To understand DevSecOps, we first need to define the role of DevOps. DevOps is essentially the unification of two existing functions, development and IT operations, borrowing skills from both the developer and system administration roles.
DevOps has grown alongside agile development practices. Agile promotes continuous, fast release cycles, but relying on long-established system administration processes created a bottleneck: those processes struggled to keep pace with the demand for more frequent releases and tighter feedback loops.
DevOps comprises values, methods, practices and tools. The values of DevOps largely mirror those of the agile manifesto. The details of each are open to individual interpretation and discussion, but essentially DevOps is the meeting point of agile development teams that need to release software fast and often, and operations teams that need stability and predictability. The unification of these needs is achieved by adopting agile tools and processes methodically.
For example, by providing developers with the right tools to create and deploy code independently, a DevOps team can support agile development and do so in a way that adheres to operational processes. DevOps practices might include ensuring that metrics and health-monitoring features are always provided, so that issues can be identified quickly.
DevSecOps elaborates on DevOps by aiming to bake a security culture into the DevOps process, again unifying security roles and DevOps into one common movement with aligned goals. Traditionally, security might be a separate activity, performing threat analysis on a given release; with agile development, security instead becomes inherent, a real-time part of the develop-release cycle.
DevSecOps can leverage existing DevOps tools and established processes to include security. For example: automating threat-analysis scanning upon every code release, or providing tooling so that as developers release software, intrusion detection is automatically configured and deployed together with the software rather than as an afterthought. DevSecOps practices might include only allowing passwords to be read from environment variables rather than from flat configuration files, which supports agile development and is inherently more secure, since it reduces the risk of passwords being accidentally committed to code repositories.
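The environment-variable rule above is easy to state but only useful if it is enforced, both at service start-up and before a config file reaches the repository. The following Python is an added example written for this page, not code from the article: a settings loader that takes ordinary settings from a flat `key=value` file but refuses to start if that file carries a secret-looking key or if a required secret is missing from the environment, plus a small pre-commit style scan over a set of config files. The key fragments, the variable names `DB_PASSWORD` and `API_TOKEN`, and the sample files are all assumptions constructed for the example.

```python
"""Added example (not from the article): secrets only from the environment,
never from flat config files, enforced at start-up and in a repository scan."""
import os
from typing import Dict, List, Mapping

# Key fragments treated as secrets. Hypothetical list chosen for this example.
SECRET_KEY_FRAGMENTS = ("password", "passwd", "secret", "api_key", "token")

# Environment variables the service requires. Hypothetical names.
REQUIRED_SECRET_ENV = ("DB_PASSWORD", "API_TOKEN")


class SecretInConfigError(ValueError):
    """Raised when a flat config file carries a secret-looking key."""


class MissingSecretError(RuntimeError):
    """Raised when a required secret is absent from the environment."""


def looks_like_secret_key(key: str) -> bool:
    """True if the key name suggests it holds a credential."""
    lowered = key.lower()
    return any(fragment in lowered for fragment in SECRET_KEY_FRAGMENTS)


def parse_flat_config(text: str) -> Dict[str, str]:
    """Parse 'key = value' lines; blank lines and '#' comments are ignored."""
    settings: Dict[str, str] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "=" not in line:
            raise ValueError(f"line {lineno}: expected key=value, got {raw!r}")
        key, _, value = line.partition("=")
        settings[key.strip()] = value.strip()
    return settings


def load_settings(config_text: str, env: Mapping[str, str]) -> Dict[str, str]:
    """Combine flat-file settings with secrets taken only from the environment.

    Fails closed: a secret-looking key in the file aborts start-up instead of
    being silently accepted, and a missing or empty required environment
    variable is an error rather than an empty password.
    """
    settings = parse_flat_config(config_text)
    offenders = [key for key in settings if looks_like_secret_key(key)]
    if offenders:
        raise SecretInConfigError(
            "secrets must come from the environment, not the config file: "
            + ", ".join(offenders)
        )
    for name in REQUIRED_SECRET_ENV:
        value = env.get(name, "")
        if not value.strip():
            raise MissingSecretError(f"environment variable {name} is not set")
        settings[name.lower()] = value
    return settings


def scan_repo_configs(files: Mapping[str, str]) -> List[str]:
    """Pre-commit style check over config files (path -> file text).

    Returns 'path:key' for every secret-looking key, so a commit that would
    put a credential into the repository can be rejected before it lands.
    """
    findings: List[str] = []
    for path, text in files.items():
        for key in parse_flat_config(text):
            if looks_like_secret_key(key):
                findings.append(f"{path}:{key}")
    return findings


if __name__ == "__main__":
    # Constructed sample config; in a real service this is read from disk.
    sample = "# constructed sample\ndb_host = db.internal\ndb_port = 5432\n"
    try:
        print(load_settings(sample, os.environ))
    except MissingSecretError as exc:
        print(f"refusing to start: {exc}")
    print(scan_repo_configs({"prod.cfg": sample + "db_password = hunter2\n"}))
```

In production the loader would be called with `os.environ`, as in the `__main__` block, while `scan_repo_configs` would run from a pre-commit hook or a CI step over the staged config files; both share the same `looks_like_secret_key` policy so the rule is enforced identically in both places.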