This repository contains structured and interview-ready notes covering DevSecOps concepts, tools, CI/CD security integration, and real-world scenarios.
DevOps is a culture and set of practices that integrates development and operations teams to enable faster and reliable software delivery through automation and CI/CD pipelines.
DevSecOps extends DevOps by integrating security into every stage of the Software Development Life Cycle (SDLC).
- Security is a shared responsibility
- Security is automated in CI/CD pipelines
- Focus on early detection of vulnerabilities
| DevOps | DevSecOps |
|---|---|
| Focus on speed and delivery | Focus on speed and security |
| Security handled later | Security integrated early |
| Separate security team | Shared responsibility |
| Reactive approach | Proactive approach |
Shift-left security means integrating security early in the development lifecycle instead of testing at the end.
Example:
- SAST during coding
- SCA during build
Static Application Security Testing scans source code without executing it.
- Finds issues like SQL Injection, XSS, hardcoded secrets
- Runs during coding or build stage
Dynamic Application Security Testing scans a running application.
- Finds runtime vulnerabilities
- Simulates real-world attacks
- Runs after deployment
Software Composition Analysis scans third-party dependencies for known vulnerabilities.
| Feature | SAST | DAST | SCA |
|---|---|---|---|
| Target | Source code | Running application | Dependencies |
| Stage | Early | Late | Build |
| Type | White-box | Black-box | Component analysis |
CodeQL is a SAST tool that analyzes source code using queries to detect vulnerabilities and security issues.
| CodeQL | SonarQube |
|---|---|
| Security-focused | Code quality with security |
| Query-based analysis | Rule-based analysis |
| Deep vulnerability detection | Easier to use |
CVE (Common Vulnerabilities and Exposures) is a unique identifier assigned to publicly known security vulnerabilities.
Example: CVE-2021-44228
- Scan dependency files such as pom.xml, package.json, or requirements.txt
- Compare versions with vulnerability databases
- Use tools like Snyk or OWASP Dependency-Check
DAST is slower because:
- It runs on a live application
- Sends HTTP requests
- Waits for responses
SAST only analyzes code, so it is faster.
No. DAST requires a running application, typically deployed in a staging or test environment.
- Unauthorized access
- Data breaches
- Financial loss due to misuse
- Use secret scanning tools
- Avoid hardcoding secrets
- Use environment variables
- Use secret managers
- Rotate keys regularly
trivy image my-app:latest- Scans OS packages and dependencies
- Reports vulnerabilities based on known databases
A base image vulnerability is a security issue present in the underlying image (such as Ubuntu or Alpine) that affects all derived container images.
- Pre-commit stage (optional)
- Pull request stage
- Build stage (most common)
Code Commit → Secrets Scan → SAST → SCA → Build → Container Scan → Deploy (Dev) → DAST → Approval → Production
-
Fail for:
- Critical and High vulnerabilities
- Secrets detected
-
Allow Medium and Low (log and monitor)
| Severity | Action |
|---|---|
| Critical | Fail |
| High | Fail |
| Medium | Warn |
| Low | Ignore |
- Validate findings manually
- Suppress with proper justification
- Maintain allowlist
- Tune scanning rules
- Identify severity using CVSS
- Analyze impact
- Fix vulnerability or update dependency
- Rebuild artifact or Docker image
- Redeploy through pipeline
- Monitor logs and systems
- Run scans in parallel
- Use incremental scanning
- Scan only changed code
- Cache dependencies
- Run heavy scans separately
- Define severity thresholds
- Allow temporary exceptions
- Educate developers on secure coding
- Implement shift-left security
CIS Benchmarks are security best practices for systems, cloud platforms, and applications provided by the Center for Internet Security.
OWASP Top 10 is a list of the most critical web application security risks, such as:
- Injection
- Broken Authentication
- Security Misconfiguration
The least privilege principle means giving only the minimum access required to users or systems to perform their tasks.
- Use RBAC for access control
- Implement network policies
- Apply pod security standards
- Scan container images before deployment
- Scan configurations using security tools
- Avoid hardcoding secrets
- Use secure defaults and configurations
Secrets management is the practice of securely storing and accessing sensitive data such as API keys and passwords using tools like Vault or cloud secret managers.
