DevSecOps

DevSecOps is an approach that integrates security measures into the DevOps pipeline from the outset, unifying the three domains of development, security, and operations.
Don't Make Security an "Afterthought"
In traditional development processes, security review functioned as a gate immediately before release: completed code was handed to the security team, vulnerability scans were run, and anything found was sent back to development. Release schedules came under pressure, and the relationship between development and security teams tended to deteriorate.
The DevSecOps notion of "shift left" means moving those checks to the early stages of development, the "left side" of the project timeline. SAST (static analysis) runs as soon as code is committed, and findings surface during pull request review while the author still has the context to fix them, instead of in a scramble right before release.
What to Integrate into the Pipeline
SAST (Static Application Security Testing): Analyzes source code without executing it to detect patterns such as SQL injection, XSS and hardcoded secrets. Runs early in CI, on every commit or pull request; because it lacks runtime context it produces false positives, so findings should be triaged and rules tuned rather than the gate being switched off.
DAST (Dynamic Application Security Testing): Sends attack patterns to a running application to find vulnerabilities, including deployment and configuration issues that static analysis cannot see. Runs during the testing phase against a staging environment.
SCA (Software Composition Analysis): Matches third-party dependencies against databases of known vulnerabilities (CVEs). Runs whenever dependency or lock files change, and should also run on a schedule, since new CVEs are published against libraries that have not changed.
Policy as Code: Tools like OPA (Open Policy Agent) and Cedar express security policy in a declarative language that is versioned and reviewed like any other code. Rules such as "direct access to the production DB is prohibited" and "creation of unencrypted storage is denied" are then enforced automatically, for example against an infrastructure plan in CI or by an admission controller at deploy time.
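As an added example, not code from the original page or from the OPA project, the following Rego policy (OPA's policy language) encodes the two rules quoted above against a Terraform plan exported with `terraform show -json`. The resource types and attribute names are those of the Terraform AWS provider (`aws_ebs_volume.encrypted`, `aws_db_instance.storage_encrypted`, `aws_db_instance.publicly_accessible`); using an `Environment = "production"` tag to identify the production database is an assumed convention.

```rego
# Added example policy (not from the original page or the OPA project).
# Input: the JSON produced by `terraform show -json tfplan`, whose
# `resource_changes` array lists every resource and its planned change.
package terraform.deny

import rego.v1

# A resource change counts when the plan creates or updates the resource.
changed(rc) if {
	some action in rc.change.actions
	action in {"create", "update"}
}

# Rule: creation of unencrypted storage is denied (EBS volumes).
# `not ... encrypted` also fires when the attribute is absent, so a
# resource that never sets it fails closed rather than slipping through.
deny contains msg if {
	some rc in input.resource_changes
	rc.type == "aws_ebs_volume"
	changed(rc)
	not rc.change.after.encrypted
	msg := sprintf("%s: EBS volume must set encrypted = true", [rc.address])
}

# Rule: creation of unencrypted storage is denied (RDS instances).
deny contains msg if {
	some rc in input.resource_changes
	rc.type == "aws_db_instance"
	changed(rc)
	not rc.change.after.storage_encrypted
	msg := sprintf("%s: RDS instance must set storage_encrypted = true", [rc.address])
}

# Rule: direct access to the production DB is prohibited.
# Assumed convention: production resources carry tags.Environment = "production".
deny contains msg if {
	some rc in input.resource_changes
	rc.type == "aws_db_instance"
	changed(rc)
	rc.change.after.tags.Environment == "production"
	rc.change.after.publicly_accessible == true
	msg := sprintf("%s: production database must not be publicly accessible", [rc.address])
}
```

In CI, run `terraform show -json tfplan > plan.json` followed by `opa eval --input plan.json --data policy.rego "data.terraform.deny"` and fail the job when the returned set is non-empty. One caveat: attributes whose value is only known after apply are reported under `change.after_unknown` rather than `change.after`, so the encryption rules above reject them as well; that is the fail-closed choice made here, and a production policy should decide explicitly how to treat unknown values.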
Relationship with AI Development
Applications that incorporate LLMs introduce attack vectors that did not exist in traditional web applications, such as prompt injection, model data leakage, and training data poisoning. With regulations like the EU AI Act also in play, the movement to add AI-specific security checks to DevSecOps pipelines has been spreading rapidly as of 2026.
Related Terms

AI ROI (Return on Investment in AI)
AI Observability
Ambient AI
BPO (Business Process Outsourcing)