DevSecOps Best Practices: How to Ship Secure Software Fast

Before writing code, ask: What are we building? What data does it handle? Who might want to attack it? How?

Threat modeling frameworks like STRIDE (Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Elevation of Privilege) or PASTA provide structured approaches to identifying potential attack vectors during architecture and design.

A 60-minute threat modeling session during sprint planning can prevent weeks of remediation later. Document the results. Revisit them when the architecture changes.

Establish and enforce secure coding standards before development begins. OWASP’s Secure Coding Practices provide a language-agnostic foundation. Layer in language-specific guidelines: CERT for C/C++, OWASP for Java and .NET, ESLint security plugins for JavaScript/TypeScript.

Standards must be actionable and integrated into the developer’s workflow, not buried in a PDF nobody reads.

Every user story with security implications should have explicit security acceptance criteria. “As a user, I can reset my password” should include requirements for rate limiting, token expiration, secure token generation, and notification to the account owner. If security requirements aren’t in the backlog, they don’t exist.

Analyzes source code for security vulnerabilities without executing the application. Catches SQL injection, XSS, buffer overflows, insecure cryptography.

When: Every PR and commit. Tools: SonarQube, Semgrep, Checkmarx, CodeQL.

Key practice: Run incrementally on changed files, not the entire codebase. Full scans nightly/weekly.

Tests running applications by simulating attacks against live endpoints. Finds runtime vulnerabilities SAST can’t detect: authentication flaws, server misconfigurations, injection at execution.

When: Against staging after deployment, before promotion to production. Tools: OWASP ZAP, Burp Suite, Nuclei.

Key practice: Integrate results into the same issue tracker developers already use.

Scans dependencies for known CVEs: open-source libraries, frameworks, container images. Modern applications are commonly 70–90% open-source code by volume – industry audits such as the OSSRA report put the average around 70–80%, making SCA arguably the highest-impact security automation.

When: Every build + scheduled scans for new CVEs. Tools: Snyk, Dependabot, Trivy, Mend.

Key practice: Auto-generate PRs for dependency updates. Block builds on critical/high CVEs.

Scans commits for hardcoded API keys, database credentials, tokens, private keys.

When: Pre-commit hooks (prevents secrets from entering the repo) + CI scans. Tools: GitLeaks, TruffleHog, GitHub Secret Scanning, GitGuardian.

Key practice: Pre-commit hooks first. Preventing is far easier than rotating after the secret reaches 50 contributors.

A complete inventory of every component in your software. When a critical CVE drops (like Log4Shell), an SBOM tells you in minutes whether you’re affected. Without one, you’re grepping through repositories and hoping.

Formats: SPDX (ISO/IEC 5962:2021) and CycloneDX.

Key practice: Auto-generate SBOMs for every build. US Executive Order 14028 and the EU Cyber Resilience Act increasingly require them.

• Pin all dependency versions explicitly (no floating ranges like ^1.2.0)
• Verify package integrity using checksums or lock file hashes
• Use private registries or proxy caches (Artifactory, Nexus)
• Monitor for dependency confusion attacks

• Use minimal base images (distroless, Alpine)
• Scan images for CVEs before pushing to registries (Trivy, Grype, Snyk Container)
• Sign images with Cosign (Sigstore) to verify provenance
• Never run containers as root in production
• Implement admission controllers (OPA Gatekeeper, Kyverno) in Kubernetes

Misconfigured cloud infrastructure is a leading cause of breaches. Open S3 buckets, overly permissive IAM roles, unencrypted databases – all trivially detectable before deployment.

Tools: Checkov, tfsec, KICS. Key practice: Required check on every infra PR. Block merges on high-severity issues.

Every service, container, and function should operate with minimum permissions:

• IAM: avoid wildcard * permissions
• Database: read-only where writes aren’t needed
• Network: deny all, allow explicitly
• Kubernetes RBAC: scoped to namespace and resource type

When deployed infrastructure diverges from IaC-defined state, it creates unmonitored security gaps. Use drift detection (Terraform Cloud, Spacelift, env0) to alert on manual changes.

Store all secrets in a dedicated secrets manager, never in code, environment variables, or config files in version control. The Uber 2022 breach is the textbook example of what happens when this rule is broken.

Tools: HashiCorp Vault, AWS Secrets Manager, Azure Key Vault, Doppler.

Key practice: Secrets injected at runtime, never baked into build artifacts or container images.

Static secrets are a ticking clock. Implement automated rotation:

• Database passwords: 90-day maximum
• API keys/tokens: tied to service identity, not individual developers
• TLS certificates: ACME/Let’s Encrypt for automated renewal
• Cloud access keys: prefer short-lived credentials via IAM roles

Every access to a secret should be logged. When an incident occurs, you need: who accessed what, when, and from where.

One champion per 8–10 developers. Monthly training, direct channel to the security team, recognition and career incentives. Champions don’t replace a security team: they amplify it by embedding awareness where code is written.

When a developer introduces a vulnerability:

• Share anonymized patterns in retrospectives
• Build internal knowledge bases of common issues
• Provide contextual remediation guidance, not just scan results
• Track trends to measure cultural progress

Developers ignore findings that arrive days late, in separate tools, without clear remediation. Fix this:

• Surface findings directly in pull requests
• Provide specific fix suggestions
• Prioritize by severity and exploitability
• Measure and reduce mean time to remediate (MTTR)

Operates inside the application with full context of execution flow, unlike WAFs which filter traffic before it reaches the app.

• Centralize security logs in SIEM or log aggregation
• Alert on anomalous behavior: unusual API patterns, privilege escalation, unexpected geographies
• Correlate security events with deployment events

• Documented, tested runbooks for common incident types
• Automated initial response: isolate services, rotate credentials, notify stakeholders
• Post-incident reviews focused on improving, not blaming

Codify security policies using OPA, Kyverno, or Sentinel. Enforceable at every pipeline stage:

• Pre-commit: block secrets and naming violations
• Build: enforce dependency policies
• Deploy: validate infra against compliance baselines
• Runtime: enforce network policies and access controls

Every security check generates evidence mapped to compliance controls:

• SAST/DAST reports → vulnerability management
• SBOM → asset inventory
• Access logs → access control evidence
• IaC scans → configuration management

Centralize metrics: pipeline security gate coverage, MTTR for critical vulns, SBOM coverage, secret rotation compliance, drift detection alerts.

Start with secret detection, SCA, and IaC scanning. Add SAST/DAST once the team absorbs the initial workflow.

Prioritize ruthlessly. A critical SQL injection in a public API ≠ low-severity info disclosure in an internal admin tool.

If security checks block every deployment for hours, developers route around them. Target under 5 minutes for PR-level checks.

Your code may be secure. Your 847 npm dependencies may not be. SCA and SBOM are not optional.

Track: MTTR, vulnerability escape rate, security debt trends, % deployments passing security gates.