FILE: materi-28.module

DevSecOps - Security Integration

Shift left security. Security at every CI/CD stage, not an afterthought.

RUNTIME: 26m LEVEL: advanced STATUS: ACTIVE

1. Shift Left Security

Traditional approach: security review at the end, which is slow and expensive when a bug is found that late. Shift left: security at every stage. Developers know the security risks from the start. Cheaper and faster.

2. Tools di Pipeline

SAST (Static Application Security Testing): SonarQube, Semgrep. DAST (Dynamic Application Security Testing): OWASP ZAP. SCA (Software Composition Analysis): Snyk, Dependabot. Container scanning: Trivy. Secret scanning: GitGuardian.
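What these tools have in common is that each one feeds a gate: the pipeline stage reads the scanner's findings and fails the build when a threshold is crossed. The script below is an added example (not code from this module or from any of the tools named) that shows that gate logic for two of the categories above: a simplified secret scan with regex rules, and a severity gate over an SCA/container report. The report entries, source files and vulnerability identifiers are constructed placeholders, not real advisories.

```python
"""Security gate for a CI pipeline stage (added example, not from the module).

Two checks run on every build:
  * secret scan: regex patterns over source files (what GitGuardian-style
    tools do, simplified);
  * dependency gate: fail the build when an SCA/container report lists a
    finding at or above a severity threshold (what Snyk/Trivy output feeds).
All inputs below are constructed samples so the script runs offline.
"""
import re
from dataclasses import dataclass

# Constructed findings, in the shape a scanner report is reduced to after parsing.
# The ids are placeholders, not real advisories.
SCA_REPORT = [
    {"id": "VULN-PLACEHOLDER-1", "package": "example-lib", "version": "1.2.0",
     "severity": "HIGH", "fixed_in": "1.2.4"},
    {"id": "VULN-PLACEHOLDER-2", "package": "other-lib", "version": "0.9.1",
     "severity": "LOW", "fixed_in": None},
]

# Constructed source files: one committed credential and one clean file.
SOURCE_FILES = {
    "config/settings.py": 'DB_URL = "postgres://app:S3cretPassw0rd@db.internal/app"\nDEBUG = False\n',
    "app/main.py": "def main():\n    return 'ok'\n",
}

SEVERITY_RANK = {"LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

# Patterns modelled on common secret-scanner rules (simplified).
SECRET_PATTERNS = {
    "url-with-password": re.compile(r"[a-z]+://[^:/\s]+:([^@\s]+)@"),
    "aws-access-key-id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private-key-block": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
}


@dataclass(frozen=True)
class SecretHit:
    path: str
    line: int
    rule: str


def scan_secrets(files: dict[str, str]) -> list[SecretHit]:
    """Run every secret rule over every line of every file."""
    hits = []
    for path, text in files.items():
        for lineno, line in enumerate(text.splitlines(), start=1):
            for rule, pattern in SECRET_PATTERNS.items():
                if pattern.search(line):
                    hits.append(SecretHit(path, lineno, rule))
    return hits


def blocking_findings(report: list[dict], threshold: str = "HIGH") -> list[dict]:
    """Findings whose severity is at or above the gate threshold."""
    floor = SEVERITY_RANK[threshold.upper()]
    return [f for f in report if SEVERITY_RANK.get(f["severity"].upper(), 0) >= floor]


def security_gate(files: dict[str, str], report: list[dict],
                  threshold: str = "HIGH") -> tuple[bool, list[str]]:
    """Return (passed, messages). Any secret or any finding >= threshold fails the stage."""
    messages = []
    for hit in scan_secrets(files):
        messages.append(f"SECRET {hit.rule} at {hit.path}:{hit.line}")
    for f in blocking_findings(report, threshold):
        fix = f"upgrade to {f['fixed_in']}" if f["fixed_in"] else "no fix available"
        messages.append(f"{f['severity']} {f['id']} in {f['package']}@{f['version']} ({fix})")
    return (not messages, messages)


if __name__ == "__main__":
    import sys
    ok, msgs = security_gate(SOURCE_FILES, SCA_REPORT)
    for m in msgs:
        print(m)
    print("gate:", "PASS" if ok else "FAIL")
    sys.exit(0 if ok else 1)  # non-zero exit is what makes the CI stage go red
```

Run it as a pipeline step and the non-zero exit code fails the stage; the threshold argument is where a team decides whether MEDIUM findings block a merge or only warn, and the two LOW/HIGH entries in the sample show the difference.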

3. Compliance as Code

Security policy as code, not as documents. Open Policy Agent (OPA). InSpec. Every deploy is automatically checked for compliance. Note: SOC 2 and PCI DSS auditors love this.
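OPA policies are written in Rego, and the pattern they follow is simple: each rule inspects the deployment input and contributes a deny message, and the deploy proceeds only when the deny set is empty. The block below is an added example, not code from this module or from OPA, that reproduces that pattern in plain Python so it runs without an OPA binary. The manifest, the corrected manifest and the five controls are constructed illustrations; they are not the text of SOC 2 or PCI DSS.

```python
"""Compliance-as-code check run before deploy (added example, not from the module).

Mirrors the OPA/conftest pattern: each rule inspects the deployment manifest
and returns deny messages; an empty deny set means the deploy may proceed.
Written in plain Python, not Rego. Both manifests are constructed samples
following the Kubernetes Deployment field names.
"""

# Constructed manifest with several weak settings.
MANIFEST = {
    "kind": "Deployment",
    "metadata": {"name": "payments-api", "labels": {"team": "payments"}},
    "spec": {"template": {"spec": {"containers": [{
        "name": "api",
        "image": "registry.example.internal/payments-api:latest",
        "securityContext": {"privileged": True},
        "env": [{"name": "DB_PASSWORD", "value": "plaintext-secret"}],
    }]}}},
}

# The same workload with each weakness corrected.
FIXED_MANIFEST = {
    "kind": "Deployment",
    "metadata": {"name": "payments-api", "labels": {"team": "payments"}},
    "spec": {"template": {"spec": {"containers": [{
        "name": "api",
        "image": "registry.example.internal/payments-api:v1.4.2",
        "securityContext": {"privileged": False, "runAsNonRoot": True},
        "env": [{"name": "DB_PASSWORD",
                 "valueFrom": {"secretKeyRef": {"name": "payments-db", "key": "password"}}}],
    }]}}},
}


def containers(manifest: dict) -> list[dict]:
    return manifest.get("spec", {}).get("template", {}).get("spec", {}).get("containers", [])


# Each rule maps manifest -> list of deny messages. Adding a control = adding a function.
def deny_latest_tag(manifest: dict) -> list[str]:
    # An image with no tag at all defaults to :latest, so it is treated the same way.
    return [f"container '{c['name']}' uses a mutable image tag: {c['image']}"
            for c in containers(manifest)
            if c.get("image", "").endswith(":latest") or ":" not in c.get("image", "")]


def deny_privileged(manifest: dict) -> list[str]:
    return [f"container '{c['name']}' runs privileged"
            for c in containers(manifest)
            if c.get("securityContext", {}).get("privileged") is True]


def deny_root_user(manifest: dict) -> list[str]:
    return [f"container '{c['name']}' does not set runAsNonRoot: true"
            for c in containers(manifest)
            if c.get("securityContext", {}).get("runAsNonRoot") is not True]


def deny_inline_secret_env(manifest: dict) -> list[str]:
    sensitive = ("PASSWORD", "SECRET", "TOKEN", "KEY")
    return [f"container '{c['name']}' passes {e['name']} as a literal value; use a secret reference"
            for c in containers(manifest)
            for e in c.get("env", [])
            if "value" in e and any(s in e["name"].upper() for s in sensitive)]


def deny_missing_owner_label(manifest: dict) -> list[str]:
    if "team" not in manifest.get("metadata", {}).get("labels", {}):
        return ["metadata.labels.team is required for the ownership/audit trail"]
    return []


RULES = [deny_latest_tag, deny_privileged, deny_root_user,
         deny_inline_secret_env, deny_missing_owner_label]


def evaluate(manifest: dict, rules=RULES) -> list[str]:
    """Return the deny set; empty means compliant."""
    denials = []
    for rule in rules:
        denials.extend(rule(manifest))
    return denials


def is_compliant(manifest: dict) -> bool:
    return not evaluate(manifest)


if __name__ == "__main__":
    for d in evaluate(MANIFEST):
        print("DENY:", d)
    print("weak manifest compliant:", is_compliant(MANIFEST))
    print("fixed manifest compliant:", is_compliant(FIXED_MANIFEST))
```

The point for auditors is that the deny messages are the evidence: every deploy leaves a machine-readable record of which controls were evaluated and which passed, instead of a document that says the controls exist.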

4. Continuous Threat Modeling

Not a one-time exercise at design time. Every new feature gets a short threat model. Tools: OWASP Threat Dragon. Integrate it with the ticket system.

5. Security Champions

Not every developer becomes a security expert. Identify and train a champion in each team. They are the bridge to the security team. A multiplier for security culture organization-wide.

Practical Mission

  1. Add Snyk to a GitHub repo
  2. Set up SonarQube Cloud
  3. Run OWASP ZAP against staging
  4. Learn OPA Rego
  5. Identify a security champion in your team

Recap Module