SecOps Overview
SecOps (Security Operations) integrates security practices into the entire software development lifecycle, enabling teams to deliver secure software at velocity without sacrificing agility for protection.
DevSecOps Principles
DevSecOps represents the cultural and technical evolution of embedding security into every phase of the software development lifecycle. The shift-left security philosophy moves security checks earlier in the pipeline, where vulnerabilities are exponentially cheaper to fix.
Shift-Left Security
Traditional security models perform assessments late in the lifecycle โ often just before production. Shift-left security inverts this model:
| Phase | Security Activity | Tools |
|---|---|---|
| Planning | Threat modeling, security requirements | Microsoft Threat Modeling Tool, OWASP Threat Dragon |
| Development | Secure coding standards, SAST, secrets scanning | SonarQube, GitLeaks, ESLint Security |
| Build | Dependency scanning, SCA, license compliance | Snyk, OWASP Dependency-Check, FOSSA |
| Test | DAST, fuzzing, penetration testing | OWASP ZAP, Burp Suite, AFL++ |
| Deploy | Container scanning, IaC scanning | Trivy, Checkov, tfsec |
| Operate | Runtime protection, EDR, SIEM | Wazuh, Falco, Splunk |
Core Principles
- Security as Code โ Security policies expressed as version-controlled code (Open Policy Agent, Sentinel)
- Automated Security Gates โ Pipeline-enforced quality gates that block on critical findings
- Continuous Monitoring โ Real-time visibility into security posture across all environments
- Shared Responsibility โ Security is everyone's responsibility, not a siloed team
- Rapid Feedback โ Developers receive security feedback within minutes, not weeks
Security in CI/CD Pipeline Stages
A secure CI/CD pipeline implements multiple verification layers. Each stage must fail the pipeline when critical security issues are detected:
# Example: Secure CI/CD Pipeline Structure
# .github/workflows/secure-pipeline.yml
stages:
- precommit # Git hooks, linting
- build # SAST, SCA, secrets scan
- test # Unit tests, DAST
- container # Image scanning, SBOM generation
- deploy # IaC scanning, compliance checks
- monitor # Runtime security, anomaly detection
security-gates:
sast-critical: block-on > 0 critical findings
secrets-scan: block-on any leaked secret
dependency-cvss: block-on CVSS >= 7.0
container-cve: block-on CVE severity = CRITICAL
compliance-drift: block-on policy violation
Pipeline Security Controls
| Control | Implementation | Gate Criteria |
|---|---|---|
| Branch Protection | Required PR reviews, signed commits | 2+ approvals, all checks pass |
| Secrets Detection | GitLeaks + TruffleHog in CI | Zero leaked secrets |
| SAST | SonarQube, Semgrep | 0 critical, <5 high per PR |
| SCA | Snyk, Dependabot | No CVE >= 7.0 unremediated |
| Container Scan | Trivy, Clair | 0 critical CVEs in base image |
| IaC Scan | Checkov, tfsec | 0 high-severity misconfigurations |
Defense in Depth Strategy
Defense in depth is a layered security architecture where multiple independent controls protect assets. If one layer fails, subsequent layers provide continued protection:
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โ Layer 7: Data Encryption (at rest/transit) โ
โ Layer 6: Application Security (WAF, RASP) โ
โ Layer 5: Endpoint Protection (EDR, FIM) โ
โ Layer 4: Network Security (SG, NACL, IDS) โ
โ Layer 3: Compute Security (Hardened AMIs) โ
โ Layer 2: Access Control (IAM, RBAC, MFA) โ
โ Layer 1: Perimeter (CDN, DDoS protection) โ
โ Layer 0: Physical/Cloud Provider Security โ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
Layer Implementation
Cloud-Native Defense in Depth
Each cloud provider offers native controls for every layer. The key is implementing all layers with automation โ manual security configuration drifts and fails.
