Khirawdhi Ray

Systems. Security. Thoughts.

DevSecOps Is Not About Installing Security Tools

by

khirawdhi

If I joined a company today as a DevSecOps Engineer, the first thing I would not do is install more security tools.

I would not begin with:

  • buying platforms
  • blocking deployments
  • adding 47 scanners into CI/CD
  • or creating a giant spreadsheet of vulnerabilities nobody will ever fix

Because most security problems in engineering organizations are not caused by lack of tools.

They are caused by:

  • invisible trust assumptions
  • weak delivery visibility
  • broken ownership
  • excessive operational friction
  • and controls nobody actually validates

Real DevSecOps starts somewhere much simpler: Understanding how software actually moves through the organization.

Not how people think it works. How it really works.

WEEKS 1-2: Discovery and Reality Check

The first two weeks are not about fixing. They are about building a mental model of the system.

Most environments already have:

  • CI/CD pipelines
  • scanners
  • cloud controls
  • dashboards
  • policies
  • alerts

But very few teams fully understand:

  • where trust actually exists
  • where code can bypass controls
  • how secrets move
  • who has production access
  • or which systems would cause the biggest blast radius if compromised

So before touching anything, I would map the environment.

Step 1: Understand the SDLC

I want to answer basic operational questions:

  • Where does code start?
  • How does it get reviewed?
  • How does it get tested?
  • How does it reach production?
  • Who can approve deployments?
  • What can bypass the process?

At this stage, I am not judging. I am observing.

Because the difference between: “our process” and: “what engineers actually do at 2AM during an outage”, is usually where the real risk lives.

Step 2: Understand the Stack

Next, I want infrastructure visibility. Not every detail. Just enough to understand the attack surface.

Questions I would ask:

  • What CI/CD platform is used?
  • Which cloud provider?
  • Kubernetes or VMs?
  • How are secrets managed?
  • Are runners isolated?
  • How is logging handled?
  • What monitoring already exists?
  • How are production credentials accessed?

This immediately reveals maturity gaps.

For example:

  • shared admin accounts
  • long-lived credentials
  • production access through Slack messages
  • CI runners with excessive permissions
  • secrets stored in repositories
  • “temporary” exceptions that became permanent

These are usually more dangerous than missing scanners.

Step 3: Identify High-Risk Systems

At this point, I start thinking like an attacker. Not abstractly. Operationally.

If I compromised one system:

  • where could I move next?
  • what trusts what?
  • what exposes customer data?
  • what reaches production?
  • what could impact revenue?

I usually prioritize:

  • public APIs
  • authentication systems
  • CI/CD infrastructure
  • admin panels
  • customer data stores
  • Kubernetes control planes
  • internal developer tooling

Because not every vulnerability matters equally.

A reflected XSS on a low-value internal dashboard is not the same as:

  • compromising a CI runner
  • leaking signing credentials
  • or obtaining production cloud access

Security maturity starts when teams understand blast radius.

Step 4: Find Engineering Allies

This part is massively underestimated. Security teams that operate in isolation almost always fail.

So early on, I would build relationships with:

  • developers
  • SREs
  • platform engineers
  • infrastructure teams
  • compliance teams

Not to “enforce security.” But to understand operational pain.

Because the best security improvements are usually the ones that:

  • remove friction
  • automate repetitive work
  • reduce cognitive load
  • and make the secure path the easiest path

If developers hate your controls, they will route around them. Every time.

WEEKS 3-4: Add Security Into the Delivery Flow

Only after understanding the environment would I begin introducing controls. And even then, lightweight first.

The fastest way to destroy DevSecOps adoption is to break engineering velocity during the first month.

So instead of aiming for “maximum coverage,” I would aim for:

  • visibility
  • fast feedback
  • and low operational drama

Step 1: Map the CI/CD Pipeline

I would literally draw the pipeline.

From:

  • commit
  • to build
  • to artifact
  • to deployment
  • to production

Then I would ask:

  • where can security checks fit naturally?
  • where are failures already happening?
  • where do developers already tolerate feedback?

This matters because security controls that align with existing engineering workflows survive. The ones that fight engineering workflows usually get bypassed.

Step 2: Add Lightweight Controls

I would start with high-value, low-friction controls such as:

Secrets Scanning

This catches:

  • exposed API keys
  • cloud credentials
  • tokens
  • accidental secrets in commits

One leaked credential can become a production incident. This is usually one of the highest ROI controls you can deploy early.

Dependency Scanning

Most applications today depend heavily on third-party libraries.

