; an image that was clean last month can fail today because a new CVE was disclosed against something already inside it.
Culture Shift
DevSecOps is 80% culture. Developers must own the security of their code. Security engineers stop being gatekeepers and start being tool-providers and consultants.