2022 DevSecOps Pipeline, Framework, and Best Practices
This article provides a comprehensive overview of DevSecOps, explaining its definition, pipeline stages, detailed framework, and the top five best practices for 2022 to help organizations integrate security throughout the software development lifecycle.
DevSecOps is a practical, goal‑oriented approach that ensures system security by embedding key security principles into the standard DevOps cycle through collaboration among IT security teams, software developers, and operations.
Table of Contents
What is DevSecOps?
How does the DevSecOps pipeline work?
Understanding the DevSecOps framework
Top 5 DevSecOps best practices for 2022
What is DevSecOps?
DevSecOps extends the DevOps concept by making every department responsible for integrating security at each stage of the software development lifecycle, aiming to release new code quickly while maintaining strict security protocols.
How does the DevSecOps pipeline work?
The pipeline follows the traditional SDLC phases (planning, coding, building, testing, release, and deployment), and each phase is reinforced with specific security activities:
Planning: Conduct the initial security analysis and define the security testing strategy.
Coding: Use Git controls and tooling to keep sensitive information such as API keys and passwords out of the repository.
Building: Apply static application security testing (SAST) to check code quality and catch security defects in the source before it is packaged into a build artifact.
Testing: Run dynamic application security testing (DAST) against the running application to detect vulnerabilities such as SQL injection.
Release: Run vulnerability scanning and penetration testing against the release candidate.
Deployment: Put the required security protocols in place before the production rollout.
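The Coding-phase control above (keeping API keys and passwords out of Git) is usually enforced by a pre-commit or CI check that scans only the lines a change adds. The following is an added example, not code from the original article or from any product it mentions: a small scanner that walks a unified diff, applies a few credential patterns plus a Shannon-entropy test for opaque tokens, and redacts what it finds so the secret is not copied into build logs. The patterns, the entropy threshold and the sample diff are all constructed for illustration.

```python
"""Pre-commit secret scan over a unified diff (Coding-stage control).

Added example, not code from the original article. The credential
patterns, entropy threshold and SAMPLE_DIFF below are constructed.
"""
import math
import re
import sys

# Each regex captures the credential value in group 1 so it can be redacted.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(AKIA[0-9A-Z]{16})\b"),
    "private_key_block": re.compile(r"(-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----)"),
    # Only a quoted literal counts: `password = os.environ["X"]` is the safe form.
    "assigned_password": re.compile(
        r"(?i)(?:password|passwd|pwd|secret|api[_-]?key|token)\s*[:=]\s*['\"]([^'\"]{8,})['\"]"
    ),
}
TOKEN_RE = re.compile(r"[A-Za-z0-9+/=_\-]{20,}")   # candidate opaque tokens
ENTROPY_THRESHOLD = 4.0                              # bits per char; random keys score above this
HUNK_RE = re.compile(r"^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@")

# Constructed sample diff: one safe change and three that must be blocked.
SAMPLE_DIFF = """\
diff --git a/app/settings.py b/app/settings.py
--- a/app/settings.py
+++ b/app/settings.py
@@ -10,4 +10,7 @@ import os
 DEBUG = False
-DB_PASSWORD = "changeme-changeme"
+DB_PASSWORD = os.environ["DB_PASSWORD"]
+AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
+SLACK_HOOK = "https://hooks.example/aZ9bY8cX7dW6eV5fU4gT3hS2"
+SMTP_PASSWORD = "Winter2024!Winter2024!"
 RETRIES = 3
"""


def _finding(rule, path, lineno, value):
    """Record a hit; keep only a 4-char prefix so logs never contain the secret."""
    return {"rule": rule, "path": path, "line": lineno,
            "redacted": value[:4] + "*" * (len(value) - 4)}


def shannon_entropy(s):
    """Bits of entropy per character of s (0.0 for an empty string)."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_line(path, lineno, text):
    findings = [_finding(rule, path, lineno, m.group(1))
                for rule, pat in PATTERNS.items() for m in [pat.search(text)] if m]
    if findings:
        return findings  # a known pattern already explains this line
    # Fallback: long high-entropy tokens that no fixed pattern recognises.
    return [_finding("high_entropy_token", path, lineno, tok)
            for tok in TOKEN_RE.findall(text) if shannon_entropy(tok) >= ENTROPY_THRESHOLD]


def scan_diff(diff_text):
    """Scan only added ('+') lines, tracking the new-file path and line number."""
    findings, path, lineno = [], None, 0
    for raw in diff_text.splitlines():
        if raw.startswith("+++ "):
            path = raw[4:]
            path = path[2:] if path.startswith("b/") else path
        elif raw.startswith(("--- ", "diff ", "\\")):
            continue
        elif HUNK_RE.match(raw):
            lineno = int(HUNK_RE.match(raw).group(1))
        elif raw.startswith("+"):
            findings.extend(scan_line(path, lineno, raw[1:]))
            lineno += 1
        elif not raw.startswith("-"):
            lineno += 1  # context line; removed lines do not advance the counter
    return findings


def main():
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_DIFF
    findings = scan_diff(text)
    for f in findings:
        print(f"{f['path']}:{f['line']}: {f['rule']} ({f['redacted']})")
    return 1 if findings else 0  # non-zero exit blocks the commit or the CI job


if __name__ == "__main__":
    sys.exit(main())
```

Wired into a pre-commit hook as `git diff --cached | python scan_secrets.py`, a non-zero exit refuses the commit; the same script runs unchanged in CI over `git diff origin/main...HEAD`. The `assigned_password` rule deliberately matches only quoted literals so that reading the value from the environment is not reported; values in unquoted `.env`-style files would need a further pattern.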
DevSecOps Stages
The process is divided into five key stages:
Threat Modeling: Identify potential attack scenarios, data flows, and mitigation strategies.
Scanning: Evaluate code for vulnerabilities using both manual and automated reviews (SAST, DAST).
Analysis: Analyze collected data to prioritize and classify security issues.
Remediation: Address identified vulnerabilities with recommended fixes.
Monitoring: Continuously track and assess security posture, integrating security unit tests into CI pipelines.
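The Analysis, Remediation and Monitoring stages above all act on the same scanner output: findings have to be de-duplicated, prioritised and turned into a pass/fail decision that the CI pipeline can enforce. The block below is an added example, not code from the original article: a small gate that merges SAST, DAST and SCA findings, raises a static finding one severity level when a dynamic result confirms the same weakness in the same component, honours accepted-risk exceptions only until their expiry date, and fails the job when anything at or above the policy's threshold remains. The findings, the policy and the ticket reference are constructed sample data, and the correlation key (CWE plus component name) is an assumption of this example.

```python
"""CI security gate for the Analysis / Remediation / Monitoring stages.

Added example, not code from the original article. Findings, policy and
ticket ids below are constructed; the CWE+component correlation key is an
assumption of this example.
"""
from datetime import date

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}
RANK_SEVERITY = {v: k for k, v in SEVERITY_RANK.items()}

# Constructed scanner output; a real pipeline parses this from the tools' reports.
SAMPLE_FINDINGS = [
    {"id": "sast-sqli-db-42", "tool": "sast", "cwe": "CWE-89", "component": "search-api",
     "severity": "high", "location": "app/db.py:42"},
    {"id": "sast-sqli-db-42", "tool": "sast", "cwe": "CWE-89", "component": "search-api",
     "severity": "high", "location": "app/db.py:42"},          # same finding, re-run scan
    {"id": "dast-sqli-search", "tool": "dast", "cwe": "CWE-89", "component": "search-api",
     "severity": "critical", "location": "GET /search?q="},
    {"id": "sast-creds-cfg-7", "tool": "sast", "cwe": "CWE-798", "component": "batch-job",
     "severity": "medium", "location": "jobs/config.py:7"},
    {"id": "sca-lib-0001", "tool": "sca", "cwe": "CWE-1104", "component": "search-api",
     "severity": "low", "location": "requirements.txt"},
]

# Constructed policy: what blocks a build, and which risks were formally accepted.
SAMPLE_POLICY = {
    "fail_on": "high",
    "accepted": [
        {"id": "sast-creds-cfg-7", "expires": "2022-09-30", "ticket": "SEC-123 (constructed)"},
    ],
}


def dedupe(findings):
    """Keep the first occurrence of each finding id (copies, so input is untouched)."""
    seen, out = set(), []
    for f in findings:
        if f["id"] not in seen:
            seen.add(f["id"])
            out.append(dict(f))
    return out


def correlate(findings):
    """A DAST hit with the same CWE on the same component proves the static
    finding is reachable at runtime: mark it confirmed and raise it one level."""
    confirmed = {(f["cwe"], f["component"]) for f in findings if f["tool"] == "dast"}
    for f in findings:
        f["confirmed"] = f["tool"] == "dast" or (f["cwe"], f["component"]) in confirmed
        if f["tool"] != "dast" and f["confirmed"]:
            f["severity"] = RANK_SEVERITY[min(SEVERITY_RANK[f["severity"]] + 1, 4)]
    return findings


def classify(findings, policy, today):
    """Label each finding: accepted (unexpired exception), block, or backlog."""
    fail_rank = SEVERITY_RANK[policy["fail_on"]]
    accepted = {a["id"]: date.fromisoformat(a["expires"]) for a in policy["accepted"]}
    for f in findings:
        if f["id"] in accepted and accepted[f["id"]] >= today:
            f["class"] = "accepted"
        elif SEVERITY_RANK[f["severity"]] >= fail_rank:
            f["class"] = "block"
        else:
            f["class"] = "backlog"
    return findings


def run_gate(findings, policy, today):
    """Full triage: dedupe -> correlate -> classify -> pass/fail decision."""
    triaged = classify(correlate(dedupe(findings)), policy, today)
    triaged.sort(key=lambda f: (-SEVERITY_RANK[f["severity"]], f["id"]))
    counts = {}
    for f in triaged:
        counts[f["class"]] = counts.get(f["class"], 0) + 1
    return {"passed": counts.get("block", 0) == 0, "counts": counts, "findings": triaged}


def main():
    result = run_gate(SAMPLE_FINDINGS, SAMPLE_POLICY, date.today())
    for f in result["findings"]:
        print(f"[{f['class']:8}] {f['severity']:8} {f['tool']:4} {f['id']}  {f['location']}")
    print("gate:", "PASS" if result["passed"] else "FAIL", result["counts"])
    return 0 if result["passed"] else 1


if __name__ == "__main__":
    raise SystemExit(main())
```

Two design points matter in practice: the exception list carries an expiry, so an accepted risk silently returns to the backlog when the date passes instead of being forgotten, and `dedupe` works on copies, so the raw scanner output remains available for the monitoring dashboard.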
Understanding the DevSecOps Framework
DevSecOps integrates security tools such as SAST, DAST, IAST, and SCA into the CI/CD pipeline, supporting both monolithic and micro-service architectures. A modular, micro-service-based engine enables easier maintenance, higher reliability, and independent scaling of security components.
3.1 Security Scanning
Security scanning can be agent-based or agent-less; in the agent-less mode the platform collects project data through a web dashboard or API and forwards the results to a security service for further analysis.
3.2 Getting Source Code
Source code is obtained either through version‑control system integration or file upload, allowing incremental scans, stricter authentication, and streamlined project management.
3.3 Project Organization
Projects are grouped by teams and departments, with users belonging to multiple groups. The framework’s engine, built on micro‑services, supports separate security functions such as scanning, reporting, and credential management.
Top 5 DevSecOps Best Practices for 2022
4.1 Use Secure Coding Techniques: Follow secure coding standards and involve experienced developers to prevent data leaks and attacks.
4.2 Integrate the Right Tools: Deploy leading application security tools (SAST, DAST, IAST, SCA) and ensure they work across containers and micro‑services.
4.3 Automate Processes: Automate security checks throughout the CI/CD pipeline to reduce human error and enable scalable, repeatable security enforcement.
4.4 Adopt Security‑as‑Code: Encode, scan, and validate security policies as code to ensure consistent enforcement and faster deployments.
4.5 Shift Security Left: Incorporate security early in the planning, analysis, and design phases of the SDLC to detect and fix issues sooner, improving quality and reducing remediation costs.
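Practice 4.4 (Security-as-Code) is easiest to see with a concrete rule set: deployment requirements written as small checks that run against the manifest in the pipeline, so a violation fails the build instead of being caught in a review. The block below is an added example, not code from the original article or from any tool it names. It assumes a Kubernetes-style Deployment manifest already loaded into a Python dict (the sample manifest is constructed), and the five rules and their deny/warn levels are an illustrative policy, not a standard.

```python
"""Security-as-code: deployment rules expressed as checks over a manifest.

Added example, not code from the original article. SAMPLE_MANIFEST is a
constructed Kubernetes-style Deployment; the rule set and its deny/warn
levels are illustrative assumptions of this example.
"""

# Constructed manifest: the "api" container is compliant, the "sidecar" is not,
# and the pod mounts a host path.
SAMPLE_MANIFEST = {
    "apiVersion": "apps/v1", "kind": "Deployment",
    "metadata": {"name": "search-api"},
    "spec": {"template": {"spec": {
        "volumes": [{"name": "scratch", "emptyDir": {}},
                    {"name": "docker", "hostPath": {"path": "/var/run/docker.sock"}}],
        "containers": [
            {"name": "api", "image": "registry.example/search-api:1.4.2",
             "securityContext": {"runAsNonRoot": True, "privileged": False,
                                 "allowPrivilegeEscalation": False},
             "resources": {"limits": {"cpu": "500m", "memory": "256Mi"}}},
            {"name": "sidecar", "image": "registry.example/debug-tools:latest",
             "securityContext": {"privileged": True}, "resources": {}},
        ],
    }}},
}


def _ctx(container):
    return container.get("securityContext") or {}


# Each rule returns a message when violated, otherwise None.
def rule_no_privileged(c):
    if _ctx(c).get("privileged"):
        return "container runs privileged"


def rule_run_as_non_root(c):
    if _ctx(c).get("runAsNonRoot") is not True:
        return "runAsNonRoot is not set to true"


def rule_pinned_image(c):
    image = c.get("image", "")
    if "@sha256:" in image:
        return None                      # digest-pinned: immutable
    _, sep, tag = image.rpartition(":")
    # No tag, a registry port mistaken for a tag, or the floating 'latest' tag.
    if not sep or "/" in tag or tag == "latest":
        return f"image '{image}' is not pinned to a tag or digest"


def rule_resource_limits(c):
    limits = (c.get("resources") or {}).get("limits") or {}
    if not limits.get("cpu") or not limits.get("memory"):
        return "cpu and memory limits are required"


def rule_no_host_path(pod):
    for v in pod.get("volumes", []):
        if "hostPath" in v:
            return f"volume '{v['name']}' mounts a host path"


# The policy itself: rule id, enforcement level, check function.
CONTAINER_RULES = [
    ("no-privileged", "deny", rule_no_privileged),
    ("run-as-non-root", "deny", rule_run_as_non_root),
    ("pinned-image", "warn", rule_pinned_image),
    ("resource-limits", "warn", rule_resource_limits),
]
POD_RULES = [("no-host-path", "deny", rule_no_host_path)]


def validate(manifest):
    """Run every rule against the pod spec and each container; return violations."""
    pod = manifest["spec"]["template"]["spec"]
    violations = []
    for rule_id, level, check in POD_RULES:
        msg = check(pod)
        if msg:
            violations.append({"rule": rule_id, "level": level, "target": "pod", "message": msg})
    for c in pod.get("containers", []) + pod.get("initContainers", []):
        for rule_id, level, check in CONTAINER_RULES:
            msg = check(c)
            if msg:
                violations.append({"rule": rule_id, "level": level,
                                   "target": c["name"], "message": msg})
    return violations


def is_admissible(violations):
    """Warnings are reported; only deny-level violations fail the pipeline."""
    return not any(v["level"] == "deny" for v in violations)


if __name__ == "__main__":
    found = validate(SAMPLE_MANIFEST)
    for v in found:
        print(f"{v['level']:4} {v['target']:8} {v['rule']:16} {v['message']}")
    print("admissible:", is_admissible(found))
```

Because the rules live in the repository next to the manifests, a change to the policy goes through the same review and CI run as a change to the code, which is what makes the enforcement consistent across environments.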
Event Promotion
The article concludes with an invitation to a live online session on July 5‑6, 2022, featuring Huawei Cloud SDL and DevSecOps expert Liu Hao, offering a three‑hour deep‑dive into DevSecOps security practices.