Unleash

DevSecOps Security Best Practices: Why Feature Flags Are Fundamental

February 26, 2026

Article by Justin Dunham

Most definitions of DevSecOps focus heavily on the “build” phase of the software lifecycle. Teams spend significant energy on static application security testing (SAST), software composition analysis (SCA), and container scanning. While these shift-left strategies are essential for catching known vulnerabilities early, they leave a dangerous gap: they do not protect you once code is running in production. A complete security posture requires mechanisms to control exposure and recover instantly when (not if) a vulnerability slips through the cracks.

TL;DR

  • Shifting security left is necessary but insufficient because it cannot predict runtime behaviors or zero-day exploits.
  • Decoupling deployment from release minimizes the blast radius of new code by exposing it to only a fraction of users initially.
  • Feature flags act as instant kill switches that reduce Mean Time to Remediation from hours to seconds without requiring a redeploy.
  • You must secure the feature flag control plane itself via RBAC, audit logging, and strict separation of configuration data from secrets.
  • Governance workflows like change requests prevent unauthorized toggles that could expose sensitive functionality or bypass security controls.

The gap between pipeline security and runtime control

The industry has successfully normalized the idea that security is everyone’s responsibility. Frameworks like the NIST Secure Software Development Framework (SSDF) provide excellent vocabulary for securing the supply chain and producing secure software. Tools now automate the detection of insecure dependencies and hardcoded secrets before a merge request is ever approved.

However, a clean scan in the CI/CD pipeline does not guarantee a secure runtime environment. A library that was safe on Tuesday might have a zero-day vulnerability discovered on Wednesday. A complex interaction between microservices might only surface as a denial-of-service vector under heavy load.

Standard DevSecOps practices often overlook the need for “shift right” capabilities, specifically the ability to control software behavior after deployment. Without this control, your only response mechanism is a rollback or a hotfix, both of which are slow, high-stress processes that extend the window of exposure for attackers.

Supply chain opacity demands runtime verification

Modern DevSecOps relies heavily on securing the software supply chain, a focus formalized in frameworks like SLSA v1.2 and the NIST Secure Software Development Framework (SSDF). These standards help ensure that the artifacts you build are free from tampering and known vulnerabilities. However, even a perfectly verified artifact can behave maliciously or unexpectedly when interacting with live production data.

Supply chain attacks often involve compromised dependencies that lie dormant until specific runtime conditions are met. A library might pass every static scan in the pipeline but trigger a denial of service or data exfiltration routine once deployed. In this context, feature flags act as a “circuit breaker” for untrusted components. By wrapping interactions with new or third-party libraries in feature flags, teams can isolate that code execution path. If the trusted supply chain proves to be compromised, operators can disable the affected component instantly without needing to rebuild or redeploy the entire application stack.

Decouple deployment from release to limit blast radius

One of the most effective security measures is limiting who can access new code. In a traditional “big bang” release, code is deployed and released simultaneously to 100 percent of the user base. If that code contains a logical flaw or a security vulnerability, the attack surface is maximized immediately.

Feature flags operationalize the separation of deployment and release. You deploy the code to production in a dormant state, then release it incrementally. 

By gating new functionality behind a flag, you can expose it to trusted internal users first, then a small canary segment, and finally the broader public. If a security issue is detected during the early rollout, the impact is contained to a negligible percentage of users. Incremental rollouts transform release management from a binary “safe/unsafe” gamble into a controlled, observable gradient.

Feature flags as incident response tools

When a vulnerability is exploited in production, speed is the only metric that matters. The time between detection and mitigation is where damage occurs.

In a pipeline-only security model, remediation looks like this:

  1. Identify the issue.
  2. Write a code fix or revert the commit.
  3. Wait for the build pipeline to run.
  4. Wait for the deployment pipeline to finish.
  5. Verify the fix.

Full remediation cycles often take hours or days, even for teams focused on continuous delivery.

