DevSecOps
Overview
DevSecOps is the practice of integrating security into every phase of the Software Development Lifecycle (SDLC). Rather than treating security as a separate activity performed after development, DevSecOps incorporates security controls into planning, development, testing, deployment, and maintenance activities.
The Secure Controlled Guns and Ammunition Inventory Management System (SCGAIMS) was developed using DevSecOps principles to ensure that security, accountability, traceability, and governance considerations remain embedded throughout the development process.
Given the nature of the system and its focus on controlled firearms and ammunition accountability, secure development practices are a critical component of the overall solution.
DevSecOps Objectives
The DevSecOps strategy implemented for SCGAIMS focuses on:
- Secure software development
- Source code accountability
- Secure configuration management
- Vulnerability identification
- Security automation
- Continuous validation
- Secure deployment practices
DevSecOps Lifecycle
The SCGAIMS DevSecOps lifecycle consists of:
Plan
|
v
Develop
|
v
Build
|
v
Test
|
v
Secure
|
v
Deploy
|
v
Monitor
Security considerations are incorporated throughout all phases of this lifecycle.
Source Code Management
Git
Git was selected as the version control platform for SCGAIMS.
Benefits include:
- Source code versioning
- Change tracking
- Rollback capability
- Branching and merging
- Configuration management
Version Control Benefits
Git provides:
Traceability
Accountability
Change History
Collaboration
Recovery Capability
Repository Management
GitHub
SCGAIMS source code is maintained within a GitHub repository.
Repository Functions:
Source Code Storage
Version Control
Documentation Storage
Collaboration
Future CI/CD Integration
Repository Structure
The repository contains:
backend/
inventory/
docs/
manage.py
.env.example
.gitignore
README.md
Security Benefits
GitHub provides:
Change Auditing
Commit History
Centralized Storage
Developer Accountability
Secure Configuration Management
Overview
One of the most important security improvements implemented during development was the removal of sensitive credentials from application source code.
Environment Variables
Sensitive configuration values are stored using environment variables.
Examples include:
DB_NAME
DB_USER
DB_PASSWORD
DB_HOST
DB_PORT
AUTH0_CLIENT_ID
AUTH0_CLIENT_SECRET
AUTH0_DOMAIN
AUTH0_CALLBACK_URL
Benefits
Reduced Credential Exposure
Improved Security
Improved Maintainability
Separation of Configuration and Code
Environment Template Management
.env.example
SCGAIMS includes a:
.env.example
file to document required environment variables without exposing sensitive values.
Example:
DB_NAME=
DB_USER=
DB_PASSWORD=
DB_HOST=
DB_PORT=
AUTH0_CLIENT_ID=
AUTH0_CLIENT_SECRET=
AUTH0_DOMAIN=
AUTH0_CALLBACK_URL=
Security Benefits
The template approach allows developers to:
- Configure environments consistently
- Avoid committing secrets
- Improve deployment repeatability
Secret Management
Current Approach
Secrets are managed using:
Environment Variables
and excluded from source control through:
.gitignore
Protected Secrets
Examples include:
Auth0 Client Secret
Database Passwords
Future API Keys
Future Access Tokens
Future Enhancements
Production deployments may leverage:
Azure Key Vault
AWS Secrets Manager
HashiCorp Vault
for enterprise-grade secret management.
Secure Development Practices
Input Validation
SCGAIMS validates:
- Inventory quantities
- Issue requests
- Return requests
- Investigation updates
before processing transactions.
Business Rule Enforcement
Business logic validation prevents:
Negative Quantities
Invalid Inventory Transactions
Invalid Investigation Updates
Unauthorized Operations
Auditability
All major business operations create audit records.
Examples include:
Inventory Issuance
Inventory Returns
Investigation Resolution
Inventory Updates
Security by Design
SCGAIMS incorporates security requirements directly into system design.
Examples include:
Accountability
Every transaction is traceable.
Auditability
Critical operations generate audit logs.
Authorization
Access is controlled through RBAC design.
Investigation Workflows
Discrepancies require formal review.
Database Security Practices
PostgreSQL
The SCGAIMS database utilizes PostgreSQL hosted through Supabase.
