DevOps

What are the best practices for implementing DevSecOps in a cloud native environment?

RO Asked by Robert Wilson · 10-06-2025
0 upvotes 8,840 views 0 comments
The question

Our organization is moving toward a "Shift Left" security approach, but we are struggling to integrate security scanning without breaking the speed of our DevOps pipeline. We want to incorporate SAST and DAST tools directly into our GitLab CI, but the false positives are overwhelming our developers. How are you handling automated vulnerability management while maintaining a fast release cycle in 2025? 

3 answers

0
EM
Answered on 15-11-2023

Implementing DevSecOps effectively requires a tiered scanning strategy. You shouldn't run a full DAST scan on every single commit; instead, trigger lightweight SAST during the "Pre-commit" or "Build" phase to catch low-hanging fruit. Save the heavy-duty security audits for the staging environment or weekly scheduled jobs. To handle false positives, use an orchestration layer like DefectDojo to aggregate findings and suppress known non-issues. This keeps the developer's feedback loop tight and prevents "security fatigue" which often leads to teams bypassing critical checks. 

0
JA
Answered on 20-11-2023

Are you currently using "Policy as Code" tools like OPA (Open Policy Agent) to enforce compliance at the infrastructure level before the code even reaches the security scanning phase? 

RO 22-11-2023

James, we haven't looked into OPA yet. Does it work well with Terraform, and can it actually block a deployment if a developer accidentally opens a public S3 bucket? We need something that acts as a hard gate for critical misconfigurations without requiring a manual review for every single infrastructure change.

0
BA
Answered on 25-11-2023

The key is to focus on the "Top 10" vulnerabilities first. Don't try to fix everything at once. Start by blocking builds only on "Critical" and "High" alerts to build trust with the dev team.

EM 26-11-2023

Barbara's advice is spot on. We followed this incremental approach and it significantly reduced the friction between our security and engineering departments while improving our overall posture.

Share your thoughts

Your email address will not be published. Required fields are marked (*)

Professional Counselling Session

Still have questions?
Schedule a free counselling session

Our experts are ready to help you with any questions about courses, admissions, or career paths. Get personalized guidance from industry professionals.

Request a Call Back

Search Online

We Accept

We Accept

Follow Us

"PMI®", "PMBOK®", "PMP®", "CAPM®" and "PMI-ACP®" are registered marks of the Project Management Institute, Inc. | "CSM", "CST" are Registered Trade Marks of The Scrum Alliance, USA. | COBIT® is a trademark of ISACA® registered in the United States and other countries.

Book Free Session