DevSecOps — Interview Questions.

DevSecOps integrates security into every stage of the software lifecycle rather than bolting it on at the end — security becomes a shared responsibility, automated into the pipeline. Shift left means moving security checks earlier (into coding, commit, and build) where issues are cheaper and faster to fix, instead of discovering them in production or a late pen-test. Practically: IDE/pre-commit linting, SAST and dependency scanning in CI, image scanning before push, policy gates before deploy.

SAST (Static Application Security Testing) analyzes source code/bytecode without running it — finds insecure patterns (injection, hardcoded secrets) early; can be noisy. DAST (Dynamic) tests the running application from the outside (like an attacker) — finds runtime/config issues, fewer false positives but later in the cycle. SCA (Software Composition Analysis) scans third-party dependencies for known vulnerabilities (CVEs) and license issues. You use all three: SAST + SCA in CI, DAST against staging.

Give every user, service, and process only the minimum permissions needed to do its job, and no more — and ideally only for as long as needed. It limits the blast radius of a compromise: a leaked credential or hacked service can only touch what it was scoped to. In practice: scoped IAM roles per workload, no wildcard permissions, short-lived/dynamic credentials, and regular access reviews to remove unused grants.

Anything in a repo lives in its history forever (even after deletion) and is visible to everyone with access; anything in an image can be extracted by anyone who can pull it (layers are not encrypted). Leaked secrets are a top breach cause. Instead, inject secrets at runtime from a secrets manager (Vault, AWS Secrets Manager), use short-lived credentials/workload identity, and scan commits/images to catch accidental leaks.

A widely-referenced list of the most critical web application security risks, published by OWASP and updated periodically. Recent entries include Broken Access Control, Cryptographic Failures, Injection, Insecure Design, Security Misconfiguration, Vulnerable/Outdated Components, Identification & Authentication Failures, Software/Data Integrity Failures, Logging & Monitoring Failures, and SSRF. It's a baseline checklist for what to test and design against.

Moving security earlier (design, IDE, CI) so issues are caught and fixed cheaply, not in production.

SAST scans source, DAST tests the running app externally, SCA finds vulnerable/licensed dependencies.

Software Bill of Materials — a full component inventory so you instantly find exposure when a CVE drops.

Encoding security/compliance rules as code (OPA/Rego, Kyverno) enforced automatically in pipelines/clusters.

Granting only the minimum permissions needed, shrinking blast radius if compromised.

A tool (gitleaks/trufflehog) detecting credentials in code/history, ideally pre-commit and in CI.

Minimal base, non-root user, dropped capabilities, read-only FS, no baked secrets, regular patching.

Never trust by network location; authenticate+authorize every request, assume breach, verify explicitly.

A CVE is a catalogued vuln; CVSS scores severity — but real risk also depends on exploitability and exposure.

Cryptographically signing builds (Sigstore/cosign) so consumers verify provenance/integrity, blocking tampered images.

Layered gates: pre-commit — secret scanning, linting. Build/CI — SAST on code, SCA/dependency scanning (and license check), IaC scanning (tfsec/checkov), secret scanning again. Image — container image vulnerability scan (Trivy/Grype) + generate an SBOM, sign the image (cosign). Pre-deploy — policy-as-code gate (OPA/Kyverno) verifying image is signed, scanned, no critical CVEs, follows config rules. Post-deploy — DAST against staging, runtime monitoring. Gates should fail builds on critical findings but be tuned to avoid alert fatigue (risk-based thresholds).

Start from a minimal base (distroless/slim) to shrink the attack surface; use multi-stage builds so no build tools ship. Run as a non-root user, read-only root filesystem, drop Linux capabilities, no setuid binaries. Pin base image digests and dependency versions. Scan for CVEs in CI and continuously (new CVEs appear for old images). Don't bake in secrets. Sign images (cosign) and verify signatures at deploy. Generate and store an SBOM. Keep images small and rebuilt/patched regularly.

Expressing security/compliance rules as version-controlled, automatically-enforced code instead of wiki guidelines. Tools: OPA/Rego (general, Gatekeeper for k8s admission), Kyverno (k8s-native), Conftest (config/IaC), Sentinel (Terraform). It fits as a gate: at CI (reject non-compliant IaC/manifests), at the k8s admission controller (reject pods running as root, without resource limits, pulling unsigned images), and at deploy. Benefits: consistent, testable, auditable enforcement that scales beyond manual review.

Native k8s Secrets are only base64-encoded, so: enable encryption at rest for etcd, restrict access with tight RBAC (and disable broad get secrets), and prefer pulling from an external manager via the External Secrets Operator or the Secrets Store CSI driver (mount from Vault/AWS/GCP). Use workload identity (IRSA on EKS, Workload Identity on GKE) so pods assume roles instead of holding static keys. For GitOps, use sealed-secrets or SOPS so only the cluster can decrypt what's in Git. Rotate regularly and audit access.