Image signing ensures that container images are trusted and have not been tampered with.
Zero Trust is a security model where every request is authenticated and authorized, and no entity is trusted by default.
name: Secure CI/CD Pipeline
on: [push]
jobs:
security:
runs-on: ubuntu-latest
steps:
- name: Checkout Code
uses: actions/checkout@v3
- name: Run SAST
run: codeql analyze
- name: Run SCA
run: snyk test
- name: Build Docker Image
run: docker build -t my-app .
- name: Scan Docker Image
run: trivy image my-app
- name: Run DAST
run: zap-baseline.py -t http://test-appAnswer:
Secure-by-design means integrating security practices from the beginning of the Software Development Life Cycle instead of adding them at the end. It includes defining security requirements, performing threat modeling during design, enforcing secure coding practices, and automating security testing in CI/CD pipelines.
Answer:
In the requirement phase, I define security requirements such as authentication, authorization, and encryption. In the design phase, I perform threat modeling using tools like Microsoft Threat Modeling Tool. During development, I enforce secure coding practices and use SAST tools. In testing, I integrate SAST, DAST, and SCA scans. In deployment, I ensure secure configurations and proper secrets management.
Answer:
I collaborate by integrating security tools directly into the developer workflow, providing secure coding guidelines, and conducting awareness sessions. I also ensure developers receive early feedback through CI/CD pipelines so they can fix issues quickly.
Answer:
I automate security checks in CI/CD pipelines and set severity thresholds so only critical issues block builds. I also shift security earlier in the process to reduce rework and provide faster feedback.
Answer:
Threat modeling is the process of identifying potential security threats during the design phase. It helps proactively address vulnerabilities before development begins, reducing both risk and cost.
Answer:
STRIDE is a threat modeling framework that stands for Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, and Elevation of Privilege. It is used to categorize and identify potential threats in a system.
Answer:
I provide secure coding standards, enforce code reviews, and integrate tools like SonarQube into CI pipelines to detect vulnerabilities early.
Answer:
I avoid hardcoding secrets in source code and use secure storage solutions like HashiCorp Vault. Secrets are injected at runtime and rotated regularly.
Answer:
I work with platform teams to secure CI/CD pipelines, enforce Infrastructure-as-Code security practices, implement proper access controls, and ensure monitoring and logging are in place.
Answer:
I first identify the challenges faced by the team, then provide training and simplify security processes. I introduce automated checks and make security part of the Definition of Done to ensure compliance.
Answer:
I begin with a risk assessment, then introduce SAST and SCA into CI/CD pipelines. I implement threat modeling in the design phase and gradually enforce policies and automation without disrupting development speed.
Answer:
Security gates are checkpoints in the pipeline where builds fail if vulnerabilities exceed a defined severity threshold. This ensures that only secure code progresses to deployment.
Answer:
It means a feature is considered complete only after passing all security checks, including code scans, dependency checks, and adherence to secure coding standards.
Answer:
By automating security processes, shifting security earlier in the lifecycle, running scans in parallel, and focusing on high-risk vulnerabilities, I ensure strong security without slowing down delivery.
Answer:
In my project, I integrated SAST and SCA tools into CI/CD pipelines, conducted threat modeling during the design phase, enforced secure coding practices, and implemented container scanning before deployment. I collaborated with developers through regular feedback and training, ensuring security became an integral part of the development lifecycle.
Answer:
Infrastructure-as-Code is the practice of provisioning and managing infrastructure using code instead of manual processes. Tools like Terraform, AWS CloudFormation, and Azure Bicep allow consistent, repeatable, and automated infrastructure deployment.
Answer:
IaC templates define infrastructure configurations. If they contain misconfigurations such as open ports or excessive permissions, they can introduce vulnerabilities at scale. Securing IaC ensures infrastructure is compliant, consistent, and protected from the beginning.
