Module 02 · Lesson 10

Building a DevSecOps pipeline

Security bolted on after development is expensive and incomplete. Security built into the process catches vulnerabilities when they're cheap to fix.

Shift Left

The cost multiplier

Stage    Control        Relative fix cost
Design   Threat Model   1×
Code     IDE Plugins
Build    SAST + SCA     10×
Test     DAST           15×
Deploy   Config Scan    30×
Prod     WAF            100×

Design fix: 1×. Production fix: 100×, once you count emergency patches, customer notification and incident response.

Tool Chain

Five security tools in CI/CD

SAST
Static Analysis: Scans source code. SQL injection, XSS, secrets. Every PR. Semgrep, SonarQube. Tune for false positives.
SCA
Composition: Dependency CVEs. 80-90% of code is third-party. Snyk, Dependabot, Trivy. Low false positives.
DAST
Dynamic: Tests running app with malicious requests. Auth bypasses, CORS. ZAP, Burp Suite. Run on staging.
Container
Image Scan: OS vulns, root user, secrets in Docker images. Trivy, Docker Scout. Before registry push.
Secrets
Secret Scan: API keys, tokens in code. GitLeaks, TruffleHog. Block the commit, don't just alert.

Pipeline Placement

Fast scans block, slow scans advise

Stage         Tool                Blocks?    Speed
Pre-commit    Secret scan, lint   Yes        <5 sec
PR pipeline   SAST + SCA          Yes        1-3 min
Build         Container scan      Yes        2-5 min
Staging       DAST, fuzzing       Advisory   10-30 min
Production    WAF, monitoring     Runtime    Always on

A 2-minute SAST scan gets adopted. A 45-minute scan gets bypassed.
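The pre-commit row above and the "block the commit, don't just alert" rule for secret scanning, worked as an added example (not code from the lesson, and not GitLeaks or TruffleHog): a minimal git pre-commit hook that scans only the staged added lines for a few constructed key patterns plus high-entropy assignments, and exits non-zero so git refuses the commit. The rule set and entropy threshold are assumptions for illustration; real scanners ship far larger rule sets.

```python
import math
import re
import subprocess
import sys

# Constructed rules for the secret types the lesson names (API keys, tokens).
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "private_key": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
}
# Generic fallback: a long value assigned to a secret-looking name.
ASSIGNMENT = re.compile(
    r"(?i)(secret|token|password|api_key)\s*[:=]\s*['\"]?([A-Za-z0-9+/_\-]{20,})"
)
ENTROPY_THRESHOLD = 3.5  # assumed; bits per character, filters "aaaa..." values


def shannon_entropy(s: str) -> float:
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def scan_text(text: str):
    """Return (added-line index, rule, matched value) for every suspected secret."""
    findings = []
    for idx, line in enumerate(text.splitlines(), 1):
        for rule, pattern in PATTERNS.items():
            for m in pattern.finditer(line):
                findings.append((idx, rule, m.group(0)))
        for m in ASSIGNMENT.finditer(line):
            value = m.group(2)
            if shannon_entropy(value) > ENTROPY_THRESHOLD:
                findings.append((idx, "high_entropy_assignment", value))
    return findings


def staged_added_lines() -> str:
    # Only lines the developer is about to commit; keeps the hook under a few seconds.
    diff = subprocess.run(["git", "diff", "--cached", "--unified=0"],
                          capture_output=True, text=True, check=True).stdout
    return "\n".join(l[1:] for l in diff.splitlines()
                     if l.startswith("+") and not l.startswith("+++"))


def main() -> int:
    findings = scan_text(staged_added_lines())
    for idx, rule, value in findings:
        # Print a prefix only, so the hook itself never echoes the full secret.
        print(f"BLOCKED: {rule} in added line {idx}: {value[:6]}...", file=sys.stderr)
    return 1 if findings else 0  # non-zero exit makes git abort the commit


if __name__ == "__main__":
    sys.exit(main())
```

Install it as .git/hooks/pre-commit (executable) or wire it into a pre-commit framework; a developer who needs to bypass it must do so explicitly with --no-verify, which is visible in review.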

Culture

Tools without culture fail

Champions
Scale through people
One dev per team as security point of contact. Extra training, mentors teammates. Scales without hiring.
Fast Feedback
Speed = adoption
Security checks must fit existing workflow. If it's slow, developers route around it.
Blameless
Process, not people
"Why didn't our pipeline catch this?" not "Who wrote this?" Blame drives vulns underground.
Practical
CTF > slides
Annual training tailored to the tech stack. Hands-on exercises beat death-by-PowerPoint.

Anti-Patterns

What breaks DevSecOps

Gate with no owner: Pipeline blocks but nobody triages. Developers bypass.
Tool sprawl: Five scanners, five dashboards, no integration. Noise everywhere.
Scan all, fix nothing: 10,000 findings, no prioritization. Everything "critical." Nothing fixed.
The "no" team: Only blocks releases, never helps fix. Developers route around you.

Key Takeaway

Embed, don't bolt on

Remember this

Design fix = 1×. Production fix = 100×. Shift left.

Five tools at the right stages: SAST, SCA, DAST, container scan, secret scan.

Security champions scale your knowledge without scaling your team.

Be the team that helps ship securely, not the team that blocks shipping.