| Layer | AWS Controls | Azure Controls | GCP Controls |
|---|---|---|---|
| Perimeter | CloudFront, Shield Advanced | Front Door, DDoS Protection | Cloud CDN, Cloud Armor |
| Access Control | IAM, Organizations SCPs | Azure AD RBAC, Policies | IAM, Organization Policies |
| Compute | Systems Manager, Inspector | Defender for Cloud | OS Login, Shielded VMs |
| Network | VPC, Security Groups, NACLs | NSGs, ASGs, Firewall | VPC Firewall, Cloud NAT |
| Endpoint | Wazuh, CrowdStrike | Microsoft Defender | Chronicle, Wazuh |
| Application | WAF v2, AWS RUM | Application Gateway WAF | Cloud Armor reCAPTCHA |
| Data | KMS, Macie | Key Vault, Purview | CMEK, DLP API |
Security Frameworks
NIST Cybersecurity Framework
The NIST CSF organizes cybersecurity activities into five core functions:
- Identify โ Asset management, risk assessment, governance
- Protect โ Access control, awareness training, data security
- Detect โ Anomaly detection, continuous monitoring
- Respond โ Response planning, communications, analysis
- Recover โ Recovery planning, improvements, communications
CIS Controls
The CIS Controls (v8) provide 18 prioritized safeguards:
| Control | Title | Implementation Group 1 |
|---|---|---|
| CIS 1 | Inventory and Control of Enterprise Assets | Required |
| CIS 2 | Inventory and Control of Software Assets | Required |
| CIS 3 | Data Protection | Required |
| CIS 4 | Secure Configuration of Enterprise Assets | Required |
| CIS 5 | Account Management | Required |
| CIS 6 | Access Control Management | Required |
| CIS 7 | Continuous Vulnerability Management | Required |
| CIS 8 | Audit Log Management | Required |
| CIS 9 | Email and Web Browser Protections | Required |
| CIS 10 | Malware Defenses | Required |
OWASP Top 10 (2021)
| Rank | Vulnerability | Mitigation Strategy |
|---|---|---|
| A01 | Broken Access Control | RBAC enforcement, principle of least privilege |
| A02 | Cryptographic Failures | Encryption at rest/transit, key rotation |
| A03 | Injection (SQL, NoSQL, Command) | Parameterized queries, input validation |
| A04 | Insecure Design | Threat modeling, secure design patterns |
| A05 | Security Misconfiguration | Hardened images, IaC scanning, drift detection |
| A06 | Vulnerable Components | Dependency scanning, SBOM, automated patching |
| A07 | Identification and Authentication Failures | MFA, session management, password policy |
| A08 | Software and Data Integrity Failures | Code signing, supply chain verification |
| A09 | Security Logging Failures | Centralized logging, tamper-proof audit trails |
| A10 | Server-Side Request Forgery | URL validation, network segmentation |
Threat Modeling Basics
STRIDE Methodology
STRIDE is a threat classification framework developed by Microsoft. Each letter represents a category of threat:
| Threat | Property Violated | Example | Mitigation |
|---|---|---|---|
| Spoofing | Authentication | Stolen credentials, session hijacking | MFA, token binding, rate limiting |
| Tampering | Integrity | Data modification in transit/storage | Digital signatures, HMAC, TLS |
| Repudiation | Non-repudiation | User denies performing an action | Audit logging, signed logs |
| Information Disclosure | Confidentiality | Data breach, error message leakage | Encryption, access controls |
| Denial of Service | Availability | DDoS, resource exhaustion | Rate limiting, WAF, auto-scaling |
| Elevation of Privilege | Authorization | Horizontal/vertical privilege escalation | RBAC, input validation, least privilege |
Threat Modeling Process
- Define Scope โ Identify the application, data flows, and trust boundaries
- Decompose Application โ Create Data Flow Diagrams (DFDs) showing processes, data stores, external entities
- Identify Threats โ Apply STRIDE to each element in the DFD
- Assess Risks โ Rate likelihood and impact for each identified threat
- Plan Mitigations โ Design and implement controls for high-risk threats
- Validate โ Re-assess after mitigations are implemented
# threat_model_risk_calculator.py
# Risk scoring for identified threats
def calculate_risk(likelihood: int, impact: int) -> str:
"""
Calculate risk level based on 1-5 likelihood and impact scores.