So visibility into:

  • vulnerable dependencies
  • outdated packages
  • exposed transitive dependencies

becomes important quickly.

But I would avoid:

  • failing builds for every medium CVE
  • overwhelming teams with noise
  • generating thousands of tickets nobody triages

Signal matters more than raw volume.

Basic SAST

Not across everything initially.

Only:

  • critical services
  • internet-facing systems
  • authentication flows
  • high-risk APIs

The goal early is credibility. If the first rollout creates endless false positives, engineering trust collapses immediately.

Step 3: Define Clear Security Policies

One of the biggest causes of DevSecOps chaos is ambiguity.

Teams need to know:

  • what blocks deployments
  • what generates warnings
  • who can approve exceptions
  • how long exceptions live
  • and who owns remediation

Without this, security becomes inconsistent and political. Good security programs reduce uncertainty.

Step 4: Give Developers Practical Guidance

Most developers do not ignore security because they are careless.

They ignore it because:

  • guidance is vague
  • tooling is noisy
  • or expectations are unclear

So instead of giant policy documents, I would create: a short secure PR checklist.

Something practical:

  • input validation
  • authentication checks
  • authorization logic
  • logging
  • secret handling
  • dependency review
  • basic threat thinking

Simple. Repeatable. Usable during real development.

WEEKS 5-8: Identity, Secrets, and Runtime Reality

At this stage, I would shift focus toward:

  • trust boundaries
  • permissions
  • runtime visibility
  • and validation

Because many environments look secure on paper but fail operationally.

Identity and Access Review

I would review:

  • production access
  • service accounts
  • IAM roles
  • Kubernetes RBAC
  • CI/CD permissions
  • cloud privilege boundaries

What I look for most:

  • excessive permissions
  • shared accounts
  • long-lived credentials
  • implicit trust between systems

Identity failures are often more damaging than application vulnerabilities.

Secrets Management Review

Questions I would ask:

  • Where are secrets stored?
  • How are they rotated?
  • Who can access them?
  • Are they encrypted?
  • Are they logged accidentally?
  • Are CI pipelines exposing them?

Many “mature” systems still rely on:

  • manually shared credentials
  • plaintext secrets
  • copied environment variables
  • or over-permissioned vault access

This becomes critical during incidents.

Runtime Detection and Logging

This is where theory meets reality. Because a control that exists but is never validated is just documentation.

So I would verify:

  • can incidents actually be investigated?
  • do logs contain enough context?
  • are alerts actionable?
  • does anyone respond to them?
  • what alerts are ignored completely?

Then I would run controlled validation tests:

  • suspicious authentication activity
  • abnormal API behavior
  • privilege escalation attempts
  • unexpected outbound traffic

Not to “hack the company.” To verify assumptions. A surprising number of controls fail the first real test.

WEEKS 9-12: Threat Modeling and Long-Term Security Engineering

By now, enough visibility exists to think strategically. Not just tactically.

This is where DevSecOps becomes less about scanners and more about architecture.

Threat Model Critical Systems

I would choose 1-2 important systems:

  • authentication platform
  • payment flow
  • customer data service
  • deployment pipeline
  • internal admin tooling

Then map:

  • trust boundaries
  • attack paths
  • privilege escalation routes
  • lateral movement possibilities
  • supply chain exposure
  • implicit trust assumptions

This usually reveals architectural risks that vulnerability scanners completely miss.

Create Reusable Secure Patterns

The goal now is scale. Not manual review forever.

So I would begin building:

  • hardened CI templates
  • secure Terraform modules
  • secure Kubernetes baselines
  • reusable IAM patterns
  • hardened container images
  • standardized logging pipelines

Security maturity increases when teams stop reinventing insecure defaults.

Define Metrics That Actually Matter

Not vanity metrics. Not: “We scanned 14 million lines of code.”

I care more about:

  • mean remediation time
  • secrets exposure trend
  • privileged access reduction
  • critical dependency aging
  • percentage of protected pipelines
  • incident detection coverage

Good metrics help engineering teams make decisions. Bad metrics create theater.

What Success Looks Like After 90 Days

After 90 days, the goal is not: “We are perfectly secure.”

That is fantasy.

The real goal is:

  • we understand our environment
  • we know our major risks
  • we have visibility into delivery
  • we reduced obvious exposure
  • we improved developer trust
  • we introduced practical controls
  • and we have a realistic roadmap forward

That is real progress.

Because effective DevSecOps is not about installing more security tools. It is about understanding how trust moves through engineering systems and reducing the probability that a failure becomes a catastrophe.

Comments

Leave a Reply

Your email address will not be published. Required fields are marked *