
What is DevSecOps? What You Need to Know

What exactly is DevSecOps? We explore this development practice, as well as its relationship to DevOps and agile methodologies. Read about this all here.

Thomas Bailey

To understand DevSecOps, we first need to define the role of DevOps.

What is DevOps?

DevOps is essentially the unification of existing development and operations functions. DevOps has grown alongside agile development practices. While agile promotes continuous, fast release cycles, relying upon long-established system administration practices led to a bottleneck, as existing processes struggled to keep pace with the demand for more frequent releases and tighter feedback loops.

DevOps comprises values, methods, practices and tools. The values of DevOps largely mirror those of the agile manifesto. The details of each are open to individual interpretation and discussion, but essentially DevOps is the meeting point of agile development teams that need to release software fast and often, and operations teams that need stability and predictability. The unification of these needs is achieved by adopting agile tools and processes methodically.

For example, by providing developers with the right tools to create and deploy code independently, a DevOps team can support agile development and do so in a way that adheres to operational processes.

DevOps practices might include ensuring that metrics and health-monitoring features are always shipped with a service, giving teams the insight needed to identify issues quickly.

Defining DevSecOps

DevSecOps elaborates on DevOps by aiming to bake a security culture into the DevOps process, unifying security roles and DevOps into one common movement with aligned goals.

Traditionally, security might be a separate activity that performs threat analysis on a given release. With agile development, security instead becomes an inherent, real-time part of the develop-release cycle.

DevSecOps can leverage the tools and established DevOps processes to include security. For example: automating threat-analysis scanning upon every code release, or providing tooling so that, as developers release software, intrusion detection is automatically configured and deployed together with the software rather than as an afterthought.

DevOps practices might include only allowing passwords to be read from environment variables rather than from flat configuration files. This supports agile development and is inherently more secure, since it reduces the risk of passwords being accidentally committed to code repositories.
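The two practices above (a scan that runs on every release, and secrets that come only from the environment) can be shown together in a small piece of code. The following is an added example, not code from the article or from any particular tool: a settings loader that refuses to take credentials from a file, and a release-time check that flags plaintext passwords left in flat configuration files. The function and class names (`load_settings`, `find_plaintext_secrets`, `release_gate`, `SettingsError`), the required variable names and the sample config files are all constructed for this illustration.

```python
"""Added example (not from the article): secrets from the environment only,
plus a simple release gate that catches plaintext secrets in config files.
All names below are this example's own, not any real library's API."""
import os
import re
from typing import Dict, List, Mapping, Tuple

# Hypothetical secrets this service needs; any real service would have its own list.
REQUIRED_SECRETS = ("DB_PASSWORD", "API_TOKEN")


class SettingsError(RuntimeError):
    """Raised when a required secret is missing from the environment."""


def load_settings(env: Mapping[str, str]) -> Dict[str, str]:
    """Build runtime settings from the process environment only.

    Secrets are never read from a file on disk, so a committed settings.ini
    cannot leak them. A missing secret fails fast instead of falling back
    to a default, which is the failure mode you want in a pipeline.
    """
    settings: Dict[str, str] = {}
    for key in REQUIRED_SECRETS:
        value = env.get(key, "")
        if not value:
            raise SettingsError(f"{key} must be set in the environment")
        settings[key] = value
    # Non-secret values may still carry sensible defaults.
    settings["DB_HOST"] = env.get("DB_HOST", "localhost")
    return settings


# Matches lines like "password = hunter2" or "api_token: abc" in INI/YAML-style files.
SECRET_KEY_PATTERN = re.compile(
    r"^\s*(?P<key>[A-Za-z0-9_.-]*(password|passwd|secret|token|api_key)[A-Za-z0-9_.-]*)"
    r"\s*[=:]\s*(?P<value>\S+)",
    re.IGNORECASE,
)


def find_plaintext_secrets(files: Mapping[str, str]) -> List[Tuple[str, int, str]]:
    """Scan {path: contents} and return (path, line_no, key) for every line that
    assigns a literal value to a secret-looking key.

    A value that merely references the environment, such as ${DB_PASSWORD},
    is exactly the pattern the article recommends and is not flagged.
    """
    findings: List[Tuple[str, int, str]] = []
    for path, text in files.items():
        for lineno, line in enumerate(text.splitlines(), start=1):
            match = SECRET_KEY_PATTERN.match(line)
            if not match:
                continue
            if match.group("value").startswith("$"):
                continue  # indirection to an environment variable, not a literal
            findings.append((path, lineno, match.group("key")))
    return findings


def release_gate(files: Mapping[str, str], env: Mapping[str, str]) -> bool:
    """The check a pipeline would run on every release: fail the release if any
    config file carries a plaintext secret, or if the environment that will
    run the software does not actually supply the required secrets."""
    if find_plaintext_secrets(files):
        return False
    try:
        load_settings(env)
    except SettingsError:
        return False
    return True


# Constructed sample inputs: a weak config file beside its hardened form.
WEAK_CONFIG = """[database]
host = db.internal
password = hunter2
"""
HARDENED_CONFIG = """[database]
host = db.internal
password = ${DB_PASSWORD}
"""

if __name__ == "__main__":
    for name, content in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, find_plaintext_secrets({"settings.ini": content}))
    # Against the real process environment; fails unless the secrets are exported.
    print("release ok:", release_gate({"settings.ini": HARDENED_CONFIG}, os.environ))
```

The gate is deliberately two-sided: it rejects a release that still ships a literal password, and it rejects one whose runtime environment does not provide the secret at all, so moving a credential out of the repository cannot silently leave the service unconfigured. The key pattern is a heuristic (it will also match a key such as `tokenizer`), which is acceptable for a gate that a human reviews rather than a blocking rule with no override.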