⚙️ DevSecOps
Integrating security into CI/CD pipelines, Infrastructure as Code scanning, shift-left testing, and secure software delivery.
DevSecOps embeds security as a shared responsibility throughout the entire software delivery lifecycle. Instead of security being a gate at the end, it's integrated into every phase — from coding to deployment. It encompasses shift-left security, automated testing in CI/CD, infrastructure as code scanning, container security, and supply chain protection.
Key Concepts
CI/CD Pipeline Security
Automated security gates in build pipelines: SAST, SCA, container scanning, IaC scanning, secrets detection. Fail builds on critical findings.
Container Security
Image scanning in registries, minimal base images, non-root containers, signing and attestation, runtime protection with Falco/Sysdig.
Infrastructure as Code (IaC) Security
Scanning Terraform, CloudFormation, Kubernetes manifests for misconfigurations before deployment. Tools: Checkov, tfsec, KICS, Bridgecrew.
Internal Developer Platform (IDP)
Self-service portal that abstracts infrastructure complexity. Developers provision environments, deploy services, and manage configurations through golden paths without needing DevOps tickets. Tools: Backstage, Port, Cortex, Humanitec.
Secrets Management
Preventing hard-coded secrets in code. Using vaults (HashiCorp Vault, AWS Secrets Manager), pre-commit scanning (git-secrets, detect-secrets), and rotation policies.
Security Automation Scripting
Scripting is essential for automating security tasks across the DevSecOps pipeline. Python: Most versatile — API integrations (SIEM, ticketing, threat intel), log parsing with pandas, vulnerability report generation, YARA rule automation, boto3 for AWS security, and custom SAST/SCA wrappers. Bash: Linux-native automation — cron-based security scans, log rotation, file integrity monitoring, grep/awk/sed for log analysis, iptables scripting, and quick incident response triage scripts. PowerShell: Windows/AD automation — Active Directory auditing (Get-ADUser, dormant accounts, privileged group changes), Windows Event Log analysis (Get-WinEvent), Group Policy enforcement, endpoint security checks, and Azure/M365 security configuration. Scripting bridges the gap between security tools, enabling custom integrations, automated reporting, and rapid incident response playbooks.
Shift-Left Security
Moving security testing earlier in the SDLC. Detecting vulnerabilities during coding (IDE plugins, pre-commit hooks) rather than after deployment. Reduces cost and risk.
Supply Chain Security
Verifying integrity of dependencies, build systems, and deployment artifacts. SLSA framework, SBOM generation, artifact signing, and provenance attestation.
DevSecOps Pipeline Architecture
Secure DevOps Pipeline
Security integrated at every stage — from code to monitoring to AI-powered operations
🏗️ Internal Developer Platform (IDP) — Platform Engineering
An Internal Developer Platform (IDP) is a self-service layer built by platform engineering teams that abstracts infrastructure complexity so developers can provision, deploy, and manage services through “golden paths” — without filing DevOps tickets. It's the next evolution of DevOps: instead of every team building their own CI/CD, IaC, and monitoring, the platform team provides a unified, opinionated, and secure-by-default experience.
📐 IDP Architecture — 5-Layer Reference Model
IDP 5-Layer Reference Architecture
Developers interact only with the top layer — the platform handles everything below
🏛️ 5 Core Pillars of an Internal Developer Platform
📦 Software Catalog
Central registry of all services, APIs, libraries, and data pipelines. Each entity has an owner, documentation link, SLO targets, dependency map, and security posture score. Think of it as the "phone book" for your entire engineering org.
Tools: Backstage Catalog, Port Catalog, Cortex Scorecards, OpsLevel Service Catalog
🛤️ Golden Paths & Templates
Pre-built, opinionated project templates that bake in CI/CD pipelines, security scanning, logging, monitoring, and compliance from day one. Developers scaffold new services in minutes — with security built in, not bolted on.