Security Controls
Implemented controls include:
Relational Constraints
Foreign Keys
Referential Integrity
Managed Hosting
Benefits
Data Integrity
Improved Reliability
Reduced Data Corruption
Improved Governance
Testing within DevSecOps
Postman API Validation
Postman was used to validate:
Inventory APIs
Issue Workflows
Return Workflows
Investigation Workflows
Audit Logging
Security Validation
Security-related tests included:
Discrepancy Validation
Inventory Validation
Invalid Input Testing
Audit Log Verification
Continuous Integration (CI)
Current State
CI pipeline implementation is currently planned.
Proposed GitHub Actions Workflow
Future pushes to the repository will automatically trigger validation workflows.
Example:
Developer Commit
|
v
GitHub Push
|
v
GitHub Actions
|
v
Automated Validation
Proposed Validation Activities
Dependency Installation
Syntax Validation
Automated Testing
Security Scanning
Deployment Validation
Static Application Security Testing (SAST)
CodeQL
Planned implementation includes GitHub CodeQL.
Purpose:
Static Application Security Testing
Security Benefits
CodeQL can assist in identifying:
Injection Vulnerabilities
Coding Errors
Unsafe Logic
Potential Security Defects
Proposed CI Pipeline Integration
Push Code
|
v
GitHub Actions
|
v
CodeQL Scan
|
v
Security Results
Dependency Security
Dependabot
Planned implementation includes Dependabot.
Purpose
Monitor project dependencies for known vulnerabilities.
Example Components
Django
Django REST Framework
Authlib
Python Packages
Benefits
Early Vulnerability Detection
Automated Update Recommendations
Supply Chain Risk Reduction
Supply Chain Security
Overview
Third-party software introduces potential security risks.
SCGAIMS addresses this by:
- Monitoring dependencies
- Utilizing reputable frameworks
- Planning dependency scanning
Current Libraries
Examples include:
Django
Django REST Framework
psycopg2
Authlib
Identity Security
Auth0
Auth0 serves as the centralized Identity Provider (IdP).
Configured components include:
Auth0 Tenant
SCGAIMS API
SCGAIMS Web Application
Roles
Permissions
Users
Planned IAM Enhancements
Future security enhancements include:
Multi-Factor Authentication (MFA)
Step-Up Authentication
Conditional Access Controls
Security Logging and Monitoring
Audit Logging
Audit logging provides continuous visibility into system activity.
Examples include:
Inventory Issued
Inventory Returned
Investigation Resolved
Inventory Modified
Benefits
Incident Investigation
Forensic Analysis
Operational Oversight
Compliance Review
DevSecOps Maturity Assessment
Implemented
✅ Git Source Control
✅ GitHub Repository
✅ Environment Variables
✅ .env.example
✅ Secrets Removed from Source Code
✅ PostgreSQL Integration
✅ Audit Logging
✅ Business Rule Validation
✅ Postman API Testing
✅ Auth0 Configuration
In Progress
🔄 Auth0 Login Flow
🔄 Auth0 Callback Processing
🔄 Auth0 Logout Processing
🔄 Documentation Development
Planned
📌 GitHub Actions
📌 CodeQL
📌 Dependabot
📌 MFA Enforcement
📌 Step-Up Authentication
📌 Automated Deployment Validation
📌 Security Monitoring Enhancements
Alignment with Project Objectives
The DevSecOps implementation directly supports the project objective of improving accountability, auditability, and security governance within firearms and ammunition inventory management.
Implemented controls contribute to:
- Improved transparency
- Improved change management
- Improved secret management
- Improved software security
- Improved operational accountability
Lessons Learned
Several important observations emerged during implementation:
- Source control should be established early in a project lifecycle.
- Environment variables significantly improve secret management.
- Audit logging provides valuable accountability capabilities.
- Security requirements are easier to implement when considered during design rather than after development.
- Automated security validation can further improve system quality.
Conclusion
DevSecOps principles have been integrated into the design and development of SCGAIMS through the adoption of Git-based source control, secure configuration management, audit logging, environment variable management, secure coding practices, and planned security automation initiatives. While additional maturity improvements such as GitHub Actions, CodeQL, and Dependabot remain planned enhancements, the current implementation establishes a strong foundation for secure software development and operational governance throughout the system lifecycle.