TL;DR: DevSecOps moves security into planning, design, and CI/CD execution so teams can catch vulnerabilities, secret leakage, and certificate risks earlier, while the source article also cites Gartner’s finding that 60% of respondents consider the transition technically challenging. The governance change matters because speed without embedded controls turns delivery pipelines into exposure pipelines.
At a glance
What this is: This is a DevSecOps analysis that argues security must be embedded across CI/CD, secret detection, and PKI automation rather than added after development.
Why it matters: It matters because IAM, NHI, PAM, and workload identity teams increasingly have to govern certificates, secrets, and access controls inside delivery pipelines, not just in production.
By the numbers:
- Gartner found that 60% of respondents consider DevSecOps technically challenging.
👉 Read GlobalSign's analysis of DevSecOps, CI/CD security, and PKI automation
Context
DevSecOps is the practice of building security into software delivery from the start rather than treating it as a late-stage gate. In CI/CD environments, that shift matters because secrets, certificates, dependencies, and infrastructure definitions all carry identity and access risk that can be introduced long before code reaches production.
The article frames the problem correctly: fast delivery without embedded controls increases the chance that vulnerabilities, secret exposure, and certificate mismanagement will reach runtime. For identity programmes, the relevant question is not only whether code is secure, but whether the pipeline itself has governed access, rotation, and trust boundaries.
Key questions
Q: How should teams choose DevSecOps tools for CI/CD pipelines?
A: Start with the risk class you can catch earliest and with the least friction. Put IaC scanning in pull requests, dependency scanning in builds, container scanning in registries, and runtime detection in production. Then check whether each tool sends owner-ready findings into the workflow the engineering team already uses.
Q: Why do secrets and certificates create identity risk in delivery pipelines?
A: Secrets and certificates are machine identities that determine what a workload can prove and access. If they are hardcoded, copied across tools, or rotated manually, a pipeline can leak trusted credentials into production. That turns delivery infrastructure into an identity attack surface, not just a release mechanism.
Q: What do teams get wrong about shifting security left?
A: They often treat shift-left as a detection exercise instead of a governance change. Scanning is useful, but it does not fix over-permissioned builds, unmanaged secrets, or certificate lifecycles that are not owned end to end. Security only improves when controls are enforced in the workflow, not reported after the fact.
Q: How can organisations tell whether DevSecOps controls are actually working?
A: Look for fewer late-stage exceptions, faster remediation of found issues, and clear ownership for secrets, certificates, and pipeline permissions. If the team still depends on manual approvals or emergency fixes before deployment, security is still reactive. Effective DevSecOps produces traceable controls that keep pace with release frequency.
Technical breakdown
How security shifts left in CI/CD pipelines
Shifting security left means moving controls into design, code review, build, and deployment stages instead of waiting for a final audit. In practice, that includes threat modelling, secure coding requirements, dependency scanning, secret detection, policy checks, and automated certificate handling. The point is not to add friction, but to make security signals available while changes are still cheap to fix. That changes the operating model from reactive review to continuous verification inside the delivery flow.
Practical implication: security teams need enforceable pipeline gates, not end-of-cycle review queues.
Why secrets and certificate automation are identity problems
Secrets and certificates are identities in machine form. A service account token, API key, or certificate determines what a workload can access and how it proves itself to other systems. If those credentials are hardcoded, stored outside protected systems, or rotated manually, the pipeline becomes an identity-governance weakness. PKI automation reduces that risk by handling issuance, renewal, and revocation at machine speed, which is essential when containers, APIs, and microservices depend on short-lived trust.
Practical implication: treat pipeline secrets and certificates as governed identities with lifecycle controls, not static configuration.
What DevSecOps changes in the control plane
DevSecOps changes where control lives. Instead of relying on human checkpoints after development is complete, it embeds verification into tooling, policy, and automation. That makes access control, code integrity, build trust, and environment hygiene part of the same control plane. The article also hints at a common failure mode: teams adopt many point tools without a coherent security workflow, which creates blind spots even when individual checks exist.
Practical implication: map pipeline controls to a single policy model so identity, code, and runtime checks reinforce each other.
Threat narrative
Attacker objective: The attacker’s objective is to turn trusted delivery infrastructure into a path for code compromise, credential abuse, or production disruption.
- Entry occurs when vulnerable code, misconfigured cloud resources, exposed secrets, or weak access controls are introduced into the delivery pipeline before release.
- Escalation follows when leaked credentials, overly broad permissions, or unmanaged certificates allow an attacker or malicious insider to move from code access to environment access.
- Impact occurs when the pipeline pushes compromised artefacts, exposes sensitive data, or enables service disruption across production systems.
NHI Mgmt Group analysis
DevSecOps is now an identity governance issue, not just a software engineering practice. Once CI/CD pipelines issue, store, and validate machine credentials, they become part of the NHI control surface. That means IAM and PAM teams can no longer stop at human access reviews, because secrets, certificates, and service identities in delivery systems can create the same blast radius as privileged user accounts. Practitioners should govern the pipeline as an identity system, not an isolated engineering workflow.
Secrets sprawl is the hidden cost centre inside fast delivery models. The article’s focus on secret detection reflects a wider pattern: delivery speed increases the number of places where credentials can appear, persist, and be forgotten. Our research shows that 88% of security professionals are concerned about secrets sprawl according to the [Akeyless survey](https://nhimg.org/the-2024-state-of-secrets-management-survey-report). The practical lesson is that a pipeline without inventory, rotation, and offboarding is already operating with unmanaged NHIs.
