DevSecOps and Secure Development Lifecycle (SDL): Concepts, Practices, and Implementation
The article explains how DevSecOps extends the Secure Development Lifecycle by embedding security early and throughout CI/CD pipelines, combining threat‑based and vulnerability‑based defenses, automated testing tools such as SAST, DAST, IAST, and SCA, and fostering a collaborative culture of shared responsibility, illustrated by Tencent Cloud’s comprehensive “Golden Pipeline” implementation.
With the continuous evolution of Internet technologies, the field of information security has also been expanding, and security engineering is becoming increasingly important. The author, from Tencent Security Cloud‑Ding Lab, participated in the development of the "DevOps Capability Maturity Model" and shares insights on software security, DevSecOps, and practical experiences.
As cloud computing and micro‑service architectures mature, enterprises have moved from traditional waterfall development to agile and DevOps models to meet higher efficiency demands. Security models have followed this shift, with the core principle of embedding security earlier in the development lifecycle. Gartner introduced the term "DevSecOps" in 2012, emphasizing that everyone is responsible for security and that security should be integrated throughout the product lifecycle.
Two main defensive theories are discussed: vulnerability‑based defense (focused on known, fixable bugs) and threat‑based defense (identifying and mitigating potential threats throughout the software lifecycle). Vulnerability defense is simple and fast but limited, while threat defense is more comprehensive but requires more time and coordination.
The Secure Development Lifecycle (SDL), originally proposed by Microsoft, integrates security activities into every phase of software development—from requirements and design to coding, testing, and maintenance. SDL emphasizes security design principles such as attack‑surface reduction and secure‑by‑default configurations, and relies heavily on threat modeling (e.g., STRIDE) to identify spoofing, tampering, repudiation, information disclosure, denial‑of‑service, and elevation‑of‑privilege threats.
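As an added illustration of the STRIDE threat modeling the article refers to (this is not code from the article or from Tencent Cloud), the block below applies the Microsoft STRIDE-per-element mapping to a small, constructed data-flow diagram of an API gateway, an order service and its database. Flows that cross a trust boundary are flagged so they can be reviewed first; the element names and trust zones are assumptions made for the example.

```python
"""STRIDE-per-element threat enumeration over a small data-flow diagram.

Added illustration, not code from the article or from Tencent Cloud. The
per-element mapping follows the Microsoft SDL threat-modeling convention
(external entity: S R; process: S T R I D E; data store: T R I D; data flow:
T I D). The DFD in example_dfd() is a constructed example.
"""
from dataclasses import dataclass

STRIDE_PER_ELEMENT = {
    "external_entity": "SR",
    "process": "STRIDE",
    "data_store": "TRID",
    "data_flow": "TID",
}
STRIDE_NAMES = {
    "S": "Spoofing", "T": "Tampering", "R": "Repudiation",
    "I": "Information disclosure", "D": "Denial of service",
    "E": "Elevation of privilege",
}


@dataclass(frozen=True)
class Element:
    name: str
    kind: str   # one of the STRIDE_PER_ELEMENT keys (data flows are separate)
    zone: str   # trust zone the element runs in


@dataclass(frozen=True)
class Flow:
    name: str
    src: Element
    dst: Element


@dataclass(frozen=True)
class Threat:
    target: str
    category: str
    crosses_boundary: bool   # True only for flows between different trust zones


def enumerate_threats(elements, flows):
    """Return one Threat per (element or flow, applicable STRIDE category)."""
    threats = []
    for e in elements:
        for letter in STRIDE_PER_ELEMENT[e.kind]:
            threats.append(Threat(e.name, STRIDE_NAMES[letter], False))
    for f in flows:
        crosses = f.src.zone != f.dst.zone
        for letter in STRIDE_PER_ELEMENT["data_flow"]:
            threats.append(Threat(f.name, STRIDE_NAMES[letter], crosses))
    return threats


def boundary_crossing(threats):
    """Threats on flows that cross a trust boundary: review these first."""
    return [t for t in threats if t.crosses_boundary]


def example_dfd():
    """Constructed DFD: internet user -> gateway (DMZ) -> order service -> DB."""
    user = Element("user", "external_entity", "internet")
    gateway = Element("api_gateway", "process", "dmz")
    orders = Element("order_service", "process", "internal")
    db = Element("orders_db", "data_store", "internal")
    flows = [
        Flow("user->gateway", user, gateway),        # crosses internet/dmz
        Flow("gateway->orders", gateway, orders),    # crosses dmz/internal
        Flow("orders->db", orders, db),              # stays inside "internal"
    ]
    return [user, gateway, orders, db], flows


if __name__ == "__main__":
    elements, flows = example_dfd()
    for t in enumerate_threats(elements, flows):
        flag = "  [trust boundary]" if t.crosses_boundary else ""
        print(f"{t.target:<16} {t.category}{flag}")
```

The output is the raw threat list a modeling session starts from; each line still needs a mitigation decision (authentication for spoofing on the gateway, audit logs for repudiation on the data store, and so on), which is the part no tool automates.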
SDL and DevSecOps share the goal of "shifting left"—embedding security earlier to reduce remediation costs. However, DevSecOps extends beyond SDL by incorporating security into continuous integration/continuous delivery (CI/CD) pipelines, fostering a security‑first culture, and automating security checks.
Key technical components for DevSecOps include:
AST (Application Security Testing) is the umbrella term for the testing techniques below; SCA (Software Composition Analysis) covers third-party and open-source components, checking dependencies against known-vulnerable versions.
DAST (Dynamic Application Security Testing) probes the running application from the outside, with tools such as AWVS (Acunetix) and AppScan.
SAST (Static Application Security Testing) analyzes source code or binaries without running them, for code-level vulnerability detection.
IAST (Interactive Application Security Testing) instruments the running application (typically with an agent) so it can trace data flow while functional tests exercise it, combining the strengths of static and dynamic analysis.
Practical implementations at Tencent Cloud involve building a comprehensive toolchain that integrates these testing methods into CI/CD pipelines, creating a "Golden Pipeline" that automates security checks, container image scanning, API security testing, and more.
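The glue that turns the tools listed above into a pipeline gate is a policy step that consumes their reports and decides whether the build proceeds. The block below is an added example of such a gate, not Tencent Cloud's Golden Pipeline code: it reads a SARIF log (the format most SAST tools emit, using the "security-severity" rule property convention) and a dependency report in a constructed JSON shape, applies a severity threshold with a reviewed allow-list of accepted findings, and returns the exit status a CI job would use. The tool names, rule ids, dependency names and vulnerability ids in the samples are constructed placeholders, not real scan output or real CVEs.

```python
"""CI security gate: fail the build when SAST/SCA findings exceed policy.

Added example, not code from the article or from Tencent Cloud's pipeline.
All inputs below are constructed samples, not real scan output.
"""
import json
import sys

BLOCK_THRESHOLD = 7.0   # CVSS-style score at or above which the build fails

# Accepted risks (rule/vuln id -> justification). In a real repo this is a
# reviewed file beside the pipeline config; inlined here so the example runs offline.
WAIVERS = {"py/weak-hash": "non-security checksum; tracking ticket SEC-123 (hypothetical)"}

SAMPLE_SARIF = {  # constructed, minimal SARIF 2.1.0 layout
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "example-sast", "rules": [
            {"id": "py/sql-injection", "properties": {"security-severity": "9.8"}},
            {"id": "py/weak-hash", "properties": {"security-severity": "5.0"}},
        ]}},
        "results": [
            {"ruleId": "py/sql-injection", "level": "error",
             "message": {"text": "query built from untrusted input"},
             "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/db.py"}}}]},
            {"ruleId": "py/weak-hash", "level": "warning",
             "message": {"text": "MD5 used"},
             "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/util.py"}}}]},
        ],
    }],
}

SAMPLE_SCA = {  # constructed report shape; ids are placeholders, not real CVEs
    "dependencies": [
        {"name": "libfoo", "version": "1.2.0", "vulnerabilities": [{"id": "DEP-0001", "cvss": 9.1}]},
        {"name": "libbar", "version": "3.0.1", "vulnerabilities": [{"id": "DEP-0002", "cvss": 4.3}]},
        {"name": "libbaz", "version": "0.9.0", "vulnerabilities": []},
    ]
}


def sarif_findings(sarif):
    """Yield (rule_id, score, location) from a SARIF 2.1.0 log."""
    for run in sarif.get("runs", []):
        rules = {r["id"]: r for r in run["tool"]["driver"].get("rules", [])}
        for res in run.get("results", []):
            rule = rules.get(res["ruleId"], {})
            score = float(rule.get("properties", {}).get("security-severity", 0))
            uri = res["locations"][0]["physicalLocation"]["artifactLocation"]["uri"]
            yield res["ruleId"], score, uri


def sca_findings(report):
    """Yield (vuln_id, score, package@version) from the constructed SCA shape."""
    for dep in report["dependencies"]:
        for v in dep.get("vulnerabilities", []):
            yield v["id"], float(v["cvss"]), f'{dep["name"]}@{dep["version"]}'


def evaluate(findings, threshold=BLOCK_THRESHOLD, waivers=WAIVERS):
    """Split findings into blocking, waived (with justification) and below-threshold."""
    blocking, waived, info = [], [], []
    for fid, score, where in findings:
        if fid in waivers:
            waived.append((fid, score, where, waivers[fid]))
        elif score >= threshold:
            blocking.append((fid, score, where))
        else:
            info.append((fid, score, where))
    return blocking, waived, info


def gate(sarif, sca, threshold=BLOCK_THRESHOLD, waivers=WAIVERS):
    """Return the CI exit status: 1 blocks the merge, 0 lets it through."""
    findings = list(sarif_findings(sarif)) + list(sca_findings(sca))
    blocking, waived, info = evaluate(findings, threshold, waivers)
    for fid, score, where in blocking:
        print(f"BLOCK  {score:>4}  {fid:<20} {where}")
    for fid, score, where, why in waived:
        print(f"WAIVED {score:>4}  {fid:<20} {where}  ({why})")
    print(f"{len(blocking)} blocking, {len(waived)} waived, {len(info)} below threshold")
    return 1 if blocking else 0


if __name__ == "__main__":
    # Pipeline usage: python gate.py sast.sarif sca.json ; without arguments the samples run.
    if len(sys.argv) == 3:
        with open(sys.argv[1]) as f1, open(sys.argv[2]) as f2:
            sys.exit(gate(json.load(f1), json.load(f2)))
    sys.exit(gate(SAMPLE_SARIF, SAMPLE_SCA))
```

Two design points worth copying: waivers are keyed by finding id and carry a written justification, so an accepted risk is visible in the gate output on every run rather than silently suppressed; and the threshold lives in one place, so the same policy applies to SAST and SCA results regardless of which tool produced them. Container image and DAST reports can be fed through the same evaluate() once mapped to (id, score, location) tuples.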
Beyond tools, successful DevSecOps requires three pillars: people & culture, processes, and technology. Cultural adoption means everyone participates in security; process integration ensures security steps are embedded in development and operations workflows; and technology provides the automation needed for scalable security.
Various visual diagrams (omitted here) illustrate the evolution from waterfall to agile, DevOps, and DevSecOps, the comparison between SDL and DevSecOps, and the architecture of the security toolchain.
In summary, the article emphasizes that secure software development is a combination of early‑stage security design, continuous threat modeling, automated testing, and a collaborative culture that treats security as a shared responsibility across development, operations, and QA teams.
Tencent Cloud Developer
Official Tencent Cloud community account that brings together developers, shares practical tech insights, and fosters an influential tech exchange community.