An attacker compromises something upstream of your app — a dependency (typosquatting, malicious update), a build tool, or the CI system — so the malware ships through your trusted pipeline (e.g. SolarWinds, the xz backdoor). Defenses: pin and verify dependencies (lockfiles, checksums), use SCA to catch known-bad packages, generate and verify an SBOM, sign artifacts and verify signatures (cosign/Sigstore), enforce provenance/attestations (SLSA framework, in-toto) so you can prove how an artifact was built, harden and isolate CI runners (ephemeral, least-privilege, no long-lived creds), and require reviewed, protected branches.

Fail only on high/critical + fixable + reachable, baseline existing debt, suppress false positives with justification, surface issues in IDE/PR.

A framework of build provenance/integrity levels; with SBOM, signing, pinned deps, and hermetic builds it defends against tampered builds/deps.

External Secrets Operator/CSI from a manager, etcd encryption-at-rest, tight RBAC, workload identity over static keys, never plaintext in manifests.

PSA restricted, drop caps/non-root/read-only FS, network policies, and runtime detection (Falco) for anomalous syscalls.

Risk-rank by exploitability + reachability + exposure + data sensitivity, not raw CVSS; fix exploitable+exposed first.

CI exchanges a short-lived OIDC token for cloud creds per run, removing long-lived static secrets from the CI system.

Diagram data flows/trust boundaries, enumerate Spoofing/Tampering/Repudiation/Info-disclosure/DoS/Elevation per element, rate, mitigate.

Security across the whole lifecycle: design (threat model), code (SAST/secret), build (SCA/SBOM/sign), deploy (policy), runtime (detection) — not one gate.

Filters HTTP attacks (SQLi/XSS) at the edge — a useful stopgap/defense-in-depth, but not a substitute for fixing the underlying vulnerability.

Mutual TLS authenticates both client and server with certs — used in service meshes/zero-trust for encrypted, authenticated service-to-service traffic.

Zero trust = "never trust, always verify"; drop the idea of a trusted internal network. Every request is authenticated, authorized, and encrypted regardless of origin. Components: strong identity for users (MFA, SSO) and services (mTLS, SPIFFE/SPIRE workload identity); least-privilege, context-aware authorization on every call (not just at the perimeter); micro-segmentation (k8s NetworkPolicies, service mesh mTLS) so services can only reach what they need; encrypt everything in transit and at rest; continuous verification and logging of device/posture; and short-lived credentials. In practice a service mesh (Istio/Linkerd) provides mTLS + policy between services, an identity-aware proxy fronts apps, and policy-as-code enforces the rules. The mindset: assume breach, verify every hop, minimize blast radius.

(1) Assess: confirm severity/exploitability and whether you're actually affected (which versions, is the vulnerable code path reachable, is it internet-facing). (2) Inventory: use your SBOM/SCA to find every service and image using the library — this is why you maintain an SBOM. (3) Mitigate now: apply the vendor mitigation/WAF rule/flag to buy time if you can't patch instantly; prioritize internet-facing and high-value systems. (4) Remediate: bump the dependency, rebuild, scan, and roll out through the pipeline (canary where possible). (5) Detect: check logs/IDS for exploitation attempts during the exposure window; assume compromise on exposed systems and investigate. (6) Communicate with stakeholders, and (7) postmortem: how fast could you find affected systems and ship a fix? Improve SBOM coverage, patch automation, and mean-time-to-remediate.

The failure mode is gates so noisy/slow that teams bypass or ignore them. Principles: risk-based enforcement — block on critical/high with known exploits and on internet-facing services; warn (don't block) on low/medium and tune out false positives so signal stays high. Make security fast and self-service — pre-commit/IDE feedback, paved-road templates that are secure by default, fast scans. Give developers context and fixes, not just findings (auto-PRs for dep bumps, links to remediation). Track mean-time-to-remediate and false-positive rate as first-class metrics, have an exception process with expiry and owner, and embed security champions in teams. Security that's frictionless gets adopted; security that's a wall gets routed around.

SLSA (Supply-chain Levels for Software Artifacts) is a framework of increasing assurance levels for build integrity. Provenance is verifiable, tamper-evident metadata describing how an artifact was built — what source commit, which builder, what inputs — generated by the build system and signed. It matters because it lets you prove an artifact came from your trusted pipeline and wasn't swapped or built from unreviewed code. Higher SLSA levels require an isolated, hosted build service, non-falsifiable provenance, and hermetic/reproducible builds. Combined with signing (Sigstore/cosign) and admission policies that verify provenance before deploy, it closes the gap a supply-chain attacker would exploit.

Defense in depth across layers. Cluster/control plane: restrict API server access, RBAC least-privilege, audit logging, encrypt etcd, keep versions patched, CIS benchmark. Workloads: Pod Security Standards / admission policies (no root, no privileged, drop caps, read-only FS, resource limits), verify signed images, scan images. Network: default-deny NetworkPolicies + segmentation, service mesh mTLS for east-west encryption, restrict egress. Identity/secrets: workload identity (IRSA), external secrets, no static cloud keys. Supply chain: admission gate requiring scanned + signed images with provenance. Runtime: detection (Falco) for anomalous syscalls, drift detection. Multi-tenancy: namespaces + quotas + policies, or separate clusters for strong isolation. Continuously assess with kube-bench/kube-hunter.