Tools: Backstage Software Templates, Cookiecutter, Yeoman, Proton (AWS), JFrog Artifactory (artifact store)
⚡ Self-Service Actions
One-click operations: provision a database, spin up a staging environment, create a Kubernetes namespace, request cloud resources — all behind policy guardrails. No more Jira tickets to DevOps and 3-day wait times.
Tools: Port Self-Service Actions, Backstage Scaffolder, Humanitec Score, Terraform Modules
📊 Developer Portal & Scorecards
Unified dashboard showing service health, security compliance, DORA metrics, ownership, on-call schedules, and production readiness. Scorecards grade each service against standards — driving continuous improvement.
Tools: Backstage TechDocs, Port Scorecards, Cortex Scorecards, OpsLevel Rubrics
🔐 Security & Compliance Layer
Enforces security guardrails across all platform actions: RBAC for self-service, policy-as-code (OPA/Kyverno), secrets injection, vulnerability gate integration, and audit trails. Security is invisible but always present.
Tools: OPA/Rego, Kyverno, HashiCorp Sentinel, Backstage RBAC, JFrog Xray (binary SCA), Cloud IAM Policies
🔧 IDP Tools Comparison
| Platform | Type | Catalog | Templates | Self-Service | Scorecards | Best For |
|---|---|---|---|---|---|---|
| Backstage (Spotify) | Open-source | ✅ Deep | ✅ Scaffolder | ⚠️ Plugin-based | ⚠️ Community | Large orgs with eng capacity to customize |
| Port.io | SaaS | ✅ Deep | ✅ Built-in | ✅ Native | ✅ Native | Fast setup, no-code self-service actions |
| Cortex.io | SaaS | ✅ Good | ⚠️ Basic | ⚠️ Limited | ✅ Best-in-class | Service maturity tracking & standards |
| Humanitec | SaaS | ✅ Good | ✅ Score files | ✅ Dynamic | ⚠️ Basic | Dynamic environment provisioning |
| OpsLevel | SaaS | ✅ Deep | ⚠️ Basic | ⚠️ Limited | ✅ Rubrics | Ownership tracking & service maturity |
| Kratix | Open-source | ⚠️ Basic | ✅ Promises | ✅ K8s-native | ❌ | K8s-native, GitOps-first platform teams |
📈 IDP Maturity Model — Where Is Your Org?
| Level | Stage | Characteristics | Developer Experience |
|---|---|---|---|
| L0 | No Platform | Jira tickets to DevOps for every infra request. Manual provisioning. Tribal knowledge. | 😤 Days to deploy |
| L1 | Standardized CI/CD | Shared CI/CD pipelines (Jenkins/GitHub Actions). Standard Dockerfiles. Basic Terraform modules. | 😐 Hours to deploy |
| L2 | Self-Service Portal | Developer portal (Backstage/Port). Service catalog. Golden path templates. Self-service infra. | 🙂 Minutes to deploy |
| L3 | Fully Automated | Dynamic env provisioning. Scorecards enforce standards. DORA metrics tracked. Security baked in. | 😊 One-click deploy |
| L4 | AI-Augmented | AI-powered recommendations. Auto-remediation. Predictive scaling. Autonomous security ops. | 🚀 Intent-based deploy |
🛡️ IDP + Security Integration — How Security Fits In
Secure-by-Default via IDP
Every service created through the platform inherits security controls automatically — “paved road” security
📊 Key IDP Metrics — DORA + SPACE Framework
| Category | Metric | Without IDP | With IDP | Why It Matters |
|---|---|---|---|---|
| DORA | Deployment Frequency | Weekly / Monthly | Multiple per day | Faster feature delivery |
| DORA | Lead Time for Changes | Days – Weeks | Hours – Minutes | Reduced time-to-market |
| DORA | Change Failure Rate | 15–30% | <5% | Golden paths prevent misconfig |
| DORA | MTTR (Recovery) | Hours – Days | Minutes | Standardized rollback paths |
| SPACE | Developer Satisfaction | Low (ticket fatigue) | High (self-service) | Retention & productivity |
| SPACE | Cognitive Load | High (learn infra) | Low (abstracted) | Focus on business logic |
| Security | % Services with Security Scanning | 40–60% | 100% | Built into every golden path |
📦 Software Catalog — The Brain of the IDP
The Software Catalog is a centralized, searchable registry of every entity in your engineering org — services, APIs, teams, environments, artifacts, docs, and health metrics. Think of it as the “patient registry” for your engineering org: every service is a patient with an owner (doctor), health score (SLOs), medications (dependencies), and medical history (deployment logs). Without it, you get the “who owns this?” problem at 2 AM.
