DevSecOps Glossary

DevSecOps - Security in the Software Development Process from the Start

DevSecOps integrates security into the DevOps cycle from the first line of code through to deployment. Core principle: Shift Left Security. Key toolchain: SAST (Semgrep, SonarQube), DAST (OWASP ZAP), SCA (Snyk, Trivy), secrets detection (GitLeaks, TruffleHog), IaC scanning (Checkov, tfsec), and security gates in CI/CD pipelines. NIS2 and ISO 27001 explicitly require security in the SDLC.

DevSecOps is not a new role—it is a culture that embeds security as a shared responsibility for everyone involved in the development process. The traditional approach—treating security as an audit conducted just before launch—creates technical debt, costly rework, and blind spots.

Shift Left: Why Earlier Is Cheaper

The later security vulnerabilities are found, the more expensive it becomes to fix them:

Phase          Discovery cost (relative)
Requirements   x1    – Changing the concept is free
Design         x5    – Adapting the architecture
Coding         x10   – Rewriting the code
Testing        x25   – Repeating the QA cycle
Production     x100+ – Incident response, GDPR fines!

Shift-Left Measures by Phase

Requirements Phase:

  • Threat Modeling: What threats does this feature pose?
  • STRIDE: Spoofing, Tampering, Repudiation, Information Disclosure, DoS, Elevation of Privilege

Coding Phase:

  • Pre-commit Hooks: Secrets scanner, SAST (local)
  • Secure Coding Guidelines (OWASP Top 10)
  • Security-focused code reviews

CI/CD Pipeline:

  • Automated security gates (SAST, DAST, SCA, IaC)
  • "Fail Fast": Build aborts upon critical findings
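One way to implement the "fail fast" gate, as an added example that is not part of any of the tools on this page: a small Python script that reads a SARIF report (the interchange format Semgrep, CodeQL, tfsec and Trivy can all emit) and exits non-zero when any finding is at or above a threshold level. The rule ids and the embedded SARIF document are constructed for the example.

```python
"""Fail-fast gate over a SARIF report; added example, not any scanner's own code."""
import json
import sys

# SARIF 2.1.0 result levels on an ordinal scale. Semgrep, CodeQL, tfsec and
# Trivy can all emit SARIF, so one gate serves several scanners.
LEVEL_RANK = {"none": 0, "note": 1, "warning": 2, "error": 3}

def finding_level(run, result):
    """Level of a result, falling back to its rule's defaultConfiguration."""
    if "level" in result:
        return result["level"]
    rules = run.get("tool", {}).get("driver", {}).get("rules", [])
    idx = result.get("ruleIndex")
    if idx is not None and idx < len(rules):
        return rules[idx].get("defaultConfiguration", {}).get("level", "warning")
    return "warning"                        # SARIF default when nothing is set

def gate(sarif, threshold="error"):
    """Return (blocking findings as (ruleId, level, file, line), total count)."""
    blocking, total = [], 0
    for run in sarif.get("runs", []):
        for result in run.get("results", []):
            total += 1
            level = finding_level(run, result)
            if LEVEL_RANK.get(level, 0) >= LEVEL_RANK[threshold]:
                loc = result.get("locations", [{}])[0].get("physicalLocation", {})
                blocking.append((result.get("ruleId"), level,
                                 loc.get("artifactLocation", {}).get("uri"),
                                 loc.get("region", {}).get("startLine")))
    return blocking, total

# Constructed sample: one finding inherits "error" from its rule, the other is an
# explicit "warning" (hypothetical rule ids, not real Semgrep rules).
SAMPLE = {"version": "2.1.0", "runs": [{
    "tool": {"driver": {"name": "semgrep", "rules": [
        {"id": "sqli", "defaultConfiguration": {"level": "error"}},
        {"id": "weak-hash", "defaultConfiguration": {"level": "warning"}}]}},
    "results": [
        {"ruleId": "sqli", "ruleIndex": 0, "locations": [{"physicalLocation": {
            "artifactLocation": {"uri": "app/db.py"}, "region": {"startLine": 42}}}]},
        {"ruleId": "weak-hash", "ruleIndex": 1, "level": "warning"}]}]}

if __name__ == "__main__":
    doc = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE
    blocking, total = gate(doc)
    for rule, level, uri, line in blocking:
        print(f"BLOCKING {level}: {rule} at {uri}:{line}")
    sys.exit(1 if blocking else 0)          # non-zero exit aborts the build
```

Run it as the last step of the job with the scanner's SARIF file as argument; the threshold can be lowered to "warning" once the backlog of high-severity findings is cleared.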

SAST: Static Application Security Testing

Source code is analyzed without execution.

Semgrep (free + very effective)

# .github/workflows/semgrep.yml:
name: Semgrep
on: [push, pull_request]
jobs:
  semgrep-scan:
    runs-on: ubuntu-latest
    container:
      image: semgrep/semgrep   # official image with the semgrep CLI preinstalled
    steps:
      - uses: actions/checkout@v4
      - run: semgrep --config "p/owasp-top-ten" --config "p/secrets" --error .
# --error: exit non-zero on findings, so the job fails the pipeline
# p/owasp-top-ten:  SQL injection, XSS, SSRF, path traversal
# p/secrets:        API keys, tokens in code

SonarQube (SAST + Code Quality)

# Community Edition = free (self-hosted)
- name: SonarQube Scan
  uses: sonarsource/sonarqube-scan-action@master
  env:
    SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
    SONAR_HOST_URL: ${{ secrets.SONAR_HOST_URL }}   # URL of the self-hosted server

CodeQL (GitHub Advanced Security)

# .github/workflows/codeql.yml (the job needs permissions: security-events: write):
- uses: actions/checkout@v4
- uses: github/codeql-action/init@v3
  with:
    languages: javascript, python, java
- uses: github/codeql-action/autobuild@v3   # compiled languages (Java) must be built before analysis
- uses: github/codeql-action/analyze@v3
# Results available for free in the GitHub Security tab!

DAST: Dynamic Application Security Testing

OWASP ZAP (free)

# Full Scan (ghcr.io/zaproxy/zaproxy replaces the old owasp/zap2docker-stable image;
# the working directory is mounted so the report ends up outside the container):
docker run -t -v "$(pwd)":/zap/wrk/:rw ghcr.io/zaproxy/zaproxy:stable zap-full-scan.py \
  -t https://staging.app.example.com \
  -r zap-report.html

# API Scan:
docker run -t -v "$(pwd)":/zap/wrk/:rw ghcr.io/zaproxy/zaproxy:stable zap-api-scan.py \
  -t https://api.example.com/openapi.json \
  -f openapi

Nuclei

nuclei -u https://staging.app.example.com \
  -severity critical,high \
  -exit-code 1

DAST Limitations:

  • Only for running applications
  • Use a staging environment (never production!)
  • Authenticated scans: more complex to configure

SCA: Software Composition Analysis

Snyk

# GitHub Action:
- name: Snyk Security Scan
  uses: snyk/actions/node@master
  env:
    SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
  with:
    args: --severity-threshold=high

Trivy (Container + Filesystem + SBOM)

# Filesystem scan (fails the build on CRITICAL/HIGH):
trivy fs --exit-code 1 --severity CRITICAL,HIGH .

# Generate SBOM (CycloneDX) for the project directory:
trivy fs --format cyclonedx -o sbom.json .
# ("trivy sbom" scans an existing SBOM file; it does not produce one)

GitHub Dependabot

# .github/dependabot.yml:
version: 2
updates:
  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      interval: "weekly"
# Automatically creates PRs for security updates!

Secrets Detection

GitLeaks (Pre-commit + CI)

# .github/workflows/gitleaks.yml:
- name: Detect secrets
  uses: gitleaks/gitleaks-action@v2
  env:
    GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}   # required by the action

# .pre-commit-config.yaml:
repos:
  - repo: https://github.com/gitleaks/gitleaks
    rev: vX.Y.Z   # placeholder: pre-commit requires a pinned release tag
    hooks:
      - id: gitleaks

TruffleHog (reports only secrets it could verify against the issuing service)

trufflehog git https://github.com/company/repo.git \
  --only-verified --json > secrets-found.json

Commonly Found Secrets:

  • AWS Access Keys
  • Stripe/PayPal API Keys
  • Database connection strings
  • Private SSH keys
  • JWT signing secrets
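As an added example (not GitLeaks or TruffleHog code), a minimal pre-commit check in Python covering the secret types just listed: fixed-format signatures for AWS access keys, private keys and connection strings, plus a Shannon-entropy check for API keys and signing secrets that have no fixed format. It assumes staged changes are read with `git diff --cached` and falls back to an embedded constructed sample outside a repository.

```python
"""Pre-commit secrets check; added example, not GitLeaks or TruffleHog code."""
import math
import re
import subprocess
import sys

PATTERNS = {
    "aws-access-key-id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private-key": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "db-connection-string": re.compile(r"\b(?:postgres(?:ql)?|mysql|mongodb)://[^:\s]+:[^@\s]+@"),
}
# Catch-all for API keys / signing secrets without a fixed format: a
# secret-looking variable assigned a long opaque value.
ASSIGNMENT = re.compile(
    r"""(?i)(?:secret|token|password|api[_-]?key)\s*[:=]\s*['"]([^'"\s]{20,})['"]""")

def shannon_entropy(s):
    """Bits per character; random keys sit around 4-5, words well below 3.5."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in (s.count(ch) for ch in set(s)))

def scan_text(text, entropy_threshold=3.5):
    """Return [(line_no, finding_type)] for every line that looks like a leak."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        for name, pat in PATTERNS.items():
            if pat.search(line):
                findings.append((no, name))
        m = ASSIGNMENT.search(line)
        if m and shannon_entropy(m.group(1)) >= entropy_threshold:
            findings.append((no, "high-entropy-assignment"))
    return findings

# Constructed sample of staged content: three leaks, one harmless placeholder
# (the AWS key id is the one from the AWS documentation, not a live credential).
SAMPLE = """\
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
DATABASE_URL = "postgres://app:hunter2@db.internal:5432/app"
JWT_SECRET = "c3f9A8xQ2mZ7bK1vL0pR5tY4wE6nU8oJ"
api_key = "placeholder_placeholder_placeholder"
"""

if __name__ == "__main__":
    # Pre-commit mode: look only at staged changes, before they reach history.
    staged = subprocess.run(["git", "diff", "--cached", "-U0"],
                            capture_output=True, text=True).stdout
    hits = scan_text(staged or SAMPLE)      # sample is used outside a repo
    for no, kind in hits:
        print(f"possible secret ({kind}) on line {no}")
    sys.exit(1 if hits else 0)              # non-zero blocks the commit
```

The placeholder on the last sample line has entropy around 3.2 bits per character and is not reported, while the random-looking JWT secret is; tune the threshold against real false positives in your code base.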

Secret management best practices:

  • Production secrets: Vault (HashiCorp) or Cloud KMS
  • CI/CD: GitHub Secrets, GitLab CI variables
  • Local: NEVER commit .env files to Git

IaC scanning

Checkov

- name: Checkov IaC Scan
  uses: bridgecrewio/checkov-action@master
  with:
    directory: infrastructure/
    framework: terraform

# Typical Findings:
# CKV_AWS_20: S3 bucket without encryption
# CKV_AWS_18: S3 access logging disabled
# CKV_AZURE_13: Subnet without NSG

tfsec (Terraform)

tfsec . --format sarif --out tfsec.sarif
# SARIF importable into GitHub Security Tab

OPA/Rego (Policy as Code)

# No privileged containers allowed:
package kubernetes.admission
deny[msg] {
  input.request.kind.kind == "Pod"
  container := input.request.object.spec.containers[_]
  container.securityContext.privileged == true
  msg := "Privileged container not allowed!"
}

DevSecOps Maturity Model

Level 1 (Months 1–2)

  • Secrets detection (GitLeaks Pre-commit)
  • SCA (Dependabot or Snyk free)
  • Automatic dependency updates

Level 2 (Months 3–4)

  • SAST in CI/CD (Semgrep)
  • OWASP ZAP against staging
  • Track findings in the ticket system

Level 3 (Months 5–6)

  • IaC scanning (Checkov/tfsec)
  • Container images (Trivy)
  • SBOM for all releases

Level 4 (Months 7–12)

  • Threat modeling for new features
  • DAST with authentication
  • Security KPIs: MTTR for vulnerabilities

Compliance Mapping

Framework   Requirement
ISO 27001   A.8.25 (Secure Development), A.8.26 (Application Security)
NIS2        Art. 21 (Supply Chain Security)
GDPR        Art. 25 (Privacy by Design and by Default)