With feature flags, the remediation process changes. If a specific feature is identified as the vector for an attack or a performance degradation, an operator can toggle the flag to “off.” This kills the code path instantly across the entire fleet. The vulnerability is neutralized in seconds, buying the engineering team time to develop a proper patch without the pressure of an active incident.

Instant toggles map directly to the “Respond to Vulnerabilities” category in modern security frameworks like NIST SSDF. It shifts the dynamic from “scramble to fix” to “disable and investigate.”

Securing the control plane

If feature flags are used to gate sensitive functionality or mitigate incidents, the feature management system itself becomes critical security infrastructure. It must be hardened with the same rigor as your CI/CD pipelines or cloud IAM policies.

Treat flags as production infrastructure

A common pitfall is treating feature flags as simple configuration files. If an attacker gains access to your flag management system, they could potentially enable unfinished features, bypass frontend-only gates, or disable security controls.

To mitigate this, you must apply the principle of least privilege to the control plane.

  • Network Isolation: The management service should not be publicly accessible. Use private endpoints and restrict access to internal corporate networks.
  • Identity Management: Enforce single sign-on (SSO) and multi-factor authentication (MFA) for all users accessing the flag dashboard.
  • RBAC: Not every developer needs the ability to toggle flags in the production environment. Implement granular Role-Based Access Control to ensure only authorized personnel can change the state of critical flags.

“The industry is catching up to the reality that feature management is sensitive security infrastructure. Major cloud providers have begun adding private endpoints and customer-managed encryption to their configuration stores, a tacit acknowledgment that flag data contains sensitive business logic and release timings worth protecting.

At Unleash, this has been a design principle from the start. Because Unleash evaluates flags locally or at the edge, your flag configuration never needs to traverse the public internet to a third-party SaaS endpoint. Combined with self-hosted deployment options, RBAC, and immutable audit logging, this architecture gives security teams full control over the control plane rather than delegating it to a vendor’s shared infrastructure.”

Your feature flag implementation should adhere to these same hardening standards, ensuring that the system controlling your production behavior is as secure as the production environment itself.

Audit logs and attribution

Every change to a flag’s state must be attributable. DevOps trends emphasize observability, and this extends to configuration changes.

You need a persistent, immutable record of who changed a flag, when they changed it, and what the previous and new values were. This audit trail is vital for post-incident reviews and compliance audits (such as SOC 2 or ISO 27001). If a feature was mysteriously enabled at 2:00 a.m., the audit log is the first place you look to determine if it was a scheduled automation or compromised credentials.

Distinguish between flags and secrets

A dangerous anti-pattern is using feature flags to manage secrets, such as API keys or encryption tokens. Feature flag payloads are often delivered to client-side applications (browsers or mobile devices) for local evaluation.

If you put a database credential inside a feature flag payload, you are effectively publishing that credential to the internet. Keep secrets in dedicated secrets management tools (like HashiCorp Vault or AWS Secrets Manager) and use feature flags strictly for controlling logic flows and behavior.

Implementing governance without destroying velocity

Security teams often worry that feature flags introduce chaos, such as untracked changes bypassing the formal change management process. However, modern feature management allows you to enforce governance that is actually stricter than code reviews, because it applies to runtime state.

The four-eyes principle

For sensitive environments like production, you can enforce approval workflows on flag changes. Just as a pull request requires a peer review before merging, a flag change should require a second set of eyes before it activates.

Using a “Change Request” model allows developers to schedule and draft changes, but prevents unilateral execution. Mandatory approvals satisfy compliance requirements for segregation of duties without forcing teams back into the era of filing tickets with a release manager.

Do not flag security patches

While feature flags are powerful for feature rollouts, they can introduce risk if used to roll out security fixes. GitLab’s security policy explicitly prohibits using feature flags for security merge requests. The rationale is simple: if a security fix is hidden behind a flag, there is a risk that the flag could be accidentally disabled (or left disabled by default), leaving the system vulnerable despite the patch being present in the code.

Security patches should be binary, applied or not applied, rather than conditional. Reserve feature flags for functional changes where “off” is a safe state. For a security fix, the “off” state is a known vulnerability, which violates the principle of secure-by-design.