Pinned+verified deps, SBOM, signed commits, hermetic reproducible builds, signed artifacts+provenance, admission control allowing only signed images, least-privilege CI.

SBOM to find exposure, assess exploitability, patch or mitigate (WAF/disable/network-isolate), rebuild+redeploy, rotate exposed secrets, rescan.

Policy-as-code gates, automated evidence collection, immutable audit trails, separation of duties, continuous control monitoring vs point-in-time audits.

Central vault, runtime injection, per-service workload identity, short-lived/dynamic creds, rotation, audit, per-env isolation, encryption everywhere, repo/CI scanning.

Role-based + attribute-based access, JIT/temporary elevation, regular access reviews/recertification, automated detection of over-permissioning, and default-deny.

Paved-road golden paths with security built in (signed base images, scanned pipelines, policy guardrails), self-service within guardrails, and least-privilege by default.

Runtime sensors (Falco/eBPF) on syscalls/network, EDR, SIEM correlation, anomaly detection, automated containment playbooks, and tested IR runbooks.

Centralized SBOM inventory, continuous scanning, risk-based SLAs by severity+exposure, automated dependency PRs (Dependabot/Renovate), and dashboards/ownership.

A signed statement about how an artifact was built (provenance); verified at deploy via policy (cosign/Rekor transparency log) so only attested artifacts run.

Scan IaC (tfsec/Checkov) in CI, policy-as-code (OPA/Sentinel) on plans, least-privilege state access, no secrets in code/state, and reviewed+gated applies.

Don't panic-patch blindly. Assess exploitability + exposure: is the vulnerable component actually reachable/used, is the service internet-facing, is there a known exploit? That sets urgency. If exploitable and exposed → mitigate (WAF rule, disable feature, network-restrict) and patch (bump base image / dependency, rebuild, redeploy through the pipeline). If low exploitability, schedule it. Track it, communicate, and verify with a rescan. Have an SBOM so you instantly know if/where you're affected.

Tune the gate, don't remove it. Fail the build only on high/critical + fixable + reachable findings; warn (non-blocking) on the rest. Establish a baseline so existing debt doesn't block new work, and triage/suppress false positives with justification. Shift left — surface issues in IDE/PR so they're fixed early, not at the gate. Give devs clear remediation guidance. Security that's pure noise gets ignored or bypassed; make it signal.

Rotate immediately — assume it's compromised. Revoke the old credential, remove it from code + history, and move it to a secrets manager injected at runtime. Then add pre-commit secret scanning and a CI gate so it can't happen again, and check access logs for misuse during exposure. Prevention > cleanup.

Use your SBOM to find every place that dependency (and version) is used. Isolate: pin to a known-good version or remove it, rebuild, and verify artifact signatures/provenance (SLSA, Sigstore). Check for indicators of compromise (unexpected network calls, postinstall scripts), rotate any secrets the build had access to, and audit what shipped. Long-term: pin + verify dependencies, lock files, signed artifacts, and restrict build-time network/permissions.

Least-privilege runners and OIDC/workload identity instead of long-lived static cloud creds. Secrets from a vault, never in repo/env files. Scan gates: SAST, dependency/SCA, secret scan, image scan — tuned to fail on real risk. Sign artifacts and track provenance (build once, promote the same signed image). Policy-as-code (OPA/Kyverno) for deploy rules. Branch protection + required reviews, immutable tags, and an audit trail. Separate build (push) from deploy (GitOps pull).

Root in the container + a container escape = root on the node — much bigger blast radius. Fix: run as a non-root user (USER in Dockerfile, runAsNonRoot), drop capabilities (drop ALL, add only what's needed), read-only root filesystem, no privilege escalation, and enforce it cluster-wide with Pod Security Admission (restricted) or a policy engine so non-compliant pods are rejected. Defense in depth — assume the app can be compromised.

Stopgap: validate/block outbound + WAF. Fix: allowlist destinations, block redirects to internal IPs/metadata, enforce IMDSv2; audit data accessed.

Switch to minimal/distroless (kills most), patch the rest, suppress non-reachable/non-fixable with justification, gate only on exploitable high/critical.

Rotate/revoke now, scrub logs, move to OIDC short-lived creds + masked secrets, audit usage, add secret scanning.

Make the gate fast + low-noise, enforce via branch protection (can't bypass), and educate — it must earn trust, not get circumvented.

SBOM to find usages, pin safe/remove, rebuild, rotate build secrets, check IOCs (postinstall/network), add provenance verification + lockfiles.

Identify need (usually none), refactor to non-root + dropped caps + read-only FS, test in staging, enforce restricted PSA so new privileged pods are rejected.

Least privilege + JIT access, DLP + anomaly detection on access volume/egress, audit logging, separation of duties — assume creds can be misused.

History-wide secret scanning across all repos, rotate any found, add pre-commit + CI gates, centralize in a manager.

Risk-based: if exploitable+exposed, mitigate now (WAF/isolate/disable) while testing the fix; if low risk, schedule the patch.

Minimal distroless, non-root, pinned, signed; pipeline with SAST/SCA/secret/image scans, SBOM, artifact signing, OIDC creds, admission control for signed-only.