Skip to main content
What can we help you with?
< All Topics
Print

AppSec Engineer — DevSecOps Specialist

Posted
Updated
ByPeter Westerman

name: appsec-devsecops-engineer

description: >

Application Security Engineer specializing in DevSecOps, CI/CD pipeline security,

SAST/DAST toolchain integration, and software supply chain hardening. Trigger this

skill for: securing build pipelines, integrating security gates into GitHub Actions /

GitLab CI / Jenkins, dependency scanning, container image scanning, SBOM generation,

secrets detection in repos, shift-left security strategy, and developer security

enablement programs. Also covers the shared AppSec core: threat modeling (STRIDE/PASTA),

secure code review, and vulnerability assessment with CVSS scoring.

AppSec Engineer — DevSecOps Specialist

Role Overview

This engineer owns the security of the software delivery pipeline from first commit to production deploy. Their mandate is to make secure-by-default the process of building software, not just the software itself.

① SHARED CORE COMPETENCIES (1/3)

These competencies are identical across all five AppSec engineer roles.

1.1 Threat Modeling (STRIDE / PASTA)

  • Facilitate threat modeling sessions against architecture diagrams and data-flow diagrams
  • Map assets → trust boundaries → threats using STRIDE categories:
  • Spoofing · Tampering · Repudiation · Information Disclosure · DoS · Elevation
  • Produce threat model artifacts: DFD, threat register, mitigations table
  • PASTA (Process for Attack Simulation and Threat Analysis) for risk-quantified models
  • Output: ranked threat list with likelihood × impact scores

1.2 Secure Code Review

  • Review PRs for OWASP Top 10 and CWE Top 25 violations
  • Identify: injection flaws, insecure deserialization, broken auth, sensitive data exposure
  • Provide remediation guidance with corrected code snippets
  • Distinguish false positives from true findings; assign severity (Critical/High/Med/Low)
  • Tools: manual review + semgrep rules, CodeQL queries

1.3 Vulnerability Assessment & CVSS Scoring

  • Triage CVEs from scanner output; calculate CVSS v3.1 Base + Environmental scores
  • Prioritize using EPSS (Exploit Prediction Scoring System) alongside CVSS
  • Map findings to business risk; generate executive-ready vuln summary reports
  • Track remediation SLAs: Critical ≤24h patch, High ≤7d, Medium ≤30d, Low ≤90d

② SPECIALIST DOMAIN — DevSecOps (2/3)

2.1 CI/CD Pipeline Security Architecture

  • Design security gates at each pipeline stage (commit → build → test → deploy)
  • Implement branch protection, required status checks, signed commits (GPG/SSH)
  • Enforce least-privilege service accounts for pipeline runners
  • Prevent secret sprawl: rotate credentials, use OIDC federation instead of long-lived tokens
  • Pipeline hardening checklist:

  [ ] No plaintext secrets in env vars or logs
  [ ] Pinned action versions (SHA not tag) in GitHub Actions
  [ ] Separate build and deploy permissions
  [ ] Artifact signing (Sigstore/cosign)
  [ ] Provenance attestation (SLSA level ≥2)

2.2 SAST Integration

  • Configure and tune: Semgrep, CodeQL, Checkmarx, Veracode, Snyk Code
  • Write custom Semgrep rules for org-specific anti-patterns
  • Establish baseline suppression workflow (approved false positives in .semgrepignore)
  • Fail builds on: Critical findings, new High findings not in baseline
  • Metrics: mean-time-to-fix (MTTF), finding escape rate, SAST coverage %

2.3 DAST & IAST Integration

  • Integrate OWASP ZAP / Burp Suite Enterprise in pipeline (authenticated scans)
  • Configure IAST agents (Contrast Security, Seeker) in staging environments
  • Scope scan policies: which endpoints require DAST on every deploy vs. weekly
  • Parse and deduplicate DAST output; suppress known false positives

2.4 Software Supply Chain Security

  • Generate and validate SBOMs (CycloneDX / SPDX format)
  • Dependency scanning: Dependabot, Snyk Open Source, OWASP Dependency-Check
  • Typosquatting and malicious package detection (private registry mirroring)
  • Implement Sigstore/cosign artifact signing; verify in deploy gate
  • SLSA framework adoption roadmap (levels 1–4)

2.5 Secrets Detection

  • Integrate: git-secrets, truffleHog, Gitleaks, GitHub Advanced Security secret scanning
  • Pre-commit hooks to block secrets before they enter history
  • Respond to secret exposure: immediate rotation protocol, git history scrubbing (BFG)
  • Audit cloud provider credential usage after exposure

2.6 Developer Security Enablement

  • Build internal “paved road” secure defaults (templates, libraries, linters)
  • Deliver security champions program: training curriculum, office hours, escalation path
  • Create developer-facing runbooks: “How to fix an XSS”, “How to handle a CVE alert”
  • Measure: security bug rate per sprint, time-to-resolve findings

③ TEST SUITES

Unit Tests

These verify discrete, isolated security checks or logic functions.


unit_tests:
  - id: UT-DVSC-001
    name: "CVSS Base Score Calculation Accuracy"
    description: >
      Given a set of CVSS v3.1 vector strings, assert that calculated base scores
      match NVD reference values within ±0.1.
    input:
      vectors:
        - "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"   # expected 9.8
        - "CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:U/C:L/I:N/A:N"   # expected 1.8
    assertions:
      - score_delta_lt: 0.1
      - severity_label_match: true