| Entity Type | What Gets Cataloged | Example | Why It Matters |
|---|---|---|---|
| Services | Every microservice, API, app | payment-service, user-auth-api | Instant lookup during incidents |
| Owners | Which team owns what | Team Checkout → payment-service | Know who to page at 2 AM |
| Dependencies | What talks to what | payment → Stripe API → PostgreSQL | Blast radius analysis |
| Artifacts | Built binaries, Docker images | payment-service:v2.3.1 in JFrog | Track what's deployed where |
| Security Posture | Scan results, compliance | Xray: 0 critical, 3 medium CVEs | Real-time attack surface view |
| Health & SLOs | Uptime, incidents, scorecards | 99.95% uptime, 2 open P2s | Production readiness tracking |
⚙️ IDP Pipeline — Where Security Tools Fit at Each Stage
Key insight: SAST/DAST/SCA are the tools. The IDP is the delivery mechanism. Without an IDP, you chase 50 teams to adopt scanning. With an IDP, scanning is baked into golden paths — teams can't opt out.
| Stage | What Happens | Security Tools | IDP Role |
|---|---|---|---|
| 1. IDE (Plan) | Developer writes code | JFrog IDE Plugin (SCA), Snyk IDE, Semgrep LSP, GitHub Copilot (secure suggestions) | Golden Path scaffolds project with security configs pre-loaded |
| 2. CODE (Commit) | Code pushed to Git | Pre-commit hooks, GitLeaks/TruffleHog (secrets), SAST (Semgrep, SonarQube, Checkmarx) | Catalog tracks repo → service → team ownership |
| 3. BUILD (Artifact) | CI compiles, packages, images | SCA (Snyk, JFrog Xray), SBOM (CycloneDX), Container Scan (Trivy), JFrog Artifactory (store) | Golden Path template auto-includes all pipeline stages |
| 4. TEST (Validate) | Runs in staging/QA | DAST (Burp Suite, ZAP, Nuclei), IAST (Contrast), IaC Scan (Checkov, tfsec), API Fuzz | Self-service spins up ephemeral staging env for testing |
| 5. DEPLOY (Release) | Push to production | Image Signing (Cosign), Admission Control (OPA Gatekeeper, Kyverno), JFrog Release Bundle | Policy engine blocks non-compliant deploys automatically |
| 6. RUN (Operate) | Live in production | RASP, WAF (Cloudflare, AWS WAF), CSPM (Prisma), SIEM (Splunk), JFrog Xray Watch | Scorecards monitor runtime health, auto-page correct team |
🔌 How Security Tools Integrate with Port.io IDP
Port.io doesn't RUN security tools — it orchestrates and visualizes them. Tools run in your CI/CD (GitHub Actions, Jenkins, GitLab CI). Port.io ingests results, scores services, and triggers actions. The integration follows a 3-layer pattern:
Port.io 3-Layer Integration Pattern
Ingest scan results → Score services via Scorecards → Trigger automated or self-service actions
🔨 SAST Integration (Build Stage)
CI pipeline runs Semgrep/Checkmarx → parses JSON results → sends to Port.io via port-labs/port-github-action. Port.io updates the service entity with sast_status, critical/high/medium counts, and scan timestamp. Scorecards auto-grade the service.
