

A Guide to DevSecOps Security Checklist

Parveen Bhandari | 31 May 2023

Introduction to DevSecOps

DevSecOps grew out of DevOps (Development and Operations): adding Security to the name, and to the practice, gave Development, Security, Operations. The aim is to make everyone accountable for security and to apply it at the same pace as development and operations, rather than bolting it on at the end. In short, DevSecOps injects security into every stage of the DevOps lifecycle.

While building security into your pipeline, it helps to perform a defined set of activities at each stage, each with a clear purpose. Below are two checklists: the stages a DevSecOps pipeline passes through, and five practices that should hold across all of them. Individual activities can be moved earlier or later in the process to suit your own lifecycle.


Checklist Guide To DevSecOps Journey

  1. Pre-commit checks
  2. Commit-time checks
  3. Build-time checks
  4. Test-time checks
  5. Deploy-time checks

Pre-Commit Checks

This is the first step in the DevSecOps security checklist. Pre-commit checks catch and fix minor security issues on the developer's machine, before changes are committed to the source code repository, which is where they are cheapest to fix.


Pre-commit checks also automate work that would otherwise be done by hand in review, so they raise the team's productivity rather than slowing developers down.

Use Case:

Pre-commit checks let the development team run scans from inside the IDE with a tool such as Code Sight. It gives just-in-time security guidance as a developer writes code: before the code is committed, Code Sight acts as an on-hand security expert and flags potential flaws automatically, so they are fixed while the context is still fresh.
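A second kind of pre-commit check that needs no IDE plugin is a git hook. The script below is an added example written for this guide, not code from the article or from Code Sight: it scans the staged diff for credential-looking strings and aborts the commit when one is found. The three patterns, the hook entry point and the sample diff are constructed for illustration (the access key ID is the one AWS uses in its own documentation, not a live credential).

```shell
#!/bin/sh
# Added example: git pre-commit hook that blocks commits whose staged changes
# contain credential-looking strings. Patterns and the sample diff at the end
# are constructed for this illustration, not taken from a particular tool.

# Secret signatures as "label regex", one per line (POSIX extended regex).
# The AWS pattern is the documented access-key-ID shape: AKIA + 16 chars.
secret_patterns() {
    cat <<'EOF'
aws-access-key-id AKIA[0-9A-Z]{16}
private-key-block -----BEGIN (RSA |EC |OPENSSH )?PRIVATE KEY-----
hardcoded-password (password|passwd|secret|PASSWORD|SECRET)[[:space:]]*=[[:space:]]*["'][^"']{8,}["']
EOF
}

# Read a unified diff on stdin and inspect only the added lines ("+" lines,
# excluding the "+++" file header), so a secret that already sits in an
# untouched context line does not block every unrelated commit. Prints one
# "label: line" per hit and returns 1 if anything matched, 0 otherwise.
scan_added_lines() {
    added=$(grep -E '^\+' | grep -Ev '^\+\+\+' | sed 's/^+//')
    hits=0
    while read -r label regex; do
        # -e keeps a regex that starts with "-" from being parsed as an option
        match=$(printf '%s\n' "$added" | grep -E -e "$regex" | head -n 1)
        if [ -n "$match" ]; then
            printf '%s: %s\n' "$label" "$match"
            hits=$((hits + 1))
        fi
    done <<EOF
$(secret_patterns)
EOF
    [ "$hits" -eq 0 ]
}

# Entry point when installed as .git/hooks/pre-commit: git gives the hook no
# stdin, so the staged diff is fetched explicitly. A non-zero exit aborts the
# commit; the developer sees which pattern fired and on which line.
pre_commit_hook() {
    if ! git diff --cached --unified=0 | scan_added_lines; then
        echo 'pre-commit: possible secret in staged changes; commit blocked' >&2
        return 1
    fi
}

# Constructed staged diff for a stand-alone run (no repository needed).
SAMPLE_DIFF='diff --git a/config.py b/config.py
--- a/config.py
+++ b/config.py
@@ -1,3 +1,4 @@
 import os
-AWS_KEY = os.environ["AWS_KEY"]
+AWS_KEY = "AKIAIOSFODNN7EXAMPLE"
+DB_PASSWORD = "correct-horse-battery"
+TIMEOUT = 30'

if printf '%s\n' "$SAMPLE_DIFF" | scan_added_lines; then
    echo 'sample diff: clean'
else
    echo 'sample diff: blocked'
fi
```

To install it, copy the file to `.git/hooks/pre-commit`, make it executable and call `pre_commit_hook` at the bottom instead of the sample run. A hook like this is a safety net, not a guarantee: it runs only on machines where it is installed and can be skipped with `git commit --no-verify`, which is why the same scan should also run at commit time on the server side.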

Commit-Time Checks

These checks are triggered automatically by a check-in to the source code repository. They return fast results to the developer who is pushing code to the shared repository.


They ensure that the code compiles and can be built at all times. They also focus on critical- and high-severity security issues in the code, leaving the slower, more complete scans for later stages.

Build Time Checks

Build-time checks are triggered automatically once the commit-time checks succeed. This stage performs more advanced automated testing of the application: security testing, open-source component management, risk-based security tests, and storing the resulting artifacts in a repository.


Build-time checks break the build on any failure. This includes:

  • A unit test fails
  • A vulnerability is found
  • The committed code does not compile

Build-time checks also examine dependencies and whether any of them carry publicly disclosed vulnerabilities.

Use case:

This stage allows users to configure more comprehensive SAST rule sets, such as one aligned with the OWASP Top 10 when dealing with web applications. It is also where jobs that identify risks in third-party code are set up, using a software composition analysis tool such as Black Duck.
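The "break the build" rule above is easy to state and easy to get wrong in a pipeline, so here is an added example of a build gate in POSIX shell (written for this guide; it is not the article's own code or any vendor's). It runs the stages in order, stops at the first failure, and applies a severity policy to scanner output, which also shows how the commit-time stage can block only on critical and high findings while a later stage uses a stricter threshold. The `severity,rule,location` findings format, the stub compile and test commands, and the sample findings are all constructed; a real pipeline substitutes `make`, the unit-test runner and the scanner's export for the stubs.

```shell
#!/bin/sh
# Added example: a build-time gate that runs each stage in order, stops at the
# first failure, and applies a severity policy to scanner output. The findings
# format "severity,rule,location", the stub stage commands and the sample
# findings are constructed for illustration.

# Numeric rank per severity so thresholds can be compared. An unrecognised
# label ranks as critical, so a changed scanner vocabulary fails closed rather
# than slipping past the gate.
severity_rank() {
    case "$1" in
        critical) echo 4 ;;
        high)     echo 3 ;;
        medium)   echo 2 ;;
        low)      echo 1 ;;
        *)        echo 4 ;;
    esac
}

# Read findings on stdin; print every finding at or above the threshold given
# as $1 and return 1 if there was at least one, 0 if the build may proceed.
# Blank lines and "#" comment lines are skipped.
enforce_severity() {
    threshold=$(severity_rank "$1")
    blocking=0
    while IFS=',' read -r severity rule location; do
        case "$severity" in ''|'#'*) continue ;; esac
        if [ "$(severity_rank "$severity")" -ge "$threshold" ]; then
            printf 'BLOCK %s %s at %s\n' "$severity" "$rule" "$location"
            blocking=$((blocking + 1))
        fi
    done
    [ "$blocking" -eq 0 ]
}

# Run one named stage; a non-zero status from the command breaks the build.
run_stage() {
    name=$1
    shift
    if "$@"; then
        printf 'stage %s: ok\n' "$name"
    else
        printf 'stage %s: FAILED, build broken\n' "$name" >&2
        return 1
    fi
}

# build_gate COMPILE_FN TEST_FN FINDINGS_FN FAIL_ON_SEVERITY
# Stages run as compile, unit tests, then vulnerability findings; a later
# stage never runs after an earlier one has failed.
build_gate() {
    run_stage compile "$1" || return 1
    run_stage unit-test "$2" || return 1
    if ! "$3" | enforce_severity "$4"; then
        echo 'stage sast: FAILED, findings at or above threshold' >&2
        return 1
    fi
    echo 'stage sast: ok'
}

# Constructed stand-ins so the file runs by itself.
compile_ok() { true; }
tests_pass() { true; }
tests_fail() { false; }
findings_sample() {
    cat <<'EOF'
# severity,rule,location  (constructed sample findings)
high,sql-injection,app/db.py:42
medium,weak-hash-md5,app/auth.py:17
low,debug-enabled,settings.py:3
EOF
}

# Stand-alone run: the high finding breaks the build at the "high" threshold.
if build_gate compile_ok tests_pass findings_sample high; then
    echo 'build passed'
else
    echo 'build broken'
fi
```

In a CI job the call becomes `build_gate make run_unit_tests export_findings high || exit 1`, where the last two names are whatever wraps your test runner and scanner; the non-zero exit is what the CI server turns into a red build.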


Test-Time Checks

These are triggered automatically by successful build-time checks. The latest good build is picked up and deployed to a staging or test environment, and on that build the full set of tests is executed: functional, integration, and performance testing.


This testing phase takes place just before a release into production, so the staging environment should be the one most representative of production.

Use case:

Here the tool's full security rule sets are applied. Since SAST already ran in the earlier checks, the aim at this stage is to run the tests that the earlier stages have not yet covered.

Deploy-Time Checks

Once the previous steps have completed successfully, the application is ready for deployment. Deploy-time checks add pre- and post-deployment security checks to complete the DevSecOps pipeline. A good strategy is a process that periodically triggers security testing against production; post-deployment checks give assurance that changes to the production environment have not introduced security problems.


These checks can find bugs that were missed during pre-production testing. Continuous monitoring gives insight into the traffic an application receives, and the resulting metrics help identify malicious users.

Use Case:


  • Automate configuration management
  • Automate provisioning of the runtime environment
  • Automate collection of application-level security metrics
  • Schedule security scanning
  • Enable vulnerability scanning
  • Create an incident response plan
  • Provide insights to the DevSecOps team that will lead to the building of a threat intelligence program
"Security and risk management leaders must adhere to the collaborative, agile nature of DevOps for security testing to be seamless in development, making the 'Sec' in DevSecOps transparent." (Source: Gartner, Inc.)
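"Automate collection of application-level security metrics" is abstract until you see what the metrics are. The script below is an added example for this guide (not the article's code or any product's): it derives three such metrics from web-server access logs in the Apache/Nginx combined format, namely failed-authentication counts per client IP, clients that exceed a failed-auth limit, and requests for paths that real users never ask for. The log lines, the probe-path list and the limit of five are constructed for illustration and must be tuned to the application's own baseline before anyone is blocked on the strength of them.

```shell
#!/bin/sh
# Added example: post-deployment security metrics from web-server access logs
# in the Apache/Nginx "combined" format. Log lines, the probe-path list and
# the failed-auth limit are constructed for illustration.

# Constructed sample log. Field layout per line:
#   ip - - [time zone] "method path proto" status bytes "referer" "user-agent"
# 203.0.113.7 hammers the login form; 192.0.2.9 probes for files the
# application does not serve; 198.51.100.4 is an ordinary user.
SAMPLE_ACCESS_LOG='203.0.113.7 - - [31/May/2023:10:00:01 +0000] "POST /login HTTP/1.1" 401 512 "-" "curl/8.0"
203.0.113.7 - - [31/May/2023:10:00:02 +0000] "POST /login HTTP/1.1" 401 512 "-" "curl/8.0"
203.0.113.7 - - [31/May/2023:10:00:03 +0000] "POST /login HTTP/1.1" 401 512 "-" "curl/8.0"
203.0.113.7 - - [31/May/2023:10:00:04 +0000] "POST /login HTTP/1.1" 401 512 "-" "curl/8.0"
203.0.113.7 - - [31/May/2023:10:00:05 +0000] "POST /login HTTP/1.1" 401 512 "-" "curl/8.0"
203.0.113.7 - - [31/May/2023:10:00:06 +0000] "POST /login HTTP/1.1" 401 512 "-" "curl/8.0"
198.51.100.4 - - [31/May/2023:10:00:10 +0000] "POST /login HTTP/1.1" 401 512 "-" "Mozilla/5.0"
198.51.100.4 - - [31/May/2023:10:00:15 +0000] "GET /home HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
192.0.2.9 - - [31/May/2023:10:00:20 +0000] "GET /.env HTTP/1.1" 404 162 "-" "python-requests/2.31"
192.0.2.9 - - [31/May/2023:10:00:21 +0000] "GET /.git/config HTTP/1.1" 404 162 "-" "python-requests/2.31"
198.51.100.4 - - [31/May/2023:10:00:30 +0000] "GET /api/orders HTTP/1.1" 500 88 "-" "Mozilla/5.0"'

# Count 401/403 responses per client IP; prints "count ip", highest first.
# In combined format $1 is the client IP and $9 the status code.
failed_auth_by_ip() {
    awk '$9 == 401 || $9 == 403 { n[$1]++ } END { for (ip in n) print n[ip], ip }' | sort -rn
}

# Clients whose failed-auth count exceeds the limit (default 5, constructed).
# Feed this to the blocklist or the incident-response queue, not straight to
# a firewall rule, until the limit is validated against real traffic.
flag_suspicious_ips() {
    limit=${1:-5}
    failed_auth_by_ip | awk -v limit="$limit" '$1 > limit { print $2 }'
}

# Requests for paths legitimate users never ask for: a cheap indicator of
# automated scanning. $7 is the request path. The list is illustrative.
probe_requests() {
    awk '$7 ~ /(\.env|\.git|wp-login\.php|phpmyadmin)/ { print $1, $7, $9 }'
}

# Requests per status class (2xx, 4xx, 5xx): the dashboard number whose
# sudden change after a deployment is worth a look.
status_summary() {
    awk '{ c[substr($9, 1, 1) "xx"]++ } END { for (k in c) print k, c[k] }' | sort
}

# Stand-alone run over the constructed sample.
echo '== status classes =='
printf '%s\n' "$SAMPLE_ACCESS_LOG" | status_summary
echo '== failed auth per ip =='
printf '%s\n' "$SAMPLE_ACCESS_LOG" | failed_auth_by_ip
echo '== suspicious ips (more than 5 failed auths) =='
printf '%s\n' "$SAMPLE_ACCESS_LOG" | flag_suspicious_ips 5
echo '== probe requests =='
printf '%s\n' "$SAMPLE_ACCESS_LOG" | probe_requests
```

Every function reads stdin, so against a live system the same calls become `flag_suspicious_ips 20 < /var/log/nginx/access.log` in a scheduled job, or a `tail -F` pipe for near-real-time use. The numbers are signals for the security team, which is the "insights" item in the list above; deciding what to do about a flagged client belongs to the incident response plan.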

Five-Pointer DevSecOps Checklist

These five practices underpin the checklist above:

  1. Embrace Automation
  2. Risk Management
  3. Security Management Process
  4. Integrating Bug Tracker
  5. Threat Modelling

Embrace Automation

The most crucial requirement for continuous integration and continuous testing is speed, and speed makes automation a fundamental requirement. The necessary security measures and their triggers must therefore be automated as well: vulnerability scanning runs on every change rather than as a periodic manual exercise, so the tools that enable it have to be wired into the code and pipeline configuration.

Risk Management in Third-Party Tools and Open Source Technologies

With hacks and data breaches now regular news, security is cited as an essential concern. Open-source code pulled into a project as a dependency can introduce vulnerability risk, because it may be unmaintained code with no security measures applied. Dependency checking is therefore a must: a tool such as OWASP Dependency-Check matches the project's dependencies against publicly disclosed vulnerabilities.
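What a dependency checker actually does is match each pinned dependency against an advisory list by version range. The script below is an added example written for this guide, not code from the article, from OWASP Dependency-Check or from any other tool, and it uses constructed data throughout: a small `name==version` lockfile, an advisory feed in a made-up `package|introduced|fixed|id|severity` format with placeholder identifiers, and a dotted-version comparison. In practice the feed comes from a real vulnerability database, and the exit status of the audit is what breaks the build.

```shell
#!/bin/sh
# Added example: audit pinned dependencies against an advisory feed and break
# the build when one falls inside a vulnerable version range. Lockfile,
# advisory feed and identifiers are constructed; they describe no real package.

# version_lt A B: true when dotted version A sorts before B, comparing each
# field numerically (so 1.10.0 is newer than 1.9.0). Pre-release suffixes such
# as "rc1" are not understood and compare as 0.
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0
            yi = (i <= nb) ? y[i] + 0 : 0
            if (xi < yi) exit 0
            if (xi > yi) exit 1
        }
        exit 1
    }'
}

# Constructed advisory feed: package|introduced|fixed|id|severity, meaning
# versions >= introduced and < fixed are affected. The IDs are placeholders.
advisory_feed() {
    cat <<'EOF'
examplelib|1.0.0|1.5.0|EXAMPLE-ADV-1|high
otherlib|2.0.0|2.0.3|EXAMPLE-ADV-2|medium
safelib|0.5.0|0.9.0|EXAMPLE-ADV-3|critical
EOF
}

# Read "name==version" lines on stdin, print one line per affected dependency,
# and return 1 if any was found so that "audit_lockfile < lock || exit 1"
# breaks the build. Blank lines and "#" comments are skipped.
audit_lockfile() {
    findings=0
    while read -r line; do
        case "$line" in ''|'#'*) continue ;; esac
        name=${line%%==*}
        version=${line##*==}
        while IFS='|' read -r pkg introduced fixed id severity; do
            [ "$pkg" = "$name" ] || continue
            if ! version_lt "$version" "$introduced" && version_lt "$version" "$fixed"; then
                printf '%s: %s==%s is affected by %s (fixed in %s)\n' \
                    "$severity" "$name" "$version" "$id" "$fixed"
                findings=$((findings + 1))
            fi
        done <<EOF
$(advisory_feed)
EOF
    done
    [ "$findings" -eq 0 ]
}

# Constructed lockfile: two pins fall inside a vulnerable range, one is fixed.
LOCKFILE='# constructed lockfile
examplelib==1.4.2
otherlib==2.0.0
safelib==0.9.1'

# Stand-alone run.
if printf '%s\n' "$LOCKFILE" | audit_lockfile; then
    echo 'dependency audit: clean'
else
    echo 'dependency audit: vulnerable dependencies found, build broken'
fi
```

The range logic is the part worth copying: "introduced" is inclusive and "fixed" is exclusive, which is how advisory databases express affected versions, and an upgrade to exactly the fixed release must pass. Run the same audit on a schedule as well as at build time, because a dependency that was clean when it was built can become vulnerable when a new advisory is published.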

Security Management Process

DevSecOps needs a defined security management process. When the security team finds a bug, it reports it against the repository, but developers often lack the resources to work through those reports, so functional testing ends up taking priority over security testing. A uniform security management process lets code changes be made in one place and notifies the DevSecOps team, who can then run the agreed verification tests.

Integrating Bug Tracker in Application Security System

Integrating a bug tracker with the application security tooling creates bug reports automatically. Each report carries actionable details: the severity, the facts of the finding, and the remediation required. This keeps the security team ahead and ready to fix issues before they reach the development and production environments.

Threat Modelling

The SANS Institute recommends risk management before a DevSecOps implementation. Threat modelling identifies the threats to each software component and the measures that counter them.


With growing demand to shorten the development of reliable applications, DevOps as a practice is set to grow, but with that power comes responsibility. Security is as significant a concern as delivering the end product, so security must be injected from the earliest stages of development. Implementing Development + Security + Operations should be a standard plan for organisations from the start, and the checklists above help achieve that.