Answer:
- Hardcoded secrets (API keys, passwords)
- Open security groups (e.g., 0.0.0.0/0)
- Overly permissive IAM roles
- Unencrypted storage (S3, databases)
- Lack of logging and monitoring
Answer:
- Avoid hardcoding secrets; use secure storage solutions
- Enforce least privilege IAM roles
- Use remote state with encryption enabled
- Validate configurations using tools like Checkov
- Perform code reviews and policy checks before deployment
Answer:
Terraform state stores the current infrastructure configuration and may contain sensitive data. It should be secured using remote backends (e.g., S3) with encryption enabled and restricted access using IAM policies.
Answer:
- Use policy-as-code tools
- Integrate compliance checks in CI/CD pipelines
- Follow standards like CIS benchmarks
- Validate configurations before deployment
Answer:
Policy-as-code is the practice of defining and enforcing infrastructure rules using code. It ensures all deployments follow organizational security and compliance standards automatically.
Answer:
- Do not hardcode secrets in templates
- Use secret management tools like HashiCorp Vault
- Store secrets in environment variables or secure services
- Rotate secrets regularly
Answer:
- Add IaC scanning tools (e.g., Checkov) in pipeline stages
- Enforce policy validation before deployment
- Fail builds if violations exceed defined thresholds
Answer:
Least privilege means granting only the minimum permissions required for a resource or user to function, reducing the risk of misuse or compromise.
Answer:
- Detect using automated scanning tools
- Fix issues in the code
- Enforce policies to prevent recurrence
- Use code reviews and CI/CD validation
Answer:
- Enable encryption for storage and databases
- Use IAM roles with least privilege
- Avoid hardcoded secrets
- Enable logging and monitoring
- Use parameterization instead of static values
Answer:
- Restrict public access immediately
- Update Terraform code to enforce private access
- Enable bucket policies and encryption
- Add validation rules to prevent future issues
Answer:
- Implement policy-as-code
- Integrate IaC scanning tools in CI/CD pipelines
- Enforce security gates
- Conduct regular audits against compliance standards
Answer:
- Review IaC templates
- Integrate security tools into pipelines
- Provide secure configuration guidelines
- Automate compliance checks
Answer:
In a real-world setup, IaC security is implemented by integrating scanning tools like Checkov into CI/CD pipelines, enforcing policies using policy-as-code tools, securely managing secrets, and ensuring all infrastructure follows least privilege and encryption standards. Continuous collaboration with development and DevOps teams ensures security is maintained throughout the lifecycle.
Answer:
Vulnerability management is the continuous process of identifying, assessing, prioritizing, and remediating security vulnerabilities across systems, applications, and infrastructure.
Answer:
- Use cloud-native security tools (e.g., AWS Security Hub, Azure Defender)
- Enable logging and monitoring (CloudWatch, Azure Monitor)
- Continuously scan resources for misconfigurations
- Integrate alerts with monitoring systems
Answer:
- Use SAST tools during development
- Use DAST tools after deployment
- Perform dependency scanning (SCA)
- Integrate scanning into CI/CD pipelines
Answer:
- Scan container images using tools like Trivy or Clair
- Monitor running containers for vulnerabilities
- Use secure base images
- Continuously update and patch images
Answer:
CVE (Common Vulnerabilities and Exposures) is a standardized identifier for publicly known security vulnerabilities.
Answer:
CVSS (Common Vulnerability Scoring System) is used to measure the severity of vulnerabilities, helping prioritize remediation efforts.
Answer:
- Based on CVSS score (Critical, High, Medium, Low)
- Exploitability and impact
- Business criticality of the affected system
- Exposure (public-facing vs internal)
Answer:
- Fix code issues identified by SAST
- Update vulnerable dependencies
- Apply patches
- Retest after remediation
Answer:
- Update base images
- Remove unnecessary packages
- Rebuild and redeploy images
- Use minimal and secure images (e.g., Alpine)
Answer:
- Fix misconfigurations (e.g., open ports, public access)
- Apply patches and updates
- Enforce IAM least privilege
- Enable encryption and logging
Answer:
- Integrate scanning tools into CI/CD pipelines
- Schedule regular scans
- Use alerts and dashboards for monitoring
- Automatically fail builds for critical vulnerabilities
Answer:
- SAST: CodeQL, SonarQube
- SCA: Snyk, OWASP Dependency-Check
- DAST: OWASP ZAP
- Container: Trivy, Clair
Answer:
Patch management is the process of applying updates to software or systems to fix vulnerabilities and improve security.
