CampusFlow

DevSecOps

Integrate security into every phase of the DevOps lifecycle. Shift-left security, SAST/DAST/SCA, secrets management, and compliance as code.

SAST

Static analysis of source code. Finds vulnerabilities before the code is built or run.

DAST

Dynamic analysis of running applications. Finds vulnerabilities that only appear at runtime.

SCA

Open-source dependency scanning for CVEs.

Secrets Mgmt

Vault, dynamic secrets, encryption as a service.

Security Tooling Categories

SAST (Static Analysis)

Semgrep, SonarQube, Checkmarx, Fortify, CodeQL

Analyze source code for vulnerabilities without executing it. Finds SQL injection, XSS, hardcoded secrets, and insecure patterns.
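An added illustration of what a SAST rule actually does, not code from the page or from any of the tools listed above: a minimal Python AST-based check, in the spirit of a single Semgrep rule, that flags database sinks (execute and friends) called with a query string built at runtime rather than passed as a constant with separate parameters. The sample source, the sink names and the set of "dynamic string" shapes are assumptions constructed for the example.

```python
import ast

# Constructed sample source; the vulnerable and safe variants below are built for this example.
SAMPLE_SOURCE = '''
def find_user(cursor, username):
    cursor.execute(f"SELECT * FROM users WHERE name = '{username}'")       # f-string with a placeholder
    cursor.execute("SELECT * FROM users WHERE name = '%s'" % username)     # %-formatting
    cursor.execute("SELECT * FROM users WHERE name = '" + username + "'")  # string concatenation
    cursor.execute("SELECT * FROM users WHERE name = '{}'".format(username))
    cursor.execute("SELECT * FROM users WHERE name = %s", (username,))     # parameterised: safe
    cursor.execute("SELECT COUNT(*) FROM users")                           # constant query: safe
'''

# Method names treated as SQL sinks (DB-API 2.0 cursor methods; assumed list for this rule).
SINK_NAMES = {"execute", "executemany", "executescript"}


def is_dynamic_string(node):
    """True when the expression assembles a string at runtime from other values."""
    if isinstance(node, ast.JoinedStr):                      # f"..." containing {placeholders}
        return any(isinstance(v, ast.FormattedValue) for v in node.values)
    if isinstance(node, ast.BinOp) and isinstance(node.op, (ast.Mod, ast.Add)):
        return True                                          # "..." % x   or   "..." + x
    if isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute):
        return node.func.attr == "format"                    # "...".format(x)
    return False


def find_sql_injection(source):
    """Return (line, query-node-kind) for each sink whose first argument is a runtime-built string.

    A constant first argument is accepted even when a second (parameters) argument follows,
    which is exactly the parameterised form the rule wants developers to use.
    """
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)):
            continue
        if node.func.attr not in SINK_NAMES or not node.args:
            continue
        query = node.args[0]
        if is_dynamic_string(query):
            findings.append((node.lineno, type(query).__name__))
    return findings


if __name__ == "__main__":
    for line, kind in find_sql_injection(SAMPLE_SOURCE):
        print(f"line {line}: SQL sink called with runtime-built query ({kind})")
```

Running the block on its own sample reports lines 3 to 6 and stays silent on the two safe calls; a real SAST engine adds taint tracking (is the interpolated value actually attacker-controlled?) and many more sink and source definitions, but the core decision is the one shown here.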

DAST (Dynamic Analysis)

OWASP ZAP, Burp Suite, Acunetix, Nessus

Test running applications for vulnerabilities by simulating attacks. Finds runtime issues like CSRF, authentication bypass, and misconfigurations.

SCA (Software Composition)

Snyk, Dependabot, Renovate, Black Duck, Trivy

Scan open-source dependencies for known CVEs. Monitors transitive dependencies as well as direct ones and suggests upgrades to patched versions.

Secret Scanning

truffleHog, GitLeaks, GitGuardian, Talisman

Scan repositories, commits, and CI outputs for leaked secrets, API keys, tokens, and credentials.
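An added example, not part of the original page and not code from any of the tools listed: a pre-commit style scanner in Python that inspects only the lines a diff adds, combining fixed-shape credential patterns with the Shannon-entropy heuristic that truffleHog popularised for values assigned to credential-like names. The sample diff, the pattern list and the thresholds are constructed for this example, and every "secret" in the diff is a fake placeholder.

```python
import math
import re
from collections import Counter

# Constructed sample git diff; the key and token values are fakes built for this example.
SAMPLE_DIFF = """\
diff --git a/settings.py b/settings.py
--- a/settings.py
+++ b/settings.py
@@ -1,4 +1,8 @@
 LOG_LEVEL = "INFO"
+AWS_ACCESS_KEY_ID = "AKIAEXAMPLE0000000AB"
+API_TOKEN = "Qz7xP2mK9vL4nB8wR3tY6uJ1hG5fD0sA"
+SECRET_NAME = "prod/api"
+DB_HOST = "db.internal.example"
-OLD_PASSWORD = "hunter2"
"""

# Credentials with a fixed shape can be matched by pattern alone (assumed subset of real rules).
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "private_key": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}

# Assignments whose variable name hints at a credential; the quoted value is then entropy-tested.
KEYWORD_ASSIGN = re.compile(
    r"(?i)\b(\w*(?:key|token|secret|password|passwd)\w*)\s*[:=]\s*['\"]([^'\"]+)['\"]"
)
MIN_LENGTH = 20    # shorter literals are usually names, labels or flags, not secrets
MIN_ENTROPY = 3.5  # bits/char; random hex sits near 4.0, random base64 above 5.0, words and paths well below


def shannon_entropy(text):
    """Shannon entropy in bits per character, estimated from the text's own symbol frequencies."""
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def scan_diff(diff):
    """Return findings for lines the diff ADDS; context and removed lines are ignored."""
    findings = []
    for line_no, line in enumerate(diff.splitlines(), 1):
        if not line.startswith("+") or line.startswith("+++"):
            continue
        added = line[1:]
        already_flagged = set()
        for rule, pattern in PATTERNS.items():
            for m in pattern.finditer(added):
                findings.append({"line": line_no, "rule": rule, "value": m.group(0)})
                already_flagged.add(m.group(0))
        for m in KEYWORD_ASSIGN.finditer(added):
            name, value = m.group(1), m.group(2)
            if value in already_flagged or len(value) < MIN_LENGTH:
                continue
            entropy = shannon_entropy(value)
            if entropy >= MIN_ENTROPY:
                findings.append({"line": line_no, "rule": "high_entropy_assignment",
                                 "name": name, "value": value, "entropy": round(entropy, 2)})
    return findings


def has_secrets(diff):
    """True when the diff should block the commit or fail the CI job."""
    return bool(scan_diff(diff))


if __name__ == "__main__":
    for f in scan_diff(SAMPLE_DIFF):
        print(f"line {f['line']}: {f['rule']} -> {f['value'][:6]}...")
```

On the sample the AKIA key is caught by shape, the random-looking API token by entropy, and the short "prod/api" value assigned to SECRET_NAME is left alone, which is the false-positive trade-off the length and entropy thresholds exist to make. Scanning only added lines is what keeps a pre-commit hook fast; a full history scan (what truffleHog and GitLeaks do against a repository) walks every commit's diff the same way.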

HashiCorp Vault

  • Static Secrets: Encrypted key-value storage with versioning
  • Dynamic Secrets: On-demand, short-lived credentials (DB, cloud)
  • Encryption as a Service: Encrypt/decrypt data via API without managing keys
  • PKI: Internal CA for automated certificate issuance and renewal
  • Auth Methods: Token, Kubernetes, LDAP, OIDC, AWS IAM, GitHub

Shell

# Enable KV secrets engine (version 2 keeps a history of every write)
vault secrets enable -path=secret kv-v2

# Write a secret (the values are placeholders)
vault kv put secret/api KEY=sk-abc123 SECRET=supersecret

# Read a secret
vault kv get secret/api

# Enable database secrets engine
vault secrets enable database

# Configure the connection Vault uses to create dynamic DB credentials.
# username/password are Vault's own privileged DB login; the {{username}} and
# {{password}} placeholders in connection_url are filled from those two fields.
vault write database/config/my-db \
    plugin_name=postgresql-database-plugin \
    allowed_roles="my-role" \
    connection_url="postgresql://{{username}}:{{password}}@host:5432/db" \
    username="vault-admin" \
    password="<vault-db-admin-password>"

# Define the role: the SQL Vault runs for each request and the lease lifetimes
vault write database/roles/my-role \
    db_name=my-db \
    creation_statements="CREATE ROLE \"{{name}}\" WITH LOGIN PASSWORD '{{password}}' VALID UNTIL '{{expiration}}'; GRANT SELECT ON ALL TABLES IN SCHEMA public TO \"{{name}}\";" \
    default_ttl="1h" \
    max_ttl="24h"

# Request a credential: every call returns a fresh user/password pair with its own lease
vault read database/creds/my-role

Compliance as Code

Open Policy Agent (OPA)

Policy engine for cloud-native stacks. Write Rego policies to enforce rules on Kubernetes admission, Terraform plans, and API requests.

InSpec

Audit and testing framework for infrastructure. Compliance tests are written in a Ruby-based DSL and check OS configuration, package versions, and security settings.

Sentinel

HashiCorp's policy framework for Terraform Enterprise. Enforces policies before terraform apply executes.

Secure SDLC Pipeline

  • Plan: Threat modeling
  • Code: SAST, secrets scan
  • Build: SCA, container scan
  • Test: DAST, integration
  • Deploy: Compliance check

Interview Questions

Q1: What is shift-left security and why is it important?

Shift-left security means integrating security early in the software development lifecycle (design → code → build → test → deploy). Instead of scanning only at the end, you add SAST during coding, SCA during dependency resolution, secret scanning on commit, and container scanning during build. This catches vulnerabilities earlier, when they are cheaper to fix.

Q2: How does HashiCorp Vault handle dynamic secrets?

Vault generates secrets on demand with lease durations and automatic revocation. For databases, Vault creates temporary credentials with limited privileges. For AWS, it generates STS tokens. Dynamic secrets eliminate the risk of credential leakage since they are short-lived, rotated frequently, and automatically expire.

Q3: What is the difference between SAST and DAST?

SAST (Static Application Security Testing) analyzes source code without executing it and finds vulnerabilities early in development. DAST (Dynamic Application Security Testing) tests running applications and finds runtime vulnerabilities that SAST cannot detect (authentication issues, configuration errors). SAST is white-box, DAST is black-box. The two complement each other.

Q4: Explain compliance as code and how it's implemented.

Compliance as code codifies regulatory requirements (PCI-DSS, HIPAA, SOC 2) into automated checks. Tools like InSpec, Open Policy Agent (OPA), and Sentinel evaluate infrastructure and application state against rules. Policies are version-controlled, tested like code, and enforced in CI/CD pipelines. Example: an OPA policy ensuring S3 buckets are not public.
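An added example serving both the Compliance as Code section and Q4; it is not the page's own code and does not use OPA or Sentinel. It implements the "S3 buckets must not be public" rule that Q4 mentions as a plain-Python policy over the JSON that `terraform show -json` produces, so it can run as a pipeline gate between plan and apply, the same point at which Sentinel or an OPA Rego policy would be evaluated. The plan excerpt is constructed, and the two rule definitions and the exit-code gating are assumptions of this example.

```python
import json
import sys

# Constructed excerpt of `terraform show -json tfplan`; only the fields the policy reads are kept.
SAMPLE_PLAN = json.loads("""
{
  "resource_changes": [
    {"address": "aws_s3_bucket.logs", "type": "aws_s3_bucket",
     "change": {"actions": ["create"], "after": {"bucket": "example-logs"}}},
    {"address": "aws_s3_bucket_acl.logs", "type": "aws_s3_bucket_acl",
     "change": {"actions": ["create"], "after": {"bucket": "example-logs", "acl": "public-read"}}},
    {"address": "aws_s3_bucket.data", "type": "aws_s3_bucket",
     "change": {"actions": ["create"], "after": {"bucket": "example-data"}}},
    {"address": "aws_s3_bucket_public_access_block.data", "type": "aws_s3_bucket_public_access_block",
     "change": {"actions": ["create"], "after": {"bucket": "example-data",
       "block_public_acls": true, "block_public_policy": true,
       "ignore_public_acls": true, "restrict_public_buckets": true}}},
    {"address": "aws_s3_bucket.retired", "type": "aws_s3_bucket",
     "change": {"actions": ["delete"], "after": null}}
  ]
}
""")

# Canned ACLs that grant access to anonymous or to all authenticated AWS users.
PUBLIC_ACLS = {"public-read", "public-read-write", "authenticated-read"}
# All four guards must be enabled for the bucket to be shielded from public ACLs and policies.
PAB_FLAGS = ("block_public_acls", "block_public_policy", "ignore_public_acls", "restrict_public_buckets")


def planned(plan, rtype):
    """Yield (address, after-state) for resources of `rtype` that will exist once the plan is applied."""
    for rc in plan.get("resource_changes", []):
        after = rc.get("change", {}).get("after")
        if rc.get("type") == rtype and after is not None:   # "after" is null for deletions
            yield rc["address"], after


def evaluate(plan):
    """Return deny messages in the style of an OPA deny rule; an empty list means the plan is compliant."""
    denies = []
    # Rule 1: no bucket ACL that opens the bucket to the public.
    for addr, after in planned(plan, "aws_s3_bucket_acl"):
        if after.get("acl") in PUBLIC_ACLS:
            denies.append(f"{addr}: ACL '{after['acl']}' exposes bucket '{after.get('bucket')}'")
    # Rule 2: every bucket must be covered by a public access block with all four guards on.
    shielded = {
        after.get("bucket")
        for _, after in planned(plan, "aws_s3_bucket_public_access_block")
        if all(after.get(flag) is True for flag in PAB_FLAGS)
    }
    for addr, after in planned(plan, "aws_s3_bucket"):
        if after.get("bucket") not in shielded:
            denies.append(f"{addr}: no public access block with all four guards enabled")
    return denies


def main():
    # Gate usage: terraform show -json tfplan > plan.json && python s3_policy.py plan.json
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            plan = json.load(fh)
    else:
        plan = SAMPLE_PLAN
    denies = evaluate(plan)
    for d in denies:
        print("deny:", d)
    sys.exit(1 if denies else 0)   # a non-zero exit is what stops the pipeline before apply


if __name__ == "__main__":
    main()
```

Against the sample plan the "logs" bucket is denied twice (public-read ACL and no public access block) while the "data" bucket passes, and the deleted "retired" bucket is ignored because its after-state is null. The same two rules expressed in Rego would take the plan JSON as `input` and produce the same deny set; what makes this compliance as code is that the rule lives in version control and fails the job, not which evaluator runs it.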