PKI automation is a trust-control problem, not merely an operations efficiency problem. The article correctly points to certificate issuance and renewal as essential at scale, because manual certificate handling cannot keep pace with modern release velocity. When certificate lifecycles lag deployment lifecycles, identity assurance breaks down quietly. Practitioners should align PKI automation with policy so trust material expires, renews, and revokes on schedule rather than by exception.
DevSecOps maturity depends on reducing governance latency, not only finding more vulnerabilities. Security findings are useful only if pipeline owners can act on them before deployment. The central weakness in traditional DevOps is the delay between detection and remediation, which turns known issues into production exposure. The better measure is whether security controls can keep pace with release cadence without creating unmanaged exceptions.
What this signals
Secrets lifecycle control is becoming a delivery-system requirement, not a back-office hygiene task. As CI/CD pipelines absorb more credential handling, teams need a single view of issuance, rotation, and revocation across build and runtime systems. The strongest programmes will treat service credentials as governed assets with owners, expiry, and auditability, not as opaque variables hidden in tooling.
The operational signal is clear: organisations that cannot explain where a secret lives, who can use it, and when it expires will continue to absorb avoidable exposure. Mapping delivery controls to a policy-led identity model gives security teams a practical way to reduce exception handling and cut down the time between detection and remediation.
PKI automation and secret management now sit in the same control conversation. When certificates and keys are both part of software delivery, one weak lifecycle breaks the trust chain for the whole pipeline. Teams that align with NIST SP 800-53 Rev 5 Security and Privacy Controls will be better placed to enforce access, integrity, and change control across build systems and deployment paths.
For practitioners
- Embed security requirements into pipeline design Define security acceptance criteria for every repository and build stage, including threat modelling, dependency review, and secret scanning before merge. Make those controls part of the delivery definition rather than post-release remediation.
- Automate secret detection and credential lifecycle controls Scan code, configuration, and CI/CD variables for exposed credentials, then rotate or revoke affected secrets through a governed workflow. Pair detection with ownership so each secret has a clear lifecycle and offboarding path.
- Treat certificates as managed machine identities Centralise issuance, renewal, and revocation for service certificates and tie them to workload ownership, expiration policy, and environment scope. Manual renewal should be the exception, not the operating model.
- Reduce tool sprawl in the delivery chain Rationalise point tools into a coherent policy model so build, scan, sign, and deploy controls produce one traceable security record. Fragmented tooling creates coverage gaps even when individual checks appear strong.
Key takeaways
- DevSecOps changes the security problem from post-build review to continuous control inside the delivery pipeline.
- Secrets, certificates, and service credentials are machine identities, so pipeline hygiene is identity governance as much as engineering practice.
- The practical test is whether teams can detect, rotate, and revoke trust material faster than the pipeline can propagate it.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0, NIST SP 800-53 Rev 5 and CIS Controls v8 set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-03 | Secret handling and lifecycle control are central to the pipeline risk discussed here. |
| NIST CSF 2.0 | PR.AC-4 | Pipeline access and credential handling depend on least-privilege enforcement. |
| NIST SP 800-53 Rev 5 | IA-5 | Credential and authenticator management directly applies to certificates and secrets. |
| CIS Controls v8 | CIS-5 , Account Management | Account lifecycle controls map to service identities and pipeline permissions. |
Inventory pipeline secrets and enforce rotation, revocation, and ownership checks before deployment.
Key terms
- DevSecOps: DevSecOps is the practice of building security into software delivery from the earliest planning stages through build and deployment. It combines engineering automation with governance so vulnerabilities, secrets, and trust issues are addressed before release, not after production exposure.
- Continuous Integration And Continuous Delivery: Continuous integration and continuous delivery, or CI/CD, are automated software release practices that merge, test, and deploy changes frequently. They create speed and consistency, but also concentrate risk because the same pipelines often handle code, secrets, certificates, and production permissions.
- Public Key Infrastructure: Public key infrastructure is the trust system used to issue, manage, and validate digital certificates and keys. In modern delivery environments it underpins service authentication, software signing, and encrypted communication, which makes certificate lifecycle management a core security control rather than a back-office task.
- Secrets Management: The discipline of securely storing, distributing, rotating, and auditing secrets across an organisation's systems and pipelines — typically implemented via a centralised secrets vault such as HashiCorp Vault, AWS Secrets Manager, or Akeyless.
What's in the full article
GlobalSign's full article covers the operational detail this post intentionally leaves for the source:
- Step-by-step guidance on embedding security checks into DevOps workflows at design, build, and deployment stages
- Practical examples of certificate automation and PKI handling inside CI/CD environments
- A fuller explanation of how teams can build a security-first culture across development, operations, and security
- The article's discussion of adoption barriers, including skills gaps, tool proliferation, and change management
Deepen your knowledge
The NHI Foundation Level course, the industry's only accredited NHI security programme, covers NHI governance, machine identity security, secrets management, and identity lifecycle control. It helps security and identity practitioners connect delivery workflows to the governance models their programmes already own.
Published by the NHIMG editorial team on July 11, 2026.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org