Skip to main content

DevSecOps

Overview

DevSecOps is the practice of integrating security into every phase of the Software Development Lifecycle (SDLC). Rather than treating security as a separate activity performed after development, DevSecOps incorporates security controls into planning, development, testing, deployment, and maintenance activities.

The Secure Controlled Guns and Ammunition Inventory Management System (SCGAIMS) was developed using DevSecOps principles to ensure that security, accountability, traceability, and governance considerations remain embedded throughout the development process.

Given the nature of the system and its focus on controlled firearms and ammunition accountability, secure development practices are a critical component of the overall solution.


DevSecOps Objectives

The DevSecOps strategy implemented for SCGAIMS focuses on:

  • Secure software development
  • Source code accountability
  • Secure configuration management
  • Vulnerability identification
  • Security automation
  • Continuous validation
  • Secure deployment practices

DevSecOps Lifecycle

The SCGAIMS DevSecOps lifecycle consists of:

Plan
|
v
Develop
|
v
Build
|
v
Test
|
v
Secure
|
v
Deploy
|
v
Monitor

Security considerations are incorporated throughout all phases of this lifecycle.


Source Code Management

Git

Git was selected as the version control platform for SCGAIMS.

Benefits include:

  • Source code versioning
  • Change tracking
  • Rollback capability
  • Branching and merging
  • Configuration management

Version Control Benefits

Git provides:

Traceability

Accountability

Change History

Collaboration

Recovery Capability

Repository Management

GitHub

SCGAIMS source code is maintained within a GitHub repository.

Repository Functions:

Source Code Storage

Version Control

Documentation Storage

Collaboration

Future CI/CD Integration

Repository Structure

The repository contains:

backend/

inventory/

docs/

manage.py

.env.example

.gitignore

README.md

Security Benefits

GitHub provides:

Change Auditing

Commit History

Centralized Storage

Developer Accountability

Secure Configuration Management

Overview

One of the most important security improvements implemented during development was the removal of sensitive credentials from application source code.


Environment Variables

Sensitive configuration values are stored using environment variables.

Examples include:

DB_NAME

DB_USER

DB_PASSWORD

DB_HOST

DB_PORT

AUTH0_CLIENT_ID

AUTH0_CLIENT_SECRET

AUTH0_DOMAIN

AUTH0_CALLBACK_URL

Benefits

Reduced Credential Exposure

Improved Security

Improved Maintainability

Separation of Configuration and Code

Environment Template Management

.env.example

SCGAIMS includes a:

.env.example

file to document required environment variables without exposing sensitive values.

Example:

DB_NAME=
DB_USER=
DB_PASSWORD=
DB_HOST=
DB_PORT=

AUTH0_CLIENT_ID=
AUTH0_CLIENT_SECRET=
AUTH0_DOMAIN=
AUTH0_CALLBACK_URL=

Security Benefits

The template approach allows developers to:

  • Configure environments consistently
  • Avoid committing secrets
  • Improve deployment repeatability

Secret Management

Current Approach

Secrets are managed using:

Environment Variables

and excluded from source control through:

.gitignore

Protected Secrets

Examples include:

Auth0 Client Secret

Database Passwords

Future API Keys

Future Access Tokens

Future Enhancements

Production deployments may leverage:

Azure Key Vault

AWS Secrets Manager

HashiCorp Vault

for enterprise-grade secret management.


Secure Development Practices

Input Validation

SCGAIMS validates:

  • Inventory quantities
  • Issue requests
  • Return requests
  • Investigation updates

before processing transactions.


Business Rule Enforcement

Business logic validation prevents:

Negative Quantities

Invalid Inventory Transactions

Invalid Investigation Updates

Unauthorized Operations

Auditability

All major business operations create audit records.

Examples include:

Inventory Issuance

Inventory Returns

Investigation Resolution

Inventory Updates

Security by Design

SCGAIMS incorporates security requirements directly into system design.

Examples include:

Accountability

Every transaction is traceable.


Auditability

Critical operations generate audit logs.


Authorization

Access is controlled through RBAC design.


Investigation Workflows

Discrepancies require formal review.


Database Security Practices

PostgreSQL

The SCGAIMS database utilizes PostgreSQL hosted through Supabase.


