DevSecOps in Practice

Static Security (SAST), Dynamic Security (DAST) and Shifting Left

In the previous sections, we discussed different techniques and tools that help security and operations teams shift security left in the software development lifecycle. Shifting left is the concept and the set of practices that aim to integrate security earlier in the development process. The process can be oversimplified as follows:

• A developer writes code.
• Using mechanisms such as pre-commit hooks, the code can't be committed if it doesn't pass some security checks.
• The code is pushed to a feature branch.
• Before it's merged into the main branch, the code is scanned for vulnerabilities.
• If a security problem is found, the merge is blocked.
• The developer receives feedback on the vulnerabilities, misconfigurations, or other issues.
• The developer fixes the vulnerabilities.
• The code is scanned again.