Flow: Semgrep scan → JSON results → Port GitHub Action → Catalog entity updated → Scorecard re-evaluated
🧪 DAST Integration (Test Stage)
After deploying to staging, pipeline runs OWASP ZAP full scan → parses alerts → sends to Port.io. ZAP report URL is stored as a property. If high alerts > 0, scorecard blocks prod promotion via self-service action rules.
Flow: Deploy staging → ZAP scan → Port API POST → dast_status + alert counts → Prod gate enforced
📦 JFrog Xray Integration (Build + Deploy)
JFrog Artifactory stores the built artifact (Docker image, npm package). Xray scans for CVEs and license violations. Webhook sends results to Port.io. Xray policy gates block deployment of images with critical vulnerabilities. Port.io shows artifact version + scan status in the catalog.
Flow: Build → Push to Artifactory → Xray scan → Webhook to Port.io → Catalog shows artifact health
📊 Scorecards (Across All Stages)
Port.io Scorecards define rules across all security data: "SAST passed?" (Gold tier), "No critical DAST findings?" (Gold), "JFrog Xray clean?" (Silver), "Secrets scan passed?" (Bronze). Services are graded continuously. Below-threshold services are flagged and visible to leadership.
Flow: All scan data → Scorecard rules engine → A/B/C/F grade → Prod promotion gate + leadership dashboards
💡 IDP Interview Preparation
What is an Internal Developer Platform (IDP) and why are organizations adopting them?
An IDP is a self-service layer built by platform engineering teams that abstracts infrastructure complexity so developers can provision, deploy, and manage services without filing DevOps tickets. It consists of 5 pillars:
1Software Catalog — central registry of all services, APIs, owners, and dependencies.
2Golden Path Templates — pre-built scaffolding with CI/CD, security scanning, monitoring, and compliance baked in.
3Self-Service Actions — one-click operations for infra provisioning behind policy guardrails.
4Developer Portal & Scorecards — unified dashboard with DORA metrics, security posture, and production readiness.
5Security & Compliance Layer — RBAC, policy-as-code (OPA/Kyverno), secrets injection, and audit trails. Why organizations adopt IDPs: Reduce cognitive load on developers (they focus on business logic, not infra). Eliminate DevOps ticket bottlenecks (self-service vs 3-day wait). Enforce security-by-default (every service gets scanning, encryption, RBAC). Improve DORA metrics — deployment frequency goes from weekly to multiple per day. Standardize operations — golden paths prevent configuration drift and tribal knowledge. Key tools: Backstage (Spotify, open-source), Port.io (SaaS), Cortex (scorecards), Humanitec (dynamic provisioning), OpsLevel (service maturity). The platform engineering team is NOT another ops team — they build products for developers, treating developers as their customers.
How does an IDP integrate with DevSecOps to ensure security is built into every service?
The IDP is the enforcement mechanism for DevSecOps at scale — it makes the 'secure path' the 'easy path.' Integration points:
- Every template auto-includes SAST pipeline stages, secrets management integration (Vault/AWS Secrets Manager), security headers, dependency scanning (SCA), and container image scanning
- Developers don't opt-in to security — it's impossible to opt-out
- When a developer provisions infrastructure through the portal, policy-as-code (OPA/Kyverno) validates EVERY action: no public S3 buckets, no root containers, encryption-at-rest enabled, network policies enforced
- Violations are blocked before provisioning, not detected after
- Automated scorecards grade every service on security metrics: SAST/DAST scan freshness, dependency vulnerability count, secrets rotation status, TLS certificate expiry, production readiness checklist
- Services below threshold are flagged and tracked
4SOFTWARE CATALOG + SECURITY POSTURE: The catalog shows real-time security posture per service — last scan results, open CVEs, compliance status, ownership (who to page for incidents). This enables security teams to see the entire attack surface in one place.
