Applying DevSecOps Approach in Legacy Computing Infrastructures: A Case Study in Public Sector of Brazil
Abstract
Legacy computing environments in the public sector present significant cybersecurity challenges due to outdated systems, technological heterogeneity and complex operational demands. In this context, this paper presents an initial study within a real-world case at a Brazilian governmental institution that applies the DevSecOps methodology in the CI/CD pipeline with two distinct security tools: Static Application Security Testing (SAST) and Vulnerability Management (VM). SAST was applied to assess application security at code level, while VM targeted infrastructure-level risks using metrics such as CVSS and EPSS. The results demonstrate the value of each approach in improving risk visibility and mitigation and the possibility of integrating both tools into a unified DevSecOps workflow, aiming for continuous security and greater operational resilience. This work provides practical insights for public institutions seeking to modernize their cybersecurity posture while addressing the constraints inherent to legacy systems, in alignment with frameworks such as NIST CSF and CIS Controls.
Published
27/10/2025
How to Cite
LIMA, João C. C.; CAMPOS, Francisco R. M.; GOMES, Rafael L.; RODRIGUES, Emanuel B.; ANDRADE, Rossana M. C.; SILVA, Clenival L.; BENTES, Daniel C.; CIALDINI, Alexandre S. Applying DevSecOps Approach in Legacy Computing Infrastructures: A Case Study in Public Sector of Brazil. In: LATIN-AMERICAN SYMPOSIUM ON DEPENDABLE COMPUTING (LADC), 14., 2025, Valparaíso/Chile. Proceedings [...]. Porto Alegre: Sociedade Brasileira de Computação, 2025. p. 3-19.
