Jet Mariano

DevSecOps Comeback: A Beginner-Friendly 30-Day Guided Lab

Written by

jetnmariano

in

DevSecOps at Payforward. AWS pipelines. Security built into every deployment.

DevSecOps may sound complex, but at its core it is simple:

  • Write code
  • Store it in Git
  • Automate build and test
  • Scan for vulnerabilities
  • Deploy securely

This guide walks step by step, assuming only basic familiarity with Git, Azure, YAML, and Python.

No assumptions. No shortcuts.

Before Starting: Required Foundations

1. Basic Git Understanding

Git is version control.

Think of it as a time machine for code.

Common commands:

git init
git add .
git commit -m "Initial commit"
git push

What this means:

  • git init creates a repository
  • git add . stages changes
  • git commit saves a snapshot
  • git push sends changes to Azure DevOps or GitHub

In DevSecOps, Git is the source of truth.

If it’s not in Git, it doesn’t exist.

2. Basic Azure Comfort

In Azure DevOps, there are:

  • Repos (code lives here)
  • Pipelines (automation runs here)
  • Artifacts (build output stored here)

The workflow:

Code → Push → Pipeline Runs → Security Checks → Artifact Produced

No manual deployments.

3. Understanding YAML (Very Important)

YAML is just structured configuration.

Example:

trigger:
  branches:
    include:
      - main

This simply means:

“When code is pushed to main branch, run the pipeline.”

Another example:

pool:
  vmImage: windows-latest

This means:

“Use a Microsoft-hosted Windows machine to run tasks.”

YAML is not programming.
It is instructions.

Indentation matters.
Spacing matters.
No tabs.

4. Light Python Example

Create a simple app.

app/app.py

from flask import Flask

app = Flask(__name__)

@app.get("/")
def home():
    return "Secure automation is running"

if __name__ == "__main__":
    app.run(host="0.0.0.0", port=8080)

requirements.txt

flask==3.0.3

Simple. Clean. Testable.

The DevSecOps Analogy: Snake and Eagle

In nature, a snake can overpower an eagle by wrapping tightly and applying controlled pressure.

In DevSecOps:

  • The eagle represents risk, exposure, and vulnerabilities.
  • The snake represents automation, discipline, and enforcement.

Manual processes allow risk to fly freely.

Automated pipelines wrap around code changes, applying consistent pressure:

  • Tests must pass.
  • Vulnerabilities must be scanned.
  • Secrets must not leak.

Automation constrains risk.

That is DevSecOps.

Week 1: Build and Test Pipeline

azure-pipelines.yml

trigger:
  branches:
    include:
      - main

pool:
  vmImage: windows-latest

variables:
  PythonVersion: "3.11"

steps:
- task: UsePythonVersion@0
  inputs:
    versionSpec: "$(PythonVersion)"
    addToPath: true

- powershell: |
    python -m pip install --upgrade pip
    pip install -r app/requirements.txt
    pip install pytest
  displayName: Install dependencies

- powershell: |
    pytest -q
  displayName: Run tests

- powershell: |
    pip install pip-audit
    pip-audit -r app/requirements.txt
  displayName: Dependency vulnerability scan

- task: PublishBuildArtifacts@1
  inputs:
    PathtoPublish: "$(Build.SourcesDirectory)"
    ArtifactName: "drop"

What this does:

  1. Installs Python
  2. Installs dependencies
  3. Runs tests
  4. Scans for vulnerabilities
  5. Publishes artifact

That is secure automation.

Week 2: Secrets and Azure Key Vault

Never store passwords in code.

Instead:

  • Create Azure Key Vault
  • Store secret there
  • Use service connection
  • Pull secret during pipeline run

This ensures:

No plaintext secrets.
No hardcoded credentials.
No manual copy-paste errors.

Week 3: Infrastructure as Code

Choose Bicep.

Example:

resource storage 'Microsoft.Storage/storageAccounts@2023-01-01' = {
  name: 'devsecopslabstorage'
  location: resourceGroup().location
  sku: {
    name: 'Standard_LRS'
  }
  kind: 'StorageV2'
}

Infrastructure becomes code.
Code becomes version-controlled.
Version-controlled systems become predictable.

Week 4: Containerization

Dockerfile example:

FROM python:3.11-slim
WORKDIR /app
COPY app/requirements.txt .
RUN pip install -r requirements.txt
COPY app .
CMD ["python", "app.py"]

Push image to Azure Container Registry.
Deploy through pipeline.

Now the system is portable, secure, and repeatable.

Final Perspective

DevSecOps is not about complexity.

It is about control.

Manual deployment allows risk to fly.
Automation constrains risk.

The snake does not move randomly.
It moves deliberately.

Secure pipelines do the same.

Begin small.
Automate consistently.
Enforce security early.

Edge returns with repetition.

© 2012–2026 Jet Mariano. All rights reserved.
For usage terms, please see the Legal Disclaimer.

More posts

error: Content is protected !!