DevOps

DevSecOps

In September 2022, Wintermute (a crypto trading firm) lost roughly $160M after an attacker exploited a weakness in the Profanity vanity-address generator that had produced one of its wallet keys; the weakness had been publicly disclosed before the theft. The pattern is typical of real breaches: the weakness was already known, it just had not been acted on. DevSecOps is not about adding more tools; it is about catching known vulnerabilities before they reach production.

  • **GitHub** scans every push for known secret formats via Secret Scanning with push protection, rejecting the push before the secret lands in history; in 2023 it reported 1.7 million tokens and keys detected and blocked.
  • **Netflix** requires SAST and dependency scanning as a gate for every PR; Semgrep blocked 200+ critical findings before they reached production in 2023.
  • **Shopify** uses OIDC federation for GitHub Actions instead of static AWS credentials, so there is no long-lived CI key to leak. A compromised workflow run can still use the role for the length of its session, so the role's permissions must still be scoped to the job.

Shift-Left Security

Shift-left moves security checks as early as possible in the development cycle. A vulnerability found in production costs an order of magnitude or more than the same one found during development: production requires a hotfix deploy, incident response, customer notification, and possibly regulatory reporting.

The multiplier is a rule of thumb rather than a measured constant, but the cost components are concrete: a SQL injection flagged in the IDE takes minutes to fix. The same bug reported through a bug bounty against production requires a hotfix, an incident review, customer notification, and tens of engineer-hours.

Why does fixing a vulnerability in production cost so much more than fixing it at development time?

SAST (Static Analysis)

SAST (Static Application Security Testing) analyzes source code without executing it. Finds: SQL injection, XSS, insecure deserialization, hardcoded credentials, unsafe use of dangerous APIs. Vulnerable dependency versions are the job of SCA (Software Composition Analysis), which matches the lockfile against advisory databases; in practice both run in CI/CD as a PR gate.

Snyk vs npm audit: both are SCA tools that compare installed dependency versions with published advisories. npm audit is built into npm, reads package-lock.json, and offers `npm audit fix` for upgrades that stay within the declared semver ranges, but it gives no guidance for the rest and has no policy layer. Snyk adds automated fix PRs, license compliance checking, container image scanning, and IaC scanning. Either way the gate needs a policy: which severities fail the build, and how an advisory with no available fix is accepted without disabling the gate.
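The gating logic behind such a PR check, as an added example that is not from the lesson or from npm: it parses the JSON report that npm 7+ emits (auditReportVersion 2), fails the build above a severity threshold, and honours a time-boxed allowlist so an advisory with no fix can be accepted explicitly and revisited later. The package names, advisory numbers and the `audit_gate.py` usage are constructed for the example.

```python
"""Severity gate over `npm audit --json` output (added example, not from the lesson).

Reads the report npm 7+ emits (auditReportVersion 2), applies a severity
threshold, and honours a time-boxed allowlist so an advisory with no fix
available can be accepted explicitly instead of disabling the whole gate.
Assumed usage in CI:  npm audit --json | python3 audit_gate.py
"""
import json
import sys
from datetime import date

SEVERITY_RANK = {"info": 0, "low": 1, "moderate": 2, "high": 3, "critical": 4}

# Constructed sample in the shape of an npm 7+ report. Package names and
# advisory numbers are made up; they are not real advisories.
SAMPLE_REPORT = json.dumps({
    "auditReportVersion": 2,
    "vulnerabilities": {
        "pad-left-ish": {
            "name": "pad-left-ish", "severity": "critical", "isDirect": True,
            "via": [{"source": 1001, "name": "pad-left-ish",
                     "title": "Prototype pollution (constructed)",
                     "url": "https://example.invalid/advisories/1001",
                     "severity": "critical", "range": "<2.0.1"}],
            "effects": [], "range": "<2.0.1", "nodes": ["node_modules/pad-left-ish"],
            "fixAvailable": {"name": "pad-left-ish", "version": "2.0.1", "isSemVerMajor": False},
        },
        "old-yaml": {
            "name": "old-yaml", "severity": "high", "isDirect": False,
            "via": [{"source": 1002, "name": "old-yaml",
                     "title": "ReDoS in parser (constructed)",
                     "url": "https://example.invalid/advisories/1002",
                     "severity": "high", "range": "<4.0.0"}],
            "effects": ["dev-tool"], "range": "<4.0.0", "nodes": ["node_modules/old-yaml"],
            "fixAvailable": False,
        },
        "dev-tool": {
            # Transitive entry: `via` holds the name of the vulnerable dependency,
            # not an advisory, so the advisory is counted once, under old-yaml.
            "name": "dev-tool", "severity": "high", "isDirect": True,
            "via": ["old-yaml"], "effects": [], "range": "*",
            "nodes": ["node_modules/dev-tool"], "fixAvailable": False,
        },
    },
    "metadata": {"vulnerabilities": {"info": 0, "low": 0, "moderate": 0,
                                     "high": 2, "critical": 1, "total": 3}},
})

# Hypothetical allowlist: advisory id -> expiry date. Entries expire so that
# accepted risk is revisited instead of silently becoming permanent.
ALLOWLIST = {1002: date(2025, 12, 31)}


def findings_from_report(report_json):
    """Flatten the report into one record per advisory."""
    report = json.loads(report_json)
    if report.get("auditReportVersion") != 2:
        raise ValueError("expected an npm audit report with auditReportVersion 2")
    findings = []
    for pkg in report["vulnerabilities"].values():
        for via in pkg["via"]:
            if isinstance(via, str):
                continue  # reference to another package; the advisory is listed there
            findings.append({
                "id": via["source"], "package": pkg["name"],
                "severity": via["severity"], "title": via["title"],
                "direct": pkg["isDirect"], "fix": pkg["fixAvailable"],
            })
    return findings


def gate(report_json, threshold="high", allowlist=ALLOWLIST, today=None):
    """Return the findings that should fail the build."""
    today = today or date.today()
    blocking = []
    for f in findings_from_report(report_json):
        if SEVERITY_RANK[f["severity"]] < SEVERITY_RANK[threshold]:
            continue
        expiry = allowlist.get(f["id"])
        if expiry is not None and today <= expiry:
            continue  # explicitly accepted, and the acceptance has not expired
        blocking.append(f)
    return blocking


def describe(finding):
    """One human-readable line per blocking finding, with the remediation path."""
    fix = finding["fix"]
    if isinstance(fix, dict):
        how = f"upgrade to {fix['name']}@{fix['version']}" + (" (major)" if fix["isSemVerMajor"] else "")
    elif fix:
        how = "npm audit fix"
    else:
        how = "no fix available: replace the package or allowlist with an expiry"
    return f"[{finding['severity']}] {finding['package']}: {finding['title']} -> {how}"


if __name__ == "__main__":
    failing = gate(sys.stdin.read())
    for f in failing:
        print(describe(f))
    sys.exit(1 if failing else 0)
```

The allowlist is keyed by advisory id rather than package name, so a new advisory against an already-allowlisted package still fails the build; the expiry date forces the exception to be re-justified rather than forgotten.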

How does Snyk differ from `npm audit`?

DAST (Dynamic Analysis)

DAST (Dynamic Application Security Testing) tests the running application: it sends crafted requests to find SQL injection, XSS, CSRF, broken authentication, and exposed sensitive endpoints. Active scans run against staging, never directly against production: injection payloads create records, trigger side effects such as emails or payments, and can take the service down. Only passive, non-mutating checks (response headers, TLS configuration) are safe to point at production.

Because DAST exercises the deployed application, it catches issues SAST cannot see: runtime configuration errors, permissive CORS, missing security headers, debug endpoints left enabled, and framework defaults that differ between environments. It does not find business logic flaws well; those need manual testing or purpose-written checks.
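The two kinds of runtime check named above, as an added example that is not from the lesson and not OWASP ZAP's or Nuclei's code: a passive check of security headers, and the classic CORS probe in which the scanner sends a foreign Origin and tests whether the server reflects it with credentials allowed. The responses, hostnames and allowed-origin set are constructed for the example.

```python
"""Passive response checks of the kind a DAST scanner runs (added example,
not from the lesson and not OWASP ZAP's code). Parses a raw HTTP response
and reports runtime misconfigurations that static analysis cannot see.
"""

# Origins legitimately allowed to call the API with credentials (hypothetical).
ALLOWED_ORIGINS = {"https://app.example"}


def parse_response(raw):
    """Split a raw HTTP/1.1 response into (status_code, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()  # header names are case-insensitive
    return status, headers, body


def check_response(raw, request_origin, https=True):
    """Return a sorted list of finding identifiers for one response."""
    _, h, _ = parse_response(raw)
    findings = []

    if https and "strict-transport-security" not in h:
        findings.append("missing_strict_transport_security")
    if "content-security-policy" not in h:
        findings.append("missing_content_security_policy")
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("missing_x_content_type_options")

    acao = h.get("access-control-allow-origin")
    creds = h.get("access-control-allow-credentials", "").lower() == "true"
    if acao == "*":
        findings.append("cors_wildcard_origin")
    elif acao and creds and acao == request_origin and request_origin not in ALLOWED_ORIGINS:
        # Reflecting an arbitrary Origin together with credentials lets any
        # site read authenticated responses from inside the victim's browser.
        findings.append("cors_reflects_origin_with_credentials")

    return sorted(findings)


# Constructed responses; the server and origins are fictitious.
PROBE_ORIGIN = "https://evil.example"

WEAK_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: application/json\r\n"
    "Access-Control-Allow-Origin: https://evil.example\r\n"
    "Access-Control-Allow-Credentials: true\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "\r\n"
    '{"balance": 42}'
)

HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: application/json\r\n"
    "Strict-Transport-Security: max-age=63072000; includeSubDomains\r\n"
    "Content-Security-Policy: default-src 'none'; frame-ancestors 'none'\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "Access-Control-Allow-Origin: https://app.example\r\n"
    "Access-Control-Allow-Credentials: true\r\n"
    "Vary: Origin\r\n"
    "\r\n"
    '{"balance": 42}'
)

if __name__ == "__main__":
    print("weak:    ", check_response(WEAK_RESPONSE, PROBE_ORIGIN))
    print("hardened:", check_response(HARDENED_RESPONSE, PROBE_ORIGIN))
```

None of these checks changes server state, which is why this subset can also run against production on a schedule, while the injection payloads stay on staging.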

Why is DAST run against staging and not production?

Secret Management in CI/CD

Secrets in CI/CD: API keys, database passwords, TLS private keys, SSH keys. Never store them in git. Even private repositories expose secrets in commit history, in forks and clones, and to every developer and CI integration with repository access.

OIDC removes the rotation problem: the workflow presents a short-lived identity token issued by the CI provider, the cloud exchanges it for temporary credentials, and those expire within the session duration (an hour by default on AWS). Nothing long-lived is stored anywhere. Static credentials require manual rotation and can stay valid for months or years after a team member leaves.
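What the cloud side actually checks when it accepts that token, as an added example that is not from the lesson and not AWS's own policy evaluator: a small model of the IAM role trust policy for `sts:AssumeRoleWithWebIdentity`, covering only the StringEquals and StringLike operators. It exists to show the most common OIDC misconfiguration, a policy that checks only the `aud` claim and therefore lets a workflow in any GitHub repository assume the role. The account id, repository names and token claims are constructed; real tokens are signed JWTs whose signature is verified against the provider's keys before any of this runs.

```python
"""Model of how an IAM role trust policy decides AssumeRoleWithWebIdentity for a
GitHub Actions OIDC token (added example, not from the lesson and not AWS's
evaluator). Only StringEquals and StringLike are modelled.
"""
from fnmatch import fnmatchcase

ISSUER = "https://token.actions.githubusercontent.com"
ACCOUNT = "123456789012"  # hypothetical account id


def trust_policy(sub_pattern=None):
    """Build the trust policy; sub_pattern=None models the misconfigured aud-only policy."""
    condition = {"StringEquals": {"token.actions.githubusercontent.com:aud": "sts.amazonaws.com"}}
    if sub_pattern is not None:
        condition["StringLike"] = {"token.actions.githubusercontent.com:sub": sub_pattern}
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": f"arn:aws:iam::{ACCOUNT}:oidc-provider/token.actions.githubusercontent.com"},
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": condition,
        }],
    }


# Deploy role for one repository, main branch only (the correct policy).
DEPLOY_POLICY = trust_policy("repo:example-org/example-app:ref:refs/heads/main")
# The misconfiguration: audience checked, subject not.
AUD_ONLY_POLICY = trust_policy()


def _condition_holds(operator, key, expected, claims):
    claim = key.split(":", 1)[1]        # "token.actions.githubusercontent.com:sub" -> "sub"
    actual = claims.get(claim)
    if actual is None:
        return False                    # a missing claim never satisfies a condition
    patterns = expected if isinstance(expected, list) else [expected]
    if operator == "StringEquals":
        return any(actual == p for p in patterns)
    if operator == "StringLike":
        # IAM wildcards are * and ?; fnmatch also understands [...], a
        # difference that does not matter for these patterns.
        return any(fnmatchcase(actual, p) for p in patterns)
    raise ValueError(f"operator {operator} not modelled")


def assume_role_allowed(policy, claims, now):
    """True if STS would hand out credentials for this token under this policy."""
    if claims.get("iss") != ISSUER or claims.get("exp", 0) <= now:
        return False                    # wrong issuer or expired: rejected before policy evaluation
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow" or stmt["Action"] != "sts:AssumeRoleWithWebIdentity":
            continue
        conditions = stmt.get("Condition", {})
        if all(_condition_holds(op, key, val, claims)
               for op, block in conditions.items() for key, val in block.items()):
            return True
    return False


def github_claims(sub, exp=2_000_000_000):
    """Constructed token claims in the shape GitHub's OIDC token uses."""
    return {"iss": ISSUER, "aud": "sts.amazonaws.com", "sub": sub, "exp": exp}


NOW = 1_700_000_000
MAIN = github_claims("repo:example-org/example-app:ref:refs/heads/main")
FEATURE = github_claims("repo:example-org/example-app:ref:refs/heads/feature-x")
OTHER_REPO = github_claims("repo:someone-else/anything:ref:refs/heads/main")
EXPIRED = github_claims("repo:example-org/example-app:ref:refs/heads/main", exp=NOW - 1)

if __name__ == "__main__":
    for name, claims in [("main", MAIN), ("feature", FEATURE), ("other repo", OTHER_REPO), ("expired", EXPIRED)]:
        print(f"{name:10s} deploy-policy={assume_role_allowed(DEPLOY_POLICY, claims, NOW)!s:5} "
              f"aud-only={assume_role_allowed(AUD_ONLY_POLICY, claims, NOW)}")
```

The `sub` claim is what ties the role to one repository and branch; a pattern such as `repo:example-org/example-app:*` would also admit pull-request runs, including those from forks, which is the usual reason a deploy role is pinned to a protected branch.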

Common claim: "If the repository is private, secrets in code are safe - nobody external can access them."

Secrets in git stay in commit history: deleting the file in a later commit removes nothing from the history, from existing clones and forks, or from CI caches and logs. When the repository is later made public, transferred, or forked, or when a developer's laptop is compromised, every historical secret is exposed.

git history is permanent: a secret committed once is a secret that must be rotated, immediately and regardless of who is believed to have seen it. Rewriting history (git filter-repo or similar) limits further spread but does not undo the exposure, because every existing clone still holds the old commits. The cheaper fix is to stop the commit at the developer's machine with a pre-commit secret scanner, and to let the hosting platform's push protection act as the second line.
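A minimal pre-commit secret detector of the kind described above, as an added example that is not from the lesson and not GitHub's or any other scanner's code. It scans only the added lines of a staged diff, matches two well-known token formats by their fixed structure, and falls back to a Shannon-entropy test for quoted values assigned to secret-looking names. The sample diff is constructed; the AWS key id in it is the placeholder AWS uses in its own documentation, and the GitHub token is a made-up string of the right shape. The hook script name and the invocation are assumptions.

```python
"""Pre-commit secret detector (added example, not from the lesson).

Scans the *added* lines of a unified diff for well-known token formats and
for high-entropy values assigned to secret-looking names. Assumed usage as a
pre-commit hook:  git diff --cached -U0 | python3 detect_secrets.py
"""
import math
import re
import sys
from dataclasses import dataclass

# Known token formats: a fixed prefix plus a fixed-length body, so the
# false-positive rate is close to zero.
KNOWN_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
}
# Generic case: a secret-looking name assigned a quoted literal of >= 20 chars.
GENERIC_ASSIGNMENT = re.compile(
    r"""(?i)(secret|password|passwd|token|api[_-]?key)\w*\s*[=:]\s*["']([^"']{20,})["']"""
)
ENTROPY_THRESHOLD = 4.0  # bits per character; English-like text is roughly 3 to 3.5


@dataclass
class Finding:
    line_no: int
    kind: str
    preview: str  # masked, so the hook's own output never leaks the secret


def shannon_entropy(s):
    """Bits of entropy per character of s, estimated from its character frequencies."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def mask(value):
    return value[:4] + f"...({len(value)} chars)"


def scan_line(line_no, text):
    findings, taken = [], []
    for kind, pat in KNOWN_PATTERNS.items():
        for m in pat.finditer(text):
            findings.append(Finding(line_no, kind, mask(m.group(0))))
            taken.append(m.span())
    for m in GENERIC_ASSIGNMENT.finditer(text):
        start, end = m.span(2)
        if any(s < end and start < e for s, e in taken):
            continue  # already reported under a known format
        value = m.group(2)
        if shannon_entropy(value) >= ENTROPY_THRESHOLD:
            findings.append(Finding(line_no, "high_entropy_secret", mask(value)))
    return findings


def scan_diff(diff_text):
    """Scan only added lines: removed lines are already in history and need rotation, not blocking."""
    findings = []
    for line_no, line in enumerate(diff_text.splitlines(), 1):
        if line.startswith("+") and not line.startswith("+++"):
            findings.extend(scan_line(line_no, line[1:]))
    return findings


# Constructed staged diff. The AWS key id is AWS's documentation placeholder;
# the GitHub token is a made-up string of the right length.
SAMPLE_DIFF = """\
diff --git a/config.py b/config.py
+++ b/config.py
+AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
+GITHUB_TOKEN = "ghp_0123456789abcdefghijklmnopqrstuvwxyz"
+db_password = "abcdefghijklmnopqrstuvwxyz012345"
+log_level = "debug"
+password = "changeme"
-legacy_flag = True
"""

if __name__ == "__main__":
    hits = scan_diff(sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_DIFF)
    for h in hits:
        print(f"line {h.line_no}: {h.kind}: {h.preview}")
    sys.exit(1 if hits else 0)
```

The entropy test is the noisy part: it will flag long random-looking test fixtures and skip short real passwords such as `changeme`, which is why production scanners pair it with a large catalogue of exact token formats and a per-line allowlist comment. Known-format matches are reported once even when the generic rule would also match the same span.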

Why is GitHub Actions OIDC better than storing AWS_ACCESS_KEY_ID in GitHub Secrets?

Key Ideas

  • **Shift-left** - find vulnerabilities in the IDE and in pre-commit hooks: fixing there costs an order of magnitude less than in production.
  • **SAST + SCA + DAST** - static code analysis (Semgrep), dependency scanning (Snyk, npm audit), and dynamic testing of the running application (OWASP ZAP, Nuclei), all gated in CI/CD.
  • **Secret management via OIDC** - no static cloud credentials in GitHub Secrets; temporary credentials via OIDC federation, and application secrets fetched at runtime from AWS Secrets Manager or Vault.

Related Topics

DevSecOps integrates with secrets management and platform engineering:

  • Vault and Secrets Management — HashiCorp Vault is the advanced solution: dynamic secrets, PKI, audit log for enterprise compliance.
  • Platform Engineering — Security scanning is embedded in golden path templates - every new service automatically gets SAST/DAST.

Questions for Reflection

  • If Snyk finds a critical CVE in a production dependency - what is the correct remediation process and how quickly must it be done?
  • How do you run DAST without corrupting staging data on every pipeline run?
  • Why is GitHub OIDC better than storing AWS credentials in HashiCorp Vault for CI/CD?

Related Lessons

  • sec-01: DevSecOps
