DevSecOps overview
DevSecOps here means baking security and auditability into how you build, ship, and run software — without a separate “big bang” audit at the end. This page is a router: it points to deep guides elsewhere; it does not replace them.
Nothing here is legal or compliance advice. Align with your GRC, security, and legal owners.
If you own policy and automation (security engineering)
Start where you encode rules and fail bad changes early:
- Security scanning (DevSecOps) — SAST, SCA (dependency/CVE), DAST, container and IaC scanning, secrets in pipeline, shift-left patterns.
- Policy as code — Conftest, Kyverno, kubectl apply --dry-run=server, admission webhooks; complements scanning for Kubernetes and cloud shape.
- Supply chain security — SBOM, SLSA framing, image signing and verification.
- Vulnerability management in CI/CD — After-SCA triage, gates, waivers, noise.
- Pod Security Standards and Admission controllers — Namespace policy and admission chain.
- RBAC, Network policies — Who can do what; traffic allowlists.
If you run production and audits (operations)
Start where you observe, prove, and recover:
- Observability overview — Metrics, logs, traces, alerts; ties to runtime risk and incidents.
- Compliance quick reference for SREs — Matrix + checklists by framework (SOC 2, ISO, HIPAA, PCI, CIS pointer) so you know what to open first.
- Compliance and audit — CI/CD audit trails, separation of duties, signed commits, change evidence.
- Audit fieldwork and evidence for engineers — Walkthroughs, sampling, SOC 2 / ISO themes from an engineer’s seat.
- Production platform checklist — Layered checks before and during incidents.
- Incident response and on-call — Rotations and escalation when controls fail.
Cross-cutting reads
- CIS controls and cloud benchmarks — CIS program vs AWS / Azure Foundations benchmarks, mapped into this library.
- SOC 2 for platform teams — Thin “if you need X, read Y” hub (optional shortcut to the same destinations as the compliance quick reference).
- Cloud hubs: AWS security services, Azure security, AWS IAM, AWS secrets.
Related
- Security overview
- CI/CD overview
- Service readiness checklist — Operational readiness; pair with Compliance quick reference for SREs for a compliance lens.