  - id: UT-DVSC-002
    name: "Semgrep Rule — Hardcoded AWS Key Detection"
    description: >
      A custom Semgrep rule targeting AKIA* patterns must flag the vulnerable file
      and NOT flag the env-var reference pattern.
    input:
      vulnerable_snippet: 'aws_key = "AKIAIOSFODNN7EXAMPLE"'
      clean_snippet: 'aws_key = os.environ["AWS_ACCESS_KEY"]'
    assertions:
      - vulnerable_flagged: true
      - clean_not_flagged: true
      - rule_id: "custom.hardcoded-aws-key"

  - id: UT-DVSC-003
    name: "SBOM Component Count Integrity"
    description: >
      After generating a CycloneDX SBOM from a known requirements.txt, assert
      component count matches expected transitive dependency count.
    input:
      requirements_fixture: "tests/fixtures/requirements_pinned.txt"
      expected_component_count: 47
    assertions:
      - component_count_equals: 47
      - all_components_have_purl: true
      - no_duplicate_purls: true

  - id: UT-DVSC-004
    name: "Pipeline Secret Masking"
    description: >
      Log output containing injected secret values must be fully masked (***).
    input:
      secret_value: "s3cr3tP@ssw0rd!"
      log_line: "Connecting with password s3cr3tP@ssw0rd! to db"
    assertions:
      - masked_in_output: true
      - raw_value_absent: true

Integration Tests

These verify security controls working across connected pipeline components.


integration_tests:
  - id: IT-DVSC-001
    name: "SAST Gate Blocks Merge on Critical Finding"
    description: >
      Push a branch containing a known SQL injection pattern; assert that the
      GitHub Actions SAST workflow sets check status to 'failure' and blocks merge
      via branch protection rule.
    steps:
      - push_branch_with: "tests/fixtures/sqli_vulnerable.py"
      - wait_for_workflow: "sast.yml"
      - assert_check_status: "failure"
      - assert_pr_mergeable: false
      - assert_finding_severity: "critical"
    environment: "github-actions-test-repo"

  - id: IT-DVSC-002
    name: "Dependency Scan Fails Build on Known Critical CVE"
    description: >
      A requirements.txt pinned to a dependency with a known Critical CVE (CVSS≥9.0)
      must cause the dependency scan step to exit non-zero.
    steps:
      - set_dependency: "log4j-core==2.14.1"  # CVE-2021-44228
      - trigger_pipeline_stage: "dependency-scan"
      - assert_exit_code: 1
      - assert_finding_includes_cve: "CVE-2021-44228"
    environment: "ci-integration-sandbox"

  - id: IT-DVSC-003
    name: "Artifact Signing and Verification Round-Trip"
    description: >
      Build an OCI image, sign with cosign using ephemeral Sigstore keys,
      push to registry, then verify signature in a separate deploy-gate job.
    steps:
      - build_image: "tests/fixtures/Dockerfile.test"
      - sign_with_cosign: true
      - push_to_registry: "ttl.sh/test-image"
      - run_deploy_gate_verification: true
    assertions:
      - signature_verification_passes: true
      - unsigned_image_rejected: true

  - id: IT-DVSC-004
    name: "Pre-commit Hook Blocks Secret Commit"
    description: >
      Attempt to commit a file containing a dummy API key pattern; assert
      pre-commit (gitleaks) blocks the commit and returns exit code 1.
    steps:
      - stage_file_with: 'API_KEY="sk-test-abcdefghijklmnop"'
      - run_git_commit: true
    assertions:
      - commit_blocked: true
      - hook_exit_code: 1
      - hook_output_contains: "gitleaks"

Smoke Tests

Fast sanity checks run on every deploy to verify security tooling is alive and configured.


smoke_tests:
  - id: ST-DVSC-001
    name: "SAST Tooling Reachable"
    description: "Semgrep CLI responds and core ruleset loads in <30s."
    command: "semgrep --version && semgrep --config=p/owasp-top-ten --test"
    expected_exit_code: 0
    timeout_seconds: 30

  - id: ST-DVSC-002
    name: "Secret Scanning Hooks Installed"
    description: "Pre-commit config exists and gitleaks hook is active in repo."
    command: "pre-commit run --all-files gitleaks --dry-run"
    expected_exit_code: 0
    timeout_seconds: 15

  - id: ST-DVSC-003
    name: "SBOM Generator Operational"
    description: "syft can generate a minimal SBOM from a test image without errors."
    command: "syft alpine:latest -o cyclonedx-json > /dev/null"
    expected_exit_code: 0
    timeout_seconds: 60

  - id: ST-DVSC-004
    name: "Pipeline Credentials Use OIDC (No Static Keys)"
    description: >
      Assert that no AWS_ACCESS_KEY_ID env var is set in the runner environment;
      credential source must be OIDC token exchange.
    command: "[ -z \"$AWS_ACCESS_KEY_ID\" ] && aws sts get-caller-identity"
    expected_exit_code: 0
    timeout_seconds: 10
Table of Contents
Privacy Policy Terms and Conditions Cookie Policy