Returns: CRITICAL, HIGH, MEDIUM, LOW
"""
score = likelihood * impact
if score >= 15:
return "CRITICAL"
elif score >= 10:
return "HIGH"
elif score >= 5:
return "MEDIUM"
else:
return "LOW"
# Example: SQL injection in authentication endpoint
likelihood = 4 # Easily exploitable with known tools
impact = 5 # Full database compromise
risk = calculate_risk(likelihood, impact)
print(f"SQL Injection Risk Level: {risk}") # CRITICAL
# Example: Information disclosure via verbose error messages
likelihood = 3 # Requires some reconnaissance
impact = 2 # Limited information leakage
risk = calculate_risk(likelihood, impact)
print(f"Info Disclosure Risk Level: {risk}") # MEDIUM
Security Tools Landscape
| Category | Open Source | Commercial | Cloud Native |
|---|---|---|---|
| Secrets Management | HashiCorp Vault, Mozilla SOPS | 1Password, CyberArk | AWS Secrets Manager, Azure Key Vault |
| SAST | SonarQube Community, Semgrep, Bandit | Checkmarx, Veracode, SonarQube Enterprise | Amazon CodeGuru, Azure DevOps Security |
| DAST | OWASP ZAP, Nikto | Burp Suite, Netsparker | AWS Inspector (agentless) |
| SCA | OWASP Dependency-Check, Snyk (free tier) | Snyk, Black Duck, Mend | AWS Inspector + Amazon Inspector |
| Container Scanning | Trivy, Clair, Grype | Aqua, Prisma Cloud | Amazon ECR scanning, Azure Defender |
| EDR/XDR | Wazuh, Osquery | CrowdStrike, SentinelOne | Amazon GuardDuty, Azure Sentinel |
| IaC Scanning | Checkov, tfsec, terrascan | Prisma Cloud, Snyk IaC | AWS Config, Azure Policy |
| SIEM | Wazuh, Elastic SIEM, Graylog | Splunk, QRadar, Sentinel | Amazon Security Lake, Chronicle |
| CSPM | Prowler, ScoutSuite, CloudSploit | Dome9, Prisma Cloud | AWS Security Hub, Azure Security Center |
| Secrets Scanning | GitLeaks, TruffleHog, detect-secrets | GitGuardian, Nightfall | GitHub secret scanning, AWS CodeCommit |
Vulnerability Management Lifecycle
Vulnerability management is a continuous cyclical process:
- Discover โ Asset inventory, network scanning, agent-based detection
- Assess โ Vulnerability scanning with authenticated and unauthenticated tests
- Prioritize โ Risk-based scoring using CVSS, threat intelligence, asset criticality
- Remediate โ Patching, configuration hardening, compensating controls
- Verify โ Rescanning to confirm remediation, regression testing
- Report โ Executive dashboards, compliance evidence, trend analysis
# vulnerability-management-sla.yaml
# SLA targets by severity
severities:
critical:
cvss_range: "9.0 - 10.0"
remediation_sla: "24 hours"
approval_required: false # Emergency patching
auto_create_ticket: true
high:
cvss_range: "7.0 - 8.9"
remediation_sla: "7 days"
approval_required: true
auto_create_ticket: true
medium:
cvss_range: "4.0 - 6.9"
remediation_sla: "30 days"
approval_required: true
auto_create_ticket: true
low:
cvss_range: "0.1 - 3.9"
remediation_sla: "90 days"
approval_required: false
auto_create_ticket: false
exemptions:
process: "CISO approval required for >30 day extensions"
max_extension: "90 days"
review_frequency: "Monthly"
Security Metrics and KPIs
Effective SecOps programs measure leading indicators (process metrics) and lagging indicators (outcome metrics):
| Metric | Type | Target | Measurement |
|---|---|---|---|
| Mean Time to Remediate (MTTR) | Lagging | < 24h critical, < 7d high | Vulnerability scanner data |
| Security Test Coverage | Leading | > 90% of repos | CI/CD pipeline instrumentation |
| Secrets Leaked in Production | Lagging | 0 | Secrets scanner + incident tracking |
| Deployment Frequency with Security Gates | Leading | 100% | Pipeline configuration audit |
| Phishing Click Rate | Lagging | < 5% | Phishing simulation platform |
| Mean Time to Detect (MTTD) | Lagging | < 1 hour | SIEM alert metrics |
| Code Review Security Comments | Leading | > 10% of reviews | PR analysis |
| Container Image Scan Pass Rate | Leading | > 95% | Container scanner reports |
Security Champion Program
A Security Champion program embeds security expertise within development teams without requiring dedicated security headcount per team.
