Security

DevSecOps Operating Model

Secure delivery without turning every release into a security project


DevSecOps works when security controls are close to the work, automated where possible, and owned by the same teams that operate production. The goal is faster feedback, clearer accountability, and evidence that survives customer or auditor review.

Operating principles

  1. Shift left and keep right — catch preventable issues before merge, then monitor production for what only appears at runtime.
  2. Make secure paths the default — templates, reusable workflows, golden images, and policy bundles should be easier than exceptions.
  3. Keep humans for risk decisions — automation should classify, block obvious failures, and route ambiguous issues to the right owner.
  4. Record evidence automatically — every production deployment should be traceable to source, artifact, approval, and runtime owner.

Responsibility model

| Capability | Product team | Platform team | Security/compliance owner |
|---|---|---|---|
| Threat modeling | Own service assumptions and abuse cases | Provide templates and facilitation | Review high-risk changes |
| CI/CD controls | Fix findings and own exceptions | Provide reusable workflows and runners | Define required controls |
| Dependency security | Upgrade and test packages | Provide bots, caches, and mirrors | Set severity policy |
| Cloud/IaC policy | Own service-level IaC | Maintain policy-as-code and landing zones | Approve risky exceptions |
| Incident response | Triage service impact | Support infrastructure recovery | Coordinate severity, evidence, and disclosure |
| Compliance evidence | Provide service records | Automate control exports | Maintain control map and audit package |

Pipeline control stack

| Stage | Controls | Fail condition | Evidence |
|---|---|---|---|
| Commit | Secret scanning, pre-commit checks | Verified credential or private key committed | Scanner alert and rotation ticket |
| Pull request | Code review, dependency diff, IaC lint | High-risk change without owner review | PR review and check status |
| Build | SAST, dependency scan, SBOM, container scan | Critical exploitable dependency with no exception | Build logs, SBOM, artifact digest |
| Deploy | Policy-as-code, approval for production, signed artifact verification | Unknown artifact or unapproved production change | Deployment record and approver |
| Runtime | Cloud audit logs, workload telemetry, vulnerability monitoring | Active exploit path or suspicious control-plane action | Alert, incident timeline, remediation record |
```yaml
production_release:
  requires:
    - branch_protection: main
    - artifact_signature: verified
    - sbom: generated
    - secrets_scan: passed
    - container_critical_vulns: none_or_approved_exception
    - deployment_owner: service_catalog_match
```
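
One way a deploy-stage gate could evaluate the requirements listed above, failing closed when evidence is missing and rejecting expired exceptions. This is an added example, not code from the original page; the release-record fields, the exception record shape, the service catalog dict, and all sample values are assumptions.

```python
from datetime import date

# Controls that must hold an exact value, mirroring the policy listed above.
REQUIRED = {
    "branch_protection": "main",
    "artifact_signature": "verified",
    "sbom": "generated",
    "secrets_scan": "passed",
}

def evaluate_release(release, catalog, exceptions, today):
    """Return gate failures; an empty list means the release may deploy."""
    failures = []
    for control, expected in REQUIRED.items():
        actual = release.get(control)  # missing evidence fails closed
        if actual != expected:
            failures.append(f"{control}: expected {expected!r}, got {actual!r}")
    # container_critical_vulns: none_or_approved_exception
    vulns = release.get("container_critical_vulns")
    if vulns is None:
        failures.append("container_critical_vulns: no scan result recorded")
    for vuln in vulns or []:
        exc = exceptions.get(vuln)
        if exc is None:
            failures.append(f"{vuln}: critical finding with no exception")
        elif not (exc.get("owner") and exc.get("risk") and exc.get("expires")):
            failures.append(f"{vuln}: exception lacks owner, risk, or expiry")
        elif exc["expires"] < today:
            failures.append(f"{vuln}: exception expired {exc['expires']}")
    # deployment_owner: service_catalog_match
    owner = catalog.get(release.get("service"))
    if owner is None or owner != release.get("deployment_owner"):
        failures.append("deployment_owner: no service catalog match")
    return failures

# Constructed sample data: hypothetical service, team, and finding id.
CATALOG = {"billing-api": "team-payments"}
EXCEPTIONS = {"FINDING-0001": {"owner": "alice", "risk": "code path unreachable",
                               "expires": date(2025, 6, 30)}}
RELEASE = {
    "service": "billing-api", "deployment_owner": "team-payments",
    "branch_protection": "main", "artifact_signature": "verified",
    "sbom": "generated", "secrets_scan": "passed",
    "container_critical_vulns": ["FINDING-0001"],
}

if __name__ == "__main__":
    print(evaluate_release(RELEASE, CATALOG, EXCEPTIONS, date(2025, 6, 1)))
    print(evaluate_release(RELEASE, CATALOG, EXCEPTIONS, date(2025, 7, 1)))
```

The returned failure list can be stored with the deployment record, so a blocked release carries its own evidence.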

Maturity path

Stage 1: Stabilize the basics

  • Enforce branch protection and required reviews.
  • Turn on secret scanning and dependency alerts.
  • Establish ownership for production repositories and cloud accounts.
  • Create a vulnerability severity policy.

Stage 2: Standardize secure delivery

  • Move teams onto reusable CI/CD workflows.
  • Add IaC scanning and container scanning to the standard pipeline.
  • Generate SBOMs for production artifacts.
  • Define exception records with owner, risk, and expiration date.

Stage 3: Automate evidence

  • Link source commit, artifact digest, deployment, and runtime service.
  • Export CI/CD and access evidence for customer security reviews.
  • Add policy-as-code for cloud and Kubernetes controls.
  • Review control failures in the same cadence as reliability incidents.

Stage 4: Improve through exercises

  • Run tabletop exercises for leaked secrets, compromised CI tokens, dependency compromise, and cloud account abuse.
  • Measure mean time to rotate, mean time to patch, and exception age.
  • Feed recurring findings back into platform templates.

DevSecOps checklist

  • Required reviews and status checks protect production branches.
  • CI logs redact secrets and avoid printing sensitive environment variables.
  • Repository and package permissions use least privilege.
  • Critical dependencies have owners, upgrade paths, and emergency patch procedures.
  • Container images are minimal, scanned, and pinned by digest for production.
  • IaC changes are reviewed with blast-radius context.
  • CI/CD runners are isolated for untrusted code and protected environments.
  • Production deployments produce an auditable record.
  • Exceptions expire and are reviewed by a named risk owner.

Useful standards and references