In simple words, DevSecOps is Development, Security and Operations. Its agenda is to make everyone accountable for implementing security measures alongside the development and operations work, not after it. Here is a DevSecOps checklist you should follow while injecting security into the DevOps lifecycle. But before we get started, let us cover the basics.

What is DevSecOps?

Secure and quick code delivery may seem impossible to most businesses, but DevSecOps aims to deliver exactly that. DevSecOps approaches IT with a mindset of "security at every step." Its goal is to incorporate security into every stage of the software development workflow, which means teams don't leave security for the final stages of the SDLC.

The DevSecOps Security Checklist

Pre-commit checks

Pre-commit checks catch minor security issues before changes are committed to the source code repository.

They can also help a team automate manual tasks, which increases productivity.

Use Case

Pre-commit checks help keep the threat model up to date when new controls are added to the application code. Manual code review is also performed at this stage when significant changes are made. If any security vulnerabilities are found, a risk analysis is triggered.
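One of the most useful pre-commit checks is a secrets scan over the staged diff, so a credential never reaches the shared repository in the first place. The following is an added example, not code from the original article or from any tool it names; it assumes a git pre-commit hook that pipes `git diff --cached` into the script, a constructed diff embedded as sample input, and a hypothetical set of patterns (the AWS access key ID shape is public documentation, the other two are generic assumptions).

```python
import re
import sys
from typing import List, Optional, Tuple

# Patterns for credentials that must not reach the repository. The AWS access
# key ID shape (AKIA followed by 16 upper-case alphanumerics) is publicly
# documented; the other two patterns are generic assumptions for this example.
SECRET_PATTERNS = [
    ("aws_access_key_id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("private_key_block", re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----")),
    ("hardcoded_password", re.compile(r"(?i)(?:password|passwd|secret)\s*[=:]\s*['\"][^'\"]{6,}['\"]")),
]

# Constructed staged diff (what `git diff --cached` prints) used as sample input.
# The key is the AWS documentation example key, not a live credential.
STAGED_DIFF = """\
diff --git a/app/config.py b/app/config.py
index 1111111..2222222 100644
--- a/app/config.py
+++ b/app/config.py
@@ -1,4 +1,6 @@
 import os
 
-DB_URL = os.environ["DB_URL"]
+DB_URL = os.environ["DB_URL"]
+AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
+ADMIN_PASSWORD = "hunter2hunter2"
 DEBUG = False
"""

# '@@ -a,b +c,d @@': c is the line number of the first line in the new file.
HUNK_HEADER = re.compile(r"@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@")


def scan_staged_diff(diff_text: str) -> List[Tuple[Optional[str], int, str]]:
    """Scan only the lines a commit would add ('+' lines, excluding the '+++'
    file header) and return (file, new-file line number, pattern name) tuples."""
    findings = []
    current_file: Optional[str] = None
    new_line_no = 0
    for raw in diff_text.splitlines():
        if raw.startswith("+++ "):
            path = raw[4:]
            current_file = path[2:] if path.startswith("b/") else path
            continue
        if raw.startswith("@@"):
            m = HUNK_HEADER.match(raw)
            new_line_no = int(m.group(1)) if m else 0
            continue
        if raw.startswith(("---", "diff ", "index ", "\\")):
            continue                      # file headers and "\ No newline" markers
        if raw.startswith("-"):
            continue                      # removed line: not part of the new file
        if raw.startswith("+"):
            for name, pattern in SECRET_PATTERNS:
                if pattern.search(raw[1:]):
                    findings.append((current_file, new_line_no, name))
        new_line_no += 1                  # added and context lines both advance
    return findings


def main(diff_text: str = STAGED_DIFF) -> int:
    """Return a non-zero exit status so git refuses the commit when a secret is staged."""
    findings = scan_staged_diff(diff_text)
    for path, line, name in findings:
        print(f"{path}:{line}: possible {name}", file=sys.stderr)
    return 1 if findings else 0


if __name__ == "__main__":
    data = sys.stdin.read() if not sys.stdin.isatty() else STAGED_DIFF
    sys.exit(main(data))
```

Tracking the new-file line number from the hunk header means the developer is pointed at the exact line in the file they are editing, not at an offset in the diff, and scanning only added lines keeps the hook fast and free of noise from code that is being removed.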

Commit-time checks

This activity is triggered automatically by a check-in to the source code repository. These tests give fast feedback to a developer pushing code to the shared repository.

Commit-time checks ensure that the code compiles and can be built at all times. They also focus on critical and high-severity security issues inside the code.

Use Case

These checks help development teams rectify high-severity security risks and provide them with QA security testing.

Build-Time Checks

Build-time checks are triggered automatically when the commit-time checks succeed.

Performing advanced automated application testing at this stage requires security testing, open source management, risk-based security tests and storing build artifacts in repositories.

Build-time checks break the build on any failure, which includes:

  1. A unit test fails
  2. A vulnerability is found
  3. The code does not compile after the committed changes

Build-time checks also inspect dependencies for publicly disclosed vulnerabilities.

Use case

Build-time checks allow users to configure more comprehensive SAST rule sets. These checks are also used to set up jobs that identify risks in third-party code, and they help automate risk-based security testing.

Risk-Based Security Testing - Each test in a risk-based security test suite is intended to trigger a particular risk that was identified earlier during risk analysis. These tests also notify the DevSecOps team about critical risk values.
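The break-the-build rule and risk-based testing described above come together in a build gate: every SAST finding is rated by the risk it exercises (from the risk analysis) rather than only by the scanner's own severity, and the build is broken on compile errors, failed unit tests or any critical/high finding. The block below is an added example, not code from the article or from any scanner it names. It assumes a minimal SARIF-shaped report (`runs[].results[]`, only the fields the gate reads) constructed inline, and a hypothetical risk register that maps scanner rule IDs to rated risks.

```python
import json
from typing import Dict, List

# Constructed, minimal SARIF-shaped report populated only with the fields this
# gate reads. It is not the output of any real scanner.
SAST_REPORT = json.dumps({
    "runs": [{"results": [
        {"ruleId": "SQLI-001", "level": "error",
         "message": {"text": "SQL query built by string concatenation"},
         "locations": [{"physicalLocation": {
             "artifactLocation": {"uri": "app/db.py"}, "region": {"startLine": 42}}}]},
        {"ruleId": "XSS-004", "level": "warning",
         "message": {"text": "Untrusted input rendered without escaping"},
         "locations": [{"physicalLocation": {
             "artifactLocation": {"uri": "app/views.py"}, "region": {"startLine": 118}}}]},
        {"ruleId": "STYLE-110", "level": "note",
         "message": {"text": "Unused import"},
         "locations": [{"physicalLocation": {
             "artifactLocation": {"uri": "app/util.py"}, "region": {"startLine": 3}}}]},
    ]}]
})

# Constructed risk register from the earlier risk analysis: which scanner rule
# exercises which identified risk, and how that risk was rated.
RISK_REGISTER: Dict[str, dict] = {
    "SQLI-001": {"risk": "R1 SQL injection in order lookup", "rating": "critical"},
    "XSS-004": {"risk": "R3 reflected XSS in search page", "rating": "high"},
}

LEVEL_TO_RATING = {"error": "high", "warning": "medium", "note": "low"}
BLOCKING_RATINGS = {"critical", "high"}


def _location(result: dict) -> str:
    try:
        loc = result["locations"][0]["physicalLocation"]
        return f'{loc["artifactLocation"]["uri"]}:{loc["region"]["startLine"]}'
    except (KeyError, IndexError):
        return "<unknown>"


def rate_findings(report_json: str, register: Dict[str, dict]) -> List[dict]:
    """Attach a rating to every result. A rule tied to a risk in the register
    inherits that risk's rating (risk-based testing); any other rule falls back
    to the scanner's own level."""
    rated = []
    for run in json.loads(report_json).get("runs", []):
        for result in run.get("results", []):
            rule = result.get("ruleId", "?")
            entry = register.get(rule)
            rating = entry["rating"] if entry else LEVEL_TO_RATING.get(result.get("level"), "medium")
            rated.append({"rule": rule, "rating": rating, "where": _location(result),
                          "risk": entry["risk"] if entry else None})
    return rated


def evaluate_build(compiled: bool, failed_unit_tests: List[str], report_json: str) -> dict:
    """Break-the-build policy: a compile error, any failed unit test, or any
    finding rated critical or high fails the build. Critical risks are listed
    separately so the DevSecOps team can be notified."""
    reasons = []
    if not compiled:
        reasons.append("code does not compile")
    reasons += [f"unit test failed: {name}" for name in failed_unit_tests]
    findings = rate_findings(report_json, RISK_REGISTER)
    for f in findings:
        if f["rating"] in BLOCKING_RATINGS:
            tag = f" (risk {f['risk']})" if f["risk"] else ""
            reasons.append(f"{f['rating']} finding {f['rule']} at {f['where']}{tag}")
    critical = [f["risk"] for f in findings if f["rating"] == "critical" and f["risk"]]
    return {"passed": not reasons, "reasons": reasons,
            "findings": findings, "critical_risks": critical}


if __name__ == "__main__":
    verdict = evaluate_build(compiled=True, failed_unit_tests=[], report_json=SAST_REPORT)
    print("BUILD", "PASSED" if verdict["passed"] else "BROKEN")
    for reason in verdict["reasons"]:
        print(" -", reason)
```

The point of the register lookup is that a scanner "warning" can still break the build when it exercises a risk the team rated high, while a rule nobody mapped to a risk falls back to the scanner's level, so the gate never silently ignores a finding.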

Test-Time checks

Successful build-time checks automatically trigger test-time checks. Here the latest good build is picked up and deployed to a staging or test environment, and all the tests, such as functional, integration and performance tests, are executed on this build.

Test-time checks are the last testing phase before a product is released into production; the staging environment closely resembles the actual production environment.

Use case

Here we enable the tool's complete security rule sets. Since SAST has already run in the earlier checks, we ensure that the tests not yet covered are run.

Deploy-Time checks

When all the previous steps have completed successfully and the application is ready for deployment, deploy-time checks add pre- and post-deployment security checks that complete our DevSecOps pipeline.

Post-deployment checks assure that changes made to the production environment have not introduced security issues. A good strategy is to implement a process that periodically triggers security testing.

Deploy-time checks can find bugs that were missed during pre-production testing. Continuous monitoring gives insight into the traffic an application is receiving, and these metrics help to identify malicious users.

Use case


  1. Automate configuration management
  2. Automate provisioning of the runtime environment

  1. Automate collection of application-level security metrics
  2. Schedule security scanning
  3. Enable vulnerability scanning
  4. Create an incident response plan
  5. Provide insights to the DevSecOps team that will lead to building a threat intelligence program
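Post-deployment continuous monitoring and the "collect application-level security metrics" item above can be made concrete with a small job that parses the web server's access log, keeps per-client counters, and flags clients whose traffic is mostly requests for paths that do not exist, which is the usual signature of someone probing the application. This is an added example, not code from the article or from any monitoring product; it assumes Common Log Format lines, uses a constructed log sample with documentation-range addresses, and the thresholds are hypothetical.

```python
import re
from collections import defaultdict
from typing import Dict, List, Optional

# Constructed access-log sample in Common Log Format. 198.51.100.0/24 and
# 203.0.113.0/24 are documentation ranges; no line here comes from a real server.
LOG_LINES = """\
198.51.100.20 - - [03/Mar/2024:10:00:01 +0000] "GET / HTTP/1.1" 200 5123
198.51.100.20 - - [03/Mar/2024:10:00:02 +0000] "GET /static/app.js HTTP/1.1" 200 88120
198.51.100.20 - - [03/Mar/2024:10:00:05 +0000] "POST /api/login HTTP/1.1" 200 231
198.51.100.20 - - [03/Mar/2024:10:00:09 +0000] "GET /api/orders/17 HTTP/1.1" 200 1044
203.0.113.7 - - [03/Mar/2024:10:01:00 +0000] "GET /admin HTTP/1.1" 404 153
203.0.113.7 - - [03/Mar/2024:10:01:00 +0000] "GET /backup.zip HTTP/1.1" 404 153
203.0.113.7 - - [03/Mar/2024:10:01:01 +0000] "GET /old/ HTTP/1.1" 404 153
203.0.113.7 - - [03/Mar/2024:10:01:01 +0000] "GET /config.bak HTTP/1.1" 404 153
203.0.113.7 - - [03/Mar/2024:10:01:02 +0000] "GET /test.php HTTP/1.1" 404 153
203.0.113.7 - - [03/Mar/2024:10:01:02 +0000] "GET /api/login HTTP/1.1" 405 153
198.51.100.44 - - [03/Mar/2024:10:02:10 +0000] "GET /api/orders/99 HTTP/1.1" 404 98
this line is not parseable
"""

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\S+)')


def parse_line(line: str) -> Optional[dict]:
    """Parse one Common Log Format line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    client, ts, method, path, status, _size = m.groups()
    return {"client": client, "time": ts, "method": method, "path": path, "status": int(status)}


def collect_metrics(lines: List[str]) -> dict:
    """Application-level security metrics: overall error rate plus per-client
    request, error and not-found counters and the set of paths each client hit."""
    per_client: Dict[str, dict] = defaultdict(
        lambda: {"requests": 0, "errors": 0, "not_found": 0, "paths": set()})
    total = errors = unparsed = 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            unparsed += 1            # count, never silently drop, malformed lines
            continue
        total += 1
        c = per_client[rec["client"]]
        c["requests"] += 1
        c["paths"].add(rec["path"])
        if rec["status"] >= 400:
            errors += 1
            c["errors"] += 1
        if rec["status"] == 404:
            c["not_found"] += 1
    return {"total": total, "unparsed": unparsed, "errors": errors,
            "error_rate": round(errors / total, 3) if total else 0.0,
            "per_client": dict(per_client)}


def flag_probing_clients(per_client: Dict[str, dict], min_requests: int = 5,
                         max_not_found_ratio: float = 0.5) -> List[str]:
    """Clients with enough traffic whose requests are mostly 404s are probing for
    paths that do not exist; the minimum request count avoids flagging a single typo."""
    flagged = []
    for client, c in per_client.items():
        if c["requests"] >= min_requests and c["not_found"] / c["requests"] >= max_not_found_ratio:
            flagged.append(client)
    return sorted(flagged)


if __name__ == "__main__":
    metrics = collect_metrics(LOG_LINES.splitlines())
    print(f"requests={metrics['total']} errors={metrics['errors']} error_rate={metrics['error_rate']}")
    for client in flag_probing_clients(metrics["per_client"]):
        print("probing client:", client, sorted(metrics["per_client"][client]["paths"]))
```

In the sample, 198.51.100.44 also produced a 404, but with a single request it stays below the minimum request count; lowering `min_requests` to 1 would flag it, which is the false-positive trade-off the threshold controls.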

What are best practices for DevSecOps?

Embrace Automation

The most crucial requirement for continuous testing and continuous integration is speed, and speed makes automation a fundamental requirement. Therefore having the necessary security measures and triggers automated is essential.

Organizations should adopt static security testing and, equally important, dynamic security testing. This means vulnerability scanning is done in real time.

To achieve this automation, it is essential to have tools that automate security checks over our code and configuration. Some of the static and dynamic security testing tools are:

SAST Tools

Coverity: A static analysis tool by Synopsys that helps development and security teams find and fix defects and security flaws in code as it is being written.

Appknox: An on-demand mobile application security platform that helps businesses detect and fix security vulnerabilities using an automated security testing suite.

Checkmarx: A software exposure platform for the enterprise. Over 1,400 organizations around the globe rely on Checkmarx to measure and manage software risk at the speed of DevOps.

DAST Tools

Netsparker can identify vulnerabilities in all types of modern web applications, regardless of the underlying architecture or platform.

Veracode comprises a unique combination of SaaS technology and on-demand expertise that enables DevSecOps through integration with your pipeline, empowers developers to fix security defects, and scales your program through best practices to achieve your desired outcomes.

Risk Management in Open Source Technologies

Since hacks and data breaches have become regular news, security is cited as an essential concern. Open source code pulled into a project as a dependency can introduce vulnerability risks, because it may be unmanaged code with no security measures applied. Therefore dependency checking is a must. Running an OWASP dependency-check utility helps ensure that no known vulnerability in these open source components goes unnoticed.
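The build-time "publicly disclosed vulnerabilities in dependencies" check and the OWASP dependency check just described both reduce to the same operation: resolve each pinned dependency's version and match it against an advisory feed's affected ranges. The block below is an added example of that matching logic, not code from the article or from the OWASP tool, which does this against real advisory databases. The requirements file, the fictional `acme-*` packages and the `EXAMPLE-*` advisory IDs are all constructed placeholders; the range rule used is the usual introduced/fixed convention (affected when introduced <= version < fixed, and no fixed version means still affected).

```python
from typing import Dict, List, Optional, Tuple

# Constructed pinned requirements file; the package names are fictional.
REQUIREMENTS = """\
# application dependencies (constructed example)
acme-http==1.4.2
acme-auth==0.9.0
acme-json==3.1.0
acme-util>=2.0      # unpinned: the version cannot be checked
"""

# Constructed advisory feed. IDs are placeholders, not real CVEs. A package is
# affected when introduced <= version < fixed; fixed=None means no fix yet.
ADVISORIES = [
    {"id": "EXAMPLE-2024-0001", "package": "acme-http", "introduced": "1.0.0", "fixed": "1.4.3",
     "severity": "high", "summary": "header injection in redirect handling"},
    {"id": "EXAMPLE-2024-0002", "package": "acme-auth", "introduced": "0.8.0", "fixed": "0.9.0",
     "severity": "critical", "summary": "token signature not verified"},
    {"id": "EXAMPLE-2023-0042", "package": "acme-json", "introduced": "3.0.0", "fixed": None,
     "severity": "medium", "summary": "deep nesting causes excessive recursion"},
]

BLOCKING = {"critical", "high"}


def parse_version(v: str) -> Tuple[int, ...]:
    """Dotted numeric version to a comparable tuple, padded to three components."""
    parts = [int(p) for p in v.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))


def parse_requirements(text: str) -> Tuple[Dict[str, str], List[str]]:
    """Return pinned {name: version} plus the raw specs that are not pinned with '=='."""
    pinned: Dict[str, str] = {}
    unpinned: List[str] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        if "==" in line:
            name, version = line.split("==", 1)
            pinned[name.strip().lower()] = version.strip()
        else:
            unpinned.append(line)
    return pinned, unpinned


def is_affected(version: str, adv: dict) -> bool:
    v = parse_version(version)
    if v < parse_version(adv["introduced"]):
        return False
    return adv["fixed"] is None or v < parse_version(adv["fixed"])


def audit(requirements_text: str, advisories: List[dict]) -> dict:
    """Match every pinned dependency against the feed and decide the gate."""
    pinned, unpinned = parse_requirements(requirements_text)
    findings = []
    for adv in advisories:
        version: Optional[str] = pinned.get(adv["package"].lower())
        if version is not None and is_affected(version, adv):
            findings.append({"id": adv["id"], "package": adv["package"], "version": version,
                             "severity": adv["severity"], "fixed": adv["fixed"],
                             "summary": adv["summary"]})
    blocking = [f["id"] for f in findings if f["severity"] in BLOCKING]
    return {"passed": not blocking, "findings": findings,
            "blocking": blocking, "unpinned": unpinned}


if __name__ == "__main__":
    result = audit(REQUIREMENTS, ADVISORIES)
    for f in result["findings"]:
        fix = f"upgrade to {f['fixed']}" if f["fixed"] else "no fix available"
        print(f"{f['severity']:8} {f['id']} {f['package']}=={f['version']}: {f['summary']} ({fix})")
    for spec in result["unpinned"]:
        print("unpinned, not checked:", spec)
    print("DEPENDENCY CHECK", "PASSED" if result["passed"] else "FAILED")
```

Two details matter in practice and are handled here: a version equal to the fixed version is not affected (the upper bound is exclusive), and unpinned dependencies are reported rather than ignored, since a check that cannot resolve a version has not actually checked anything.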

Security Management process

When a security team encounters a bug, it reports it in the repository. Sometimes developers do not have the bandwidth to check those reports, which leads them to prioritize functional testing and skip security vulnerabilities. Therefore the DevSecOps team must have a uniform security management process in which any change also notifies the security team, so that they can execute their authentication testing protocol.

Integrating Bug tracker in Application Security System

Integrating the bug tracker creates a list of bug reports automatically. Each report carries actionable details about the bug, such as its severity, description and the treatment required. This keeps the security team prepared to fix issues before they land in the development or production environment.

Threat Modelling

Threat modelling is a process that developers use to identify security risks or vulnerabilities in their code and assess their seriousness. Based on this, they plan and prioritize techniques to mitigate the attacks and rectify their code. The SANS Institute recommends risk management before DevSecOps implementation. Risk management will help you identify threats in software components and the measures to counter those threats.


With the rising demand to shorten the development of reliable applications, DevOps as a practice is set to take off. But with power comes responsibility: security is as important a concern as delivering the end product, and it has to be injected right from the early stages of development. Therefore implementing Development + Security + Operations should be a standard agenda for organizations from the start, and the checklist above will help achieve that.
