Information Security

Tencent Cloud’s DevSecOps Practices and Open‑Source Governance – Conference Presentation

In a CIS2021 conference talk, Tencent Cloud’s product security lead outlines the company’s DevSecOps journey, detailing challenges of heterogeneous infrastructure, a risk‑introduction workflow, multi‑stage security evolution, tool integration, metrics, and open‑source governance practices.

DevOps Cloud Academy

The presentation, delivered at the CIS2021 DevSecOps session in Shanghai by Zhang Zuyou, head of product security at Tencent Cloud, shares Tencent Cloud’s practical experience with DevSecOps and open‑source governance.

Key challenges include a fragmented infrastructure with over 300 product lines, inconsistent DevOps platforms across departments, and the difficulty of embedding security into both development and operations, which initially relied on manual vulnerability defense before shifting to a full‑lifecycle convergence model.

The risk‑introduction process is organized into four dimensions—risk introduction, risk discovery & protection, response & remediation, and closed‑loop improvement—forming the backbone of the security workflow.

Implementation progressed through four stages: Stage 0 (boundary control for external assets), Stage 1 (building basic security capabilities), Stage 2 (fine‑grained operation tailored to product types such as third‑party, OEM, and private‑cloud offerings), and Stage 3 (enhancing efficiency by embedding DevSecOps practices to shift security left).

The core of DevSecOps comprises process, technology, and culture, with cultural adoption being the hardest part. The critical technical pillars are a robust toolchain, automated testing (IAST, SCA), CI/CD security integration, and emerging concerns such as container and API security.

Practically, Tencent Cloud first unified disparate DevOps and code‑analysis platforms by encapsulating security tools for multi‑platform use and later consolidated them under a single DevOps platform, embedding security functions across development, testing, and artifact management phases. Specific capabilities include SAST, SCA, sensitive‑information checks, DAST, IAST (including a trial of XMirror’s LingMai IAST), container‑image scanning, binary analysis, and malware detection.

Tool wrapping is essential because many legacy security engines are too slow for pipeline execution; therefore, tools are repackaged for efficiency, and commercial solutions are adopted when internal capabilities fall short.

In the code‑analysis stage, security checks (SAST, SCA, sensitive‑info scanning) are applied both locally and in CI/CD pipelines, while automated testing incorporates DAST and IAST via traffic‑forwarding techniques.

Artifact security is enforced through a centralized artifact repository where every produced artifact undergoes security scanning; future plans include blocking unsafe artifacts during the CD phase.

Threat modeling employs a semi‑automated approach combining questionnaires, API calls, and manual review for high‑risk products, enabling rapid risk assessment and mitigation.

Secure coding standards are maintained via two versions: an open‑source, language‑specific set and a vulnerability‑focused set.

Framework security examples include a one‑stop SDK for mitigating SSRF vulnerabilities.

A security view is added to the DevOps platform, providing a unified dashboard for security status; DevSecOps maturity is graded from level 1 to 4, with metrics covering product security and the effectiveness of DevSecOps adoption.

Open‑source governance is addressed through component identification (SCA, network probing, host probing), governance roles (business security liaison, security team, QA), and a risk‑handling platform. The lifecycle includes introduction‑stage checks, a blacklist (e.g., Struts2), and usage‑stage controls.
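The introduction-stage check described above can be expressed as a pipeline gate that reads a build's SBOM and refuses any component on the blacklist. The following is an added illustration, not code from the talk or from Tencent Cloud: it assumes a CycloneDX-style JSON SBOM with package URLs, and the only blacklist entry is the Struts2 example the talk names (the Maven coordinates for Struts2 are real; the sample SBOM is constructed).

```python
import json

# Blacklist keyed by "type/namespace/name" prefix of a package URL.
# Struts2 is the example the talk gives; the policy wording is an assumption.
BLACKLIST = {
    "maven/org.apache.struts/": "Struts2 is on the introduction-stage blacklist",
}


def component_key(purl: str) -> str:
    """Reduce 'pkg:type/namespace/name@version?qualifiers' to 'type/namespace/name'."""
    body = purl.split(":", 1)[1]                    # drop the 'pkg:' scheme
    body = body.split("?", 1)[0].split("#", 1)[0]   # drop qualifiers and subpath
    return body.split("@", 1)[0]                    # drop the version


def check_sbom(sbom: dict) -> list:
    """Return one finding per component whose key matches a blacklist prefix."""
    findings = []
    for comp in sbom.get("components", []):
        purl = comp.get("purl")
        if not purl:
            continue  # components without a purl cannot be matched; flag upstream if needed
        key = component_key(purl)
        for prefix, reason in BLACKLIST.items():
            if key.startswith(prefix):
                findings.append({"purl": purl, "reason": reason})
    return findings


def gate(sbom_json: str) -> bool:
    """Pipeline gate: True lets the build proceed, False blocks it."""
    return not check_sbom(json.loads(sbom_json))


# Constructed CycloneDX-style SBOM fragment (not taken from any real build).
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "components": [
        {"name": "struts2-core", "purl": "pkg:maven/org.apache.struts/struts2-core@2.5.0?type=jar"},
        {"name": "commons-lang3", "purl": "pkg:maven/org.apache.commons/commons-lang3@3.12.0"},
    ],
})

if __name__ == "__main__":
    for f in check_sbom(json.loads(SAMPLE_SBOM)):
        print(f"BLOCK {f['purl']}: {f['reason']}")
    print("build allowed" if gate(SAMPLE_SBOM) else "build blocked")
```

In a real pipeline the gate would run right after SCA produces the SBOM and before the artifact is pushed to the central repository, which is where the talk says unsafe artifacts will eventually be blocked.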

The speaker concludes by thanking the audience.

Written by

DevOps Cloud Academy

Exploring industry DevOps practices and technical expertise.