- Every self-service action is logged — who provisioned what, when, with what parameters
- Full audit trail for SOC 2, ISO 27001, PCI-DSS compliance
- Without IDP, security teams chase individual teams to adopt scanning
- With IDP, scanning is embedded in the platform — 100% coverage by default
- The result: security team shifts from enforcement ('you must add scanning') to enablement ('scanning is already there')
Compare Backstage vs Port.io vs Cortex for building an Internal Developer Platform. How would you choose?
The three leading IDP platforms serve different needs: BACKSTAGE (Spotify, Open-Source): Strengths — massive plugin ecosystem (700+), deep customization, strong community, fully open-source (no vendor lock-in). Weaknesses — requires significant engineering investment (3-6 months to production), needs dedicated platform team (2-5 engineers), plugin quality varies. Best for: Large enterprises (500+ engineers) with platform engineering capacity and desire for full control. Security: RBAC via plugin, integrates with any security tool via custom plugins. PORT.IO (SaaS): Strengths — fastest time-to-value (days not months), no-code self-service action builder, excellent API, strong security integrations out of the box, flexible data model for any entity type. Weaknesses — SaaS dependency, cost scales with number of entities. Best for: Mid-to-large teams wanting fast setup without dedicated platform engineers. Security: Built-in RBAC, audit logs, SSO integration, self-service actions with approval workflows. CORTEX (SaaS): Strengths — best-in-class scorecards and service maturity tracking, CTO/VP-level visibility dashboards, strong governance features. Template and self-service capabilities more limited. Best for: Organizations focused on service maturity, standards enforcement, and engineering leadership visibility. Security: Scorecards can track security compliance (scan freshness, CVE count, ownership). DECISION FRAMEWORK: Need full customization + have platform team? → Backstage. Need fast setup + strong self-service? → Port.io. Need maturity tracking + executive dashboards? → Cortex. Many organizations combine: Backstage for catalog + Port.io for self-service, or Backstage + Cortex scorecards. KEY INTERVIEW POINT: The platform is a PRODUCT, not a project — treat developers as customers, measure adoption, iterate based on feedback, and track DORA metrics improvement.
Azure DevOps (ADO) — Security Integration
ADO Security Extensions (Marketplace)
Microsoft Security DevOps (MSDo): Free, runs multiple open-source scanners in one task — Bandit, ESLint, Trivy, Terrascan, Template Analyzer. Results feed into Microsoft Defender for Cloud.
SonarQube / SonarCloud: Code quality + SAST. ADO extension provides PR decoration (findings as PR comments), quality gate enforcement, and dashboard widgets.
Mend (formerly WhiteSource) Bolt: Free SCA for ADO — scans open-source dependencies for known CVEs. Full Mend platform adds license compliance and auto-remediation PRs.
Checkmarx: Enterprise SAST + SCA. ADO task triggers scans, breaks builds on policy violations, results appear as pipeline artifacts.
OWASP ZAP: DAST task runs ZAP against staging URLs. Generates HTML report as pipeline artifact. Can fail pipeline on high-severity findings.
JFrog / Artifactory: JFrog CLI extension for artifact management. Push to Artifactory → trigger Xray scan → fail build on critical CVEs. Binary SCA in the build pipeline.
Defender for DevOps: Microsoft's CNAPP integration — connects ADO repos to Defender for Cloud, provides security posture visibility across all repos, surfaces IaC and code scanning findings in the Azure portal.
Azure DevOps — 5 Core Services
Azure DevOps (ADO) is Microsoft's end-to-end DevOps platform providing source control, CI/CD, work tracking, testing, and artifact management. For security teams, ADO is significant because many enterprises — especially those already invested in the Microsoft ecosystem (Azure, M365, Entra ID) — use ADO as their primary development platform.
Security Integration in Azure Pipelines
Azure Pipelines supports both YAML pipelines (recommended — pipeline-as-code, version-controlled) and Classic pipelines (GUI-based, legacy). Security scanning integrates as pipeline tasks:
Pre-Commit / PR Stage: Microsoft Security DevOps (MSDo) task — runs Bandit (Python), ESLint (JS), Trivy (containers), Terrascan (IaC) in a single task. Credential Scanner (CredScan) for secrets detection. SonarQube/SonarCloud task for code quality + security.
