Azure DevSecOps - Digital Lending
- Anand Nerurkar
- 3 days ago
- 2 min read
“We shift-left with Veracode SAST & SCA in the build; block on policy.
We secure containers before pushing to ACR.
We deploy to AKS-Test and run Veracode DAST on the live endpoints, plus IAST for deep runtime findings.
Pre-prod adds canary and full DAST, then promote to active-active AKS prod behind Front Door → App Gateway → APIM.
Azure Policy/Blueprints enforce private endpoints and zero-trust.
All results feed back into work items with MTTR and risk score dashboards.”
```text
┌─────────────────────────────────────────────────────────────────────────────┐
│ DIGITAL LENDING – DEVSECOPS (AZURE)                                         │
│ Microservices: KYC | CreditScore | LoanEval | Disbursement                  │
└─────────────────────────────────────────────────────────────────────────────┘

Developers
    │ (Git push)
    ▼
┌────────────────────────┐    Pre-commit/PR checks
│ Source Repos (Git)     │──► Secret Scan (git-secrets/trufflehog)
│ (Azure Repos/GitHub)   │    Lint + Unit Tests (fast)
└────────────────────────┘    SonarQube Quality Gate
    │
    ▼  CI trigger
┌─────────────────────────────────────────────────────────────────────────────┐
│ CI / BUILD STAGE                                                            │
├─────────────────────────────────────────────────────────────────────────────┤
│ Compile + Unit Tests + Coverage                                             │
│ Veracode SAST ──► static code analysis (block on High/Critical)             │
│ Veracode SCA  ──► third-party/CVE scan (policy gate)                        │
│ SBOM Generate ──► CycloneDX (artifact attach)                               │
└─────────────────────────────────────────────────────────────────────────────┘
    │ (Policy Gate: fail on violations)
    ▼
┌─────────────────────────────────────────────────────────────────────────────┐
│ CONTAINERIZATION STAGE                                                      │
├─────────────────────────────────────────────────────────────────────────────┤
│ Docker Build (each svc) → Tag                                               │
│ Container Scan (Trivy/Veracode Container Security) → block on Critical      │
│ Push signed images → Azure Container Registry (ACR) (ADO task + cosign)     │
└─────────────────────────────────────────────────────────────────────────────┘
    │
    ▼
┌─────────────────────────────────────────────────────────────────────────────┐
│ DEPLOY TO TEST (AKS-TEST)                                                   │
├─────────────────────────────────────────────────────────────────────────────┤
│ Helm/Kustomize deploy → AKS (private subnet)                                │
│ Istio/Linkerd (mTLS) + Pod Security                                         │
│ OPA/Gatekeeper (admission policy)                                           │
│ Secrets via Key Vault + Workload Identity                                   │
└─────────────────────────────────────────────────────────────────────────────┘
    │
    ├──────────────► Runtime Tests: Smoke + Integration + Contract (PACT)
    │
    ├──────────────► Veracode DAST (against API endpoints via APIM/test URL)
    │                  - OWASP Top 10, auth, headers, SSRF/XSS/SQLi
    │
    ├──────────────► Veracode IAST Agent (optional) observes real test traffic
    │                  - finds deep runtime vulns/dataflows in services
    │
    ├──────────────► Infra-as-Code Scan (Terraform/Bicep → Checkov/Terraform-validate)
    │
    ├──────────────► Compliance Bundle: SAST+SCA+DAST+IAST+Container reports
    │                  (publish to Azure DevOps + ticket auto-create on fail)
    │
    │ (Manual/Automated Approval Gate: Security + QA sign-off)
    ▼
┌─────────────────────────────────────────────────────────────────────────────┐
│ STAGE / PRE-PROD (AKS-STAGE)                                                │
├─────────────────────────────────────────────────────────────────────────────┤
│ Blue/Green or Canary with Istio traffic split                               │
│ Repeat: DAST (full) + Performance/Soak + Chaos tests                        │
│ Policy Gate: Only proceed if risk score ≤ threshold                         │
└─────────────────────────────────────────────────────────────────────────────┘
    │
    ▼
┌─────────────────────────────────────────────────────────────────────────────┐
│ PROD DEPLOY (AKS-PROD – ACTIVE/ACTIVE)                                      │
├─────────────────────────────────────────────────────────────────────────────┤
│ Regions: South India & West India                                           │
│ Ingress: Front Door (WAF) → App Gateway (WAF) → APIM (private) → AKS        │
│ Data: SQL MI (private EP), Cosmos DB (multi-region), Kafka/Event Hubs, Redis│
│ Post-deploy: App Insights/Log Analytics, Defender for Cloud, WAF logs       │
│ Optional: Veracode RASP for runtime protection                              │
└─────────────────────────────────────────────────────────────────────────────┘
    │
    ▼
┌─────────────────────────────────────────────────────────────────────────────┐
│ FEEDBACK / GOVERNANCE / CONTINUOUS IMPROVEMENT                              │
├─────────────────────────────────────────────────────────────────────────────┤
│ Azure Policy + Blueprints: enforce private endpoints, tags, NSGs            │
│ CVE/Vuln tickets auto-created (ADO Boards/Jira)                             │
│ Mean Time to Remediate (MTTR) & Risk burn-down dashboards                   │
└─────────────────────────────────────────────────────────────────────────────┘
```
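As an added example (not code from the original post), here is how the diagram's first three stages, CI/Build, Containerization and Deploy to Test, map onto an Azure Pipelines definition, with every policy gate written as a step that fails the run. The service name, variable group, ACR login server, service-connection names, chart path and test URL are placeholders, the build assumes a Maven service with `pipeline-scan.jar` and the `srcclr` agent already on the build agent, and the Veracode and Trivy CLI flags are written from their public documentation and should be checked against current versions.

```yaml
# Added example, not from the original post: Azure Pipelines skeleton for the
# CI/Build -> Containerization -> Deploy-to-Test stages of the diagram.
# Placeholders: variable group, ACR login server, service connections, paths, URL.
trigger:
  branches:
    include: [main]

variables:
- group: digital-lending-secrets      # assumed: holds VERACODE_API_ID, VERACODE_API_KEY, COSIGN_PRIVATE_KEY
- name: acrLoginServer
  value: lendingacr.azurecr.io        # placeholder ACR login server
- name: imageTag
  value: $(Build.BuildId)

stages:
- stage: Build
  displayName: CI / Build (SAST + SCA + SBOM gates)
  jobs:
  - job: build
    pool: { vmImage: ubuntu-latest }
    steps:
    - script: mvn -B -q package
      displayName: Compile, unit tests, coverage
    - script: |
        # Pipeline Scan exits non-zero when flaws at the listed severities exist,
        # which fails this step and therefore the whole stage (the policy gate)
        java -jar pipeline-scan.jar \
          --veracode_api_id "$(VERACODE_API_ID)" \
          --veracode_api_key "$(VERACODE_API_KEY)" \
          --file target/kyc-service.jar \
          --fail_on_severity "Very High, High"
      displayName: Veracode SAST gate (block on High/Critical)
    - script: srcclr scan . --allow-dirty
      displayName: Veracode SCA gate (third-party/CVE policy)
    - script: syft dir:. -o cyclonedx-json > $(Build.ArtifactStagingDirectory)/sbom.cdx.json
      displayName: Generate CycloneDX SBOM
    - task: PublishPipelineArtifact@1
      inputs:
        targetPath: $(Build.ArtifactStagingDirectory)
        artifact: sbom-and-reports

- stage: Containerize
  dependsOn: Build                    # a failed Build gate means no image is ever built
  jobs:
  - job: image
    pool: { vmImage: ubuntu-latest }
    steps:
    - task: Docker@2
      displayName: Build image
      inputs:
        command: build
        repository: kyc-service
        dockerfile: services/kyc/Dockerfile
        tags: $(imageTag)
    - script: trivy image --exit-code 1 --severity CRITICAL kyc-service:$(imageTag)
      displayName: Container scan gate (block on Critical)
    - task: Docker@2
      inputs:
        command: login
        containerRegistry: acr-lending   # placeholder Docker registry service connection
    - script: |
        img="$(acrLoginServer)/kyc-service:$(imageTag)"
        docker tag "kyc-service:$(imageTag)" "$img"
        docker push "$img"
        # Sign the immutable digest, not the mutable tag, so the signature
        # cannot later be associated with a different image
        digest=$(docker inspect --format='{{index .RepoDigests 0}}' "$img")
        cosign sign --yes --key env://COSIGN_KEY "$digest"
      env:
        COSIGN_KEY: $(COSIGN_PRIVATE_KEY)   # secret variable mapped explicitly into this step only
      displayName: Push signed image to ACR

- stage: DeployTest
  dependsOn: Containerize
  jobs:
  - deployment: aks_test
    environment: aks-test             # approvals and checks are attached to this ADO environment
    pool: { vmImage: ubuntu-latest }
    strategy:
      runOnce:
        deploy:
          steps:
          - task: HelmDeploy@0
            inputs:
              connectionType: Azure Resource Manager
              azureSubscription: sc-lending-test   # placeholder ARM service connection
              azureResourceGroup: rg-lending-test
              kubernetesCluster: aks-lending-test
              command: upgrade
              chartType: FilePath
              chartPath: charts/kyc-service
              releaseName: kyc-service
              install: true
              overrideValues: image.repository=$(acrLoginServer)/kyc-service,image.tag=$(imageTag)
          - script: checkov -d infra/ --framework terraform
            displayName: IaC scan gate (Checkov)
          - script: curl -fsS https://apim-lending-test.example.net/kyc/health
            displayName: Smoke test before DAST/IAST run against the test URL
```

The property worth checking in a pipeline like this is that each gate is a hard failure in an earlier stage: `dependsOn` means a build with High/Critical SAST findings never produces an image, and an image with Critical container findings is never pushed or signed. The DAST and IAST runs from the diagram are triggered against the test URL after the smoke test; their invocation is organisation-specific and is not shown here.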
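The "OPA/Gatekeeper (admission policy)" box is the control that keeps anything other than the scanned, signed ACR images from running in AKS-Test, so it is worth showing what that policy looks like. The following is an added example (not from the post), modeled on the public gatekeeper-library allowed-repos template: a ConstraintTemplate plus a Constraint that denies any Pod whose containers or init containers are pulled from a registry other than the named ACR. The ACR login server is a placeholder.

```yaml
# Added example, not from the original post: Gatekeeper admission policy that
# restricts Pod images to one ACR (placeholder login server in the Constraint).
apiVersion: templates.gatekeeper.sh/v1
kind: ConstraintTemplate
metadata:
  name: k8sallowedregistry
spec:
  crd:
    spec:
      names:
        kind: K8sAllowedRegistry
      validation:
        openAPIV3Schema:
          type: object
          properties:
            registry:
              type: string
  targets:
  - target: admission.k8s.gatekeeper.sh
    rego: |
      package k8sallowedregistry

      # Collect app containers and init containers so both are checked
      all_containers[c] { c := input.review.object.spec.containers[_] }
      all_containers[c] { c := input.review.object.spec.initContainers[_] }

      violation[{"msg": msg}] {
        c := all_containers[_]
        not startswith(c.image, input.parameters.registry)
        msg := sprintf("container %v uses image %v, which is not from %v",
                       [c.name, c.image, input.parameters.registry])
      }
---
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sAllowedRegistry
metadata:
  name: images-from-lending-acr
spec:
  enforcementAction: deny           # use "dryrun" first to see what would be rejected
  match:
    kinds:
    - apiGroups: [""]
      kinds: ["Pod"]
    excludedNamespaces: ["kube-system", "gatekeeper-system"]
  parameters:
    registry: "lendingacr.azurecr.io/"   # placeholder; the trailing slash stops prefix tricks like lendingacr.azurecr.io.evil.example
```

Two caveats a reviewer would raise: the registry check alone does not prove the image was signed in the pipeline, so verifying the cosign signature at admission needs an additional component (for example Ratify as a Gatekeeper external-data provider, or Kyverno), and the Constraint should be rolled out with `enforcementAction: dryrun` and the audit results reviewed before switching to `deny`, so that existing workloads in AKS-Test are not blocked by surprise.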