Flag hygiene and lifecycle management

Old flags represent technical debt and potential security risk. If a flag is left in the codebase for years after the feature has fully launched, it becomes a distinct attack vector: dead code that could be accidentally reactivated.

Best practices dictate a strict lifecycle for flags:

  1. Creation: Define the flag type (release, operational, permission).
  2. Rollout: Incrementally increase reach.
  3. Graduate: Once at 100%, the flag is considered permanent behavior.
  4. Cleanup: Remove the conditional logic from the code and archive the flag in the management system.

Teams should automate the detection of “stale” flags—flags that haven’t changed state or been evaluated in weeks—and prioritize their removal during maintenance sprints.

Conclusion

DevSecOps doesn’t stop at the pipeline. If you can’t control software behavior in production, your security posture has a hole in it. While shifting left reduces the number of defects that reach production, relying solely on pre-deployment checks ignores the reality of complex systems where failure is inevitable. You must assume vulnerabilities will slip through and build the controls necessary to mitigate them instantly.

Unleash supports this runtime security posture by providing a focused control plane that evaluates flags locally or at the edge, ensuring no PII leaves your infrastructure, a primary requirement for privacy-conscious enterprises. By integrating approval workflows, audit logging, and granular access controls directly into the feature delivery process, teams can maintain high release velocity while satisfying the rigorous governance demands of modern security standards.

DevSecOps security FAQs

How do feature flags differ from configuration management?

Feature flags are designed for dynamic, runtime control of logic paths, often scoped to specific user segments, whereas configuration management typically handles static environment settings like database URLs or timeouts. Security best practices suggest keeping secrets and static infrastructure settings in configuration management while using flags for releasing features and operational kill switches.

Can feature flags be used for access control?

You should not use feature flags as a primary security authorization layer. While flags can hide UI elements or disable API endpoints, they do not replace proper backend authentication and authorization checks (like OAuth or OPA) which must verify a user’s permission to access a resource regardless of the flag state.

What is the security risk of using client-side feature flags?

Client-side flags rely on the user’s browser or device to evaluate rules, which means the flag configuration and ruleset are often visible to the user. To mitigate this risk, never include sensitive data, secrets, or administrative logic in the payload sent to the client, and ensure backend validation exists for any action a user attempts.

How does “shifting left” relate to runtime security?

Shifting left moves security testing earlier in the development process (e.g., SAST in the IDE), which reduces the number of vulnerabilities that reach production. Runtime security complements this by providing controls (like feature flags and WAFs) to manage and mitigate unforeseen issues that were not caught during the pre-deployment phase.

Do feature flags impact compliance audits like SOC 2?

Yes, feature flags are in scope for compliance audits because they change system behavior. To satisfy auditors, your feature management system must demonstrate robust access controls (RBAC), enforce approval workflows for production changes, and maintain immutable audit logs of all modifications.

Share this article

Explore further

Product

Using Feature Flags to Enable Trunk-Based Development

Most engineering teams know the pain of “merge hell.” You spend two weeks building a feature on a dedicated branch, only to find that the main branch has moved on without you. The result is a painful afternoon of resolving conflicts, regression testing, and praying that the integration doesn’t break production. Trunk-based development (TBD) solves […]

Product

Designing secure kill switches for financial services

In August 2012, Knight Capital Group lost $440 million in 45 minutes because a deployment error reactivated dormant code, as detailed in the SEC’s administrative proceeding. This incident remains the canonical example of why financial institutions need the ability to stop a process immediately. However, simply having a “stop” button is insufficient. In modern high-frequency […]

Product

Streamlining Change Management for SOC 2 Compliance

For engineering teams, SOC 2 Common Criteria 8 (CC8) often represents a fundamental conflict. The requirement demands that all changes to the system are authorized, tested, and documented. Historically, this led to the creation of slow-moving Change Advisory Boards (CABs) and manual spreadsheet tracking. However, modern compliance focuses less on adding bureaucratic friction and more […]