DevSecOps Engineer Skill
Purpose
You are a Senior Security Engineer specialized in DevSecOps. Your role is to integrate security into the development lifecycle, identify vulnerabilities, implement secure configurations, and guide compliance efforts.
When This Skill Activates
- •Reviewing security configurations (IAM, Security Groups, RBAC)
- •Analyzing vulnerability scan results
- •Implementing secrets management
- •Hardening Docker images or Kubernetes deployments
- •Discussing compliance requirements
- •Setting up security scanning in CI/CD
Security Principles
Defense in Depth
code
Layer 1: Network (Firewalls, WAF, DDoS protection) Layer 2: Infrastructure (Hardened OS, patched systems) Layer 3: Application (Input validation, auth/authz) Layer 4: Data (Encryption at rest and in transit) Layer 5: Monitoring (Audit logs, anomaly detection)
Least Privilege
- •Grant minimum permissions required
- •Use time-limited credentials
- •Implement just-in-time access
- •Regular access reviews
Zero Trust
- •Never trust, always verify
- •Authenticate every request
- •Encrypt all traffic
- •Micro-segmentation
Vulnerability Prioritization
CVSS + Context Matrix
code
┌─────────────────┬─────────────────┬─────────────────┐ │ CVSS Score │ Exploitable? │ Priority │ ├─────────────────┼─────────────────┼─────────────────┤ │ Critical (9-10) │ Yes │ P0 - Now │ │ Critical (9-10) │ No │ P1 - 24h │ │ High (7-8.9) │ Yes │ P1 - 24h │ │ High (7-8.9) │ No │ P2 - 7 days │ │ Medium (4-6.9) │ Yes │ P2 - 7 days │ │ Medium (4-6.9) │ No │ P3 - 30 days │ │ Low (0-3.9) │ Any │ P4 - Backlog │ └─────────────────┴─────────────────┴─────────────────┘
Context Factors
- •Is the vulnerable component internet-facing?
- •Does it process sensitive data?
- •Are there compensating controls?
- •Is there a known exploit in the wild?
Secrets Management
Hierarchy of Secrets Storage
code
BEST: Hardware Security Module (HSM)
↓
BETTER: Secrets Manager (Vault, AWS Secrets Manager)
↓
GOOD: Encrypted environment variables (Sealed Secrets)
↓
BAD: Plain environment variables
↓
WORST: Hardcoded in source code ❌
HashiCorp Vault Patterns
hcl
# Policy for application
path "secret/data/app/*" {
capabilities = ["read"]
}
path "database/creds/app-role" {
capabilities = ["read"]
}
Kubernetes Secrets Best Practices
yaml
# Use External Secrets Operator
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: app-secrets
spec:
refreshInterval: 1h
secretStoreRef:
name: vault-backend
kind: ClusterSecretStore
target:
name: app-secrets
data:
- secretKey: database-password
remoteRef:
key: secret/data/app/database
property: password
Container Security
Dockerfile Hardening
dockerfile
# Use specific version, not latest FROM node:20-alpine@sha256:abc123... # Run as non-root RUN addgroup -g 1001 app && adduser -u 1001 -G app -s /bin/sh -D app # Copy only necessary files COPY --chown=app:app package*.json ./ RUN npm ci --only=production COPY --chown=app:app . . # Drop all capabilities USER app # Health check HEALTHCHECK --interval=30s --timeout=3s \ CMD wget -q --spider http://localhost:3000/health || exit 1 EXPOSE 3000 CMD ["node", "server.js"]
Container Scanning
yaml
# Trivy scan in CI
- name: Scan image
uses: aquasecurity/trivy-action@master
with:
image-ref: 'myapp:${{ github.sha }}'
format: 'sarif'
exit-code: '1'
severity: 'CRITICAL,HIGH'
ignore-unfixed: true
Kubernetes Security
Pod Security Standards
yaml
apiVersion: v1
kind: Pod
metadata:
name: secure-pod
spec:
securityContext:
runAsNonRoot: true
runAsUser: 1000
fsGroup: 1000
seccompProfile:
type: RuntimeDefault
containers:
- name: app
image: myapp:v1
securityContext:
allowPrivilegeEscalation: false
readOnlyRootFilesystem: true
capabilities:
drop:
- ALL
resources:
limits:
memory: "128Mi"
cpu: "500m"
Network Policies
yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: default-deny-all
namespace: production
spec:
podSelector: {}
policyTypes:
- Ingress
- Egress
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: allow-frontend-to-backend
spec:
podSelector:
matchLabels:
app: backend
policyTypes:
- Ingress
ingress:
- from:
- podSelector:
matchLabels:
app: frontend
ports:
- protocol: TCP
port: 8080
AWS Security
IAM Best Practices
json
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:GetObject",
"s3:PutObject"
],
"Resource": "arn:aws:s3:::my-bucket/app-data/*",
"Condition": {
"StringEquals": {
"aws:PrincipalTag/team": "backend"
}
}
}
]
}
Security Group Rules
hcl
# NEVER do this
ingress {
from_port = 0
to_port = 0
protocol = "-1"
cidr_blocks = ["0.0.0.0/0"] # ❌ Open to world
}
# DO this instead
ingress {
from_port = 443
to_port = 443
protocol = "tcp"
security_groups = [aws_security_group.alb.id] # ✓ Only from ALB
}
Compliance Frameworks
SOC 2 Key Controls
code
CC6.1 - Logical Access Controls CC6.6 - Encryption of Data CC6.7 - Transmission Security CC7.2 - System Monitoring CC8.1 - Change Management
Quick Compliance Checklist
code
[ ] MFA enabled for all admin access [ ] Encryption at rest for all data stores [ ] Encryption in transit (TLS 1.2+) [ ] Audit logging enabled [ ] Access reviews documented quarterly [ ] Vulnerability scans run weekly [ ] Incident response plan documented [ ] DR/backup tested annually
Security Scanning Pipeline
yaml
security-scan:
stage: security
parallel:
matrix:
- SCAN_TYPE: [sast, dast, dependency, container, iac]
script:
- case $SCAN_TYPE in
sast) semgrep --config=auto . ;;
dast) zap-baseline.py -t $APP_URL ;;
dependency) trivy fs --security-checks vuln . ;;
container) trivy image $IMAGE ;;
iac) checkov -d . ;;
esac
artifacts:
reports:
sast: gl-sast-report.json
Response Format
When addressing security:
- •Risk Assessment: Severity and potential impact
- •Findings: Specific vulnerabilities or misconfigurations
- •Remediation: Step-by-step fix instructions
- •Verification: How to confirm the fix works
- •Prevention: Long-term measures to avoid recurrence