DevOps vs DevSecOps – Incorporating security principles



DevOps is a set of practices for automating the processes between software development and information technology operations teams so that they can build, test, and release software faster and more reliably.

The goal is to shorten the systems development life cycle and improve reliability. This is all achieved while continuing to deliver features, fixes, and updates promptly – in close alignment with business objectives.

DevSecOps is a new culture shift in the software industry that aims to take security into the rapid-release cycles that are typical of the DevOps process.

Figure 1: DevOps vs DevSecOps (diagram overlaying security testing throughout the DevOps cycle)

1. Security happens during, not after development

Traditionally, application security testing sits as a discrete stage between development and operations. DevOps practices sped up this approach — develop, test and secure, operate — but kept the stages separate. The new culture of DevSecOps unites the three stages into one effort coordinated by a single team with access to the same data.

DevSecOps integrates application security testing earlier in the development and operations workflow. This avoids relying on post-development scans and assessments to find potential application security issues.

2. Security can ‘shift left’—and ‘shift right’

The ability of DevSecOps to ‘shift left’ and address security in pre-production helps improve efficiency during development. However, it is also vital that security practices ‘shift right’ by continuing to monitor applications running in the production environment.

Here’s why:

  • Production is where most exploits take place. Applications are open to the internet and accessed by unknown entities, some of which may have malicious intent.
  • Production is where off-the-shelf and home-grown applications run. These applications may not be subject to your usual pre-production testing regimen and may fall through the cracks.

Because application vulnerabilities can be addressed during development and then evaluated in the run-time context of the production environment, the time and effort required to remediate them is much lower.

3. Security is by design, not tacked on

The most hardened, well-protected applications are those for which security was a key consideration all along. DevSecOps practices ensure that applications do not rely on tacked-on protections. They do this by giving security staff a seat at the table and incorporating their input from the very beginning of application development and operations.

The result is secure by design. In the past, discovering application vulnerabilities with post-release security solutions would, at best, slow software rollouts and, at worst, require recalls. The DevSecOps approach avoids this situation by making security a native component of key application frameworks and functions.

4. Security is a shared responsibility

When considering DevOps vs DevSecOps, you can see that both look to integrate diverse processes using a combination of agility and automation. One contribution security can make to DevOps is to emphasise the idea that everyone is responsible for security.

DevOps teams’ relationships with security staff can range from apathetic to downright hostile. This happens if DevOps staff do not understand the importance of the security practices suggested, or if they feel these practices obstruct their work. In a recent study by ESG, 27% of respondents admitted their application development and DevOps teams don't even work with their cybersecurity teams because they are afraid this will slow them down.

DevSecOps requires a cultural shift. Rather than simply joining three disparate disciplines under common management, DevSecOps expects every individual to exercise security best practices relevant to their role and to remain in a security-focused mindset. The result is a shared responsibility model that helps ensure a secure product.

5. Shared security intelligence breaks down silos

While DevOps looks to integrate once-disparate processes, DevSecOps looks to break down more of the conventional walls between organisational departments. These are known as 'silos'. They are the data and applications that each department handles in its own specific way. Having silos can create immediate inconveniences and signal deeper problems with observability and sharing of critical information.

However, DevSecOps efforts level the playing field by creating a framework of shared solutions, data, and security protocols. All teams can leverage these throughout the software delivery lifecycle. While use cases and customisations may vary between processes, shared resources that integrate into a common workflow help to eliminate unnecessary silos.

6. Integrated security enables automation

Both DevOps and DevSecOps prioritise simplifying processes through automation. For DevOps, automation streamlines design, testing, and deployment processes; it also increases the speed of application development.

Similarly, integrating application security earlier in the software development process enables teams to identify the areas of greatest risk. They can resolve and prevent application vulnerabilities early in pre-production, but also in production. This integrated approach makes it possible for teams to reliably automate vulnerability detection and security practices into a continuous delivery workflow.
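The automated pipeline gate described here, and the shift-left / shift-right split from section 2, as an added illustration that is not part of the course material: a small policy-as-code check that reads a scanner report and decides whether a stage may proceed. The report layout, field names, severities and policy values are constructed assumptions, not any particular scanner's schema.

```python
"""Policy-as-code security gate for a CI/CD pipeline (added example).

The same evaluation runs twice: at 'pre-production' it blocks the build
(shift left); at 'production' it raises an alert without stopping traffic
(shift right). Report format and field names are assumptions.
"""
import json
from datetime import date

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed sample report, loosely modelled on SAST / dependency-scanner output.
SAMPLE_REPORT = json.dumps({"findings": [
    {"id": "F-1", "severity": "critical", "component": "libexample 1.2.0", "title": "remote code execution"},
    {"id": "F-2", "severity": "medium", "component": "app/auth.py", "title": "weak password hashing"},
    {"id": "F-3", "severity": "high", "component": "libother 0.9", "title": "denial of service"},
]})

# Accepted risks are explicit, owned and time-boxed: an expired acceptance no longer suppresses.
ACCEPTED_RISKS = {"F-3": {"owner": "team-platform", "expires": "2099-01-01"}}

# Stage-specific policy: what severity is actionable and whether to block or alert.
POLICY = {
    "pre-production": {"block_at": "high", "mode": "block"},    # shift left: fail the build
    "production":     {"block_at": "medium", "mode": "alert"},  # shift right: notify, keep running
}


def evaluate_gate(report_json, stage, today=None):
    """Return (verdict, actionable_ids); verdict is 'pass', 'fail' or 'alert'."""
    today = today or date.today()
    policy = POLICY[stage]
    threshold = SEVERITY_RANK[policy["block_at"]]
    actionable = []
    for finding in json.loads(report_json)["findings"]:
        accepted = ACCEPTED_RISKS.get(finding["id"])
        if accepted and date.fromisoformat(accepted["expires"]) >= today:
            continue  # risk accepted and acceptance still valid
        if SEVERITY_RANK[finding["severity"]] >= threshold:
            actionable.append(finding["id"])
    if not actionable:
        return "pass", []
    return ("fail" if policy["mode"] == "block" else "alert"), sorted(actionable)


if __name__ == "__main__":
    for stage in POLICY:
        print(stage, evaluate_gate(SAMPLE_REPORT, stage))
```

In a real pipeline the "fail" verdict would map to a non-zero exit code on the build job, while "alert" would feed the production monitoring channel.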

What's next

Next you will be exploring the important area of auditing.


In this course on IT infrastructure security, we’ll be looking at the SD3 framework and some modern development approaches that seek to incorporate security into the development right from the beginning. You’ll also look at detection and testing in some detail.