Build Stage: WhiteSource/Mend Bolt (free SCA for open-source). Snyk task for dependency scanning. JFrog CLI task → push artifacts to Artifactory, trigger Xray scan. SBOM generation via CycloneDX task.
Test/Staging Stage: OWASP ZAP task (DAST against staging URL). Burp Suite Enterprise integration via API. Checkmarx SAST full scan. Qualys/Nessus vulnerability scan tasks.
Deploy Stage: Azure Policy (built-in OPA alternative for Azure resources). Gate approvals with compliance checks. Service connection RBAC — least-privilege access to production subscriptions.
Key ADO Security Feature — Pipeline Permissions: Pipeline resources (service connections, environments, variable groups) require explicit permission grants. "Approvals and checks" on environments enforce manual approval, business hours, or template validation before production deploys. Variable groups can reference Azure Key Vault for secrets injection — no hardcoded secrets in YAML.
| Service | Purpose | Security Relevance |
|---|---|---|
| Azure Repos | Git repositories (or TFVC) for source control | Branch policies enforce PR reviews, build validation gates, credential scanning via Microsoft Security DevOps extension |
| Azure Pipelines | CI/CD build and release automation (YAML or classic) | Pipeline stages for SAST, SCA, DAST, container scanning. Service connections with RBAC. Pipeline-level permissions and approvals |
| Azure Boards | Agile work tracking (Epics → Stories → Tasks) | Security bug tracking with custom work item types. Vulnerability SLA dashboards. Integrates with Jira via connectors |
| Azure Test Plans | Manual and automated test management | Security test case tracking. Penetration test result management. Compliance evidence collection for audits |
| Azure Artifacts | Package feeds (npm, NuGet, Maven, Python, Universal) | Upstream source control (block malicious packages). Package provenance. License compliance. Pairs with JFrog Artifactory for binary SCA |
How does Azure DevOps handle security differently from GitHub Actions?
Key differences:
- ADO has granular resource-level permissions — service connections, environments, and variable groups each require explicit grants
- GitHub uses repository-level permissions with OIDC for cloud auth
- ADO has native 'Approvals and Checks' on environments — manual approval, business hours, template validation, branch control
- GitHub uses environment protection rules and required reviewers
- ADO integrates natively with Azure Key Vault via variable groups — secrets injected at runtime, never in YAML
- GitHub uses repository/org secrets with OIDC
- GitHub has CodeQL, Dependabot, secret scanning built-in
- ADO uses the Microsoft Security DevOps (MSDo) extension which bundles open-source tools (Bandit, Trivy, Terrascan)
- ADO is strongest in Microsoft-heavy enterprises (Entra ID SSO, Azure subscriptions, .NET)
- GitHub is preferred for open-source and cloud-native
- GitLab stands out with the most comprehensive built-in security scanning (SAST, DAST, SCA, secret detection all native)
- ADO provides audit logs, compliance reports, and integrates with Azure Policy for governance
- GitHub audit log + advanced security features require GitHub Enterprise
Interview Preparation
How would you implement DevSecOps in an organization?
Phased approach:
1Start with secrets scanning in pre-commit hooks (quick win).
2Add SAST and SCA to CI/CD with initially non-blocking alerts.
3Introduce IaC scanning for Terraform/K8s.
4Add container image scanning in registry.
5Implement DAST in staging pipelines.
6Graduate to blocking builds on critical/high findings.
7Establish security champion program.
8Measure with metrics: vulnerability escape rate, MTTR, developer adoption rate, pipeline failure false positive rate. Cultural change is harder than tooling.
What tools would you use in a DevSecOps pipeline?