Answer:
- Identify severity and impact
- Isolate affected systems if needed
- Apply patch or fix immediately
- Rebuild and redeploy
- Verify and monitor
Answer:
- Prioritize based on severity and risk
- Focus on critical and high issues first
- Reduce false positives
- Create a remediation plan
Answer:
- Enable real-time monitoring and alerts
- Integrate with SIEM tools
- Perform regular scans
- Continuously update security tools and policies
Answer:
- Share vulnerability reports with developers
- Provide clear remediation steps
- Track fixes through tickets
- Ensure timely resolution through follow-ups
Answer:
In a real-world workflow, vulnerabilities are detected using automated scanning tools integrated into CI/CD pipelines and cloud monitoring systems. They are prioritized based on severity and business impact, assigned to relevant teams, fixed through patches or code changes, and verified through re-scanning. Continuous monitoring ensures new vulnerabilities are identified and addressed promptly.
Answer:
An artifact repository is a storage system used to manage and store build artifacts such as binaries, libraries, and packages. It ensures version control, traceability, and secure distribution of artifacts.
Answer:
- Nexus Repository
- JFrog Artifactory
- AWS CodeArtifact
Answer:
A container registry is a service used to store, manage, and distribute container images. It allows teams to version, scan, and securely access Docker images.
Answer:
- Docker Hub
- AWS Elastic Container Registry (ECR)
- Azure Container Registry (ACR)
- Google Container Registry (GCR)
Answer:
- Enable authentication and role-based access control (RBAC)
- Enforce least privilege access
- Scan artifacts for vulnerabilities
- Enable audit logging and monitoring
- Use HTTPS for secure communication
Answer:
- Restrict access using IAM/RBAC
- Enable image scanning for vulnerabilities
- Use private repositories instead of public
- Enforce image signing and verification
- Regularly remove unused or outdated images
Answer:
Image scanning is the process of analyzing container images for vulnerabilities, outdated packages, and misconfigurations before deployment.
Answer:
- Trivy
- Clair
- Anchore
Answer:
- Add scanning stages in the pipeline after build
- Scan artifacts and container images before pushing to registry
- Fail builds if critical vulnerabilities are found
- Generate reports for developers
Answer:
Artifact versioning ensures each build is uniquely identifiable. It helps track changes, roll back to previous versions, and maintain consistency across environments.
Answer:
Immutability means once an artifact or image is stored, it cannot be modified. This ensures integrity and prevents tampering.
Answer:
- Use role-based access control (RBAC)
- Enforce least privilege principle
- Integrate with identity providers (IAM/SSO)
- Rotate credentials regularly
Answer:
- Continuously scan artifacts and images
- Identify vulnerable versions
- Rebuild with updated dependencies
- Replace old versions in registry
- Notify teams for remediation
Answer:
Retention policy defines how long artifacts or images are stored before being deleted. It helps manage storage and remove outdated or unused artifacts.
Answer:
- Identify affected image versions
- Prevent further usage (block or deprecate)
- Fix vulnerabilities and rebuild image
- Push updated image to registry
- Update deployments
Answer:
- Revoke access immediately
- Investigate logs and identify impact
- Rotate credentials
- Strengthen access controls and policies
Answer:
- Enforce access control policies
- Enable logging and auditing
- Integrate vulnerability scanning
- Follow organizational and regulatory standards
Answer:
- Provide guidelines for artifact and image usage
- Integrate tools into CI/CD pipelines
- Share vulnerability reports
- Support teams in resolving issues
Answer:
In a real-world setup, artifact repositories and container registries are secured with RBAC and integrated with CI/CD pipelines. All artifacts and images are scanned before storage and deployment. Policies such as immutability and retention are enforced. Continuous monitoring and collaboration with development and DevOps teams ensure secure and efficient operations.
Answer:
I provide guidance by establishing secure coding standards, conducting training sessions, integrating security tools into developer workflows, and offering continuous feedback through CI/CD pipelines. I also collaborate closely with teams to ensure security is embedded without affecting development speed.
