DevSecOps Series – Part 1: IAC and DevSecOps

Table of Contents:


As you know, we at Soeldner Consult have been dealing with IaC und pipelines a long time. Reason enough to start a series about this topic. While we have a lot of content about Supply Chains for  container, we still did not write too much about Terraform and IaC in our blog. Now, this is the first blog post in a new IaC DevSecOps series, where we dive in into those topics.


Implementing DevSecOps in an Infrastructure-as-Code (IaC) pipeline is a crucial step towards creating a secure, scalable, and reliable IT infrastructure. DevSecOps integrates DevOps principles with security measures to cover the entire lifecycle of applications and systems, identifying and addressing potential security vulnerabilities early in the development process. The IaC pipeline plays a significant role by providing an automated method for managing infrastructure changes. This blog post explains the fundamentals of DevOps, Continuous Integration/Continuous Deployment (CI/CD), and IaC, and outlines the steps necessary to implement DevSecOps in an IaC pipeline. The goal is to enhance an existing DevOps environment by securing the IaC pipelines with security tools, thereby ensuring a safe integration and deployment process.

Introduction to DevOps

DevOps, a mix of Development (Dev) and Operations (Ops), bridges the gap between software developers and IT teams to increase an organization’s ability to deliver applications and services at high velocity. It fosters a collaborative culture aimed at building trust, automating workflows, and delivering high-quality, reliable software quickly. DevOps is not just a set of processes but a cultural philosophy that emphasizes collaboration, automation, lean practices, measurement, and information sharing. The primary goal of DevOps is to accelerate the development and release cycle, from planning to deployment, ensuring that the software meets high standards of reliability and quality.

John Willis, in his DevOps handbook, outlines five core principles that are essential for effective collaboration: culture, automation, lean processes, measurement, and sharing. These principles are designed to significantly improve product quality and operational efficiency:

1. Culture: Building a collaborative and trust-based culture is fundamental. It involves creating an environment where developers and IT teams work closely, share responsibilities, and communicate openly.

2. Automation: Automating repetitive tasks reduces manual effort, speeds up processes, and minimizes human errors. Automation is crucial for achieving continuous integration and continuous delivery.

3. Lean Processes: Emphasizing lean principles helps in eliminating waste, optimizing processes, and ensuring that only valuable features are developed and deployed.

4. Measurement: Establishing standardized metrics allows teams to evaluate applications and components consistently. Regular measurement and monitoring help in identifying bottlenecks and improving processes.

5. Sharing: Encouraging a culture of sharing knowledge and information across teams enhances learning, facilitates problem-solving, and ensures that everyone is aligned with the project goals.

Continuous Integration and Continuous Delivery (CI/CD)

CI/CD automates many tasks that developers traditionally handle manually. These practices are essential for maintaining a streamlined and efficient development pipeline:

1. Continuous Integration (CI):

    – Developers frequently integrate code changes into a shared repository, ensuring that the main codebase is always up-to-date.

    – Automated build and test processes run with each integration, catching errors early and ensuring that the code works under real-world conditions.

    – CI helps in identifying and resolving conflicts early, improving software quality and stability.

2. Continuous Delivery (CD):

    – CD automates the deployment process, ensuring that code changes are consistently and reliably released to production.

    – After passing CI, code changes are validated in production-like environments before deployment. This step ensures that the new code does not introduce errors or regressions.

    – CD allows for small, incremental releases, reducing the risk of significant issues and making rollbacks easier if problems arise.

A version control system (VCS) like Git is integral to CI/CD, providing a centralized code repository that tracks changes and supports seamless integration. Git’s features, such as commit messages and issue tracking, enhance collaboration and traceability, making it easier to identify and resolve issues.

Additional: Continuous Testing and Continuous Operations

To further ensure the reliability and performance of applications, DevOps incorporates Continuous Testing and Continuous Operations:

1. Continuous Testing:

    – Tests are conducted at every stage of the pipeline, covering both functional and non-functional aspects such as performance, security, and scalability.

    – Continuous testing helps in early detection of errors and ensures that code changes meet quality standards and compliance requirements.

    – Automated testing reduces the risk of errors in production and provides quick feedback to developers, enabling faster iterations.

2. Continuous Operations:

    – This practice focuses on maintaining maximum application availability and quickly responding to issues.

    – It involves continuous monitoring, diagnosis, and recovery processes to ensure that applications run smoothly and reliably.

    – By monitoring application performance and health, teams can proactively address issues before they impact end-users, ensuring a seamless user experience.

Continuous Operations and Continuous Testing together help maintain high standards of quality and reliability, aligning with DevOps‘ goal of rapid and dependable software delivery. These practices also support compliance with industry standards and regulations, ensuring that the software is not only functional but also secure and scalable. By implementing these comprehensive DevOps practices, organizations can achieve a robust, efficient, and high-quality development pipeline.

CI/CD Principles

To achieve maximum efficiency in the development lifecycle, a number of core principles must be followed in Continuous Integration/Continuous Delivery (CI/CD). These principles ensure seamless integration and delivery of code changes:

1. Source Code Management (SCM): All necessary files, scripts, source code, database infrastructure, libraries, and configuration files must be included in the SCM. This also includes files and scripts needed for the testing phase.

2. Frequent and Early Code Integration: Developers should create or modify small code segments or individual functions and integrate them into the main branch regularly. This frequent merging minimizes conflicts and keeps the main branch up-to-date.

3. Automated Builds: Automating the build process reduces manual effort and ensures that all necessary files are included. Scripts handle tasks like HTML generation, SQL script execution, and application building.

4. Automated Testing: Before builds are created, they must be tested to ensure error-free execution. Scripts perform error checks, integrity checks, quality assessments, and security tests.

5. Small and Frequent Code Changes: Keeping code changes small and frequent makes it easier to revert to previous versions if needed and reduces the risk of major issues. This principle relies heavily on automated builds.

6. Testing in Cloned Production Environments: To avoid downtime and protect critical data, tests should be run in environments cloned from production. This ensures that any errors are caught before deployment to the live environment.

7. Reliable CI/CD Testing and Verification Processes: Developers should feel confident that their changes can be deployed at any time. Reliable CI/CD processes encourage frequent code updates, knowing that the pipeline will handle testing and verification effectively.


This blog post introduced DevOps and explained why we should use it. In addition, we covered CI/CD and its core principles. That’s enough for this post. In the next blog post, we will introduce IaC.


Dr. Guido Söldner


Guido Söldner ist Geschäftsführer und Principal Consultant bei Söldner Consult. Sein Themenfeld umfasst Cloud Infrastruktur, Automatisierung und DevOps, Kubernetes, Machine Learning und Enterprise Programmierung mit Spring.