InfoGuard Cyber Security and Cyber Defence Blog

DevOps at the Limit: How DevSecOps protects against Cyber Risks

Written by Martin Hüsser | 24 Nov 2025

DevOps has long since become widespread, but the security dimension is not keeping pace with this development. According to the latest "DevOps in Switzerland Report 2025" by VSHN and Zühlke, a third of companies using DevOps for software development are already using AI to automate repetitive tasks or improve code quality. Although DevOps practices are enthusiastically embraced in the tech scene, security is a crucial factor that is often overlooked.

DevOps practices are used by almost 88% of the companies surveyed, an impressive figure that shows how deeply embedded this way of working already is. According to the study's authors, IT companies make up 45% of the respondents, but other sectors are well represented: 20% of the DevOps companies are active in consulting and 16% in banking and finance. DevOps is also gaining ground in the public sector.

What is DevSecOps? Two definitions, from NIST and the US Department of Defense (DoD)

  1. The NIST definition states that DevSecOps helps ensure that security is considered as part of all DevOps practices through the integration of security practices and the automated creation of security and compliance artifacts across processes and environments.
  2. A much more detailed definition is provided by the US Department of Defense (DoD): DevSecOps is a combination of software engineering techniques, procedures and tools that integrate software development (Dev), security (Sec) and operations (Ops).

At the heart of the DevSecOps paradigm is security by design - the aspiration not to tack on security, but to build it into every phase of the development process.

What DevSecOps means:

  • Shift-left security: security testing starts in the development phase, not after it.
  • CI/CD: automated security checks are part of every CI/CD pipeline.
  • Continuous compliance: regulatory requirements are expressed and checked as code.
  • Shared responsibility: every team member is responsible for maintaining security.
  • Zero trust architecture: zero trust is the target security model for DevSecOps software factories and platforms.

The big challenge: the software supply chain

The success of DevSecOps requires an understanding of the software supply chain. Everything that is combined to deliver a specific software function - all hardware, Infrastructure as a Service (IaaS), Platform as a Service (PaaS), Software as a Service (SaaS), tools and processes - is part of the software supply chain, the logistical route along which code and artifacts travel into the product. Every link on that route is a place where the product can be compromised.

The particular challenge in the financial sector: innovation and compliance

DevSecOps is a necessity rather than a luxury, especially in Switzerland with its robust financial sector and strict data protection regulations. The problem: How can a balance be found between the need for innovation and regulatory requirements?

According to the study cited, platform engineering teams are now present in 54% of Swiss companies. These groups are essential for the development of secure platforms that enable agility and compliance.

AI as a revolution in DevSecOps

The integration of artificial intelligence is fundamentally changing the rules of the game. AI is most commonly used by DevOps teams to automate repetitive tasks (22%), prevent incidents and improve code quality (around 19% each).

AI opens up completely new possibilities for DevSecOps:

  1. Meaningful identification of vulnerabilities
    AI systems can not only identify security vulnerabilities but also assess their severity and propose fixes. AI-assisted code review runs in near real time instead of the hours a manual review used to take; a human still has to confirm the findings before they block a release.
  2. Detecting anomalies in production environments
    Machine learning models learn the "normal" behavior of an application and raise an alarm on deviations from it, often before a human operator notices that something is wrong.
  3. Automated vulnerability remediation
    28% of teams already use AI for code review and analysis. The next stage is AI that not only detects problems but also fixes them automatically, with the generated patch passing through the same pipeline checks as any other change.

CI/CD pipeline security: the heart of DevSecOps

Malicious cyber actors (MCAs) view software supply chains and CI/CD environments as attractive targets, according to NSA and CISA guidance. The threats are numerous and complex:

Three typical risks to CI/CD security are:

  1. Insecure code: integrating third-party code without scanning the source code and its components can introduce vulnerabilities into the pipeline and into the product it builds.
  2. Poisoned pipeline execution (PPE): an MCA with permissions in the source code management repository (for example the right to push a branch or open a merge request) modifies the pipeline definition or a script it invokes, so that the CI system executes attacker-controlled commands with the pipeline's identity and secrets.
  3. Disclosure of secrets: cloud-native CI/CD tools hold many secrets (tokens, keys, service credentials) in order to reach databases, codebases and cloud resources. If these leak through job logs, build artifacts, caches or committed configuration, the attacker inherits that access.

Three important security measures for CI/CD pipelines:

  1. Zero Trust in CI/CD: no user, endpoint or process is trusted by default; every access to repositories, runners and secrets is authenticated, authorized and limited to the least privilege the job needs. This helps to identify and contain a compromise of the environment.
  2. Integrate a static code analysis tool (SAST) into the build process so that every change is checked for common vulnerability classes and compliance issues before it is merged.
  3. Implement an SBOM: a Software Bill of Materials, combined with Software Composition Analysis (SCA), tracks all open-source and third-party components in the codebase, so that known vulnerabilities and license problems can be found across the whole software development lifecycle (SDLC).

Platform engineering as an enabler for security

A DevSecOps platform is a collection of resources and capabilities that serves as the foundation for developing and operating additional functions or services within the same technical framework.

Platform engineering allows development teams to work independently in standardized, secure environments. This includes:

  • Security safeguards: Automatically enforced, predefined security policies
  • Compliance as code: The platform integrates regulatory requirements
  • Self-service security: Developers can use security tools independently.

Continuous Authorization to Operate (cATO) is the state reached when the organization that builds, secures and operates a system can demonstrably maintain a robust cybersecurity posture on an ongoing basis, so that authorization no longer depends on a point-in-time assessment.

Graf's method: From FHNW theory to practice

According to Prof. Dr. Sebastian Graf from the University of Applied Sciences and Arts Northwestern Switzerland FHNW, "DevOps does not think in terms of projects, but in terms of products". The key to the success of DevSecOps lies precisely in this product orientation - and in a methodical approach that consistently combines technology, processes and mindset.

A key element of Zero Trust is DevSecOps: development and engineering teams work closely together, supported by a clear vision and a structured strategy.

For DevSecOps to be fully implemented, the U.S. Department of Defense principles require that security and functional capabilities be developed, tested and tracked at every stage of the lifecycle - long before problems can even reach production.

Platforms, NIST, open standards: Key building blocks of modern software security

Use integrated platforms:

  • Code management, pipelines, planning and security analysis are included in platforms such as GitLab, usually in higher/premium subscriptions.
  • Cross-team collaboration is encouraged through an integrated process.
  • Use consolidated solutions to prevent the proliferation of tools.
  • Deploy thorough security scanners.

According to NIST SP 800-204D, the following are relevant:

  • Code analysis with SAST (Static Application Security Testing); DAST (Dynamic Application Security Testing) for testing the running application.
  • Software Composition Analysis (SCA) for dependency testing.
  • Image security through container scanning.
  • Secret scanning to keep credentials out of repositories, logs and build artifacts.
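As an added example (not code from the original article or from InfoGuard), the following Python script shows the kind of secret-scanning gate the list above refers to, and that addresses the "disclosure of secrets" risk from the CI/CD section: it runs a few detection rules over source lines, redacts the matched value so the job log does not leak it, and fails the job if a finding remains. The rule set, the `secret-scan:allow` pragma and the sample source lines are constructed for this example; `AKIAIOSFODNN7EXAMPLE` is the example access key from the AWS documentation, the other values are made up. Production scanners have far larger rule sets and also scan the commit history, not only the working tree.

```python
"""Secret-scanning gate for a CI job (constructed example, not InfoGuard's code).

Runs a small set of detection rules over source lines and returns findings with the
matched value redacted, so that the job log itself does not leak the secret.
"""
from __future__ import annotations

import math
import re
from collections import Counter
from dataclasses import dataclass

# Lines carrying this marker are skipped (assumed pragma for reviewed false positives,
# e.g. documented example keys in test fixtures).
ALLOW_PRAGMA = "secret-scan:allow"
ENTROPY_THRESHOLD = 4.0  # bits per character; random tokens sit well above this

# Rule name -> pattern. Group 1 is the candidate secret value.
RULES = {
    "aws-access-key-id": re.compile(r"\b(AKIA[0-9A-Z]{16})\b"),
    "github-pat": re.compile(r"\b(ghp_[A-Za-z0-9]{36})\b"),
    "private-key": re.compile(r"(-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----)"),
    # Keyword-style assignment of a long literal; confirmed by the entropy check below.
    "high-entropy-assignment": re.compile(
        r"\b(?:secret|token|password|passwd|api_?key)\w*\s*[:=]\s*['\"]([A-Za-z0-9+/=_\-]{20,})['\"]",
        re.IGNORECASE,
    ),
}


@dataclass(frozen=True)
class Finding:
    line_no: int
    rule: str
    redacted: str  # first four characters kept, the rest masked


def shannon_entropy(value: str) -> float:
    """Bits of entropy per character; 0.0 for a single repeated character."""
    counts = Counter(value)
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def redact(value: str) -> str:
    return value[:4] + "*" * (len(value) - 4)


def scan_lines(lines) -> list:
    """Apply every rule to every line; returns Finding objects in file order."""
    findings = []
    for line_no, line in enumerate(lines, start=1):
        if ALLOW_PRAGMA in line:
            continue
        for rule, pattern in RULES.items():
            for match in pattern.finditer(line):
                value = match.group(1)
                # The keyword rule only fires on values that look random, so
                # placeholders such as "changeme" are not reported.
                if rule == "high-entropy-assignment" and shannon_entropy(value) < ENTROPY_THRESHOLD:
                    continue
                findings.append(Finding(line_no, rule, redact(value)))
    return findings


def ci_gate(lines) -> bool:
    """True if the job may continue, False if a secret was found."""
    findings = scan_lines(lines)
    for f in findings:
        print(f"line {f.line_no}: {f.rule}: {f.redacted}")
    return not findings


# Constructed sample source. AKIAIOSFODNN7EXAMPLE is the AWS documentation example key.
SAMPLE_SOURCE = [
    'import os',
    'AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"',                # hard-coded key: finding
    'api_key = os.environ["API_KEY"]',                            # injected at runtime: fine
    'token = "kQ7mZ2pL9vX4rT8wY1nB6cD3fG5hJ0sA"',                 # random-looking literal: finding
    'password = "changeme_changeme"',                             # short placeholder: ignored
    'GITHUB_TOKEN = "ghp_abcdefghijklmnopqrstuvwxyz0123456789"  # secret-scan:allow',
    '-----BEGIN RSA PRIVATE KEY-----',                            # key material in the repo: finding
]

if __name__ == "__main__":
    raise SystemExit(0 if ci_gate(SAMPLE_SOURCE) else 1)
```

Run as a CI step, the non-zero exit code blocks the job; the allow pragma is the escape hatch for reviewed fixtures and should itself be something a code reviewer looks at, because a pragma dropped next to a real key silences the gate.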

Use open standards:

  • CycloneDX: Software Bill of Materials (SBOM) format, for transparency over the components a product contains.
  • SPDX: component tracking and license compliance.
  • SLSA (Supply-chain Levels for Software Artifacts): framework for build integrity and provenance.
    Every company should be aware of these standards recommended by the OpenSSF (Open Source Security Foundation).
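To make the "Implement SBOM" measure from the CI/CD section and the CycloneDX and SPDX bullets above concrete, here is an added Python example (not code from the original article, from InfoGuard, or from the CycloneDX or SPDX projects) of a build gate that reads a CycloneDX JSON SBOM, matches each component's Package URL (purl) against an advisory list, checks the SPDX license identifiers against a deny-list, and rejects components that carry no purl because they cannot be matched at all. The SBOM, the advisory entries (ADV-0001 and ADV-0002), the package names and the license policy are all constructed for this example; a real pipeline would query a vulnerability database such as OSV and use a proper version-range library instead of the simplified version comparison shown here.

```python
"""SBOM gate: CycloneDX JSON in, policy verdict out (constructed example, not InfoGuard's code)."""
from __future__ import annotations

import json
from dataclasses import dataclass

# Constructed CycloneDX 1.5 SBOM with fictitious packages and versions.
SAMPLE_SBOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "acme-json", "version": "2.3.0",
         "purl": "pkg:pypi/acme-json@2.3.0", "licenses": [{"license": {"id": "MIT"}}]},
        {"type": "library", "name": "acme-http", "version": "5.1.2",
         "purl": "pkg:pypi/acme-http@5.1.2", "licenses": [{"license": {"id": "Apache-2.0"}}]},
        {"type": "library", "name": "acme-crypto", "version": "0.9.0",
         "purl": "pkg:pypi/acme-crypto@0.9.0", "licenses": [{"expression": "MIT AND AGPL-3.0-only"}]},
        # Vendored code without a purl: cannot be matched against any advisory feed.
        {"type": "library", "name": "vendored-blob", "version": "1.0"},
    ],
}

# Constructed advisory feed (fictitious IDs). "fixed_in" is the first unaffected version.
ADVISORIES = [
    {"id": "ADV-0001", "type": "pypi", "name": "acme-json", "fixed_in": "2.4.1", "severity": "high"},
    {"id": "ADV-0002", "type": "pypi", "name": "acme-http", "fixed_in": "5.0.0", "severity": "critical"},
]
DENIED_LICENSES = {"AGPL-3.0-only", "AGPL-3.0-or-later"}  # assumed organisational policy (SPDX IDs)
BLOCKING_SEVERITIES = {"high", "critical"}


@dataclass(frozen=True)
class Finding:
    kind: str        # "vulnerability" | "license" | "unidentified"
    component: str   # name@version
    detail: str
    blocking: bool


def parse_purl(purl: str) -> tuple:
    """Return (type, name, version) from a Package URL; qualifiers and subpath are dropped."""
    body = purl[4:] if purl.startswith("pkg:") else purl
    body = body.split("#", 1)[0].split("?", 1)[0]
    path, sep, version = body.rpartition("@")
    if not sep:                      # purl without a version component
        path, version = body, ""
    ptype, _, rest = path.partition("/")
    return ptype, rest.rsplit("/", 1)[-1], version


def version_key(version: str) -> tuple:
    """Numeric dotted versions only: fine for the sample data, not for PEP 440 or semver ranges."""
    return tuple(int(p) if p.isdigit() else 0 for p in version.split("."))


def license_ids(component: dict) -> set:
    """Collect SPDX identifiers from both 'license.id' entries and SPDX expressions."""
    ids = set()
    for entry in component.get("licenses", []):
        if "license" in entry and "id" in entry["license"]:
            ids.add(entry["license"]["id"])
        for token in entry.get("expression", "").replace("(", " ").replace(")", " ").split():
            if token not in {"AND", "OR", "WITH"}:
                ids.add(token)
    return ids


def evaluate_sbom(sbom) -> list:
    sbom = json.loads(sbom) if isinstance(sbom, str) else sbom
    if sbom.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    findings = []
    for comp in sbom.get("components", []):
        label = f"{comp['name']}@{comp.get('version', '?')}"
        if "purl" not in comp:
            findings.append(Finding("unidentified", label, "no purl, cannot be matched", True))
            continue
        ptype, name, version = parse_purl(comp["purl"])
        for adv in ADVISORIES:
            if (adv["type"], adv["name"]) == (ptype, name) and version_key(version) < version_key(adv["fixed_in"]):
                findings.append(Finding("vulnerability", label,
                                        f"{adv['id']} ({adv['severity']}), fixed in {adv['fixed_in']}",
                                        adv["severity"] in BLOCKING_SEVERITIES))
        for lic in sorted(license_ids(comp) & DENIED_LICENSES):
            findings.append(Finding("license", label, f"denied license {lic}", True))
    return findings


def build_passes(sbom) -> bool:
    """Print every finding and return False if any of them blocks the build."""
    findings = evaluate_sbom(sbom)
    for f in findings:
        print(f"{'BLOCK' if f.blocking else 'WARN '} {f.kind:<13} {f.component}: {f.detail}")
    return not any(f.blocking for f in findings)


if __name__ == "__main__":
    raise SystemExit(0 if build_passes(SAMPLE_SBOM) else 1)
```

The unidentified component is treated as blocking on purpose: an SBOM entry that cannot be matched against any feed gives no transparency, which is exactly what the SBOM is supposed to provide, so the gate should make that gap visible rather than silently pass it.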

Cloud security in transition: the 6 biggest threats to DevSecOps

According to recent studies by the Cloud Security Alliance, DevSecOps must address the following critical threats.

  • Unsecured software development: Due to the complexity of cloud computing, developers can inadvertently create insecure software with exploitable vulnerabilities.
  • Inadequate change control and misconfigurations.
  • Weaknesses in identity and access management.
  • Insecure APIs and interfaces.
  • Limited observability/visibility of the cloud.
  • APTs (advanced persistent threats).

DevSecOps maturity: what companies need for a secure future

For DevSecOps this means: the tools and technologies are available; success depends on careful implementation. Small and medium-sized companies find the introduction of DevOps particularly easy, whereas larger companies struggle to scale it.

"The secret to long-term security is complete independence from vendors."

Reducing vendor dependency and ensuring the freedom of system components are also important aspects when it comes to a secure software supply chain.

Why open source matters for DevSecOps

Because vendors and components are more easily interchangeable, open source solutions offer greater flexibility. The open source landscape is developing positively despite obstacles such as license changes or funding problems for certain projects.

Suggestions for Swiss companies:

  • Think about alternatives to established market leaders.
  • Consider open infrastructure options.
  • Take out corporate subscriptions where the security features require them.
  • Maintain the open source ecosystem in a sustainable way.

This approach improves visibility and control over your own security infrastructure while reducing vendor lock-in.

The 4-phase implementation: The business case for DevSecOps

DevSecOps is critical to minimizing vulnerabilities, malicious code and other security issues in software without delaying code development and releases, according to a NIST study. Building on this insight, a step-by-step development towards true DevSecOps maturity begins.

The path to DevSecOps maturity includes 4 key phases:

1. First use

  • Start with pilot projects.
  • Look for short-term wins.
  • Build a network of security officers (security champions) across the teams.

2. Integration and scaling

  • Increase the number of teams.
  • Integrate security tools into every pipeline.
  • Establish KPIs and security metrics.

3. Innovation and optimization

  • Use ML and AI to improve security.
  • Put predictive security analytics into practice.
  • Achieve continuous authorization (cATO).

4. Change of strategy

  • Security becomes a business enabler.
  • Complete alignment with business goals.
  • Leading position in the industry for secure development.

DevSecOps as a competitive advantage: Why secure development makes you faster

DevSecOps turns security from an obstacle into a booster. Companies cannot afford to treat security as a secondary process in times of increasing cyberattacks and stricter regulations.

The good news is that the tech community is on the right track. With the increasing use of AI, the adoption of DevOps practices and the creation of platform engineering teams, the foundations are in place.

The current challenge is to consider security as an essential part of product development rather than an add-on. Companies are creating a secure and sustainable development environment by using integrated platforms, adopting open standards such as CycloneDX and SLSA, and carefully avoiding vendor lock-ins.

To reduce risk at every stage, DevSecOps leverages the combined experience and knowledge of the entire software supply chain, as the US Department of Defense points out.

Because in the digital economy, those who develop securely generally develop faster. And the fastest developers win, especially when it comes to open standards and vendor independence.

Protect your DevOps journey with InfoGuard as your partner

The first step is to understand DevSecOps; the real difficulty lies in successful implementation. We can support you if you are ready to change the security of your software development process but need professional advice.

The key benefits of your DevOps security assessment:

  • Strengthen technical security: Thorough analysis of your platform, identification of critical vulnerabilities and clear recommendations for hardening to industry standards.
  • Increase process maturity: Assessing your DevSecOps procedures, identifying gaps against best practices and a roadmap for optimization and scaling.
  • Embed secure development: Audit your software development, integrate security measures along the entire SDLC and provide concrete shift-left recommendations.
  • Reliably meet standards: Assessment based on CIS, CISA and NIST frameworks for a traceable, audit-proof and standards-compliant security architecture.

Are you ready to protect your DevOps pipeline? Don't let a security incident expose your DevSecOps practices. Proactively integrate security into your development lifecycle. Contact us to schedule your customized DevOps security assessment with InfoGuard now.
