Alekos Interrante Bonadia
APIOps and DevSecOps: Automating API Deployment and Security Scanning in Cloud Environments.
Supervisor: Andrea Atzeni. Politecnico di Torino, Master's degree programme in Ingegneria Informatica (Computer Engineering), 2025
PDF (Tesi_di_laurea)
- Thesis
License: Creative Commons Attribution Non-commercial No Derivatives. Download (6MB)
Abstract:

This thesis presents the development and implementation of an APIOps and DevSecOps platform for automated API release and security analysis in cloud environments. The research was conducted at Cloud9 Reply to address a key enterprise challenge: securing and managing APIs effectively. The first part reviews different API types and styles, the maturity of current API platforms, and key concepts such as DevOps principles, enterprise workflows, and API management. It also compares solutions such as Kong API Gateway, Azure API Management, Tyk API Gateway, and Layer7 API Management Platform.

The main contribution of this work is the design and implementation of an integrated APIOps platform built on Azure cloud infrastructure. It integrates with Azure API Management and Azure DevOps to create a workflow that streamlines and improves API management. The platform includes six core components:

- The Extractor Pipeline retrieves API specifications and configurations from a running APIM instance.
- The Static Security Analysis Pipeline performs static security testing on API code before deployment.
- The Publisher Pipeline handles the automated deployment of APIs to different environments.
- The Reachability and Rollback Pipeline ensures APIs are accessible and provides rollback capabilities when issues arise.
- The Dynamic Security Analysis Pipeline performs dynamic security analysis on running APIs after deployment.
- The Master Orchestrator Pipeline coordinates all the pipelines and manages the overall workflow.

Together, these components automate API versioning, multi-environment deployment, public availability, and security testing. After deployment, the platform was assessed against relevant security standards, regulations, directives, and frameworks such as ISO/IEC 27001:2022, PCI DSS, NIST SP 800-92, HIPAA, NIS2, and GDPR to determine which requirements had been effectively implemented.

Results show that the integrated APIOps approach improves API security, maintains development speed and operational efficiency, and provides detailed audit trails to support compliance. Long-term analysis demonstrates substantial improvements in enterprise API management capabilities. This work contributes to the field by demonstrating how modern APIOps and DevSecOps practices can be effectively applied to enterprise API management, providing a practical framework for organizations adopting digital transformation and cloud migration. Introducing security checks earlier in the development workflow streamlines processes and reduces long-term maintenance costs. Thanks to its modular design, the platform provides a flexible foundation that can evolve with emerging technologies and integrate advanced security tools.

| Field | Value |
|---|---|
| Supervisors: | Andrea Atzeni |
| Academic year: | 2025/26 |
| Publication type: | Electronic |
| Number of pages: | 117 |
| Subjects: | |
| Degree programme: | Master's degree programme in Ingegneria Informatica (Computer Engineering) |
| Degree class: | New system > Master's degree > LM-32 - INGEGNERIA INFORMATICA |
| Partner companies: | SECURITY REPLY SRL |
| URI: | http://webthesis.biblio.polito.it/id/eprint/37730 |