Security Controls

Implemented controls include:

Relational Constraints

Foreign Keys

Referential Integrity

Managed Hosting

Benefits

Data Integrity

Improved Reliability

Reduced Data Corruption

Improved Governance

Testing within DevSecOps

Postman API Validation

Postman was used to validate:

Inventory APIs

Issue Workflows

Return Workflows

Investigation Workflows

Audit Logging

Security Validation

Security-related tests included:

Discrepancy Validation

Inventory Validation

Invalid Input Testing

Audit Log Verification

Continuous Integration (CI)

Current State

CI pipeline implementation is currently planned.


Proposed GitHub Actions Workflow

Future pushes to the repository will automatically trigger validation workflows.

Example:

Developer Commit
|
v
GitHub Push
|
v
GitHub Actions
|
v
Automated Validation

Proposed Validation Activities

Dependency Installation

Syntax Validation

Automated Testing

Security Scanning

Deployment Validation

Static Application Security Testing (SAST)

CodeQL

Planned implementation includes GitHub CodeQL.

Purpose:

Static Application Security Testing

Security Benefits

CodeQL can assist in identifying:

Injection Vulnerabilities

Coding Errors

Unsafe Logic

Potential Security Defects

Proposed CI Pipeline Integration

Push Code
|
v
GitHub Actions
|
v
CodeQL Scan
|
v
Security Results

Dependency Security

Dependabot

Planned implementation includes Dependabot.


Purpose

Monitor project dependencies for known vulnerabilities.


Example Components

Django

Django REST Framework

Authlib

Python Packages

Benefits

Early Vulnerability Detection

Automated Update Recommendations

Supply Chain Risk Reduction

Supply Chain Security

Overview

Third-party software introduces potential security risks.

SCGAIMS addresses this by:

  • Monitoring dependencies
  • Utilizing reputable frameworks
  • Planning dependency scanning

Current Libraries

Examples include:

Django

Django REST Framework

psycopg2

Authlib

Identity Security

Auth0

Auth0 serves as the centralized Identity Provider (IdP).

Configured components include:

Auth0 Tenant

SCGAIMS API

SCGAIMS Web Application

Roles

Permissions

Users

Planned IAM Enhancements

Future security enhancements include:

Multi-Factor Authentication (MFA)

Step-Up Authentication

Conditional Access Controls

Security Logging and Monitoring

Audit Logging

Audit logging provides continuous visibility into system activity.

Examples include:

Inventory Issued

Inventory Returned

Investigation Resolved

Inventory Modified

Benefits

Incident Investigation

Forensic Analysis

Operational Oversight

Compliance Review

DevSecOps Maturity Assessment

Implemented

✅ Git Source Control

✅ GitHub Repository

✅ Environment Variables

✅ .env.example

✅ Secrets Removed from Source Code

✅ PostgreSQL Integration

✅ Audit Logging

✅ Business Rule Validation

✅ Postman API Testing

✅ Auth0 Configuration


In Progress

🔄 Auth0 Login Flow

🔄 Auth0 Callback Processing

🔄 Auth0 Logout Processing

🔄 Documentation Development


Planned

📌 GitHub Actions

📌 CodeQL

📌 Dependabot

📌 MFA Enforcement

📌 Step-Up Authentication

📌 Automated Deployment Validation

📌 Security Monitoring Enhancements


Alignment with Project Objectives

The DevSecOps implementation directly supports the project objective of improving accountability, auditability, and security governance within firearms and ammunition inventory management.

Implemented controls contribute to:

  • Improved transparency
  • Improved change management
  • Improved secret management
  • Improved software security
  • Improved operational accountability

Lessons Learned

Several important observations emerged during implementation:

  • Source control should be established early in a project lifecycle.
  • Environment variables significantly improve secret management.
  • Audit logging provides valuable accountability capabilities.
  • Security requirements are easier to implement when considered during design rather than after development.
  • Automated security validation can further improve system quality.

Conclusion

DevSecOps principles have been integrated into the design and development of SCGAIMS through the adoption of Git-based source control, secure configuration management, audit logging, environment variable management, secure coding practices, and planned security automation initiatives. While additional maturity improvements such as GitHub Actions, CodeQL, and Dependabot remain planned enhancements, the current implementation establishes a strong foundation for secure software development and operational governance throughout the system lifecycle.