Case Study: Design and Deployment of an AppSec Pipeline PoC (DevSecOps)
I led the design and rollout of an automated DevSecOps pipeline based on the OWASP blueprint. The goal? Stop security from being a bottleneck, bridge the gap between Dev and Sec, and make vulnerability management actually manageable.
My Role: Project Manager / Cybersecurity Engineer
Methodologies & Frameworks: OWASP AppSec Pipeline, Rugged DevOps, Agile/Scrum
Technologies: AVC (Application Vulnerability Correlators), SAST/DAST, Jira, GRC Tools
The Context
Traditional security processes and DevOps velocity don't usually get along. Security teams often slow things down, and developers get overwhelmed by automated reports full of false positives.
My mission with this Proof of Concept (PoC) was to prove we could automate security scans without driving the engineering teams crazy.
Pipeline Architecture
Instead of reinventing the wheel, I structured the pipeline into 4 logical phases to keep things lean and automated:
Intake: A single, clean entry point for all security requests via a standardized service catalog.
Triage: Automatically profiling the app to apply the right scanning rules (no wasted resources scanning things that don't need it).
Test: Running SAST and DAST scanners concurrently, pulling all raw data into one place.
Deliver: This is where the magic happens—turning raw vulnerabilities into actionable Jira tickets for devs, and sending high-level metrics to the GRC tools for the leadership team.
Key Focus Areas & Value Delivered
1. Killing the Noise with AVC (Application Vulnerability Correlation)
SAST and DAST scanners generate a massive amount of noise. To protect the developers' focus, I focused heavily on integrating an AVC tool.
The strategy was simple: deduplicate and correlate. If a static code scanner found a theoretical flaw, and a dynamic scanner proved it could actually be exploited in live tests, the tool flagged it as a high priority. No more alert fatigue; devs only worked on what was genuinely broken.
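To make the "deduplicate and correlate" step concrete, here is a small worked example of the logic an AVC stage performs. It is written for this write-up and is not the tool or code used on the project: the record layout, the (CWE, endpoint) join key, the assumption that the triage phase has already mapped source files to the routes they serve, and the P1/P2/P3 buckets are all assumptions chosen for illustration, and the SAST/DAST records are constructed sample data.

```python
"""Toy application-vulnerability correlator (AVC): deduplicate static findings,
join them with dynamic findings on (CWE, endpoint) and rank the result so that
only unique, confirmed issues reach the developers' backlog.
All sample records and field names are constructed for this example."""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed SAST output. The first two entries are two static rules firing
# on the same line (typical scanner noise); the correlator must collapse them.
# 'endpoint' is assumed to be filled in by the triage phase, which maps source
# files to the routes they serve (None = no route, e.g. a config file).
SAST_FINDINGS = [
    {"cwe": "CWE-89", "file": "app/orders.py", "line": 42, "endpoint": "/api/orders",
     "severity": "medium", "title": "SQL built by string concatenation"},
    {"cwe": "CWE-89", "file": "app/orders.py", "line": 42, "endpoint": "/api/orders",
     "severity": "medium", "title": "Untrusted input reaches cursor.execute"},
    {"cwe": "CWE-79", "file": "app/profile.py", "line": 17, "endpoint": "/profile",
     "severity": "low", "title": "Unescaped value rendered in template"},
    {"cwe": "CWE-798", "file": "app/config.py", "line": 3, "endpoint": None,
     "severity": "high", "title": "Hard-coded credential"},
]

# Constructed DAST output: the dynamic scan reproduced the injection on
# /api/orders but saw nothing wrong on /profile.
DAST_FINDINGS = [
    {"cwe": "CWE-89", "endpoint": "/api/orders", "param": "id",
     "severity": "high", "title": "SQL injection via query parameter"},
    {"cwe": "CWE-1021", "endpoint": "/", "param": None,
     "severity": "low", "title": "Missing clickjacking protection header"},
]


@dataclass
class Correlated:
    cwe: str
    endpoint: Optional[str]
    title: str
    sources: Tuple[str, ...]    # which scanners reported it, sorted
    locations: Tuple[str, ...]  # file:line for SAST, endpoint?param for DAST
    priority: str               # P1 = both scanners agree, P2 = high single-source, P3 = rest


def dedupe_sast(findings: List[dict]) -> List[dict]:
    """Collapse repeated findings on the same (cwe, file, line); keep the first title."""
    seen: Dict[Tuple[str, str, int], dict] = {}
    for f in findings:
        seen.setdefault((f["cwe"], f["file"], f["line"]), f)
    return list(seen.values())


def correlate(sast: List[dict], dast: List[dict]) -> List[Correlated]:
    """Join SAST and DAST on (cwe, endpoint). A match means a static flaw was
    reproduced at runtime, so it becomes P1; everything else is ranked by the
    reporting scanner's own severity."""
    groups: Dict[Tuple[str, Optional[str]], dict] = {}

    def bucket(cwe: str, endpoint: Optional[str]) -> dict:
        return groups.setdefault((cwe, endpoint),
                                 {"titles": [], "sources": set(), "locs": [], "sev": 0})

    for f in dedupe_sast(sast):
        g = bucket(f["cwe"], f["endpoint"])
        g["titles"].append(f["title"])
        g["sources"].add("sast")
        g["locs"].append(f"{f['file']}:{f['line']}")
        g["sev"] = max(g["sev"], SEVERITY_RANK[f["severity"]])
    for f in dast:
        g = bucket(f["cwe"], f["endpoint"])
        g["titles"].append(f["title"])
        g["sources"].add("dast")
        g["locs"].append(f"{f['endpoint']}?{f['param']}" if f["param"] else f["endpoint"])
        g["sev"] = max(g["sev"], SEVERITY_RANK[f["severity"]])

    out: List[Correlated] = []
    for (cwe, endpoint), g in groups.items():
        if {"sast", "dast"} <= g["sources"]:
            prio = "P1"
        elif g["sev"] >= SEVERITY_RANK["high"]:
            prio = "P2"
        else:
            prio = "P3"
        out.append(Correlated(cwe, endpoint, g["titles"][0],
                              tuple(sorted(g["sources"])), tuple(g["locs"]), prio))
    out.sort(key=lambda c: (c.priority, c.cwe))
    return out


def to_jira_issue(c: Correlated, project: str = "SEC") -> dict:
    """Shape one correlated finding as a ticket payload (field layout is assumed)."""
    return {
        "project": project,
        "summary": f"[{c.priority}] {c.cwe} at {c.endpoint or 'n/a'}: {c.title}",
        "description": "Reported by: " + ", ".join(c.sources)
                       + "\nLocations: " + "; ".join(c.locations),
        "priority": {"P1": "Highest", "P2": "High", "P3": "Medium"}[c.priority],
    }


def grc_metrics(items: List[Correlated]) -> Dict[str, int]:
    """Roll-up for the GRC dashboard: count per priority bucket plus totals."""
    m: Dict[str, int] = dict(Counter(c.priority for c in items))
    m["total"] = len(items)
    m["confirmed_by_both"] = sum(1 for c in items if c.priority == "P1")
    return m


if __name__ == "__main__":
    items = correlate(SAST_FINDINGS, DAST_FINDINGS)
    print(f"{len(SAST_FINDINGS) + len(DAST_FINDINGS)} raw findings -> {len(items)} tickets")
    for c in items:
        print(to_jira_issue(c)["summary"])
    print(grc_metrics(items))
```

Six raw findings collapse to four tickets, and only the SQL injection that both scanners agree on lands in the P1 bucket; a richer AVC would also carry scanner-specific confidence scores and a suppression list for accepted risks, but the join-and-rank core stays the same.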
2. Driving "Shift Left" via Threat Modeling
"Shift Left" is a buzzword, but we made it practical by bringing Threat Modeling into the initial design phase. By catching potential flaws during early technical spec reviews, we could write countermeasures straight into the Jira backlog before a single line of code was even written.
Leadership & Project Impact
As the DevSecOps Delivery Lead on this project, my job wasn't just about connecting APIs or tools; it was about managing people and expectations:
Cross-Team Collaboration: I sat between Product, Security, and Engineering—three teams that speak different languages—and made sure everyone was aligned on the roadmap and milestones.
Hands-on Advisory: I helped the DevOps team integrate these new security guardrails into their existing CI/CD pipelines smoothly, making sure we didn't add friction to their daily deployments.
Vendor & ROI Management: I handled the business side too—talking to software vendors, evaluating tool capabilities, and making sure the tech choices aligned with our actual budget and ROI.
Change Management: Tech is only 20% of the problem; culture is the other 80%. I ran the post-mortems and final retrospectives with stakeholders to show the value we created and pitch the plan for scaling this company-wide.
The Takeaway:
This project is a good reflection of how I work: I look at security through a product and engineering lens, focusing on automation, pragmatism, and building processes that people actually enjoy using.