Program Structure
Security Champion Program
โ
โโโ Executive Sponsor (CISO / VP Engineering)
โ
โโโ Security Champion Lead (Security Team)
โ โโโ Onboarding curriculum
โ โโโ Monthly training sessions
โ โโโ Office hours support
โ
โโโ Champions (1 per dev team ~10:1 ratio)
โ โโโ Attend monthly meetings
โ โโโ Review security requirements
โ โโโ Escalate issues to security team
โ โโโ Advocate for secure practices
โ
โโโ Incentives
โโโ Conference attendance budget
โโโ Certification reimbursement (OSCP, CISSP)
โโโ Recognition in performance reviews
โโโ Dedicated learning time (10% allocation)
Champion Responsibilities
- Participate in threat modeling sessions for their team's features
- Review security-related pull requests
- Ensure team compliance with security policies
- Report security metrics to the security team monthly
- Drive adoption of security tools and practices within their team
Lean Six Sigma Application
Apply DMAIC (Define, Measure, Analyze, Improve, Control) to security processes. Measure baseline MTTR, analyze bottlenecks in the vulnerability remediation workflow, implement process improvements, and control with automated enforcement in CI/CD.
Compliance Mapping
Organizations often need to satisfy multiple compliance frameworks simultaneously. Cross-mapping controls reduces audit burden:
| Control Domain | SOC 2 CC | ISO 27001 | PCI-DSS v4 | CIS Control |
|---|---|---|---|---|
| Access Control | CC6.1, CC6.2 | A.9.1, A.9.2, A.9.4 | 7.1, 7.2, 8.2, 8.3 | CIS 5, CIS 6 |
| Change Management | CC8.1 | A.12.1.2, A.14.2.2 | 6.3, 6.5 | CIS 4 |
| Encryption | CC6.1, CC6.7 | A.10.1, A.10.2 | 4.1, 4.2 | CIS 3 |
| Logging & Monitoring | CC7.2, CC7.3 | A.12.4 | 10.2, 10.3, 11.4 | CIS 8 |
| Vulnerability Management | CC7.1, CC8.1 | A.12.6, A.18.2 | 6.3, 11.3 | CIS 7 |
| Incident Response | CC4.1, CC7.4, CC7.5 | A.16.1 | 12.10 | CIS 17, CIS 18 |
| Vendor Management | CC9.1, CC9.2 | A.15.1, A.15.2 | 12.8 | CIS 15 |
| Data Classification | CC6.1, CC6.7 | A.8.2, A.8.3 | 3.1, 3.2 | CIS 3 |
| Network Security | CC6.6, CC6.7 | A.13.1 | 1.2, 1.3, 2.1 | CIS 4, CIS 12, CIS 13 |
| Backup & Recovery | A1.2, A1.3 | A.12.3, A.17.1 | 12.3, 12.4 | CIS 11 |
Compliance is Not Security
Compliance frameworks establish minimum baselines. A fully compliant organization can still be breached. Use compliance as a foundation, not a ceiling. Continuous security monitoring and threat-informed defense go beyond checklist compliance.
Evidence Collection Automation
Automate evidence collection for compliance audits using infrastructure-as-code and continuous monitoring:
# terraform/compliance-evidence-collection.tf
# Automated evidence collection for SOC 2
# AWS Config Rule: Check for encrypted volumes
resource "aws_config_config_rule" "ec2_encrypted_volumes" {
name = "ec2-volumes-must-be-encrypted"
source {
owner = "AWS"
source_identifier = "EC2_VOLUME_INUSE_CHECK"
}
input_parameters = jsonencode({
volumeIds = ""
})
depends_on = [aws_config_configuration_recorder.compliance_recorder]
}
# AWS Config Rule: MFA enabled for root
resource "aws_config_config_rule" "root_account_mfa_enabled" {
name = "root-account-mfa-enabled"
source {
owner = "AWS"
source_identifier = "ROOT_ACCOUNT_MFA_ENABLED"
}
depends_on = [aws_config_configuration_recorder.compliance_recorder]
}
# CloudWatch Log Group for audit trail
resource "aws_cloudwatch_log_group" "audit_logs" {
name = "/compliance/audit-trail"
retention_in_days = 2555 # 7 years for SOX/PCI-DSS
kms_key_id = aws_kms_key.audit_encryption.arn
}
Related Topics
- HashiCorp Vault โ Centralized secrets management
- Secrets Management โ Zero-hardcoded-secrets policy
- Vulnerability Scanning โ Continuous vulnerability assessment
- Code Security โ Supply chain security
- Compliance Frameworks โ SOC 2, ISO 27001, PCI-DSS implementation
- Wazuh EDR/XDR โ Endpoint detection and response
- IAM & RBAC โ Identity and access management