What is DevSecOps?

DevSecOps stands for Development, Security, and Operations. Its aim is to embed security practices into the DevOps process. The term represents a natural and necessary evolution in the way organizations approach the design, development, deployment, and maintenance of software applications. By including security as a shared responsibility throughout the entire IT lifecycle, DevSecOps seeks to close the gaps that might otherwise be present when security is only considered a final checkpoint in software delivery.

DevSecOps involves creating a 'Security as Code' culture with ongoing, flexible collaboration between release engineers and security teams. The traditional model of software development and deployment often saw security as a final step, which could cause delays and friction if vulnerabilities were found late in the process.

In contrast, DevSecOps expects security decisions to be made, and security controls to be applied, at the same speed and scale as development and operations work, rather than in a separate review at the end. This requires:

  • Automating core security tasks by embedding security controls and processes (for example static analysis, dependency and container scanning, and secret detection) into the CI/CD (Continuous Integration/Continuous Delivery or Deployment) pipeline, so that a build with unacceptable findings does not ship.
  • Shifting security to the left (earlier in the development process) so that everyone is responsible for security from the outset.
  • Ensuring continuous security monitoring to provide visibility into security issues and to allow for quick remediation.
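The three points above describe a practice rather than a specific tool, so the following is an added illustration, not code from the original page or from any particular DevSecOps product. It shows the "Security as Code" idea in its simplest form: a pipeline gate whose policy (which severities block a release, and which findings have a time-limited, documented exception) lives in version control and is evaluated automatically on every build. The report format, finding IDs, policy keys and sample findings are all constructed assumptions for this example; real scanners emit their own formats (such as SARIF) that would be parsed in place of the simplified JSON used here.

```python
"""Policy-as-code gate for a CI/CD pipeline (added example, not from the page).

Assumptions (hypothetical): scanner output has been normalised to a JSON
document with a list of findings, each carrying 'id', 'tool', 'severity',
'location' and 'title'. The policy dict would normally be a file checked in
beside the application code and reviewed like any other change.
"""
import json
import sys
from datetime import date

# Constructed sample report. It is not real scanner output; the IDs and
# locations are made up for illustration.
SAMPLE_REPORT = json.dumps({
    "findings": [
        {"id": "SAST-001", "tool": "sast", "severity": "HIGH",
         "location": "app/auth.py:42", "title": "SQL built by string concatenation"},
        {"id": "DEP-001", "tool": "dependency", "severity": "CRITICAL",
         "location": "requirements.txt", "title": "library version with known CVE"},
        {"id": "SAST-002", "tool": "sast", "severity": "LOW",
         "location": "app/util.py:10", "title": "verbose error message"},
        {"id": "SECRET-001", "tool": "secrets", "severity": "HIGH",
         "location": "config/dev.env", "title": "hard-coded API token"},
    ]
})

SEVERITY_RANK = {"LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

# Policy as code (hypothetical schema). Exceptions are keyed by finding ID,
# must carry a justification, and expire, so a waiver cannot silently become
# permanent.
POLICY = {
    "fail_at_or_above": "HIGH",
    "exceptions": {
        "DEP-001": {"expires": "2099-01-01",
                    "reason": "patched version breaks the build; tracked in ticket"},
        "SAST-002": {"expires": "2000-01-01",
                     "reason": "old waiver, already expired"},
    },
}


def exception_applies(policy, finding_id, today):
    """True only if a documented exception exists and has not expired."""
    exc = policy["exceptions"].get(finding_id)
    if exc is None or not exc.get("reason"):
        return False
    return date.fromisoformat(exc["expires"]) >= today


def evaluate(report_json, policy, today=None):
    """Apply the policy to a report and return the gate decision.

    Unknown severities are treated as CRITICAL so the gate fails closed
    when a scanner changes its vocabulary.
    """
    today = today or date.today()
    threshold = SEVERITY_RANK[policy["fail_at_or_above"]]
    findings = json.loads(report_json)["findings"]
    blocking, waived = [], []
    for f in findings:
        rank = SEVERITY_RANK.get(str(f.get("severity", "")).upper(),
                                 SEVERITY_RANK["CRITICAL"])
        if rank < threshold:
            continue
        if exception_applies(policy, f["id"], today):
            waived.append(f["id"])
        else:
            blocking.append(f["id"])
    return {"passed": not blocking, "blocking": blocking, "waived": waived}


if __name__ == "__main__":
    # As a pipeline step: a non-zero exit status fails the build.
    result = evaluate(SAMPLE_REPORT, POLICY)
    for fid in result["waived"]:
        print(f"waived  {fid}: {POLICY['exceptions'][fid]['reason']}")
    for fid in result["blocking"]:
        print(f"BLOCKED {fid}")
    print("gate:", "PASS" if result["passed"] else "FAIL")
    sys.exit(0 if result["passed"] else 1)
```

Two design points matter more than the code itself. Exceptions expire and require a reason, so the waiver list is itself subject to review and cannot accumulate indefinitely, and anything the gate does not understand (an unfamiliar severity label) blocks rather than passes. Both are the properties a reviewer should look for in any pipeline security gate, whatever tool produces the findings.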

The goal of DevSecOps is to bridge traditional gaps between IT and security while ensuring fast, safe delivery of code. It is a cross-disciplinary practice that seeks to improve the overall security posture by designing secure software from the ground up, involving all stakeholders in security decisions, and automating security assurance as an integral part of the development and deployment processes.