Answer:
Secure coding practices include:
- Input validation and sanitization
- Proper authentication and authorization
- Avoiding hardcoded secrets
- Using encryption for sensitive data
- Handling exceptions securely
- Preventing common vulnerabilities like SQL injection and XSS
Answer:
- Provide secure coding guidelines and documentation
- Conduct regular code reviews
- Integrate SAST tools into CI/CD pipelines
- Share feedback and remediation steps
- Conduct secure coding training sessions
Answer:
- Design secure CI/CD pipelines with integrated security checks
- Automate SAST, SCA, DAST, and container scanning
- Implement security gates to block vulnerable builds
- Use role-based access control (RBAC) for pipeline access
- Ensure secrets are securely managed
Answer:
- SAST (Static Application Security Testing)
- SCA (Software Composition Analysis)
- DAST (Dynamic Application Security Testing)
- Secrets scanning
- Container image scanning
Answer:
- Avoid hardcoding secrets in code
- Use secure tools like HashiCorp Vault
- Store secrets in environment variables or secret managers
- Rotate secrets regularly
- Restrict access using least privilege
Answer:
Cloud security patterns are best practices used to design secure cloud architectures. They ensure systems are resilient, compliant, and protected against threats.
Answer:
- Least privilege access (IAM roles and policies)
- Network segmentation (VPCs, subnets)
- Encryption at rest and in transit
- Logging and monitoring (CloudWatch, Azure Monitor)
- Zero Trust architecture
Answer:
- Provide reference architectures and best practices
- Enforce IAM policies with least privilege
- Ensure encryption and secure networking
- Integrate security checks in IaC templates
- Monitor and audit cloud resources continuously
Answer:
- Share clear vulnerability reports
- Provide step-by-step remediation guidance
- Work together to fix issues quickly
- Track progress through tickets
- Re-validate fixes after implementation
Answer:
- Identify gaps in the current process
- Provide training and documentation
- Simplify CI/CD workflows
- Automate processes to reduce manual effort
- Enforce policies and checks
Answer:
- Prioritize vulnerabilities based on severity
- Provide clear remediation steps
- Help fix critical issues first
- Integrate automated scans to prevent recurrence
- Educate developers on secure coding practices
Answer:
I balance guidance and enforcement by educating teams first, providing easy-to-use tools, and then enforcing policies through automation. This ensures adoption without resistance.
Answer:
Documentation provides clear guidelines, best practices, and reference architectures. It ensures consistency and helps teams follow secure development and deployment processes.
Answer:
- Conduct regular training and workshops
- Review and update security policies
- Analyze incidents and improve processes
- Gather feedback from teams
- Continuously enhance automation and tooling
Answer:
In a real-world setup, I provide secure coding guidelines, integrate security tools into CI/CD pipelines, and define cloud security best practices. I collaborate closely with development teams, provide continuous feedback, and enforce policies through automation to ensure secure and efficient application delivery.
Answer:
Documentation ensures consistency, clarity, and knowledge sharing across teams. It helps developers and DevOps engineers follow standardized processes, reduces onboarding time, and improves overall engineering efficiency.
Answer:
- Secure coding guidelines
- CI/CD pipeline documentation
- Infrastructure-as-Code (IaC) standards
- Security policies and procedures
- Runbooks and troubleshooting guides
- Architecture diagrams
Answer:
Engineering standards are predefined guidelines and best practices that teams follow to ensure consistency, quality, security, and compliance across development and operations.
Answer:
- Align with industry standards (e.g., OWASP, CIS benchmarks)
- Define secure coding practices
- Enforce IAM and access control policies
- Standardize encryption and logging requirements
- Document and share guidelines across teams
Answer:
Reusable modules are pre-built, standardized components (such as Terraform modules or CI/CD templates) that can be reused across multiple projects to ensure consistency and reduce development effort.
Answer:
- Reduce duplication of effort
- Ensure consistency across environments
- Minimize errors and misconfigurations
- Speed up development and deployment
Answer:
- Follow least privilege principles
- Enable encryption by default
- Avoid hardcoded values and secrets
- Include logging and monitoring
- Validate modules using security scanning tools
Answer:
- Provide clear documentation and examples
- Conduct training sessions
- Integrate standards into CI/CD pipelines
- Enforce policies through automation
- Offer support and feedback
Answer:
A runbook is a documented set of procedures that guides teams on how to handle operational tasks, incidents, or troubleshooting steps.
