DevSecOps: Shift Left Security

devops security

Finding a vulnerability in production costs 100x more than finding it in development. DevSecOps—integrating security into the DevOps pipeline—shifts security left.

What is “Shift Left”?

Traditional security:

Code → Build → Test → Deploy → Security Test → Production

                              (Too late, too expensive)

Shift left:

Code → Security Scan → Build → Security Test → Deploy → Production
  ↑                      ↑                        ↑
(Early detection)  (Continuous)              (Defense in depth)

Find issues early. Fix them cheaply.

The DevSecOps Pipeline

Stage 1: Pre-Commit

IDE Integration:

// VS Code settings
{
    "editor.formatOnSave": true,
    "python.linting.banditEnabled": true,
    "eslint.enable": true
}

Pre-commit Hooks:

# .pre-commit-config.yaml
repos:
  - repo: https://github.com/PyCQA/bandit
    rev: 1.7.0
    hooks:
      - id: bandit
        args: [-r, src/]

  - repo: https://github.com/gitleaks/gitleaks
    rev: v8.0.0
    hooks:
      - id: gitleaks
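To show what a hook like gitleaks or trufflehog is doing when it rejects a commit, here is a small secret detector written for this post (added example, not code from the page or from either project). It scans the text of a staged diff for documented public credential formats and for high-entropy values assigned to secret-looking names; the sample diff, the `PLACEHOLDER_PREFIXES` list and the 3.5-bit threshold are assumptions chosen for illustration.

```python
"""Toy secret detector for a pre-commit hook (added example; not gitleaks or
trufflehog code).  It scans the text of a staged diff for documented credential
formats and for high-entropy values assigned to secret-looking names, and
returns findings that a hook can fail the commit on."""
import math
import re
from collections import Counter

# Documented public key formats; the sample values further down are constructed.
KNOWN_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}

# Assignments such as  secret = "..."  or  api_key: '...'  with a value of 12+ chars.
ASSIGNMENT = re.compile(
    r"(?i)(password|passwd|secret|token|api[_-]?key)\s*[=:]\s*['\"]([^'\"]{12,})['\"]"
)

# Values that look like templating rather than literals (assumed convention).
PLACEHOLDER_PREFIXES = ("${", "{{", "<")


def shannon_entropy(value: str) -> float:
    """Bits per character: English words score around 3, random hex near 4."""
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in Counter(value).values())


def scan_text(text: str, entropy_threshold: float = 3.5) -> list:
    """Return one finding dict per suspicious line.  Lines starting with '-'
    are removed lines in a diff and are not about to be committed, so skip them."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if line.startswith("-"):
            continue
        for rule, pattern in KNOWN_PATTERNS.items():
            if pattern.search(line):
                findings.append({"line": lineno, "rule": rule})
        match = ASSIGNMENT.search(line)
        if match:
            value = match.group(2)
            if value.startswith(PLACEHOLDER_PREFIXES):
                continue
            entropy = shannon_entropy(value)
            if entropy >= entropy_threshold:
                findings.append({"line": lineno, "rule": "high_entropy_assignment",
                                 "entropy": round(entropy, 2)})
    return findings


def hook_exit_code(diff_text: str) -> int:
    """Pre-commit convention: a non-zero exit blocks the commit."""
    findings = scan_text(diff_text)
    for f in findings:
        print(f"line {f['line']}: {f['rule']}")
    return 1 if findings else 0


# Constructed sample diff.  No real credentials: AKIAIOSFODNN7EXAMPLE is the
# example key from AWS's own documentation, the hex string is made up.
SAMPLE_DIFF = """\
+AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
+db_password = "${DB_PASSWORD}"
+admin_password = "changeme-changeme"
+secret = "c9f3b1e7a2d84f60b5e1a7c3d2f4e6a8"
-old_token = "c9f3b1e7a2d84f60b5e1a7c3d2f4e6a8"
"""

if __name__ == "__main__":
    raise SystemExit(hook_exit_code(SAMPLE_DIFF))
```

In a real hook the input would be the output of `git diff --cached`; the two checks are deliberately independent, because the pattern list catches well-known formats with no false positives and the entropy check catches the long tail at the cost of needing a placeholder allow-list. The templated `${DB_PASSWORD}` and the low-entropy `changeme-changeme` are let through; the AWS key format and the random-looking hex value are not.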

Stage 2: Commit/PR

Static Analysis (SAST):

# GitHub Actions
- name: Run Semgrep
  uses: returntocorp/semgrep-action@v1
  with:
    config: p/python

- name: Run Snyk Code
  uses: snyk/actions/python@master
  env:
    SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}

Secret Scanning:

- name: Detect Secrets
  uses: trufflesecurity/trufflehog@main
  with:
    path: ./
    base: main

Stage 3: Build

Dependency Scanning:

- name: Check Dependencies
  run: |
    pip-audit --requirement requirements.txt
    npm audit --audit-level high

Container Scanning:

- name: Scan Container
  uses: aquasecurity/trivy-action@master
  with:
    image-ref: 'myapp:${{ github.sha }}'
    severity: 'CRITICAL,HIGH'

Stage 4: Test

Dynamic Analysis (DAST):

- name: OWASP ZAP Scan
  uses: zaproxy/action-full-scan@v0.4.0
  with:
    target: 'https://staging.example.com'

Infrastructure Scanning:

- name: Scan Terraform
  uses: aquasecurity/tfsec-action@v1.0.0

Stage 5: Deploy

Admission Control:

# Kubernetes admission policy
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sDisallowedTags
metadata:
  name: no-latest-tag
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
  parameters:
    tags: ["latest"]
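The constraint above delegates the actual image check to Gatekeeper's K8sDisallowedTags template. The following is an added example written for this post (not Gatekeeper code or its Rego) that applies the same rule to a manifest locally, so it can run in CI before the cluster ever sees the object. It goes a little beyond the constraint shown: an image with no tag at all is flagged too, because the runtime resolves it to `:latest`, and digest pinning can optionally be required. The sample manifest and the sha256 value in it are constructed.

```python
"""Local manifest check mirroring the K8sDisallowedTags constraint (added
example; not Gatekeeper code).  Flags disallowed tags, missing tags (implicit
:latest) and, optionally, images that are not pinned by digest."""
from typing import List, Optional, Tuple


def parse_image(ref: str) -> Tuple[str, Optional[str], Optional[str]]:
    """Split an image reference into (repository, tag, digest).

    Registries with ports are handled: the tag is only the ':' suffix of the
    last path segment, so 'registry:5000/app' has no tag."""
    digest = None
    if "@" in ref:
        ref, digest = ref.split("@", 1)
    path, _, last = ref.rpartition("/")
    if ":" in last:
        last, tag = last.split(":", 1)
    else:
        tag = None
    repo = f"{path}/{last}" if path else last
    return repo, tag, digest


def pod_spec(manifest: dict) -> dict:
    """Pods carry the spec directly; Deployments, StatefulSets, DaemonSets and
    Jobs wrap it in spec.template."""
    spec = manifest.get("spec", {})
    if manifest.get("kind") == "Pod":
        return spec
    return spec.get("template", {}).get("spec", {})


def check_images(manifest: dict, disallowed=("latest",),
                 require_digest: bool = False) -> List[str]:
    """Return one violation string per offending container; empty means admit."""
    spec = pod_spec(manifest)
    violations = []
    for c in spec.get("initContainers", []) + spec.get("containers", []):
        repo, tag, digest = parse_image(c["image"])
        if require_digest and digest is None:
            violations.append(f"{c['name']}: {repo} is not pinned by digest")
        if digest is not None:
            continue  # a digest identifies the image regardless of any tag
        if tag is None:
            violations.append(f"{c['name']}: {repo} has no tag (implicit :latest)")
        elif tag in disallowed:
            violations.append(f"{c['name']}: tag '{tag}' is disallowed")
    return violations


# Constructed sample manifest; the sha256 value is a placeholder, not a real digest.
SAMPLE_POD = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "demo"},
    "spec": {
        "initContainers": [
            {"name": "init", "image": "busybox@sha256:" + "0" * 64},
        ],
        "containers": [
            {"name": "web", "image": "nginx:latest"},
            {"name": "app", "image": "registry.example.com:5000/team/app:1.4.2"},
            {"name": "sidecar", "image": "registry.example.com:5000/team/logger"},
        ],
    },
}

if __name__ == "__main__":
    for v in check_images(SAMPLE_POD):
        print("DENY", v)
```

Running it on the sample denies `web` for the explicit `latest` tag and `sidecar` for having no tag; `app` passes, and `init` passes because a digest pins the content regardless of tag. Keeping the parser separate from the policy is what lets the same check cover the `match.kinds` list in the constraint, since workload kinds only differ in where the pod spec sits.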

Stage 6: Runtime

Runtime Protection:

Essential Tools

Static Analysis (SAST)

Language         Tools
Python           Bandit, Semgrep, Snyk
JavaScript       ESLint, npm audit, Snyk
Go               gosec, staticcheck
Java             SpotBugs, Checkmarx
Multi-language   SonarQube, Veracode

Dependency Scanning

# Python
pip-audit
safety check

# JavaScript
npm audit
yarn audit

# Universal
snyk test

Container Security

# Scan images
trivy image myapp:latest

# Scan Dockerfile
hadolint Dockerfile

# Scan running containers
falco

Infrastructure as Code

# Terraform
tfsec .
checkov -d .

# Kubernetes
kubesec scan deployment.yaml
kube-bench

Implementing DevSecOps

Phase 1: Foundation

  1. Inventory: Know your dependencies, containers, infrastructure
  2. CI/CD pipeline: Automated builds and deployments
  3. Version control: Everything as code

Phase 2: Integration

  1. Add scanning: Start with one tool per category
  2. Gate deployments: Block on critical vulnerabilities
  3. Train developers: Security awareness

Phase 3: Automation

  1. Auto-fix: Dependabot, Renovate for dependency updates
  2. Policy as code: OPA, Gatekeeper for enforcement
  3. Self-service: Security tools accessible to developers

Phase 4: Culture

  1. Security champions: Developers leading security in teams
  2. Blameless postmortems: Learn from incidents
  3. Continuous improvement: Regular security reviews

Common Pitfalls

Too Many Alerts

Start with critical/high severity only:

# Don't do this
- run: trivy image --severity CRITICAL,HIGH,MEDIUM,LOW myapp:${{ github.sha }}

# Do this
- run: trivy image --severity CRITICAL,HIGH myapp:${{ github.sha }}

Add more over time as you reduce backlog.

Blocking Everything

Start in report mode, then enforce:

# Week 1-2: Warn
- run: snyk test --severity-threshold=critical || true

# Week 3+: Block
- run: snyk test --severity-threshold=high
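Both pitfalls above come down to one decision: which findings block the pipeline, and whether blocking is switched on yet. The script below is an added example for this post (not Trivy's or Snyk's code) that makes that decision in one place. It reads a report in the JSON layout Trivy emits (top-level `Results`, each with a `Vulnerabilities` list carrying `Severity` and `FixedVersion`), counts findings by severity and returns the exit code. The `GATE_THRESHOLD` and `GATE_ENFORCE` environment variables are assumptions of this example, and the sample report and its CVE ids are constructed placeholders. A separate warn switch is used instead of `|| true`, because `|| true` also hides the scanner itself crashing or failing to pull the image, which a report-only phase should still surface.

```python
"""Severity gate for scanner output (added example; not Trivy's or Snyk's code).
Reads a report in Trivy's JSON layout, counts findings by severity and decides
the pipeline's exit code.  Warn mode reports everything but exits 0; it does
not swallow errors the way '|| true' does."""
import json
import os
import sys
from collections import Counter
from typing import Dict, List, Tuple

SEVERITY_ORDER = ["UNKNOWN", "LOW", "MEDIUM", "HIGH", "CRITICAL"]


def load_findings(report: dict) -> List[dict]:
    """Flatten Results[].Vulnerabilities[] into one record per finding."""
    findings = []
    for result in report.get("Results", []):
        for v in result.get("Vulnerabilities") or []:
            findings.append({
                "id": v.get("VulnerabilityID"),
                "pkg": v.get("PkgName"),
                "severity": v.get("Severity", "UNKNOWN").upper(),
                "fixed": bool(v.get("FixedVersion")),
                "target": result.get("Target"),
            })
    return findings


def gate(report: dict, threshold: str = "HIGH", enforce: bool = True,
         ignore_unfixed: bool = False) -> Tuple[int, Dict[str, int], List[dict]]:
    """Return (exit_code, counts_by_severity, blocking_findings).

    threshold:      lowest severity that blocks; everything at or above it counts.
    enforce:        False means report only (exit 0 even with blocking findings).
    ignore_unfixed: skip findings with no fixed version, as Trivy's --ignore-unfixed does,
                    since they cannot be cleared by a dependency bump."""
    findings = load_findings(report)
    counts = Counter(f["severity"] for f in findings)
    min_rank = SEVERITY_ORDER.index(threshold.upper())
    blocking = [
        f for f in findings
        if SEVERITY_ORDER.index(f["severity"]) >= min_rank
        and not (ignore_unfixed and not f["fixed"])
    ]
    exit_code = 1 if (enforce and blocking) else 0
    return exit_code, dict(counts), blocking


# Constructed report in Trivy's JSON layout; the CVE ids are placeholders.
SAMPLE_REPORT = {
    "Results": [
        {"Target": "myapp:demo (alpine)", "Vulnerabilities": [
            {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libssl", "Severity": "CRITICAL",
             "InstalledVersion": "1.0", "FixedVersion": ""},
            {"VulnerabilityID": "CVE-0000-0002", "PkgName": "zlib", "Severity": "HIGH",
             "InstalledVersion": "1.2", "FixedVersion": "1.3"},
            {"VulnerabilityID": "CVE-0000-0003", "PkgName": "curl", "Severity": "MEDIUM",
             "InstalledVersion": "7.0", "FixedVersion": "7.1"},
            {"VulnerabilityID": "CVE-0000-0004", "PkgName": "busybox", "Severity": "LOW",
             "InstalledVersion": "1.3", "FixedVersion": ""},
        ]},
    ]
}

if __name__ == "__main__":
    # Pipe `trivy image --format json ...` in, or run with no input for the sample.
    report = json.load(sys.stdin) if not sys.stdin.isatty() else SAMPLE_REPORT
    code, counts, blocking = gate(
        report,
        threshold=os.environ.get("GATE_THRESHOLD", "HIGH"),
        enforce=os.environ.get("GATE_ENFORCE", "true").lower() == "true",
    )
    print("counts:", counts)
    for f in blocking:
        print(f"{f['severity']:8} {f['id']} {f['pkg']} ({f['target']})")
    sys.exit(code)
```

The week 1-2 configuration from the text becomes `GATE_ENFORCE=false` with the threshold already set to where it will end up; switching to enforcement then changes one variable rather than the command line, and the counts by severity give the backlog number to watch while widening the threshold later.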

Ignoring Developers

Security tools should:

Metrics

Track progress:

Final Thoughts

DevSecOps isn’t about tools—it’s about integrating security into how you build software. The goal is making secure development the path of least resistance.

Start small. Add one security check to your pipeline. Fix what it finds. Iterate.


Security is everyone’s job. Make it easy.