Code: Semgrep (SAST), git-secrets (secrets). Build: Snyk/Dependabot (SCA), Syft (SBOM). Test: OWASP ZAP (DAST), Checkov (IaC scanning), Trivy (container scanning). Deploy: OPA/Kyverno (policy enforcement), Cosign (image signing). Runtime: Falco (container runtime), CloudGuard (CSPM). Orchestration: GitHub Actions/GitLab CI for pipeline, Defect Dojo for vulnerability aggregation. Key: Choose tools that integrate well, minimize developer friction, and provide actionable results.
How do you integrate security testing into CI/CD pipelines and DevOps workflows?
Integrating security into CI/CD makes it continuous and automated.
- SAST on every PR (Veracode Pipeline Scan ~90 sec, Semgrep), SCA on dependency changes, DAST against staging
- Break builds on Critical/High findings
- Pre-commit — secret scanning (truffleHog, GitLeaks)
- PR/Build — SAST, SCA, license checks, container scanning (Trivy)
- Staging — DAST (Burp Enterprise, ZAP), API security
- Pre-Prod — full Veracode Policy Scan
- Post-Deploy — RASP, WAF validation
- Jenkins (Veracode Plugin), GitHub Actions (CodeQL, Snyk), GitLab (built-in templates), Azure DevOps
- Aggregate in DefectDojo/ThreadFix
Fast PR scans (<5 min), annotate PR comments, auto-create Jira tickets, tune rules to reduce alert fatigue.
Policy-as-code (OPA/Rego), compliance tracking per release, audit trails for SOC 2/ISO 27001, exception workflows with expiration dates.
How do you work with security teams to deploy security tools as Infrastructure as Code (IaC)?
Deploying security tools as IaC ensures consistent, repeatable, auditable, and version-controlled infrastructure — no more snowflake security deployments that drift from baselines.
1WHY IaC FOR SECURITY TOOLS: Manual deployment leads to configuration drift, undocumented changes, and inconsistent coverage across environments. IaC treats security infrastructure the same as application infrastructure — declarative, version-controlled, peer-reviewed, and automatically deployed.
- WAF — Terraform modules for AWS WAF, Azure Front Door, Cloudflare WAF with rule sets defined as code
- SIEM — deploy Splunk forwarders, Elastic Security agents, or Sentinel connectors via Terraform/Ansible
- EDR — deploy CrowdStrike Falcon or Microsoft Defender via Ansible playbooks
- Vulnerability Scanners — Nessus agents, Qualys Cloud Agents via IaC
- CSPM — deploy Prisma Cloud, AWS SecurityHub, or Wiz connectors via Terraform
- Secrets Management — deploy HashiCorp Vault clusters or AWS Secrets Manager via Terraform
- Write reusable modules for each security tool
- Use Terraform workspaces or Terragrunt to deploy identical security stacks across dev, staging, and production
- Store state in remote backends with encryption
- Use OPA with Rego policies to enforce security standards on all IaC
- Use Checkov, tfsec, or Bridgecrew to scan Terraform plans for misconfigurations
- Block terraform apply if policies fail
- Git workflow — security team writes Terraform modules, submits PRs
- Pipeline stages — terraform plan, policy validation, approval gate, terraform apply
- Blue-green deployments for security tools to avoid coverage gaps
- Security architects define requirements, DevSecOps engineers translate into Terraform modules
- Joint code reviews — security reviews configurations, platform team reviews infrastructure patterns
- Run terraform plan on schedule to detect manual changes
- Alert on drift, auto-remediate by re-applying IaC definitions
- Full audit trail through Git history
Framework Mapping
| Framework | Relevant Controls |
|---|---|
| NIST | SP 800-53 SA-11 (Dev Testing), SA-15 (Dev Process), CM-3 (Config Change Control), SI-7 (SW Integrity) |
| OWASP | SAMM (Software Assurance Maturity Model), DevSecOps Guideline |
| MITRE | T1195 (Supply Chain Compromise), T1072 (Software Deployment Tools) |
