DevSecOps Core Concepts

Security in the SDLC

Shift Left Security

Integrate security early in the development lifecycle:

┌─────────┐  ┌─────────┐  ┌─────────┐  ┌─────────┐  ┌─────────┐
│  Plan   │──│  Code   │──│  Build  │──│  Test   │──│ Deploy  │
└────┬────┘  └────┬────┘  └────┬────┘  └────┬────┘  └────┬────┘
     │            │            │            │            │
   Threat      SAST        Dependency    DAST        Runtime
   Modeling    Linting       Scan        Pentest     Security

Static Application Security Testing (SAST)

Tools and Integration

# GitHub Actions - CodeQL
name: Security Scan
on: [push, pull_request]

jobs:
  codeql:
    runs-on: ubuntu-latest
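    permissions:
      security-events: write  # upload results to code scanning
      contents: read          # checkout; scopes not listed here become "none"
      actions: read           # needed by CodeQL on private repositories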
    steps:
      - uses: actions/checkout@v4

      - name: Initialize CodeQL
        uses: github/codeql-action/init@v2
        with:
          languages: javascript, typescript

      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@v2

  semgrep:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: returntocorp/semgrep-action@v1
        with:
          config: >-
            p/security-audit
            p/secrets
            p/owasp-top-ten

Common Vulnerabilities Detected

| Vulnerability | Description | Prevention |
|---|---|---|
| SQL Injection | User input in SQL queries | Parameterized queries |
| XSS | Unescaped output | Content encoding |
| Path Traversal | User input in file paths | Input validation |
| Hardcoded Secrets | Credentials in code | Secret management |
| Insecure Deserialization | Untrusted data deserialization | Type validation |

Dependency Scanning

Software Composition Analysis (SCA)

# GitHub Actions - Dependency Review
name: Dependency Review
on: pull_request

jobs:
  dependency-review:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/dependency-review-action@v3
        with:
          fail-on-severity: high
          deny-licenses: GPL-3.0, AGPL-3.0

Tools Comparison

| Tool | Languages | Features |
|---|---|---|
| Snyk | Multi | Real-time monitoring, fix PRs |
| Dependabot | Multi | GitHub native, auto-updates |
| Trivy | Multi | Fast, containers too |
| OWASP Dependency-Check | Java, .NET | CVE database |

npm Audit

# Check vulnerabilities
npm audit

# Fix automatically
npm audit fix

# Generate report
npm audit --json > audit-report.json
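
The JSON report can drive a build gate that is stricter than a raw exit code. The following is an added example, not code from the original page: it assumes the npm 7+ report layout (`auditReportVersion: 2`), and the package names, advisory URLs and the waiver list format are constructed for illustration.

```javascript
// Added example. Packages and advisory URLs below are constructed sample data.
const RANK = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };

const SAMPLE_REPORT = {
  auditReportVersion: 2,
  vulnerabilities: {
    'example-parser': { severity: 'high', fixAvailable: true, via: [
      { title: 'Prototype pollution', severity: 'high', url: 'https://advisories.example/ADV-0001' }] },
    // Dependent only: `via` names the package that carries the advisory.
    'example-cli': { severity: 'high', fixAvailable: true, via: ['example-parser'] },
    'example-logger': { severity: 'moderate', fixAvailable: true, via: [
      { title: 'Log injection', severity: 'moderate', url: 'https://advisories.example/ADV-0002' }] },
    'example-crypto': { severity: 'critical', fixAvailable: false, via: [
      { title: 'Weak key generation', severity: 'critical', url: 'https://advisories.example/ADV-0003' }] },
  },
};

// Returns the advisories at or above `threshold` that are not covered by an
// unexpired waiver, most severe first. An empty array means the gate passes.
function evaluateAudit(report, { threshold = 'high', waivers = [], now = new Date() } = {}) {
  if (!report || report.auditReportVersion !== 2 || typeof report.vulnerabilities !== 'object') {
    throw new Error('unrecognised npm audit report'); // fail closed on bad input
  }
  if (!Object.hasOwn(RANK, threshold)) throw new Error(`unknown threshold: ${threshold}`);
  const waived = new Set(
    waivers.filter((w) => new Date(w.expires) > now).map((w) => w.advisory));
  const findings = [];
  for (const [pkg, vuln] of Object.entries(report.vulnerabilities)) {
    for (const adv of vuln.via) {
      if (typeof adv === 'string') continue; // reported under the root package
      if (!Object.hasOwn(RANK, adv.severity)) throw new Error(`unknown severity on ${pkg}`);
      if (RANK[adv.severity] < RANK[threshold] || waived.has(adv.url)) continue;
      findings.push({ pkg, severity: adv.severity, advisory: adv.url,
                      title: adv.title, fixAvailable: Boolean(vuln.fixAvailable) });
    }
  }
  return findings.sort((a, b) => RANK[b.severity] - RANK[a.severity]);
}

// A waiver is a reviewed, time-boxed exception; once it expires the gate fails again.
const waivers = [{ advisory: 'https://advisories.example/ADV-0003', expires: '2025-12-31' }];
const openFindings = evaluateAudit(SAMPLE_REPORT, { waivers, now: new Date('2025-06-01') });
console.log(openFindings.map((f) => `${f.severity} ${f.pkg} ${f.advisory}`));
```

In CI, load `audit-report.json` with `JSON.parse` and exit non-zero when the returned array is not empty.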

.NET Security

# Check for vulnerable packages
dotnet list package --vulnerable

# Update to secure versions (needs the dotnet-outdated tool:
# dotnet tool install --global dotnet-outdated-tool)
dotnet outdated --upgrade

Container Security

Image Scanning

# GitHub Actions with Trivy
# Note: @master follows a moving branch; pin to a release tag or commit SHA.
- name: Run Trivy vulnerability scanner
  uses: aquasecurity/trivy-action@master
  with:
    image-ref: 'myapp:${{ github.sha }}'
    format: 'sarif'
    output: 'trivy-results.sarif'
    severity: 'CRITICAL,HIGH'
    exit-code: '1'

- name: Upload Trivy scan results
  # Run even when the scan step fails, otherwise findings are never uploaded
  if: always()
  uses: github/codeql-action/upload-sarif@v2
  with:
    sarif_file: 'trivy-results.sarif'

Secure Dockerfile

# Use specific version, not latest
FROM node:20.11-alpine3.19

# Don't run as root
RUN addgroup -g 1001 appgroup && \
    adduser -u 1001 -G appgroup -D appuser

WORKDIR /app

# Copy with correct ownership
COPY --chown=appuser:appgroup package*.json ./
# --omit=dev replaces the deprecated --only=production
RUN npm ci --omit=dev

COPY --chown=appuser:appgroup . .

USER appuser

# Don't expose unnecessary ports
EXPOSE 3000

# Use exec form
CMD ["node", "server.js"]

Container Runtime Security

# Kubernetes Pod Security Context
spec:
  securityContext:
    runAsNonRoot: true
    runAsUser: 1001
    fsGroup: 1001
    seccompProfile:
      type: RuntimeDefault
  containers:
    - name: app
      securityContext:
        allowPrivilegeEscalation: false
        readOnlyRootFilesystem: true
        capabilities:
          drop:
            - ALL

Secrets Management

HashiCorp Vault

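# Store secret (inline values end up in shell history; in real use read the
# value from stdin with password=- or from a file with password=@file)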
vault kv put secret/myapp/database \
    username="dbuser" \
    password="supersecret"

# Read secret
vault kv get secret/myapp/database

# Dynamic database credentials
vault read database/creds/myapp-role

Kubernetes Secrets

# External Secrets Operator
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: app-secrets
spec:
  refreshInterval: 1h
  secretStoreRef:
    name: vault-backend
    kind: ClusterSecretStore
  target:
    name: app-secrets
  data:
    - secretKey: db-password
      remoteRef:
        key: secret/data/myapp/database
        property: password

Sealed Secrets (GitOps)

# Encrypt secret for Git storage
kubeseal --format=yaml < secret.yaml > sealed-secret.yaml

# Only cluster can decrypt
kubectl apply -f sealed-secret.yaml

Network Security

Network Policies

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: api-network-policy
  namespace: production
spec:
  podSelector:
    matchLabels:
      app: api
  policyTypes:
    - Ingress
    - Egress
  ingress:
    # Only allow from frontend pods
    - from:
        - podSelector:
            matchLabels:
              app: frontend
      ports:
        - protocol: TCP
          port: 8080
  egress:
    # Only allow to database
    - to:
        - podSelector:
            matchLabels:
              app: database
      ports:
        - protocol: TCP
          port: 5432
    # Allow DNS (UDP, plus TCP for large or truncated responses)
    - to:
        - namespaceSelector: {}
          podSelector:
            matchLabels:
              k8s-app: kube-dns
      ports:
        - protocol: UDP
          port: 53
        - protocol: TCP
          port: 53

Service Mesh Security (Istio)

# Strict mTLS
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: production
spec:
  mtls:
    mode: STRICT
---
# Authorization Policy
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: api-authz
  namespace: production
spec:
  selector:
    matchLabels:
      app: api
  rules:
    - from:
        - source:
            principals:
              - cluster.local/ns/production/sa/frontend
      to:
        - operation:
            methods: ["GET", "POST"]
            paths: ["/api/*"]

OWASP Top 10 for DevOps

1. Injection Prevention

// Bad
const query = `SELECT * FROM users WHERE id = ${userId}`;

// Good - Parameterized query
const query = 'SELECT * FROM users WHERE id = $1';
const result = await pool.query(query, [userId]);

2. Broken Authentication

# Rate limiting in Kubernetes Ingress
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    nginx.ingress.kubernetes.io/limit-rps: "10"
    nginx.ingress.kubernetes.io/limit-connections: "5"

3. Sensitive Data Exposure

# Encrypt secrets at rest in Kubernetes
apiVersion: apiserver.config.k8s.io/v1
kind: EncryptionConfiguration
resources:
  - resources:
      - secrets
    providers:
      - aescbc:
          keys:
            - name: key1
              secret: <base64-encoded-key>
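      # identity last: secrets stored before encryption was enabled stay
      # readable; new writes use the first provider (aescbc)
      - identity: {}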

Compliance and Auditing

Policy as Code (OPA/Gatekeeper)

# Require resource limits
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequiredResources
metadata:
  name: require-resource-limits
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
  parameters:
    limits:
      - cpu
      - memory
    requests:
      - cpu
      - memory

Audit Logging

# Kubernetes Audit Policy
apiVersion: audit.k8s.io/v1
kind: Policy
rules:
  # Log all requests to secrets
  - level: Metadata
    resources:
      - group: ""
        resources: ["secrets"]

  # Log request/response for sensitive operations
  - level: RequestResponse
    resources:
      - group: ""
        resources: ["pods/exec", "pods/portforward"]

Security Scanning Pipeline

# Complete security pipeline
name: Security Pipeline

on: [push, pull_request]

jobs:
  secrets-scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0
      - uses: gitleaks/gitleaks-action@v2
        env:
          # Used by the action to read pull request commits
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

  sast:
    runs-on: ubuntu-latest
    permissions:
      security-events: write  # upload CodeQL results
      contents: read
      actions: read
    steps:
      - uses: actions/checkout@v4
      - uses: github/codeql-action/init@v2
      - uses: github/codeql-action/analyze@v2

  dependency-scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: npm ci
      - run: npm audit --audit-level=high

  container-scan:
    runs-on: ubuntu-latest
    needs: [sast, dependency-scan]
    steps:
      - uses: actions/checkout@v4
      - name: Build image
        run: docker build -t myapp:${{ github.sha }} .
      - uses: aquasecurity/trivy-action@master
        with:
          image-ref: 'myapp:${{ github.sha }}'
          exit-code: '1'
          severity: 'CRITICAL,HIGH'

  iac-scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Checkov scan
        uses: bridgecrewio/checkov-action@master
        with:
          directory: terraform/
          framework: terraform

Interview Questions

1. What is "Shift Left" security?

Moving security practices earlier in the SDLC:

  • Security requirements during planning
  • SAST during development
  • Dependency scanning in CI
  • Container scanning before deployment
  • Automated security gates in pipeline

2. How do you handle secrets in CI/CD?

  1. Never commit secrets to code
  2. Use CI/CD secret management (GitHub Secrets, Azure Key Vault)
  3. OIDC authentication instead of long-lived credentials
  4. Rotate secrets regularly
  5. Least privilege access
  6. Audit secret access

3. Explain container security layers

  1. Base Image: Minimal, trusted, scanned
  2. Build Process: Multi-stage, no secrets in layers
  3. Runtime: Non-root, read-only filesystem, no capabilities
  4. Network: Network policies, mTLS
  5. Orchestration: Pod security standards, RBAC

4. What is Policy as Code?

  • Define security/compliance rules as code
  • Automated enforcement in CI/CD and runtime
  • Version controlled, auditable
  • Tools: OPA, Kyverno, Checkov
  • Examples: Require resource limits, block privileged containers
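
The two example rules in the last answer, together with the pod security context settings shown earlier on this page, written as an admission-style check. This is an added example, not code from the original page: real enforcement would use OPA/Gatekeeper or Kyverno as listed above, and `checkPod` and both sample manifests are constructed for illustration.

```javascript
// Added example. Field names are those of the Kubernetes Pod spec;
// GOOD_POD and BAD_POD are constructed sample manifests.
function checkPod(pod) {
  const violations = [];
  const spec = pod.spec || {};
  const podCtx = spec.securityContext || {};
  const containers = [...(spec.initContainers || []), ...(spec.containers || [])];
  if (containers.length === 0) violations.push('pod: no containers');
  for (const c of containers) {
    const ctx = c.securityContext || {};
    const fail = (msg) => violations.push(`${c.name}: ${msg}`);
    if (ctx.privileged === true) fail('privileged container');
    // An unset allowPrivilegeEscalation permits escalation, so require explicit false.
    if (ctx.allowPrivilegeEscalation !== false) fail('allowPrivilegeEscalation must be false');
    // Container-level settings override pod-level ones.
    if ((ctx.runAsNonRoot ?? podCtx.runAsNonRoot) !== true) fail('runAsNonRoot must be true');
    if ((ctx.runAsUser ?? podCtx.runAsUser) === 0) fail('runAsUser must not be 0');
    if (ctx.readOnlyRootFilesystem !== true) fail('readOnlyRootFilesystem must be true');
    const drop = (ctx.capabilities && ctx.capabilities.drop) || [];
    if (!drop.includes('ALL')) fail('capabilities.drop must include ALL');
    for (const kind of ['limits', 'requests']) {
      for (const res of ['cpu', 'memory']) {
        if (!(c.resources && c.resources[kind] && c.resources[kind][res])) {
          fail(`resources.${kind}.${res} missing`);
        }
      }
    }
  }
  return violations; // empty array: admit the Pod
}

const GOOD_POD = { spec: {
  securityContext: { runAsNonRoot: true, runAsUser: 1001 },
  containers: [{ name: 'app',
    securityContext: { allowPrivilegeEscalation: false, readOnlyRootFilesystem: true,
                       capabilities: { drop: ['ALL'] } },
    resources: { limits: { cpu: '500m', memory: '256Mi' },
                 requests: { cpu: '100m', memory: '128Mi' } } }] } };

const BAD_POD = { spec: { containers: [
  { name: 'debug', securityContext: { privileged: true },
    resources: { limits: { memory: '256Mi' } } }] } };

console.log(checkPod(GOOD_POD)); // no violations
console.log(checkPod(BAD_POD));  // one line per failed rule
```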