Answer:
- Regularly review and update documents
- Version control documentation
- Collect feedback from teams
- Align updates with new tools and processes
Answer:
- Create reusable pipeline templates
- Define standard stages (build, test, scan, deploy)
- Integrate security checks by default
- Enforce pipeline policies
Answer:
- Identify gaps and reasons for non-compliance
- Simplify and improve standards if needed
- Provide training and support
- Enforce standards through automation and CI/CD checks
Answer:
- Create centralized reusable modules
- Encourage teams to adopt shared modules
- Maintain a version-controlled repository
- Provide documentation and examples
Answer:
- Perform code reviews
- Validate using automated testing and scanning
- Follow versioning practices
- Maintain clear documentation
Answer:
Versioning helps track changes in modules and ensures teams can use stable, tested versions. It also enables rollback if issues arise.
Answer:
- Create reusable templates and modules
- Automate repetitive tasks
- Standardize processes
- Provide clear documentation
- Continuously optimize workflows
Answer:
In a real-world setup, I create standardized documentation for CI/CD pipelines, security practices, and IaC modules. I build reusable templates for infrastructure and deployments, enforce standards through automation, and continuously update documentation based on feedback and evolving requirements. This ensures consistency, reduces errors, and improves overall engineering efficiency.
Answer:
Incident response is the process of identifying, analyzing, containing, and resolving security incidents such as breaches, vulnerabilities, or system compromises.
Answer:
- Preparation
- Identification
- Containment
- Eradication
- Recovery
- Lessons Learned
Answer:
- Monitor and detect security incidents
- Analyze logs and alerts
- Assist in containment and remediation
- Collaborate with development and operations teams
- Provide root-cause analysis and preventive measures
Answer:
Root-cause analysis is the process of identifying the underlying cause of a security incident to prevent it from happening again.
Answer:
- Collect logs and evidence
- Identify what happened and when
- Trace the origin of the issue
- Determine the root cause
- Document findings and recommend fixes
Answer:
- SIEM tools (e.g., Splunk, ELK Stack)
- Monitoring tools (CloudWatch, Azure Monitor)
- Endpoint detection tools
- Log analysis tools
Answer:
- Monitor alerts from security tools
- Analyze logs and unusual activity
- Detect anomalies in system behavior
- Use automated monitoring and alerting systems
Answer:
- Isolate affected systems
- Block malicious traffic or access
- Disable compromised accounts
- Prevent further spread of the issue
Answer:
- Remove malicious components
- Patch vulnerabilities
- Update configurations
- Rebuild and redeploy affected systems
Answer:
Logging provides critical data for detecting, analyzing, and investigating incidents. It helps trace actions, identify attackers, and support root-cause analysis.
Answer:
- Identify and confirm the incident
- Isolate affected systems
- Analyze logs to understand impact
- Remove threats and patch vulnerabilities
- Restore services and monitor closely
- Perform root-cause analysis
Answer:
- Contain the exposure immediately
- Identify affected data and users
- Notify stakeholders
- Fix the vulnerability
- Rotate credentials and enforce security controls
- Conduct root-cause analysis
Answer:
- Fix root causes identified in RCA
- Improve monitoring and alerting
- Update security policies
- Enhance automation and controls
- Conduct training and awareness
Answer:
A post-incident report documents the incident details, impact, root cause, actions taken, and recommendations for prevention.
Answer:
- Work with DevOps, security, and development teams
- Communicate clearly and quickly
- Share updates and findings
- Coordinate remediation efforts
Answer:
Detection is identifying that an incident has occurred, while response involves taking actions to contain, fix, and recover from the incident.
Answer:
- Based on severity and impact
- Data sensitivity
- Affected systems and users
- Business criticality
Answer:
In a real-world scenario, incidents are detected through monitoring tools and alerts. The affected systems are isolated, logs are analyzed to understand the issue, and remediation steps are applied. After recovery, a root-cause analysis is conducted, and preventive measures are implemented to avoid recurrence.